PhishAI is a conversational phishing engine that uses generative AI. This feature simulates a phishing technique in which attackers attempt to build and establish trust with a victim before delivering their malicious payload.
In this knowledge-base article, we explore this feature in depth, focusing on how it works, what the different scenarios are, and how the templates can be fine-tuned.
How It Works
Using predetermined scenarios, the system sends out a phishing email designed to entice the user to respond and engage in a conversation. Once the conversation is established and underway, the AI will then attempt to convince the employee to take a specific action. This could include replying to the email with the requested information, downloading an attachment, visiting a website, or calling a phone number (learn more about callback phishing).
The AI's reasons for directing the user to take these actions will vary depending on the scenarios defined within the campaign designer. If the user doesn't respond to the initial email, the AI will wait between 23 and 25 hours before sending a follow-up email to entice a response. The AI will send up to three emails before giving up.
Phishing interactions with the AI are trackable and reportable, just like standard simulated phishing attacks.
Predetermined Scenarios Explained
There are 11 different email scenarios the AI can use. Each scenario can be fine-tuned to be either an information request, a link to a phishing website, or an attachment-style attack. In an information request, the information the AI is trying to extract is pre-determined and innocuous, such as their date of employment.
- New System Access
  In this scenario, the AI reaches out to the employee, advising them that a new system access request has been raised, which the employee will not be aware of as they did not make the request. The AI navigates around this by suggesting that the request may have been raised by their manager or someone within their team. This approach leverages the employee's trust in their colleagues and the internal process to prompt a response or action.
  - Information Request: The AI will attempt to extract the employee's official job title and manager's email address.
  - Callback Request: The AI will attempt to extract the employee's last name and job title.
- Expense Claim Discrepancy
  In the expense claim discrepancy scenario, the AI reaches out to the employee, advising them that there is an issue with their latest expense claim. Due to the sensitivity of the request and the nature of the discrepancy, the AI needs additional details from the employee before proceeding with the claim.
  - Information Request: The AI will attempt to extract the employee's start date and official job title.
  - Callback Request: The AI will attempt to extract the year the employee started employment with the company and also their job title.
- Billing Overcharge Mistake
  In the billing overcharge mistake scenario, the AI reaches out as a member of an external company, advising the employee that there has been an overcharge on their account and that they are looking to refund the money.
  - Information Request: The AI will attempt to extract the employee's name and the expiration date on the credit card used for the transaction.
  - Callback Request: The AI will attempt to extract the employee's last name and the country they are currently located in.
- Upcoming Password Expiry
  In the upcoming password expiry scenario, the AI reaches out to the employee, advising them that due to a change in corporate password complexity requirements, a mandatory password reset must occur. The AI will attempt to help the employee with this reset.
  - Information Request: The AI will attempt to extract the employee's middle name and their supervisor's job title.
  - Callback Request: The AI will attempt to extract the employee's middle name and their job title.
- Confirm Personal Information
  In the confirm personal information scenario, the AI reaches out to the employee, advising them that due to some recent changes in the corporate HR system, certain information about their role within the business needs to be confirmed. The AI will attempt to help the employee with confirming this information.
  - Information Request: The AI will attempt to extract the employee's job title and their supervisor's email address.
  - Callback Request: The AI will attempt to extract the year the employee started employment with the company and also their job title.
- Strange Account Activity
  In the strange account activity scenario, the AI reaches out to the employee, advising them that strange activity has been detected on their account in the past 24 hours. The AI will attempt to determine whether this activity is legitimate or anomalous.
  - Information Request: The AI will ask the employee if they have logged into a corporate account within the past 24 hours and also what country they are currently located in.
  - Callback Request: The AI will attempt to extract the employee's last name and the country they are currently located in.
How Template Settings Affect Conversations
While the AI has specific scenarios to follow, it has considerable freedom in how it interacts with the employee. Various settings can be configured, such as adding extra information about the employee, determining the type of payload (attachment, information request, or phishing link), choosing the AI's persona, naming the AI, and adjusting the tone of the interaction.
These customizable settings allow the AI to create highly tailored and convincing phishing emails. This enhances the realism of the simulation, effectively testing the employee's awareness and response to potential phishing attacks.
Let's look at each key configurable setting and explore how it affects the email.
- Data Required: When setting up your employee lists, you can add each employee's First Name, Last Name, Company and Job Title. When you add these fields into the email template, the AI may refer to them in the conversation, especially if you challenge it. For example, it may say something like, "As a Security Analyst, you understand why these protocols are in place..." This helps to build on the AI's persona by giving it more information about the target.
- Payload Type: This determines the AI's goal, whether it will deliver an attachment, attempt to extract information, or send a link to a phishing website. When using an information or callback request, what the AI extracts is predetermined. Upon successful extraction, the employee will receive a response advising that this was a phishing simulation.
- Email Scenario: This is a predefined scenario that determines the initial email sent to the user. Once the user responds, the AI will consider their response, along with the scenario, to drive the conversation forward. Certain email scenarios restrict which AI personas can be used, to ensure relevancy.
- AI Persona: This is the persona that the AI will assume while communicating with the employee. It will commonly be used if the employee challenges the AI to learn more about its identity. Additionally, the persona may be included in the initial request to lend credibility and provide additional context for the request.
- AI Persona Name: You can choose to give the AI persona a specific name, or you can opt for a random selection, where the AI will pick a name relevant to your chosen language. This flexibility is an important feature, adding a layer of personalization to the interaction.
- AI Tone: The tone defines how the AI will interact with the employee. It's important to note that these tones can vary significantly while still remaining within the boundaries of business communication. If random is chosen, hostile will not be used.
- AI Phone Number: If the payload is set to callback request, the AI will entice recipients to call a phone number. This setting determines the geographic location of that number. Intelligent selection uses the information known about the employee to dynamically pick the most appropriate number. Otherwise, the location of the phone number can be set to a static location. Currently, phone numbers are held in the following locations:
  - United States
  - Canada
  - Australia
  - United Kingdom
  - Finland
  - Chile
  - Israel
  - Denmark