Business Email Compromise Gets Smart with WormGPT: How Businesses Must Prepare

WormGPT, a new, AI-powered tool for pretexting attacks, is attracting subscribers among the cyber criminal community, according to reporting from ZDNet. The capabilities of this tool, which uses technology similar to large language models like ChatGPT, are grounds for significant concern for all business owners.

Researchers from SlashNext were able to access the tool and examine its capabilities. They found the following:

  • WormGPT can create flawless, persuasive emails indistinguishable from a human conversation.
  • Built-in translation capabilities allow WormGPT users to communicate fluently and flawlessly in languages they cannot speak. The exact languages that WormGPT can process have not yet been reported.
  • The software can write its own malware, though the extent of these capabilities was not tested.

The WormGPT Threat to Businesses

By creating flawless, persuasive, customized emails and texts, WormGPT has the potential to overcome the most obvious fingerprints of a fraudulent Business Email Compromise (BEC) or phishing attack: bad grammar, odd sentence structure and generic requests. Even novice criminals could use this tool to trick employees who have extensive cyber security and fraud prevention training.

This does not render cyber security employee training useless. Training programs that teach employees to recognize unusual requests or unusual language from customers will still stop most attacks, and programs that emphasize awareness will have some success in thwarting AI-powered attacks with impeccable grammar and urgent requests. The rise of programs like WormGPT does mean that businesses cannot rely solely on language as a way to detect fraudulent emails. To meet this challenge, businesses need to look at technical solutions and their everyday practices.

Effective Techniques to Mitigate WormGPT Threats to Business

The most dangerous WormGPT attacks will attempt to steal goods, money or credentials. Pretexting attacks claiming to come from senior company leaders, clients or IT staff will present the greatest challenge, particularly if criminals have gained access to the actual email accounts of these individuals.

Businesses should take the following steps to prevent sophisticated pretexting attacks of all types:

  1. Automatically blacklist all emails. Most email programs can be set to warn users of an email coming from a new or unknown address while allowing emails from known contacts to pass through. This function should be enabled to catch criminals who attempt to spoof email addresses by changing a letter to a number, adding or moving a letter, or changing a domain name. For example, if you work at industries.com and have the CEO’s email in your contacts, fraudulent emails from industries.net, industr1es.com or indutsries.com will be flagged. The same technology can be used to identify attempts to spoof client emails.
  2. Establish strict protocols for delivery changes. Businesses are well within their rights to demand faxed approval of any changes to delivery locations, dates or volumes, or to ask for 48 hours’ notice to implement such changes. Similar rules should apply if clients attempt to place orders on credit or ask for significant increases in deliveries.
  3. Require phone verification for order or delivery changes. You can either mandate that clients call when they need a significant change in their order volume or a new delivery destination, or send an email telling clients, “Call your account manager to confirm this change.” Do not include details on who to call, and if you receive an email asking for that information, do not reply. This will dissuade the majority of criminals attempting BEC fraud. If the stolen goods are valuable enough, criminals may actually reach out by phone.
  4. Set a unique passcode with each client. This works with phone verification to stop fraud. Each individual client should have their own unique passcode that they provide when they need to change order details. In the event that a criminal calls to try and complete a fraudulent switch, they will not know the passcode, and the order will not be changed. Use random strings of letters and numbers in these passcodes, and convey them only via telephone to clients, never by email or text, which can be intercepted by criminals.
  5. Call the client to verify the change. A significant increase in order size or a change in delivery location are red flags for fraud. Employees should be required to call the client on record for the account and personally verify any order changes.
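
The lookalike-address check from step 1, sketched in Python as an added example (not code from this article or from any email product): it classifies a From header against a contact list, using the article's industries.com spoofs as test cases. The `KNOWN_DOMAINS` list, the function names and the one-edit threshold are assumptions.

```python
from email.utils import parseaddr

# Constructed sample address book; in practice this comes from your contacts.
KNOWN_DOMAINS = {"industries.com", "client-corp.com"}

# Collapse digits (and "l") that are swapped for look-alike letters.
CONFUSABLE = str.maketrans("0135l", "oiesi")


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def classify_sender(from_header: str, known=KNOWN_DOMAINS) -> str:
    """Return 'known', 'unknown' or 'lookalike:<reason>:<imitated domain>'."""
    address = parseaddr(from_header)[1]
    domain = address.rpartition("@")[2].lower().rstrip(".")
    if domain in known:
        return "known"
    name = domain.rpartition(".")[0]
    for good in sorted(known):
        good_name = good.rpartition(".")[0]
        if name == good_name:
            return f"lookalike:tld-swap:{good}"  # e.g. industries.net
        if name.translate(CONFUSABLE) == good_name.translate(CONFUSABLE):
            return f"lookalike:confusable-character:{good}"  # e.g. industr1es.com
        if osa_distance(name, good_name) <= 1:
            return f"lookalike:edit-distance:{good}"  # e.g. indutsries.com
    return "unknown"  # new sender: warn, but not an imitation of a contact
```

A `lookalike` result deserves a stronger warning than `unknown`. Neither catches mail sent from a genuinely compromised account, which is why the verification steps above still apply.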

These steps serve two purposes. First, they will defeat the majority of attempts to steal goods via BEC attacks. Second, they will provide ample evidence to your insurance company that you have policies and practices in place to deter fraud. Banks and insurance companies have been pushing back on claims for reimbursement involving pretexting attacks and BEC fraud on the grounds that employees allowed these attacks to happen. A demonstrated level of internal vigilance and security may help your cause if you need to take a claim to court.

The other necessary defense against WormGPT and other forms of business fraud is employee training. Criminals count on hurried, helpful employees who are motivated to provide service and clear bottlenecks. Employees who learn to recognize the red flags of fraud can still do their jobs efficiently and keep customers happy while protecting your business. To learn more about employee training that generates real change in the workplace, contact us online or call us at 1-800-658-8311.

Protect Now Clears First Step for Online Cyber Security Employee Training CE Accreditation

Online cyber security employee training courses from Protect Now have been certified by the International Distance Education Certification Center (IDECC). This certification represents a critical step toward offering continuing education (CE) credits for licensed real estate professionals who take Protect Now’s Cyber Social Identity (CSI) Protection Certification courses online.

IDECC is an internationally recognized standards and certification body for online and distance education. More than 40 U.S. and Canadian jurisdictions require or endorse IDECC certification as a prerequisite for state and provincial CE accreditation.

“This is both a validation of the quality of our online training courses and an important step toward getting licensed professionals the cyber security training that they need,” said Robert Siciliano, co-founder and head of training for Protect Now.  “Our in-depth employee training enables licensed professionals to protect themselves, their clients and their businesses. As we gain CE eligibility, it becomes a professional benefit as well.”

In-person training and live virtual training seminars from Protect Now are already CE-eligible in 18 states, including Florida, New York and Texas, with the company adding additional accreditations on a regular basis as it works to provide a CE-eligible program throughout the United States. Protect Now’s eLearning classes cover the same material as their in-person sessions, using a series of self-directed videos that allow students to learn at their own pace. In addition to convenience, the eLearning provides an affordable option for individuals and small businesses.

Once a student enrolls, they have lifetime access to the video library and its updates for future reference. Protect Now regularly reviews and updates its course content in response to shifting trends in cyber crime, while teaching students to recognize and apply the value they place on personal data protection in business settings.

“A few years ago, training focused on dangerous links sent in emails and texts, as well as phishing attacks,” Siciliano explained. “Now our students face far more sophisticated attacks involving fake websites and criminals who will call on the phone and directly engage to try and steal credentials or money. We constantly monitor the threats aimed at small and midsized businesses to ensure that we provide our students the skills they need to avoid cyber crime.”

With IDECC certification in hand, Protect Now is on its way to state-level CE accreditation for its online cyber security employee training in all 50 states. Announcements of eligibility will be made in the coming months.

About Protect Now

Led by noted cyber security speaker and expert Robert Siciliano, Protect Now provides in-person, virtual and online cyber security employee training that changes attitudes toward cyber security by making it personal. The company’s in-person CSI Protection Certification is CE eligible for real estate professionals in more than 18 states, with CE eligibility pending for its eLearning modules. To learn more or try a free online employee training class, visit protectnowllc.com.

Cyber Security Newsletter Hits 10,000 Subscriber Milestone

The cyber security newsletter from Protect Now Partner and Head of Training Robert Siciliano hit a milestone of 10,000 subscribers on LinkedIn on July 17, 2023. Subscriptions for the newsletter grew exponentially as the 10,000-reader threshold neared.

In addition to LinkedIn, the CSI Cyber Security Newsletter is available via email subscription, with past issues posted to the Protect Now Blog. Each issue highlights current cyber security news of interest to small- and mid-sized-business owners, including evolving threats, regulatory updates and practical advice to avoid cyber criminals, presented in language that non-technical web users can understand.

“Tremendous thanks to everyone who has subscribed, but also everyone who has ever shared or forwarded the newsletter,” Siciliano said. “I created the CSI newsletter to fill a void that I saw in security coverage. The response over the last few months has surpassed my expectations.”

A Practical Cyber Security Newsletter for Businesses

The “void” Siciliano cites is a reliable, knowledgeable source of practical information business owners and employees can use to understand and respond to evolving cyber threats. With new cyber threats and new social-engineering techniques emerging constantly, individuals need to understand how to keep their data and systems safe.

“Finding information on cyber crime is not a problem,” Siciliano noted. “Finding relevant information with practical advice is far harder than it should be. There is a real effort in every issue to identify the most relevant threats, so that readers get a curated view of what is happening now, or what may be right on the horizon.”

Siciliano puts himself in the shoes of his clients when choosing topics and ways to present them. “The average employee is not worried about a zero-day exploit in file transfer software, but they care a lot about the growing trend of pretexting attacks, where a criminal will call and pretend to be a client or coworker to steal money or information,” he said.

The newsletter also serves as an evolving, value-added supplement for those who complete Protect Now CSI Cyber Security Employee Training. As Siciliano explains, new cyber attacks are often easily foiled using the same methods that thwart older hacking and phishing techniques. “You have to be skeptical and you have to be vigilant. We all get a feeling when something seems off. If you can learn to recognize that and apply it to online interactions, you can stop the majority of these attacks, no matter how the criminal tries to make contact. All cyber crime breaks down into two categories: A criminal breaking into systems, which is a software issue, or a criminal convincing an employee to do something, which is a people issue.”

The CSI cyber security newsletter is published monthly. LinkedIn users can subscribe via Siciliano’s LinkedIn page, or sign up to receive the email newsletter using the Subscribe for Email Updates section below.

ChatGPT Conversations Stolen: What You Should Do Now to Protect Yourself

Stolen ChatGPT conversations have been found on the Dark Web, according to Singapore-based cybersecurity firm Group-IB. The theft and publication of ChatGPT conversations reveals a danger about the software that many users may not know.

According to Group-IB’s data, nearly 27,000 ChatGPT conversations were offered for sale on the Dark Web in May 2023. The majority of these data were stolen from India and Pakistan using malware during the past year. The United States had the sixth-largest number of stolen conversations, at 2,995, just ahead of France, which led Europe with 2,923 conversations.

What Makes ChatGPT Conversations Vulnerable?

Conversations with ChatGPT take place using a browser or through a remote connection to a ChatGPT server in the overwhelming majority of cases. If you have a local installation of ChatGPT that you access directly via a LAN, with no connection to the Internet, you are at a much lower risk for data theft, but such installations remain rare.

Hackers can steal ChatGPT conversations as they happen in one of three ways:

  1. Using malware programs such as Raccoon, which exfiltrate data from an infected device.
  2. Using eavesdropping software that captures communications as they move back and forth between a user’s device and a ChatGPT server.
  3. Hacking a ChatGPT account and directly downloading past conversations.

The third method of attack is the one that may surprise many ChatGPT users. By default, ChatGPT saves your prompts and the logs of your conversations. If hackers can gain access to your account, they may be able to download complete transcripts of your past conversations. This could include sensitive business data, software code or personal information that could be used to compromise your identity or your business.

The current global distribution of ChatGPT theft may not appear to be a threat to North American users, but this is a mental trap. Hackers may be targeting particular industries or businesses overseas, but the techniques and methods they learn spread almost instantly across the globe. More ChatGPT theft will happen, and more U.S. businesses will be targeted. The only good news is that you have time to prepare.

How to Prevent ChatGPT Conversation Theft

There are a few steps ChatGPT users should take immediately to prevent data loss.

  1. Scan your devices for malware. This should be a common, regular practice at home and at work. Keyloggers and malware can creep onto your devices even if you practice great cyber security habits. Regular scans offer confirmation that your devices are clean.
  2. Disable your ChatGPT history. To do this, access the Settings in your account and turn off Chat History & Training. This forces ChatGPT to dump any conversations that are more than 30 days old. Be sure to save any conversations you want to keep outside of the ChatGPT interface, using Microsoft Word, Notepad or another program that resides on your hard drive.
  3. Clear your old conversations. To do this, click on your profile picture, then click on Clear Conversations. This will give you the option to remove all of your archived ChatGPT conversations.
  4. Beware of what you share. Even with these steps, ChatGPT will store conversations for 30 days. It is best to avoid using ChatGPT to compose documents with sensitive business information that could be valuable to rivals, or to completely write code that powers proprietary software, as these could easily be stolen in the event of a breach. Do not give personal details to ChatGPT, such as your address, phone, email, login credentials or bank and credit card numbers. Hackers will mine ChatGPT logs for this information.
  5. Protect your ChatGPT account as fiercely as your bank account. Never share any login information for your ChatGPT account with anyone under any circumstances. If possible, use two-factor authentication or a password manager to log in to your ChatGPT account. In cases where a single account is shared across an organization, every individual user should have their own login with two-factor authentication or a password manager for additional security.

The explosive growth of ChatGPT and its brand-new capabilities provide fertile ground for criminals. The majority of ChatGPT users probably have not considered conversation log theft as a cyber security risk, but it can be, depending on how you use this AI tool. As criminals probe new ways to harvest data from AI systems, remember that basic cyber security employee training, such as our CSI Protection Certification, will prepare employees to use new online tools with a much lower degree of risk.