Study reveals AI’s high success rate in personalized phishing attacks

A new study has found that AI can successfully create and execute highly effective phishing email campaigns, achieving click-through rates of over 50%. The research, conducted by Simon Lermen and Fred Heiding, tested various AI models’ abilities to gather personal information and craft targeted phishing messages.

The study compared four different approaches to phishing emails: traditional random phishing, human expert-created messages, fully AI-automated emails, and AI emails with human oversight. Both AI-generated methods matched human experts’ success rates at 54-56%, significantly outperforming conventional phishing attempts, which achieved only 12% success.

The researchers used advanced language models, including GPT-4o and Claude 3.5 Sonnet, to automatically collect publicly available information about targets. This automated intelligence gathering proved highly accurate, with 88% of profiles containing useful and correct information about potential victims.

The economic analysis revealed that AI-powered phishing is substantially more cost-effective than traditional methods, potentially reducing attack costs by up to 50 times. The automated process required only 2:41 minutes per target, compared to 34 minutes for manual methods.

The study also evaluated AI systems’ ability to detect phishing attempts. Claude 3.5 Sonnet demonstrated a 97.25% success rate in identifying malicious emails without false positives, though researchers noted that current AI safety measures failed to prevent the creation of phishing content.

These findings raise significant concerns about cybersecurity, as AI-generated unique emails could bypass traditional spam filters that rely on identifying known malicious patterns. The researchers recommend developing AI-powered defensive measures to counter these sophisticated threats.
