SafeHome.org may receive compensation from some providers listed on this page. Learn More
We may receive compensation from some providers listed on this page. Learn More
ChatGPT, OpenAI’s crowd-pleasing large language model (LLM) bot, is many things. It (he, she, they?) can write a story, compile a grocery list for a vegetarian dinner for eight,1 or answer pretty much any question you ask it. The answers aren’t always right — they’re actually frequently wrong, or sort of right, or just weird. But passing an hour talking to the world’s smartest bot is usually pretty fun.
Until it isn’t. My fun bot chat became a sheer drop into terror this morning when I asked ChatGPT how it might compose a flawless PayPal phishing email for a scammer. You have to phrase these things hypothetically because after a few months of fielding shady requests from all the creeps of webdom, ChatGPT is wary of unwittingly abetting them.
After a little preliminary chitchat where ChatGPT “strongly discouraged” me from phishing, it shot out a pretty good letter in about five seconds. Here it is.
Just so that we’re on the same page, a phishing attack is when a lowlife sends a fake email “fishing” for your personal information or trying to get you to click on a bad link. They could be after anything — your Social Security number, driver’s license number, or email password. If they’ve planted a link in an email or SMS and you click on it, you’ve entered their playground. Your device, and possibly your identity, is now theirs.
And apparently ChatGPT is pretty good at composing phishing emails. You’ll notice in the email above that it’s mastered all the familiar tropes: the urgency, the consequences of not complying, the fake link, etc. It’s even included the amateur phisher’s most common tell: “Dear valued customer.” (A real company you have an account with knows your name.)
The only difference? Unlike so many of the poor-man’s phishing emails sent by illiterate, international criminals, this one is in perfect English.
Which means we should be worried, right? Any sleazeball with a laptop and an internet connection can swipe a huge list of email addresses off the dark web and then, with a little help from ChatGPT, send their pitch-perfect emails to thousands of unsuspecting citizens, many of whom are kids.
Actually, that’s the very least of our worries.
Practically the second email was invented, criminals started probing its potential for fraud. For years, the “Nigerian prince” email was the reigning internet scam. We’ve all gotten one of those emails. Royalty from an exotic place in Africa has fallen on hard times and needs assistance transferring their vast wealth to a bank in the U.S. (or wherever you happen to be). For our troubles, the prince will reward us with a small fortune.
The Nigerian prince scam is so ludicrous that most of us assume the scammers are unsophisticated rubes who don’t realize how foolish and obvious their scheme sounds. But there’s an actual science to it that is anything but dumb.
Like today’s romance scams, the “Nigerian prince” scam is a “long con” where criminals might take months to gain access to a bank account. They can’t afford to get halfway in and then lose their victim. So the email is a litmus test designed to weed out 99 percent of mankind. This type of scam nets a lot fewer victims than a clever phishing email, but when the scammers sink their hooks into a mark, their jackpot is almost assured. In fact, even today the average “Nigerian prince” scammer nets about $700,000 per year.2
Cybersecurity specialists call this type of protracted con “pig butchering” because the perpetrators aren’t out for a quick hit. They’re out to bleed their victims’ bank accounts dry over time.
And now for the scary part.
Pig butchering is precisely what today’s cybercriminals are starting to use LLMs like ChatGPT for — on a scale and with a ferocity we’re totally unprepared for.
Pig butchering is already “bleeding” Americans of billions every year. Most of that crime involves investment fraud, including cryptocurrency fraud. Scam investments exploded by 183 percent from 2021 to 2022, topping the Justice Department’s fraud list, with nearly $3.5 billion in stolen funds.3
So the situation is already bad. But keep in mind that these scams still work according to the old-fashioned model. A rando contacts you out of the blue — very possibly using information they’ve scraped from your online profiles — and offers some investment advice. Like the original Nigerian prince scam, the conversation is awkward and the English isn’t perfect.
But that’s all about to change, because soon that rando offering you cryptocurrency advice is going to know a lot more about you than the lowlife at the internet café. His English is going to be native, modeled on the whole of the internet, and there are going to be tens of thousands, if not millions, of “him” conversing with unsuspecting users at any time of the day or night — even by video chat. That’s because “he” is an LLM bot like ChatGPT.
How bad is all this? Well, it’s definitely not good. It means any wannabe criminal with a computer powerful enough for an LLM could theoretically be running hundreds of simultaneous scams in the background for months. The bot scammers would speak flawlessly, just like humans, and they’d never sleep. They might even impersonate your friends. It would be a literal fraud farm with electricity the only overhead.
However, the barrier here would be a pretty steep one. It’s not like you can google “LLM” and download one. At least you couldn’t until last month, when Facebook’s LLM, LLaMa, got leaked on 4chan.
But as unquestionably dire as this seems, I wouldn’t load up your car and set out for rural Oregon just yet. On the other hand, if you’ve been brushing off your digital security expert friend’s cybersecurity recommendations for years, now it’s time to start listening.
Maybe this goes without saying: If you don’t take investment advice from your brother-in-law, then don’t take it from a complete stranger on Instagram either. The situation is already bad, and it’s going to get exponentially worse.
Scammers are still going to be using the old-fashioned model of sending batch emails and SMS, hoping to snag one victim in a thousand. Only now their English is going to be identical to the bona fide messages you receive every day from the businesses you subscribe to. The fraudsters may even know your name. But there’s always one tell: The senders’ email addresses and phone numbers are never going to be real. So look at those first. If PayPal is contacting you from a hotmail address, it isn’t PayPal.
I just received an email from an old friend who wanted to show me where he was working now. The email had a link. I didn’t click on it. I googled the company and clicked on that link, found him on the “team” page, and that was that. As weird as it sounds, you can’t trust anything or anyone online these days — even an email that seems to be coming from a long-lost friend. So research first, click later.
2FA means you have to prove your identity twice before you can access your account, once via email (which anyone can have) and once via your phone (which only you should have). After you’ve enabled 2FA — usually in your account security settings — whenever you try to log in, you’ll get an SMS with a one-time password. You can also set 2FA to work with an authenticator app like Google Authenticator. I can’t recommend it enough.
Ever had your credit card swiped? I did last week. And it was nerve-racking. Thanks to my bank’s quick work, the thief didn’t get away with anything. Where did it happen? My best guess is that the sleazeball bought my credentials on the dark web after I made an online purchase at an unsecure store. I guess I didn’t have my VPN running at the time, which shows you much a quality VPN is worth in the real world.
This goes hand in hand with No. 5. Setting up bank notifications means that if a fraudster does steal your credit card details and tries to use your card, you’ll get a beep on your phone. If you’re on the treadmill sweating to Lady Gaga and your phone tells you you’ve just bought a new laptop at the Apple Store, you’ll know something’s not right.
Identity theft is a huge business in its own right, with over a million cases reported yearly.4 Unlike guarding our bank details, protecting our identity involves more moving parts than most of us can keep track of — and you don’t need to. A quality identity theft protection service will monitor all your personally identifiable information (PII) for you, 24/7.
Everyone at one time or another makes a bad click. If you have some form of malware protection on your devices, the software will catch it and stop the virus before it can spread. You can sometimes find malware protection bundled into identity theft protection plans. Aura Identity Theft Protection and LifeLock by Norton are two brands worth checking out.
Phishing was always a risk, but it was more like an annoying pest where you’d get a few spam notifications a day and your only hassle was blocking the senders and sighing: “Do these creeps really think I’m that stupid?”
Those days are over. The ham-handed cons we deal with daily are going to look a lot more real. In a moment of distraction, more of us are going to click, or engage in a conversation with a bot based in Irkutsk, Hangzhou, or São Paulo. Some of us are going to lose money. Some of us are going to lose a lot of money.
The only ray of hope I see here is that we have more than adequate digital safety tools to keep us and our families safe. VPNs, identity theft protection, and constantly improving in-app security measures like 2FA will keep a lot of crime off our devices and out of our lives. But the most critical security asset we own is our wits, which even the world’s most sophisticated bot is still no match for.
The New York Times. (2023, Feb 16). Bing (Yes, Bing) Just Made Search Interesting Again.
CNBC. (2023, Apr 18). ‘Nigerian prince’ email scams still rake in over $700,000 a year—here’s how to protect yourself.
United States Attorney's Office. (2023, Apr 3). Justice Dept. Seizes Over $112M in Funds Linked to Cryptocurrency Investment Schemes, With Over Half Seized in Los Angeles Case.
Federal Trade Commission. (2023, February 23). New FTC Data Show Consumers Reported Losing Nearly $8.8 Billion to Scams in 2022.