By ESET Expert

Writing like a boss with ChatGPT and how to get better at spotting phishing scams

It’s never been easier to write a convincing message that can trick you into handing over your money or personal data.

ChatGPT has been taking the world by storm, having reached 100 million users only two months after launching. However, media stories about the tool’s uncanny ability to write human-sounding text mask a potentially darker reality.

In the wrong hands, the powerful chatbot (now also built into the Bing search engine) and technologies like it could be misused by scammers and so ultimately help “democratize” cybercrime to the masses. By delivering a fairly low-cost, automated way to create mass scam campaigns, it could be the start of a new wave of more convincing phishing attacks.

How cybercriminals could weaponize ChatGPT

ChatGPT is based on OpenAI’s GPT-3 family of “large language models.” As such, it has been painstakingly trained to interact with users in a conversational tone, wowing many with its naturalistic responses. It’s still early days for the product, but some of the initial signs are troubling.

While OpenAI has built guardrails into the product to prevent its use for nefarious ends, they don’t always appear to be effective or consistent. Among other things, it has been claimed that a request to write a message asking for financial help to flee Ukraine was flagged as a scam and denied. But a separate request to help write a fake email informing a recipient they had won the lottery was given the green light. Separate reports suggest that controls designed to stop users in certain regions from accessing the tool’s application programming interface (API) have also failed.

Type in a prompt and, voila, out comes a usable lure. Criminals could also ask the tool to further tweak such (still mostly boilerplate) messages to their heart’s content and use the output in attacks, both targeted and indiscriminate.

This is bad news for everyday internet users; indeed, cybercriminals have already been spotted leveraging ChatGPT for malicious purposes on multiple occasions. These developments might put the ability to launch large-scale, persuasive, error-free and even targeted cyberattacks and scams such as business email compromise (BEC) fraud into the hands of far more people than ever before.

Indeed, most (51%) cybersecurity leaders now expect ChatGPT to be abused for a successful cyberattack within a year.

One clear takeaway is that we all need to get better at spotting the tell-tale signs of online phishing scams and prepare for a potential surge in malicious emails. Here are some things to look out for:

Signs you’re probably reading a phishing email

1. Unsolicited contact

Phishing messages usually appear out of the blue. Granted, business marketing missives can also seem pretty sudden. But when an unsolicited email that claims to be from a bank or any other organization pops into your inbox, you should automatically be on high alert for potentially suspicious activity, doubly so if it contains a link or attachment.

2. Links and attachments

As mentioned, one of the classic methods scammers use to achieve their ends is to embed malicious links in, or attach malicious files to, their emails. These might covertly install malware onto your device or, in the case of links, whisk you to a phishing page where you’ll be asked to fill in personal information. Avoid clicking on links, downloading files or opening attachments in messages even if they appear to be from a known, trusted source – unless you have verified with the sender via other channels that the message is authentic.

3. Requests for personal and financial information

What is the end goal for a phishing attack? Sometimes it’s to persuade the recipient to unwittingly install malware on their machine. But in most other cases it’s to trick them into handing over personal information. This is usually sold on dark web marketplaces and then pieced together to commit identity theft and fraud. The result could be a new credit line opened in your name, or a purchase charged to your card details, for example.

4. Pressure tactics

At the heart of phishing is a technique known as social engineering, which is essentially the art of making other people do what you want through persuasion and exploitation of human error. Creating a sense of urgency is a classic social engineering tactic – achieved by telling the victim they only have a limited time in which to respond or else they’ll be fined or miss out on the chance to win something.

5. Something ‘free’

If something looks too good to be true it usually is. Yet that doesn’t stop people falling for non-existent freebies all the time. A classic example of this is generous ‘gifts’ offered to people in return for participating in surveys, in which they have to hand over personal and/or financial information. Needless to say, the victim never receives their iPhone, gift card, money or any other item they were promised.

6. Mismatched sender display and real domain

Phishers will often try to make their email address look like it has come from a legitimate source, when in fact it has not. Most email clients show only a display name by default; hovering over or clicking that name reveals the real address that sent the message. If the two don’t match, if the underlying domain is not the organization’s real one, and/or if it is a long combination of random characters, there’s a good chance it’s a scam.

7. Unfamiliar or generic greetings

Phishing actors try to impersonate individuals from legitimate organizations in a bid to build trust with their victims. But they may not always know the right tone to use when emailing. If you’re used to being called by your first name by a company but then see an email which is more formal, it should ring alarm bells, and vice versa. Also, no legitimate bank or another organization will send you an email from an address that ends in

8. Exploiting current events or emergencies

Another classic social engineering technique is to piggyback on popular news events or emergencies in order to persuade recipients to click through. This is why phishing emails soared during COVID-19 and also why criminals deployed charity scams soon after Russia invaded Ukraine. Always be skeptical of messages that cite current events.

9. Unusual requests

Similarly, look out for emails in which the sender makes unusual requests. It may, for example, be your bank asking to confirm personal and financial details via email or text, which an actual bank will never do. Any email that opens with “Dear customer” or “Dear [email address]” should set your alarm bells ringing.

10. Asking for money

Phishing is about harvesting personal information and/or installing malware. But some scams are even more direct. It goes without saying that you should never agree to hand over money to someone who sends you an unsolicited message, even if it is described as a “fee” to release a delivery, or a cash prize.
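Signs 2 and 6 above (link text that points somewhere else, and a display name that doesn’t match the real sending address) can be checked mechanically from the raw message rather than by eye. The following is an added example, not ESET’s code or part of the original article. It assumes a small, hypothetical brand-to-domain allow list (KNOWN_BRANDS), parses a constructed sample message that uses reserved .invalid and example.com domains, and flags three kinds of mismatch: a display name claiming a known brand from an unrelated domain, a Reply-To domain that differs from the From domain, and a link whose visible text is a URL on a different host than its href.

```python
"""Header and link checks for the 'links' and 'mismatched sender' warning signs.
Added example; assumes the KNOWN_BRANDS allow list and a constructed sample."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: which domain a brand named in a display name
# is expected to send from. A real deployment would load this from config.
KNOWN_BRANDS = {
    "example bank": "example.com",
}

# Constructed sample phishing message (reserved .invalid / example.com domains).
SAMPLE_EML = """\
From: "Example Bank Security Team" <alerts@secure-example.invalid>
Reply-To: recovery@mail-drop.invalid
To: customer@example.org
Subject: Urgent: confirm your details within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer,</p>
<p>Your account will be suspended unless you confirm your details at
<a href="https://login.secure-example.invalid/verify">https://www.example.com/login</a>
within 24 hours.</p>
<p>Questions? <a href="https://www.example.com/help">Contact us</a>.</p>
</body></html>
"""


def domain_of(address):
    """Lowercase domain part of an address, or '' if there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def same_org(domain, expected):
    """True if domain is expected or a subdomain of it."""
    return domain == expected or domain.endswith("." + expected)


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags in HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def link_mismatches(html):
    """Return (text, href) pairs whose visible text is a URL/host name that
    differs from the host the href actually points to."""
    parser = _LinkCollector()
    parser.feed(html)
    out = []
    for text, href in parser.links:
        shown = text if "://" in text else "http://" + text
        shown_host = urlparse(shown).hostname or ""
        real_host = urlparse(href).hostname or ""
        # Only compare when the visible text itself looks like a host name;
        # ordinary anchor text such as "Contact us" is not a mismatch.
        if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", shown_host) and shown_host != real_host:
            out.append((text, href))
    return out


def sender_findings(msg):
    """Flag display-name/address and From/Reply-To mismatches in one message."""
    findings = []
    display, address = parseaddr(msg.get("From", ""))
    from_domain = domain_of(address)
    for brand, expected in KNOWN_BRANDS.items():
        if brand in display.lower() and not same_org(from_domain, expected):
            findings.append(f"display name claims {brand!r} but address is @{from_domain}")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To @{reply_domain} differs from From @{from_domain}")
    return findings


def analyze(raw):
    """Parse a raw RFC 822 message and return a list of human-readable findings."""
    msg = message_from_string(raw)
    findings = sender_findings(msg)
    html = ""
    if not msg.is_multipart():  # this example only inspects single-part HTML bodies
        html = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    for text, href in link_mismatches(html):
        findings.append(f"link text {text!r} points to {href}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EML):
        print("SUSPICIOUS:", finding)
```

Run against the constructed sample, analyze() reports the brand/domain mismatch in the From header, the differing Reply-To domain, and the login link whose text advertises www.example.com but resolves to login.secure-example.invalid; the plain “Contact us” link is left alone. The allow list is the weak spot of this approach: a brand not in KNOWN_BRANDS is never checked, so the human rule in sign 6 (look at the real address, not the name) still applies.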

Grammatical errors may be a thing of the past thanks to tools like ChatGPT. But fortunately, there are many other warning signs to alert us to possible scams. Take your time online, and always think about what motivated an individual to send a particular message.

Go ahead and test your ability to spot phishing emails in the video below. While you’re at it, why not also take ESET’s cybersecurity awareness training?
