The new face of cyber threats
The CSA reports that AI has also enabled bad actors to scale their operations.
The agency and its partners analyzed phishing email samples seen in 2023 and found that about 13% contained AI-generated content.
The emails had “good grammar and good sentence structure,” according to the CSA.
AI-generated or AI-assisted phishing emails also feature “better flow and reasoning, aimed at reducing gaps in logic and increasing legitimacy.”
He added that AI can adapt to any tone of voice, allowing bad actors to exploit a wide range of emotions in victims.
The technique is also being used to scrape social media profiles and websites for personally identifiable information that can be exploited by malicious actors, allowing them to increase the speed and scale of their attacks.
The CSA warned that legitimate research into how generative AI can be misused could also unintentionally allow bad actors to benefit.
According to the agency, these actors may replicate and operationalize research findings to incorporate into cyber attacks.
“The use of generative AI adds a new dimension to cyber threats,” said Cybersecurity Commissioner and CSA CEO David Koh.
“As AI becomes more accessible and sophisticated, threat actors will become better able to exploit it.”
The CSA said individuals and organisations need to learn how to detect and respond to malicious uses of Gen AI.
The company says users can tell if the content they're watching is a deepfake by using tools to evaluate the message, analyze audiovisual elements and authenticate the content.
Phishing scams to decline in 2023
The CSA report said Singapore saw a 52% year-on-year decline in phishing attacks in 2023. The decline bucks a global trend of sharp increases.
However, the total number of phishing attacks in 2023 increased by approximately 30 percent over 2021.
The CSA warned that phishing attacks remain a major threat to organisations and individuals, particularly as threat actors become increasingly sophisticated in their cyber attacks.
The agency has observed that cybercriminals are making their attempts seem more legitimate and authentic.
For example, more than one-third of phishing attacks reported in 2023 used the more trustworthy domain “.com” instead of “.xyz,” an increase of nearly 20 percent from 2022.
More than half of reported phishing URLs also used the more secure “HTTPS protocol,” a significant increase from 9% in 2022, the CSA said.
The most spoofed industries in 2023 were banking and financial services, government, and technology.
63% of organizations impersonated in phishing scams were in the banking and financial services sector.
“This industry often poses as banks, trusted organisations that hold large amounts of sensitive and valuable information, including personal details and login credentials,” the CSA said.
