UTICA — It used to be that poor grammar and language made it a bit easier to spot phishing emails and avoid falling for them.
Developed by OpenAI, ChatGPT is a large language model chatbot that predicts the next word in a series of words. In plain speak, it can “write” conversationally.
And scammers are already utilizing the chatbot — available in an app to just about anyone — to craft phishing emails that sound legit.
With New York state ranking third in financial losses due to cybercrime, according to an analysis by security-compliance automation platform Sprinto of data from the Internet Crime Complaint Center, it’s important that businesses take steps to protect themselves from these enhanced phishing attacks.
“The tactics are getting a little bit more sophisticated,” says Alex MacDiarmid, VP and chief technology officer at Quanterion Solutions, Inc., in Utica.
According to the Sprinto analysis, businesses in New York state lose an average of about $32,000 per fraud complaint. Business-email compromise is the costliest type of fraud.
ChatGPT can be beneficial to businesses in the area of customer service and can boost customer engagement and satisfaction, but there are downsides to the technology as well. Already an issue in the classroom with more than one-fourth of teachers catching students using chatbots to cheat, according to study.com, the risks are spreading.
Phishing emails are sneaky, MacDiarmid says, and chatbots make them even trickier to detect. Such emails are often made to look like they are coming from someone at the company.
One step businesses can take to protect against such attacks is to set up the email system to label any emails that come from addresses outside the organization, MacDiarmid says. That helps end users recognize an email that isn’t legitimate, he adds.
Cully Patch, senior program manager for cybersecurity and intelligence at Quanterion Solutions, suggests businesses follow the cybersecurity framework outlined by the National Institute of Standards and Technology. Businesses should identify critical processes and assets, have a strategy to protect them, implement processes to detect attacks, develop a plan to respond to attacks, and outline the steps to recovery after an attack.
“Each one of these has got a plan behind it,” Patch says. He also touts the three Ps of cybersecurity — policy, patching, and persistence. Policy should involve both human resources and the IT department in addressing end-user weaknesses. Patching is important because hackers will exploit known software vulnerabilities. Installing patches and updates is key to removing those vulnerabilities. And persistence is a reminder that cybersecurity isn’t a one-and-done deal. It’s an ongoing process, Patch says.
According to the Sprinto analysis, the most frequent types of cybercrime in New York are non-payment/non-delivery, personal data breach, credit-card fraud, identity theft, and social media. Organizations lose an average of 5 percent of revenue to fraud each year, and the estimated cost of fraud in the United States was $4.2 billion in 2021.