Social Engineering with AI

The new availability of powerful Artificial Intelligence (AI) as an everyday copilot has instigated a new wave of attack techniques, especially in the area of Social Engineering (SE). The possibility of generating a multitude of different templates within seconds in order to carry out an SE-attack lowers the entry barrier for potential threat actors. Still, the question remains whether this can be done using openly available tools without specialized expert skill sets on the attacker side, and how these compare to each other. This paper conducts three experiments based on a blueprint from a real-world CFO fraud attack, which utilized two of the most used social engineering attacks, phishing and vishing, and investigates the success rate of these SE attacks based on utilizing different available LLMs. The third experiment centers around the training of an AI-powered chatbot to act as a social engineer and gather sensitive information from interacting users. As this work focuses on the offensive side of SE, all conducted experiments return promising results, proving not only the ability and effectiveness of AI technology to act unethically, but also the little to no implied restrictions. Based on a reflection on the findings and potential countermeasures available, this research provides a deeper understanding of the development and deployment of AI-enhanced SE attacks, further highlighting potential dangers, as well as mitigation methods against this “upgraded” type of threat.