
A Large-Scale Study of Personalized Phishing using Large Language Models

Stefan Czybik
Anne Josiane Kouam
Peter Heubl
Jan Magnus Nold
Konrad Rieck

January 14, 2026

Large Language Models (LLMs) can generate fluent and persuasive text, making them valuable tools for communication. However, this capability also renders them attractive for malicious purposes. While several studies have shown that LLMs can support generic phishing, their potential for personalized attacks at scale has not yet been explored and quantified. In this study, we thus evaluate the effectiveness of LLM-based spear phishing in an experiment with 7 700 participants. Using the target email addresses as queries, we collect personal information through web searches and automatically generate emails tailored to each participant. Our findings reveal a concerning situation: LLM-based spear phishing almost triples the click rate compared to generic phishing strategies. This effect is consistent, regardless of whether the generic emails are written by humans or generated by LLMs as well. Moreover, the cost of personalization is minimal, at approximately $0.03 per email. Given that phishing is still a major attack vector against IT infrastructures, we conclude that there is a pressing need to strengthen existing defenses, for example, by limiting publicly available information linkable to email addresses and incorporating personalized phishing into awareness training.