Högskolan i Skövde

Artificial Intelligence (AI) is ever increasingly becoming more and more widespread, and is available, for the most part freely to anyone. While AI can be used for both good and bad, the potential for misuse exists. This study focuses on the intersection of AI and cybersecurity, with a focus on AI-generated phishing emails. In this study a mixed-method approach was applied and, an experiment, interviews, and a survey were conducted. Experiments and interviews were conducted with 9 participants with various backgrounds, but novices in phishing. In the experiment, phishing emails were created in three distinct ways: Human-Crafted, Internet-aided, and AI-generated. Emails were evaluated during semi-structured interviews, and each participant reviewed six emails in total, where two of these, were real phishing emails. The results from the interviews indicate that AI-generated phishing emails are as persuasive as those created in the Human-Crafted task. On the contrary, in the survey, participants ranked the AI-generated phishing email as the most persuasive, followed by Human-Crafted. The survey was answered by 100 participants. Familiarity plays a crucial part in both persuasiveness and also willingness to go along with the requests in the phishing emails, this was highlighted during interviews and the survey. Urgency was seen as very negative by both the respondents and interviewees. The results from the study highlight the potential for misuse, specifically with the creation of AI-generated phishing emails, research into protection measures should not be overlooked. Adversaries have the potential to use AI, as it is right now, to their advantage.