Lateral Phishing With Large Language Models: A Large Organization Comparative Study

📄 arXiv: 2401.09727v2 📥 PDF

作者: Mazal Bethany, Athanasios Galiopoulos, Emet Bethany, Mohammad Bahrami Karkevandi, Nicole Beebe, Nishant Vishwamitra, Peyman Najafirad

分类: cs.CR, cs.CL

发布日期: 2024-01-18 (更新: 2025-04-15)

备注: Accepted for publication in IEEE Access. This version includes revisions following peer review

期刊: IEEE Access, 13, 60684-60701

DOI: 10.1109/ACCESS.2025.3555500


💡 一句话要点

比较LLM生成与人工撰写的网络钓鱼邮件的有效性

🎯 匹配领域: 支柱九:具身大模型 (Embodied Foundation Models)

关键词: 大型语言模型 网络钓鱼 教育机构 网络安全 钓鱼邮件 人类撰写 有效性比较

📋 核心要点

  1. 现有文献未能充分比较LLM生成与人工撰写的网络钓鱼邮件在真实环境中的有效性,尤其是在大型组织中。
  2. 本研究通过在一所大型大学内进行实验,比较了LLM生成的网络钓鱼邮件与人工撰写邮件的效果,填补了这一研究空白。
  3. 实验结果显示,LLM生成的邮件与专业人士撰写的邮件在有效性上没有显著差异,强调了LLMs在网络钓鱼攻击中的潜在威胁。

📝 摘要(中文)

随着大型语言模型(LLMs)的出现,网络钓鱼邮件的威胁加剧,因为它们能够生成高度针对性、个性化和自动化的攻击。传统的网络钓鱼邮件通常存在拼写错误和语言不当等问题,而LLMs可以有效减少这些错误,从而降低攻击者的门槛。尽管如此,目前缺乏大规模研究来比较LLM生成的网络钓鱼邮件与人工撰写邮件的有效性。为填补这一空白,我们在一所大型大学内进行了开创性研究,针对约9000名员工进行实验。结果表明,LLM生成的网络钓鱼邮件与专业人士撰写的邮件同样有效,突显了LLMs在网络钓鱼攻击中的严重威胁。该研究为教育机构的网络安全威胁提供了深入理解,并强调了增强用户教育和系统防御的必要性。

🔬 方法详解

问题定义:本研究旨在解决LLM生成的网络钓鱼邮件与人工撰写邮件在有效性上的比较问题。现有方法未能充分探讨LLM在生成钓鱼内容时的优势,尤其是在大型组织环境中。

核心思路:本研究通过在一所大型大学内进行大规模实验,比较LLM生成的钓鱼邮件与人类撰写邮件的有效性,旨在揭示LLM在网络钓鱼攻击中的潜在威胁。

技术框架:研究设计包括对9000名员工进行钓鱼邮件实验,邮件内容分别由LLM和人类撰写。通过问卷调查收集定性数据,分析员工的脆弱性及其背后的动机。

关键创新:本研究的创新之处在于首次在大规模组织环境中比较LLM生成与人工撰写的网络钓鱼邮件的有效性,揭示了LLM在生成更具说服力和无错误内容方面的能力。

关键设计:实验中使用了详细的问卷调查,分析员工对钓鱼邮件的反应和行为动机,结合定量和定性数据,提供了全面的研究视角。

🖼️ 关键图片

fig_0
fig_1
fig_2

📊 实验亮点

实验结果显示,LLM生成的网络钓鱼邮件与专业人士撰写的邮件在有效性上无显著差异,强调了LLM在网络钓鱼攻击中的严重威胁。研究还揭示了不同部门和职位之间的脆弱性差异,为未来的防御策略提供了重要依据。

🎯 应用场景

该研究的潜在应用领域包括教育机构、企业安全培训和网络安全防御策略的制定。通过深入理解LLM生成钓鱼邮件的有效性,组织可以更好地设计用户教育和防御系统,以应对日益增长的AI驱动的网络钓鱼攻击。未来,这一研究可能推动相关领域的进一步探索和技术发展。

📄 摘要(原文)

The emergence of Large Language Models (LLMs) has heightened the threat of phishing emails by enabling the generation of highly targeted, personalized, and automated attacks. Traditionally, many phishing emails have been characterized by typos, errors, and poor language. These errors can be mitigated by LLMs, potentially lowering the barrier for attackers. Despite this, there is a lack of large-scale studies comparing the effectiveness of LLM-generated lateral phishing emails to those crafted by humans. Current literature does not adequately address the comparative effectiveness of LLM and human-generated lateral phishing emails in a real-world, large-scale organizational setting, especially considering the potential for LLMs to generate more convincing and error-free phishing content. To address this gap, we conducted a pioneering study within a large university, targeting its workforce of approximately 9,000 individuals including faculty, staff, administrators, and student workers. Our results indicate that LLM-generated lateral phishing emails are as effective as those written by communications professionals, emphasizing the critical threat posed by LLMs in leading phishing campaigns. We break down the results of the overall phishing experiment, comparing vulnerability between departments and job roles. Furthermore, to gather qualitative data, we administered a detailed questionnaire, revealing insights into the reasons and motivations behind vulnerable employee's actions. This study contributes to the understanding of cyber security threats in educational institutions and provides a comprehensive comparison of LLM and human-generated phishing emails' effectiveness, considering the potential for LLMs to generate more convincing content. The findings highlight the need for enhanced user education and system defenses to mitigate the growing threat of AI-powered phishing attacks.