January 2023 | Nextworks
During the 1990’s, 2000, and 2010s spamming was the main mechanism to gain access to your computer, your credit card, your identity, or your bank account. Traditional spam involves the bulk sending of same or similar emails to thousands or millions of people. Most spam gets trapped by spam filters. But a fraction passes through the filters. The spammers use brute force through sheer volume and trial and error to channel varying percentages of solicitous email through the filters.
Let’s presume 1 out of 100 spammy emails get through a typical spam filter. (This is a difficult metric to pin down but it’s probably a safe assumption.) If a spammer sends 1 million emails, that’s 10,000 people that at least saw the subject line in their inbox. Then, let us predict that perhaps only 1 out of 100 people click to open the email. The spammer now has 100 people who read their solicitation. If they can convince just one person to buy into their scam or provide personably identifiable information (PII), then that’s a win for the spammer.
Why stop there? They can quickly continue spamming the same email list that they have managed to accumulate again and again.
The spammer does have some investment. They likely purchased email lists on the dark web. It also takes effort to consistently send so many emails with reasonable spam filter penetration. It also requires the shifting of financial mechanisms to capture funds. (Or shuffle web sites and hosts that gather PII, install malicious software, etc.)
However, since 2014, global spam volume as a percentage of email traffic has been steadily declining as noted in a July 2022 report conducted by Statista. (Nevertheless, they report that a full 45% of the world's email in January of 2021 was unsolicited spam. We’re not out of the woods.)
Spam is steadily becoming less effective as filters improve and more significantly, people catch on that that a “Viagra 4Sale at DisCOUnt Price$” email is probably not on the up and up.
The spammers have been seeing lessening returns on their investment.
Just as modern warfare has primarily moved from carpet-bombing to strategic, targeted strikes, so has the cybercriminal. Spam is evolved into phishing and has progressed further into spear phishing. This type of attack entails a campaign targeting a specific person or group and often will include information known to be of interest to the target, such as current events or financial documents.
→ See our article: The Ubiquitous Heist, which explores a common phishing scam.
Phishing is working and “business” is booming. As reported by APWG, "In the third quarter of 2022, APWG observed 1,270,883 total phishing attacks, a new record and the worst quarter for phishing that APWG has ever observed."
At Nextworks we routinely assist our clients with cybersecurity best practices. In Q1 2023 we are introducing new cybersecurity training course and an employee “Phishing Beware!” email test campaign service.
Affective phishing (especially deeper and more thorough spear phishing) requires research, sociological insight, patience, and tenacity. Due to this one-on-one interaction with you and the cybercriminal, it is difficult for them to multitask these attacks at large scale. (But the payoff can be rather substantial.)
However, an AI with natural language processing and human-like responses could conduct an almost unlimited number of simultaneous "one-on-one" phishing conversations. Combining the carpet bomb spam approach with the tactical precision of phishing is a terrifying thought.
Don’t believe it? Sigh up for a free account with OpenAI’s ChatGPT and ask about, well, whatever you have on your mind. If you are a CPA, ask questions about the tax code. If you study exoplanets, ask it about the Stefan-Boltzmann law.
It might be some time before cybercriminals are able to encapsulate AI’s with the sophistication of OpenAI. But consider that today your smart phone has more power than all the Apollo lunar landers combined. New technologies trickle down to everyone.
We’ll let the reader put two and two together from here. What's real and what's not? Scary.
✎ Related Article: Is ChatGPT a cybersecurity threat? [ TechCrunch + ]
Contact Nextworks today for a no cost Security Assessment.
[ Return to News & Commentary home. ]