AI programs built on large language models make it possible to generate phishing emails automatically from a few data points about a target. They stand in contrast to traditional phishing emails, which attackers design manually using general rules gleaned from experience. The V-Triad is an advanced set of rules for manually designing phishing emails that exploit our cognitive heuristics and biases. In this study, we compare the performance of phishing emails created automatically by GPT-4 with emails created manually using the V-Triad. We also combine GPT-4 with the V-Triad to assess their joint potential. A fourth group, exposed to generic phishing emails, served as the control group. We used a factorial design, sending emails to 112 randomly selected participants recruited for the study. The control-group emails received a click-through rate of 19% to 28%, the GPT-4-generated emails 30% to 44%, the V-Triad emails 69% to 79%, and the emails generated by GPT-4 together with the V-Triad 43% to 81%. Each participant was asked to explain why they did or did not click the link in the email. These answers often contradict one another, highlighting the need for personalized content: the cues that make one person avoid a phishing email make another person fall for it. Next, we used four popular large language models (GPT, Claude, PaLM, and LLaMA) to detect the intent of phishing emails and compared the results with human detection. The language models demonstrated a strong ability to detect malicious intent, even in non-obvious phishing emails. They sometimes surpassed human detection, though they were often slightly less accurate than humans. Finally, we analyze the economic aspects of AI-enabled phishing attacks, showing how large language models can increase the incentives for phishing and spear phishing by reducing their cost.