Please fill in the form below to subscribe to our blog

ChatGPT & GPT-3 Power Up Cyberattacks

March 09, 2023

Evolving Technology Makes Phishing & Other Cyberattacks Easier

Automation and artificial intelligence (AI) has been beneficial to many organizations in many sectors including cybersecurity. Unfortunately, those benefits extend to cybercrime too. Bad actors have been flocking to technology like ChatGPT and GPT-3 to conduct attacks. The use of these technologies helps cybercriminals overcome barriers that keep their attacks from landing as well as making the whole process smoother and cheaper for them, especially when they’re conducting phishing operations. The text created in applications like GPT-3 is far superior to the copy used in your average phishing message, making it exceedingly difficult for end users and many email security solutions to detect. Diving into what ChatGPT and GPT-3 can do and how they can be used in cybercrime can help IT professionals stay vigilant against the new threats that they power. 

Get tips & advice to help you build a smart incident response plan in our guide. GET YOUR GUIDE>>

What are Chat GPT and GPT-3? 

The similarity in names between ChatGPT and GPT-3 can be confusing. ChatGPT and GTP-3 aren’t the same thing even though they do share some characteristics.

ChatGPT is a chatbot that uses AI. ChatGPT was developed by OpenAI and launched in late 2022. It is built on top of OpenAI’s GPT-3 family of large language models. ChatGPT makes use of both supervised and reinforcement learning techniques to convincingly converse with people about a variety of subjects. 

Generative Pre-trained Transformer 3 (GPT-3) is an autoregressive language model that uses deep learning to produce human-like text like emails or ad copy. For example, if you want ChatGPT to deliver a blog post, you’d give Chat GPT a prompt that explained the theme of the blog post first. ChatGPT would then utilize that prompt to generate the blog post.  

See how security awareness training stops the biggest security threats! GET INFOGRAPHIC>>

ChatGPT & GPT-3 are dangerously good at what they do

ChatGPT and GPT-3 create astonishingly believable text. In fact, Canadian writer and software developer Ben Halpern asked Chat GPT to explain the difference between the two technologies to him, and this is exactly what it said:  

GPT-3, or Generative Pretrained Transformer 3, is the third generation of OpenAI’s GPT language model, and it is one of the most powerful language models currently available. It can be fine-tuned for a wide range of natural language processing tasks, including language translation, text summarization, and question answering. 

ChatGPT, on the other hand, is a variant of the GPT-3 model specifically designed for chatbot applications. It has been trained on a large dataset of conversational text, so it is able to generate responses that are more appropriate for use in a chatbot context. ChatGPT is also capable of inserting appropriate context-specific responses in conversations, making it more effective at maintaining a coherent conversation. 

If you’re dubious about just how good this technology is and how dangerous it can be, read this blog post that was entirely generated using GPT-3.

Learn how a new integration between BullPhish ID & Graphus saves time & money. SEE THE DETAILS>>

How can this technology be used to facilitate cybercrime? 

Bad actors have been quick to embrace the opportunity offered to them by these new technologies to improve their cyberattacks. Tools like ChatGPT and GPT-3 that specialize in creating believable text are especially helpful to cybercriminals conducting phishing operations and other email-based cyberattacks. After all, a poorly written email is a hallmark sign of phishing. For cybercriminals who aren’t fluent in colloquial English, this technology is a godsend. If the messages that bad actors send to targets are well-written, the chance of one of those messages landing successfully goes up. This type of technology helps them overcome the language barrier and slip by the target’s scrutiny much more effectively. 

GPT-3 can be used to conduct many dangerous cyberattacks including: 

  • Phishing and spear phishing 
  • Business email compromise (BEC) 
  • Ransomware and malware infections 
  • Account takeover (ATO) 
  • Conversation hijacking 
  • CEO fraud 
  • Social media phishing attacks 

Get 10 tips to help you build a strong security culture & reduce your risk of cybersecurity trouble! GET INFOGRAPHIC>>

Cybercrime operations are getting a power-up

If you take a look at some of the malicious messages that bad actors have used in recent months, it’s easy to see that GPT-3 is a level-up for them. Researchers have been taking notice of how useful GPT-3 is to the bad guys, including nation-state threat actors. Nation-state cybercriminals have been taking advantage of this technology too by using it to impersonate multiple people in an email thread to add credibility.  

Bad actors also benefit from using ChatGPT and GPT-3 to overcome other barriers. For cybercriminals without coding knowledge, ChatGPT can be used to create code that helps them steal data. The technology can also be used to generate fake news and deep fakes that can be used to facilitate fraud. This provides them with a wealth of possibilities like generating fake reviews for fraudulent products or services or creating a highly believable set of emails and landing pages that trick users into downloading malware.   

Can you spot a phishing message? This infographic points out red flags to watch for to sniff them out! DOWNLOAD IT>>

ChatGPT is a dangerous upgrade for BEC & other attacks

One of the most dangerous uses for this technology in cybercrime is its use in business email compromise and CEO fraud attacks. BEC is the cyberattack that currently poses the biggest threat to businesses in terms of damage and cost. The Register provided this example of a prompt for a CEO fraud phishing email made using GPT-3: 

Write an email to [person1] in the finance operations department at [company1] from the company’s CEO, [person2]. The email should explain that [person2] is visiting a potential Fortune 500 client in [region1] and that [person2] requires an urgent financial transfer to be made to an account belonging to the potential client in order to close the deal. The email should include the sum of money [sum1] that should be transferred and details of the bank account that should receive the payment – [account_number] and [routing_number]. The email should also include some basic information about the recipient company [company2], which is a financial services company located in [place1]. [person1] is not easily fooled and will require some convincing. 

Of course, threat actors are also capitalizing on the interest people have in ChatGPT by launching phishing websites, social media pages, and fake apps impersonating ChatGPT to spread malware and steal credit card information. For example, cybercriminals have created websites claiming to be the official ChatGPT website that appear to be the real deal. They even include a button for potential customers to try ChatGPT. but the button is a malicious link that leads victims to download malware including Lumma Stealer Aurora Stealer and other malware strains. Recent research suggests that over 4% of employees in global organizations have been entering sensitive corporate information into large language models (LLM), like ChatGPT, which can lead to data leaks and increased third-party risks.

Go inside BEC scams & get tips to keep businesses safe from today’s most expensive cyberattack. DOWNLOAD EBOOK>>

Should business leaders be worried about GPT-3 and ChatGPT?

It’s wise for business leaders and IT professionals to be concerned about ChatGPt and GPT-3’s applications to cybercrime and other evolving cyberattack techniques, and many are. A recent survey by Magnet Forensics found that 42% of corporate digital forensics & incident response (DFIR) professionals are concerned that evolving cyberattack techniques pose a major problem for their investigations. In this year’s survey, concern about evolving cyberattack techniques increased by 50% and ranked ahead of all other factors.  

There are a few mitigation techniques that experts point to as useful to reduce an organization’s risk of trouble from ChatGPT and GPT-3 boosted attacks.  

  • Security awareness training, especially training using sophisticated phishing messages that can mimic the highly believable messages that those tools can create. 
  • Email security solutions that can adjudicate the content of messages effectively using machine learning to power AI, because those tools can train themselves to detect GPT-3-generated text. 
  • A vibrant security culture that encourages employees to ask questions and become knowledgeable about security threats helps everyone stay on top of potential threats like malicious messages generated using ChatGPT and GPT-3 

a white woman smiling at a desk with data readouts behind her in a Managed SOC

Kaseya’s Security Suite makes keeping businesses out of cybersecurity trouble easy & affordable. SEE HOW>>

Kaseya’s Security Suite helps defend organizations against new and evolving threats 

Kaseya’s security suite arms IT professionals with the tools and intelligence that they need to mitigate risks and quickly fix problems before they become disasters.  

Security awareness and compliance training plus phishing simulation         

BullPhish ID is the ideal security and compliance awareness training solution for companies of any size.  This powerhouse is the channel leader in phishing simulations.   

  • An extensive library of security and compliance training videos in eight languages       
  • Plug-and-play or customizable phishing training campaign kits       
  • New videos arrive 4x per month and new phishing kits are added regularly          

Dark web monitoring           

Dark Web ID offers best-in-class dark web intelligence, reducing credential compromise risk.          

  • 24/7/365 monitoring using real-time, machine and analyst-validated data            
  • Fast alerts of compromises of business and personal credentials, including domains, IP addresses and email addresses          
  • Live dark web searches find compromised credentials in seconds       
  • Create clear and visually engaging risk reports          

Automated, AI-powered antiphishing email security      

Graphus AI-enabled, automated email security that catches 99.9% of sophisticated phishing threats and offers amazing benefits.       

  • Forget old-fashioned safe sender lists. Graphus analyzes the content of messages using more than 50 points of comparison to suss out fakes fast         
  • Cloud-native security harnesses machine learning to inform AI using a patented algorithm.        
  • 3 layers of powerful protection at half the cost of competing solutions        
  • Don’t waste time on fussy configurations or adding threat reports. AI does that for you, getting everything up and running with just a few clicks and minimal maintenance    

Managed SOC  

Get the top Managed SOC that leverages our Threat Monitoring Platform to give you access to an elite team of security veterans hunt, triage and work with your team when actionable threats are discovered  

  • Detect malicious and suspicious activity across three critical attack vectors: Endpoint, Network & Cloud  
  • Patent-pending cloud-based technology eliminates the need for on-prem hardware  
  • Discover adversaries that evade traditional cyber defenses such as Firewalls and AV 

dark web threats

Read case studies of MSPs and businesses that have conquered challenges using Kaseya’s Security Suite. SEE CASE STUDIES>>

let us help secure you against passwords reuse with contact information and the ID Agent logo on grey.

Our Partners typically realize ROI in 30 days or less. Contact us today to learn why 3,850 MSPs in 30+ countries choose to Partner with ID Agent!


Check out an on-demand video demo of BullPhish ID or Dark Web ID WATCH NOW>>

See Graphus in action in an on-demand video demo WATCH NOW>>

Book your demo of Dark Web ID, BullPhish ID, RocketCyber or Graphus now!