Phishing emails look more genuine than ever with the help of Artificial Intelligence (AI), and we’re here to update our recommendations on how to spot them – both at work and home.
Large Language Models (LLMs) are a type of ‘generative AI’ that uses deep learning techniques and massive data sets to understand, summarise, generate and predict new content. This means scammers can phish at a greater volume and with more sophistication than ever before.
According to SlashNext, a California-based cybersecurity company, there has already been a 1,265% increase in phishing emails since AI LLMs (e.g., ChatGPT and Bard) launched for broad use last November. There have been, on average, 31,000 threats per day this year alone!
Nearly 70% of all phishing emails target employees by posing as someone they know and trust (such as a manager or senior executive), to access confidential information. They’ll usually look for corporate data such as access to a business’ intranet, extranet, or corporate information, like bank account details.
They are particularly interested in medical records within healthcare settings, so we must remain alert at Monash Health.
In the past, the telltale signs that a message was a phishing scam were that it used a generic greeting, the formatting would be unusual, or the language was full of spelling mistakes and grammar errors. These are often paired with an urgent request purporting to be from senior leadership at a company, usually from a person whose requests are often complied with without scrutiny.
But with AI technology, fraudsters can target specific employees more precisely, scale their attacks, and send messages that appear legitimate and relevant to you.
So, what can you do?
- Activate Multi-Factor Authentication (MFA) on all the platforms you use on your work computer. MFA involves entering a code sent to your phone or generated from an application, such as Google or Microsoft Authenticator, to add another level of security.
- Always double-check unfamiliar sender addresses and unexpected links, because the “verify your bank account” scam emails are about to get a lot more convincing.
- Avoid scanning a QR code in an email before verifying with the sender.
- Never enter your credentials into third-party sites unless you’re entirely sure it’s the correct site by checking the web address or calling the business.
- Don’t download suspicious attachments.
- Always pay attention to whether the email is from an internal or external sender.
- Complete your mandatory cybersecurity training on LATTE to learn more about phishing.
- If unsure, please let us know by logging a request on Central via the Intranet.
MFA remains one of the most effective ways to protect against unauthorised access. Further MFA information can be found on the M365 Knowledge Hub:
With increased awareness and by taking these recommended steps, we can all keep ourselves, our patients and Monash Health safe from phishing attacks.
Approved by Associate Professor Michael Franco, Interim Executive Director, Digital Health