ChatGPT Can Phish

Ah, the sweet irony of AI. On one hand, it’s the darling of tech innovation, automating tasks, and making our lives easier. On the other hand, it’s a Pandora’s box of cybersecurity nightmares.

IBM’s recent research on ChatGPT’s proficiency in crafting phishing emails is a wake-up call. It’s like handing a Stradivarius to a scam artist and saying, “Play me the world’s saddest song.”

Let’s break down the numbers. IBM’s X-Force team pitted human-written phishing emails against those penned by ChatGPT in an A/B test involving a global healthcare company’s 1,600 employees. The human-crafted email tricked 14% of recipients into clicking a malicious link. ChatGPT? A close second at 11%.

Here’s the kicker: it took IBM’s team 16 hours to craft their email, while ChatGPT churned out its version in just five minutes. Efficiency, thy name is AI.

Stephanie “Snow” Carruthers, IBM’s chief people hacker, said it best: “If this is what it’s at right now, what’s it going to be like in, I was going to say five years, but honestly six months?” It’s a chilling thought.

OpenAI has implemented safeguards to prevent ChatGPT from generating phishing emails, malware, or other cyber tools of mass destruction, but there are plenty of open source AI models that will do a great job writing phishing emails.

According to Carruthers, the human element still has the upper hand in emotional intelligence. She said ChatGPT’s phishing emails felt “cold and robotic,” but don’t get too comfy; AI is improving exponentially, and it’s only a matter of time before it masters the art of digital deception.

To paraphrase Joseph Nye: “Cybersecurity is a lot like oxygen. You don’t think about it until it’s gone.” As AI tools become more sophisticated, so will the tactics of those who wield them for nefarious purposes. It’s a never-ending game of cat and mouse. Right now, the mouse is doing push-ups, taking steroids, and reading Sun Tzu’s “The Art of War.”

Author’s note: This is not a sponsored post. I am the author of this article and it expresses my own opinions. I am not, nor is my company, receiving compensation for it. This work was created with the assistance of various AI models, including but not limited to: GPT-4, Bard, Claude, Midjourney, Stable Diffusion, and others.

About Shelly Palmer

Shelly Palmer is the Professor of Advanced Media in Residence at Syracuse University’s S.I. Newhouse School of Public Communications and CEO of The Palmer Group, a consulting practice that helps Fortune 500 companies with technology, media and marketing. Named LinkedIn’s “Top Voice in Technology,” he covers tech and business for Good Day New York, is a regular commentator on CNN and writes a popular daily business blog. He's a bestselling author, and the creator of the popular, free online course, Generative AI for Execs. Follow @shellypalmer or visit



PreviousCan Reddit Survive Without Search? NextNYC’s AI Action Plan: The Future of Artificial Intelligence in New York

Get Briefed Every Day!

Subscribe to my daily newsletter featuring current events and the top stories in technology, media, and marketing.