Fredrik Heiding, researcher at Harvard University, gives a briefing on phishing at Black Hat USA 2023.

Aug 11 2023

Black Hat USA 2023: How Large Language Models Can Help Detect Phishing Attacks

Experts give an inside look at phishing attacks, what constitutes an effective phishing email and what tactics IT leaders should employ to outsmart them.

“There are roughly 20,000 people at Black Hat right now. What if I create a phishing email that scams all of you?” said Fredrik Heiding, Ph.D. research fellow at Harvard University. He smiled — he was joking, of course. But in this scenario, Heiding demonstrated just how easy it is now to write a successful phishing email using ChatGPT.

According to experts, phishing attacks need only a few accurate details and data points about their recipients to work. “If they are targeted to the right people at the right time — like, say, participants at a security conference with the offer of a free voucher for dinner at Mandalay Bay Convention Center — you’ve created context. Once you do that, the email has relevancy,” he said.

Phishing attacks are fast becoming one of the most pervasive types of cyber breaches, and now, there are even variations of phishing, such as vishing, smishing and quishing.

In many ways, ChatGPT and machine learning make it easier to compose a phishing email. But large language models can also help IT leaders defend against hacks by improving security training. Experts offer the following insight and advice.

[Stat callout: the percent increase of phishing attempts that occurred in 2022. Source: Mimecast, The State of Email Security, April 2023]

The Rise Of More Sophisticated Phishing Attacks

There were an estimated 255 million phishing attempts in 2022, a 61 percent increase from the previous year, according to a recent Mimecast report. For some hackers, phishing attacks are just a way in.

“If they get into your email, then the next phase is your files, data, systems and, eventually, infrastructure. The intent has become much more serious,” Heiding said.

Newer, more advanced attacks feature an interactive element, such as an “unsubscribe” or “opt out of this email” option. “Sometimes a hacker will write an email and put an unsubscribe icon at the bottom,” said Heiding. And this one call to action is all it takes.

Phishing attacks also have a “Gotcha!” effect because they are customized enough to your online patterns and Google searches to avoid looking suspicious.

“Phishing attacks deliberately play with human psychology and personal bias,” said Heiding. “They work because they hijack shortcuts in your brain. But if you pause and reflect on the contents of an email, your rational brain will take over and stop you from clicking.”


The Rise of Automated Phishing Emails

Unfortunately, large language models are getting better at hacking humans, and with small manual adjustments, they have an even higher success rate.

Generative AI also makes it easier and faster to create a phishing email. “You don’t need to be a native English speaker or know proper grammar because ChatGPT writes it for you,” Heiding said.

Add machine learning, and you can also automate phishing emails to run a multipart email scheme against a set of individuals. Heiding described how these follow an A-B-A-C format, much like the multiple follow-ups in a marketing campaign to generate conversions.

Once phishing attacks become automated, the risks grow considerably. But data scientists say this actually presents an opportunity. “If we learn how these models work, we are one step closer to using them for our ends, just as the hackers are using them now for theirs,” Heiding said.


How To Train Large Language Models To Fight Phishing Attacks

Because large language models are a tool that can stretch both ways, research fellows at Harvard and MIT — Bruce Schneier, Arun Vishwanath and Jeremy Bernstein — are exploring how large language models can be trained to detect phishing attacks.

“The more cybersecurity professionals learn about large language model capability, the better equipped we are to train them,” Heiding said.

These models can also be used to improve cybersecurity training because they can analyze a user’s suspicion profile quickly and give IT leaders context into why that person was targeted.

“AI is a very efficient tool,” said Heiding, “and it can be used to help us get better. We just need to treat it like a test and learn.”


Why Analyzing Intent Is Key to Preventing Phishing Attacks

While large language models are in defensive training, IT leaders can also ask themselves a few questions to avoid being phished, beginning with analyzing the intent of the email.

“Is there a scammy tone? Is the content relevant to your work, location, your current day? Is it asking me to take a vague call to action? These are all signs it’s a phishing scam,” said Heiding.

These emails also often have linguistic flair. They are seductive by design. Heiding’s final takeaway: “If it’s urgently trying to get you to click on it, resist. Reflect. Take a breath.”

To keep up with our coverage of Black Hat USA 2023, bookmark this page and follow us on X (formerly Twitter) at @BizTechMagazine, or check out the official conference account, @BlackHatEvents.

Photography by Lily Lopate
