How to Do Phishing Email Analysis by ChatGPT AI
Explore how ChatGPT's AI can help you prevent phishing attempts. Read our blog and learn how ChatGPT helps you detect phishing attacks. Equip yourself with smart, AI-backed tips for a safer online experience.
2024-02-27
What is phishing email?
Phishing emails pose a significant threat to every email user! They often appear legitimate while attempting to steal sensitive passwords and credit card details. Phishing emails can be even more dangerous when they try to install malware to take control of your device. Unlike typical spam emails, which are mostly harmless and just annoying advertisements, phishing emails can be incredibly dangerous.
The integration of AI models like ChatGPT into phishing email analysis introduces several cybersecurity risks, leading to financial losses, operational disruptions, and reputational damage.
In 2023, Australians reported losses exceeding $337,000 due to AI-enhanced phishing scams that impersonated legitimate booking platforms, tricking users into providing financial information.
The emergence of AI-generated phishing emails has led to a 1,265% increase in malicious phishing emails and a 967% rise in credential phishing from late 2022 to late 2023, significantly disrupting organizational operations.
In 2024, a Hong Kong-based employee at Arup was deceived by AI-generated deepfake technology mimicking his boss, resulting in a $38 million cyber scam and substantial reputational harm to the company.
These incidents underscore the critical need for robust cybersecurity measures to counter the sophisticated threats posed by AI-generated phishing attacks.
You might feel worried about a large bill. You might quickly open an attachment without checking if it's real. But phishing attacks might trick you.
Phishing emails can target anyone, regardless of age, education, or computer skills. It's a threat that affects everyone equally. Analyzing phishing emails matters, and understanding the steps and methods used in phishing email analysis is essential. Phishing email analysis reports and statistics are also worth reviewing.
Regular spam is annoying, but phishing emails are the real threat. Stay alert and learn how to analyze phishing emails to reduce their risks.
Can ChatGPT detect phishing links?
Research shows that ChatGPT assists researchers in analyzing phishing emails to detect phishing links, headers, and malicious files.
How does AI detect phishing in emails?
Artificial intelligence (AI) and machine learning have become smart tools for spotting phishing emails.
Here's how AI technology can do this:
- Analyzing Language and Emotions: AI looks at the words and feelings in emails. It checks if the email sounds urgent or scary, which is often how phishing emails try to trick people.
- Phishing Header Analysis: AI-based tools like ChatGPT analyze the email header. This includes looking at the sender's IP address, the email server, and the 'from' email address. If these details look strange or don't match, it could mean the email is not from who it says it is.
- Understanding Multiple Languages: AI is clever enough to understand different languages. This means it can spot phishing emails written in any language.
- Comparing with Real Phishing Examples: AI uses a big collection of real phishing emails as a guide. It compares new emails with this collection to see if they look similar.
By using these steps, AI can help tell if an email might be trying to trick someone. This helps keep our inboxes safer from phishing attempts.
Phishing email analysis by ChatGPT AI examples
To test it, I found a real phishing website on openphish.com. I asked ChatGPT to help me detect phishing links. Here is the result:
ChatGPT detected the phishing link. Of course, more complex tasks need more prompt engineering.
Based on the structure of the URL you provided, several red flags suggest it could be a phishing attempt:
- Unusual Subdomains: The URL contains multiple subdomains ("proxy.bppv.net.proxy.bppv.net"), which is not typical for legitimate LinkedIn URLs. Legitimate LinkedIn URLs would usually have a simple format like "https://www.linkedin.com."
- Mismatched Main Domain: In a legitimate URL for LinkedIn, "linkedin.com" should be the main domain. However, in the URL you provided, the main domain appears to be "bppv.net," with "linkedin.com" being used as a subdomain, a common phishing technique to mimic a trusted site.
- Use of 'Proxy' in the URL: The word "proxy" in the URL can signify a website trying to disguise itself as another site. Proxies are sometimes used for legitimate purposes, but they can also be used in phishing to hide the true nature of a website.
- Repetition in the URL: The repeated segment "proxy.bppv.net" is unusual and not characteristic of standard URL formatting, indicating a potential attempt to confuse or mislead users.
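The four red flags listed above can also be checked deterministically, without a language model. The following is an added example, not code from the original post or from ChatGPT; the brand table, the label list, the label threshold and the sample URL (constructed from the fragments quoted above) are assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit

# Assumptions for this example: the brand to protect and an illustrative
# list of labels that deserve a second look in a hostname.
BRANDS = {"linkedin": "linkedin.com"}
SUSPICIOUS_LABELS = {"proxy", "login", "secure", "verify"}
MAX_LABELS = 4

# Constructed to match the structure described above; the page does not
# show the full URL that was submitted.
SAMPLE_URL = "https://www.linkedin.com.proxy.bppv.net.proxy.bppv.net/login"

def registrable_domain(host):
    # Simplification: take the last two labels. Production code should use
    # the Public Suffix List so suffixes such as co.uk are handled correctly.
    return ".".join(host.split(".")[-2:])

def url_red_flags(url):
    """Return {flag_name: detail} for the hostname of `url`."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    main = registrable_domain(host)
    flags = {}
    # Mismatched main domain: brand label present, but someone else owns the host.
    for brand, real in BRANDS.items():
        if brand in labels and main != real:
            flags["brand_as_subdomain"] = f"'{brand}' appears under {main}"
    # Unusual subdomains: far more labels than a normal site needs.
    if len(labels) > MAX_LABELS:
        flags["many_labels"] = f"{len(labels)} labels"
    # Words such as 'proxy' used as a hostname label.
    hits = sorted(SUSPICIOUS_LABELS.intersection(labels))
    if hits:
        flags["suspicious_label"] = ", ".join(hits)
    # Repetition: the same label occurs more than once.
    repeated = sorted(l for l, n in Counter(labels).items() if n > 1)
    if repeated:
        flags["repeated_labels"] = ", ".join(repeated)
    return flags

if __name__ == "__main__":
    for name, detail in url_red_flags(SAMPLE_URL).items():
        print(f"{name}: {detail}")
```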
Example 1 - Amazon Phishing Email Body Analysis
I asked ChatGPT to analyze the phishing email body. I used the below prompt:
“I received an email that looks suspicious. Here's the content: 'Hello Dear, We thought you'd be interested in knowing that your Hisense ULED 4K Premium item has been dispatched. Your order is on its way and if you need to return this item from this shipment or manage additional orders, please go to Your Orders on Amazan and follow the instructions there.
The expected delivery date for your order is 02.11.2022. If you did not place this order please contact us by clicking the support button below.'
Can you analyze if this is a phishing attempt?”
ChatGPT responded with the text below, highlighting the red flags in the phishing email body:
"The email you received exhibits several characteristics commonly associated with phishing attempts.
Here's a breakdown of the potential red flags:
- Unsolicited Update: If you did not order a Hisense ULED 4K Premium item, receiving an email about its dispatch is suspicious.
- Misspelled Brand Name: The email mentions "Amazan" instead of "Amazon." Phishing emails often have spelling errors or use slightly altered names of well-known companies to avoid detection.
- Urgent Call to Action: The instruction to contact support if you did not place the order, combined with a clickable link, is a common tactic in phishing emails. The urgency is intended to prompt a quick, less cautious response.
- Outdated Delivery Date: The delivery date mentioned (02.11.2022) is in the past. This could be a mistake, but it's also possible that the email is a recycled phishing template.
- Lack of Personalization: The email starts with a generic greeting ("Hello Dear") instead of addressing you by name, which is unusual for legitimate communications from large companies like Amazon.
- Request to Click on a Link: The email asks you to click on a support button. Phishing emails often contain links that lead to fake websites that steal your personal information."
Example 2 - Apple Phishing Email Analysis
I asked ChatGPT to analyze a .eml file by attaching it to the prompt input. I used the below prompt.
"I received an email with an attachment, and I'm concerned it might be malicious. I've attached the email file here for analysis. Can you check for any signs that this might be a phishing or malware attempt?"
ChatGPT responded with the text below, analyzing the email header and body and highlighting the red flags:
"I will now examine the content of the email to assess whether it shows signs of being a phishing attempt or containing malware. Let's proceed with the analysis.
Based on the content of the email, there are several indications that it might be a phishing attempt:
- Sender's Email Address: The email originates from noreply@securemygateway.com, which does not match the expected domain for official communications from Apple (@apple.com). This is a common tactic in phishing emails where the sender's address is made to look legitimate at a glance but is actually from a different domain.
- Urgent and Unprompted Security Alert: The subject and content suggest that your Apple ID has been locked due to suspicious activity. Phishing emails often create a sense of urgency to prompt a quick response.
- Request for Immediate Action: The email instructs you to verify your identity by calling a number and entering a provided passcode. Phishing attempts frequently ask for personal information or direct action.
- Lack of Personalization: The email does not address you by your name, which is unusual for official communications from companies like Apple.
- Suspicious Links or Attachments: If there are any links or attachments in the email (which cannot be verified through this analysis), they could potentially lead to malicious websites or contain malware.
- Threat of Account Suspension: The email warns that failing to verify your identity within a specific timeframe will lead to account suspension. This tactic is used to pressure recipients into acting without due diligence.
Given these signs, it's highly advisable to treat this email with caution:
- Do Not Call the Number or Use the Passcode: Avoid using any personal information or following instructions from the email.
- Directly Contact Apple: If you're concerned about your account, contact Apple through their official website or customer support channels.
- Report the Phishing Attempt: You can report this email to Apple and your email provider to help them combat such fraudulent activities."
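The sender-domain mismatch called out in the response above is the kind of header check that can be automated on a saved .eml file. This is an added example, not code from the original post or from ChatGPT; the brand table is an assumption, and in the sample message only the From address comes from the analysis above while every other header is constructed.

```python
import email
import re
from email.utils import parseaddr

# Assumption for this example: brand keyword -> domain its mail should come from.
BRAND_DOMAINS = {"apple": "apple.com"}

# Constructed sample. Only the From address is taken from the analysis above;
# every other header is made up for illustration.
SAMPLE_EML = (
    'From: "Apple Support" <noreply@securemygateway.com>\n'
    "Reply-To: helpdesk@mailer.example.net\n"
    "To: user@example.com\n"
    "Subject: Your Apple ID has been locked\n"
    "Authentication-Results: mx.example.com; spf=fail "
    "smtp.mailfrom=securemygateway.com; dkim=none; dmarc=fail\n"
    "\n"
    "Call the number below and enter your passcode.\n"
)

def domain_of(header_value):
    """Return the lower-cased domain of the first address in a header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def under(domain, parent):
    """True if `domain` is `parent` or one of its subdomains."""
    return domain == parent or domain.endswith("." + parent)

def header_red_flags(raw_eml):
    msg = email.message_from_string(raw_eml)
    display_name = parseaddr(msg.get("From", ""))[0].lower()
    from_dom = domain_of(msg.get("From"))
    flags = []
    # Display name claims a brand, but the address is on another domain.
    for brand, real in BRAND_DOMAINS.items():
        if brand in display_name and not under(from_dom, real):
            flags.append(f"brand_mismatch:{brand}:{from_dom}")
    # Replies would go somewhere other than the visible sender.
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        flags.append(f"reply_to_mismatch:{reply_dom}")
    # Only trust Authentication-Results added by your own receiving server.
    for value in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value.lower()):
            if result != "pass":
                flags.append(f"{mech}={result}")
    return flags

if __name__ == "__main__":
    print("\n".join(header_red_flags(SAMPLE_EML)))
```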
To really understand phishing emails, it helps to watch one being analyzed. Check our YouTube video below to see how to analyze a Steam phishing email.
Can AI predict cyber attacks?
AI's capability to predict cyberattacks, particularly through phishing email analysis, is a key asset in cybersecurity. Training AI with specific data relevant to your business makes it adept at identifying potential threats. This tailored approach is crucial for detecting sophisticated phishing schemes, such as those targeting specific industries.
Key Aspects of AI in Phishing Email Analysis:
- Targeted Training: AI learns to recognize patterns unique to your business, enhancing its ability to spot anomalies like fake domains mimicking yours or sector-specific phishing attacks. For example, if your company’s website is mycompany.com and a hacker creates a domain like mycompany-login.com, AI detects this anomaly.
- Analyzing Email Content: AI scrutinizes emails for suspicious elements, analyzing sender information, language, and attachments. This process is integral to identifying potential phishing emails.
- Continuous Learning: As AI processes more data, its predictions and identifications of phishing attempts become more accurate, adapting to new tactics used by cyber attackers.
AI's role in email phishing analysis is important. By understanding and implementing AI in phishing email analysis steps and reports, organizations can significantly improve their defense mechanisms against cyber threats.
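The mycompany-login.com case above does not need a trained model to catch; a small rule-based classifier already covers it, along with one-letter misspellings such as the "Amazan" seen earlier. This is an added example, not Keepnet's or ChatGPT's code; the category names and the edit-distance threshold of 2 are assumptions, and amazan.com is a constructed test value.

```python
import re

def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def classify_domain(candidate, own_domain, max_typos=2):
    """Classify `candidate` relative to the organisation's `own_domain`.

    Returns "own", "contains-brand", "typosquat" or "unrelated".
    """
    cand = candidate.lower().rstrip(".")
    own = own_domain.lower().rstrip(".")
    if cand == own or cand.endswith("." + own):
        return "own"
    brand = own.split(".")[0]
    # Simplification: the label before the TLD is the registered name.
    # Production code should use the Public Suffix List instead.
    labels = cand.split(".")
    name = labels[-2] if len(labels) >= 2 else labels[0]
    # Brand used as a whole token (mycompany-login) or embedded in the name.
    if brand in re.split(r"[-_]", name) or brand in name:
        return "contains-brand"
    # A few edits away from the brand, e.g. one swapped letter.
    if 0 < edit_distance(name, brand) <= max_typos:
        return "typosquat"
    return "unrelated"

if __name__ == "__main__":
    for dom, own in [("mycompany-login.com", "mycompany.com"),
                     ("amazan.com", "amazon.com"),
                     ("mail.mycompany.com", "mycompany.com")]:
        print(dom, "->", classify_domain(dom, own))
```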
Can ChatGPT write phishing emails?
Yes, it definitely can! Attackers have even gone beyond it and created WormGPT to write phishing emails.
Of course, it has some ethical considerations and limitations. Attackers can use ChatGPT to create convincing phishing emails and landing pages with proper grammar, making them more professional. With ChatGPT, hackers can create phishing emails in multiple languages for global attacks, not just in English.
Here are two phishing email and landing page creation prompts for ChatGPT.
I asked ChatGPT to make a fake email template in HTML so I could use it for phishing tests. I can copy and paste the code into tools like GoPhish, Keepnet Labs Phishing Simulator, or KnowBe4 for simulations.
Here is a ChatGPT phishing email creation prompt:
"Hey, dear ChatGPT,
Please draft a formal HTML email from the IT Security Team, directed to the C-level executives of our company. The email should announce the implementation of a new Multi-Factor Authentication (MFA) system. It is crucial to convey a sense of urgency in the message, emphasizing that the executives must enable MFA within two days. After this period, access to their email accounts will be restricted if MFA is not activated. Include a hyperlink in the email for more detailed information about the MFA system."
The email will look like this once you copy and paste HTML code into your favorite HTML editor (I used Keepnet Labs’ Phishing Simulator).
It looks so amazing, doesn’t it? Add a subject, from name and email address, to complete the MFA phishing template!
Let’s have one more example - ask ChatGPT to design a QR phishing template
"Hello, could you kindly compose a formal HTML email for the HR Team addressed to all employees of our company? The email's purpose is to announce an upcoming New Year party event. It should request employees to register for the event by scanning a QR code provided in the email and creating a QR code. Also, please incorporate appropriate emojis within the email to convey the HR Team's enthusiasm and excitement about organizing this festive celebration for the company."
Here is the QR phishing template ChatGPT created for my phishing simulation campaign. It is perfectly fine for my needs, wow!
When I upload the HTML code to any HTML editor or to Keepnet Labs’ Quishing Simulator Email Template editor, the result looks like the screenshot below:
Keepnet’s Phishing Analysis Tool
Keepnet's phishing analysis tool is designed to identify and prevent phishing emails. The tool is integrated with third-party advanced analysis solutions like VirusTotal, IBM X-Force, FortiSandbox, Google Safe Browsing, Google Web Risk, and 20+ other analysis engines to examine suspicious emails carefully and protect you from phishing threats.
With Keepnet, you can easily determine whether an email is harmful in two minutes, start an investigation on the user’s email account to find malicious phishing emails, and remove them in seconds before many of your employees fall for them.
Please watch the following YouTube video for a detailed understanding of how Keepnet performs its analysis.
Editor's Note: This blog was updated on December 3, 2024.