AI-generated scams on the rise

SINGAPORE (ANN/THE STRAITS TIMES) – In 2023, approximately 13 per cent of scams examined by the Cyber Security Agency of Singapore (CSA) were likely created using artificial intelligence (AI). 

This suggests that scams are becoming more sophisticated, despite the overall number of cyber threats remaining stable or decreasing compared to 2022.

This marks the first instance where the agency has reported on the use of AI in phishing scams.

Phishing scams, which deceive victims into divulging passwords or other sensitive data to gain access to banking or corporate accounts, saw a 52 per cent decline, with 4,100 cases reported. 

These findings were detailed in CSA’s annual Singapore Cyber Landscape 2023 report, released on July 30.

Infected infrastructure, such as computers hacked through malware or coordinated cyber attacks, fell 14 per cent to 70,200 systems.

The number of defaced websites dipped 68 per cent to 108 websites.

The number of ransomware attacks, where crooks release malware designed to deny an organisation access to its systems unless it pays a ransom, was unchanged at 132 incidents reported. This figure remained high, CSA added.

The drop in phishing cases reported is consistent with the police’s statistics for scams in 2023, which recorded 5,938 phishing scams amounting to SGD14.2 million in losses, compared with 7,079 cases in 2022.

“For the first time in five years, the total amount lost to scams had declined,” said CSA chief executive David Koh, who added that this could be due to new anti-scam measures rolled out by major banks, such as anti-malware measures to combat a surge in malware scams that caused more than SGD34 million in losses in 2023.

These measures block banking apps when suspicious apps are detected on the same device.

CSA said that while the overall attempts fell, the numbers come amid a sharp spike in phishing scams globally and are likely the “tip of the iceberg, with the majority of phishing attempts likely going unreported”.

The number of cases reported to CSA is still about 30 per cent higher than that in 2021, it added.

The agency worked with partners to study the content of phishing emails from 2023 using AI-content detection tools.

It found that at least five emails among 40 real-life samples that were flagged to CSA’s Singapore Cyber Emergency Response Team showed signs of AI-generated content, such as near-perfect language and a better flow of logic.

While no tool can identify AI-generated content with full certainty, tools trained on large language models can help identify elements that were likely AI-written, CSA said.

Generative-AI chatbots like ChatGPT – the use of which exploded globally in 2023 – have likely fuelled the production of phishing emails at scale, and scams will only get more convincing, said CSA.

This development and the rising threat of deepfake voice messaging that uses AI to mimic the sound of real people speaking can make scams wholly convincing.

Visually, phishing scams are also beginning to look more convincing as fraudsters are able to mimic more closely the appearance of genuine emails, such as those from the Inland Revenue Authority of Singapore.

Scammers are increasingly using “.com” links in scam websites, which help make them look more legitimate.

CSA said it is reviewing how it can use AI to enhance Singapore’s cyber defence, programming the technology to detect abnormal behavioural patterns and process large volumes of intel to help analysts spot scams more effectively. 

It urged organisations to review their cyber-security policies and conduct simulated phishing exercises for employees.