Business Email Compromise Gets Smart with WormGPT: How Businesses Must Prepare

WormGPT, a new, AI-powered tool for pretexting attacks, is attracting subscribers among the cyber criminal community, according to reporting from ZD.net. The capabilities of this tool, which uses similar technology to large learning models like ChatGPT, are grounds for significant concern for all business owners.

Researchers from SlashNext were able to access the tool and examine its capabilities. They found the following:

• WormGPT can create flawless, persuasive emails indistinguishable from a human conversation.
• Built-in translation capabilities allow WormGPT users to communicate fluently and flawlessly in languages they cannot speak. The exact languages that WormGPT can process have not yet been reported.
• The software can write its own malware, though the extent of these capabilities were not tested.

The WormGPT Threat to Businesses

By creating flawless, persuasive, customized emails and texts, WormGPT has the potential to overcome the most obvious fingerprints of a fraudulent Business Email Compromise (BEC) or phishing attack: bad grammar, odd sentence structure and generic requests. Even novice criminals could use this tool to trick employees who have extensive cyber security and fraud prevention training.

Training programs that teach employees to recognize unusual requests or unusual language from customers will still stop most attacks, and programs that emphasize awareness will have some success in thwarting AI-powered attacks with impeccable grammar and urgent requests. The rise of programs like WormGPT does mean that businesses cannot solely rely on language as a way to detect fraudulent emails. To meet this challenge, businesses need to look at technical solutions and their everyday practices.

Effective Techniques to Mitigate WormGPT Threats to Business

The most dangerous WormGPT attacks will attempt to steal goods, money or credentials. Pretexting attacks claiming to come from senior company leaders, clients or IT staff will present the greatest challenge, particularly if criminals have gained access to the actual email accounts of these individuals.

Businesses should take the following steps to prevent sophisticated pretexting attacks of all types:

1. Automatically blacklist all emails. Most email programs can be set to warn users of an email coming from a new or unknown address while allowing emails from known contacts to pass through. This function should be enabled to catch criminals who attempt to spoof email addresses by changing a letter to a number, adding or moving a letter, or changing a domain name. For example, if you work at industries.com and have the CEO’s email in your contacts, fraudulent emails from industries.net, industr1es.com or indutsries.com will be flagged. The same technology can be used to identify attempts to spoof client emails.
2. Establish strict protocols for delivery changes. Businesses are well within their rights to demand faxed approval of any changes to delivery locations, dates or volumes, or to ask for 48 hours’ notice to implement such changes. Similar rules should apply if clients attempt to place orders on credit or ask for significant increases in deliveries.
3. Require phone verification for order or delivery changes. You can either mandate that clients call when they need a significant change in their order volume or a new delivery destination, or send an email telling clients, “Call your account manager to confirm this change.” Do not include details on who to call, and if you receive an email asking for that information, do not reply. This will dissuade the majority of criminals attempting BEC fraud. If the stolen goods are valuable enough, criminals may actually reach out by phone.
4. Set a unique passcode with each client. This works with phone verification to stop fraud. Each individual client should have their own unique passcode that they provide when they need to change order details. In the event that a criminal calls to try and complete a fraudulent switch, they will not know the passcode, and the order will not be changed. Use random strings of letters and numbers in these passcodes, and convey them only via telephone to clients, never by email or text, which can be intercepted by criminals.
5. Call the client to verify the change. A significant increase in order size or a change in delivery location are red flags for fraud. Employees should be required to call the client on record for the account and personally verify any order changes.

These steps serve two purposes. First, they will defeat the majority of attempts to steal goods via BEC attacks. Second, they will provide ample evidence to your insurance company that you have policies and practices in place to deter fraud. Banks and insurance companies have been pushing back on claims for reimbursement involving pretexting attacks and BEC fraud on the grounds that employees allowed these attacks to happen. A demonstrated level of internal vigilance and security may help your cause if you need to take a claim to court.

The other necessary defense against WormGPT and other forms of business fraud is employee training. Criminals count on hurried, helpful employees who are motivated to provide service and clear bottlenecks. Employees who learn to recognize the red flags of fraud can still do their jobs efficiently and keep customers happy while protecting your business.