13% of scams analyzed by CSA likely AI-generated

The Cyber Security Agency of Singapore (CSA) has revealed a startling new trend: approximately 13% of phishing scams analyzed in 2023 were likely generated by artificial intelligence (AI). This marks the first time the agency has disclosed figures on AI's role in phishing scams, signaling a significant shift in the landscape of cyber threats.

Phishing scams, which deceive victims into revealing sensitive information like passwords or banking details, have become increasingly sophisticated. The CSA's annual Singapore Cyber Landscape 2023 report, published on July 30, noted a 52% drop in reported phishing cases, down to 4,100 incidents. Despite this decline, the quality and convincing nature of these scams have notably improved, thanks to AI.

David Koh, CSA's chief executive, stated, "For the first time in five years, the total amount lost to scams had declined." This reduction is attributed to new anti-scam measures implemented by major banks, such as anti-malware systems that block banking apps when suspicious applications are detected on the same device. These measures have been crucial in combating the surge in malware scams, which caused over $34 million in losses in 2023.

However, the CSA warns that the reported cases are likely just the "tip of the iceberg," with many phishing attempts going unreported. The number of cases reported to CSA is still about 30% higher than in 2021, indicating that while the overall attempts fell, the threat remains significant.

The CSA collaborated with partners to analyze the content of phishing emails from 2023 using AI-content detection tools. They found that at least five out of 40 real-life samples flagged to CSA's Singapore Cyber Emergency Response Team showed signs of AI-generated content. These emails exhibited near-perfect language and a better flow of logic, making them more convincing to potential victims.

"Generative-AI chatbots like ChatGPT, whose use exploded globally in 2023, have likely fueled the production of phishing emails at scale," the CSA reported. This development, coupled with the rising threat of deepfake voice messaging that uses AI to mimic real people's voices, makes scams increasingly convincing.

Visually, phishing scams are also becoming more sophisticated. Fraudsters can now mimic the appearance of genuine emails more closely, such as those from the Inland Revenue Authority of Singapore. Additionally, scammers are increasingly using ".com" links in scam websites, which helps make them look more legitimate.

To counter these evolving threats, the CSA is exploring how AI can enhance Singapore's cyber defense. By programming AI to detect abnormal behavioral patterns and process large volumes of intelligence, analysts can spot scams more effectively. The agency also urges organizations to review their cybersecurity policies and conduct simulated phishing exercises for employees to better prepare them against such threats.

While the overall number of phishing scams has decreased, the role of AI in generating more convincing and sophisticated phishing attempts is a growing concern. The CSA's findings underscore the need for continuous vigilance and the adoption of advanced technologies to stay ahead of cybercriminals.