Dr Ruth Shillair* and Bill Dutton

For years, cyber security experts have taught the public how to reduce the risks of phishing attacks, such as by looking for poor English grammar, misspellings, the lack of high-quality logos, strange URLs, or calls seeking immediate action (e.g., click here immediately). Good advice pre-AI, but the use of artificial intelligence by bad actors could very quickly undermine many of our accepted practices.

With the new AI tools, for example, phishing emails can more easily adhere to proper grammatic constructions in any language, and more specific personal details about you than an authentic email message. The public can no longer use the simplified mental models of cybercriminals being foreigners or people with a poor education or weak writing skills. The days of the Nigerian fraud scams are ancient history.

Many cyber threat actors can use the same tools as fortune 500 companies to compose their emails. Therefore, identifying fraudulent emails, like a phishing attack, by looking for signs in their “voice” or content will be far more difficult.

With AI, it will also be increasingly risky to blindly trust even live video calls. Deepfake tools are easily accessible by almost anyone. A bad actor can use small samples of video or audio and construct convincing videos that might ask for money or another harmful action. What can you do? It may sound like a spy novel, but family members and key members of companies might need to prearrange (in person) a secret word or phrase to prove it is them. Recipients of a threat video/ audio should also immediately try other ways to verify any message that calls for transferring funds, accessing key information, or other critical action.

You are not left without some good practices. For example, if you get an email that asks you to update your account information, you should be in the habit of not clicking any links. Instead, you should go directly to the company webpage and log in as they normally ask customers to do. In addition, one of the best ways to help protect yourself from bad actors online is still to make sure you use strong and unique passwords for different accounts and use multi-factor authentication. And, of course, don’t share current trips or travel plans on social media as that provides detailed information that can be used to deceive you, such as by personalising an email approach. 

AI tools can be extremely helpful.  Many people enjoy using AI models to chat with as they respond positively and don’t judge. One of the first experiments with AI in the 1970s was Joseph Weizenbaum’s (1976: 188-201) ELIZA, which could be programmed to parody a nondirective psychotherapist in an initial psychiatric interview. People loved to talk to ELIZA, even though they knew ‘she’ had no knowledge of them or their context. Today’s AI could be even more engaging, such as being programmed to agree with users and engage them longer to provide sources of revenue for the company (either through monthly fees or advertising revenue). However, so called Chatbots are not reliable sources for emotional support or guidance and are unlikely to protect the user from self-defeating behaviours. People need to seek professional help – not a machine – for dealing with depression or loneliness.

Similarly, businesses and their employees need to use AI tools judiciously. Depending on the terms and conditions of the contract that they are using, uploaded data may be shared with the larger language models and incorporated outside their own corporate domain. In such ways, important confidential data could be compromised or seen by business adversaries.

There is a growing concern that individuals are using AI tools in various aspects of their workflow that are not approved by their corporation. For example, popular AI tools are available to organize your calendar and to summarize emails or memos. Using AI might well mean that the AI tool will gain full access to email accounts, calendars, and meeting times. It is not scaremongering to say that such data could easily be used to compromise a business if it falls in the wrong hands.

AI tools can also summarize meetings or create detailed transcripts of meetings that may include personal or other sensitive information that would harm their personal relationships or the productivity of their business. One of the authors of this blog has been constantly followed by an AI tool that wants to listen to his meetings – creating work for him to do before each meeting in making sure this tool is blocked.

Welcome to the world of AI safety. In most cases for most people, AI would enhance their productivity and not be a problem. But in a significant number of cases, some people, some of the time, will be targets of bad actors. As they say on the underground, enjoy the ride but “Mind the Gap”.

Reference

Weizenbaum, J. (1976), Computer Power and Human Reason. San Francisco, CA: W. H. Freeman and Co.

*This post arose from a conversation between Bill and Ruth Shillair, Assistant Professor and Director of the Media + Information Master’s Program in the Department of Media and Information in MSU’s College of Communication Arts and Sciences.