When we think of ransomware e-mails, we often assume that the most significant risk is the Nigerian Prince with his chest of gold stuck at customs. No one has time to send personalized messages to small and medium businesses, and most of them don’t have the budget to pay a ransom of the size expected from MGM or the US government. Yet, the proliferation of AI has changed the cyberattack equation. So let us explore why small and medium organizations are more at risk than ever.
A Willing Recipient
Let me introduce you to Jason Cavness. Jason runs an outstanding HR start-up, CavnessHR, in Seattle. When he asked me to help with a small business conference, he didn’t know that my main contribution would be a scam e-mail. To his credit, during the meeting, he was suspicious of why he would get a sales request out of the blue; after all, stage fright makes us nervous and question things.
Yet, when I sent the e-mails to my contacts beforehand using a fake sender, I got a 98% opening rate. When one of my colleagues turned the game around and sent me the same e-mail with my name, I opened it myself.
After ten years of running a small operation, there is no way I wouldn’t have opened a customer inquiry. Twelve years in cybersecurity, including as an expert on corporate boards and the government, cannot overwrite the human excitement and validation I receive from a prospect without doing any cold calling.
My brain was overjoyed that a customer wanted to buy from me. Thus, I was a willing recipient of my own scam e-mail.
The Sales Funnel of Cyberattacks
Many of us think ourselves too clever to fall for an attack. However, the statistics tell a different story. Let’s look at the number of ransomware attacks and payments.
- 94% of all American businesses detected an e-mail-based attack in 2023.
- 46% of all American companies suffered from a successful attack.
- 32% of all firms paid a ransom to a criminal, either to have their data released, to have it deleted, or to get stolen accounts returned to them.
Yet, the 2023 numbers still reflect a majority of e-mails sent by the Nigerian Prince with his chest of gold or by US soldiers needing Apple Gift Cards to pay for their flight home from an overseas deployment. They do not yet account for the changes AI brings to creating personalized messages.
How AI Changed Scam Cyberattacks
The release of ChatGPT in November 2022 brought large language models (LLMs) to the masses. By January 2023, a million people had tried the tool. By March 2023, it had widespread media coverage. At the same time, organizations released the first commercial applications using an LLM as a backend. Likewise, the cat-and-mouse game of abusing the software for criminal purposes began.
Before the rise of AI, writing a single personalized e-mail would have cost me an hour or more. It would have involved several manual steps:
- Finding the business I want to attack
- Determining their main product
- Finding a suitable contact person
- Writing the e-mail
- Writing the ransomware
- Sending the package
Going after most small and medium businesses would have been prohibitively expensive. In January of this year, I only needed to write a bot that could gather the information I needed and then create the e-mail text. Combined with an AI ransomware generator, the script could send the whole package to thousands of recipients without me lifting a finger or running afoul of Gmail’s mail restrictions or anti-virus scanner.
It didn’t matter whether the business provided flower arrangements for weddings, social media consulting, or filed lawsuits for personal injuries; the AI could create the perfect opening. The e-mails were spelled correctly and significantly more credible than the million dollars in gold bars.
Profit-Loss Statement of a Cyberattack
With AI, cybercrime has become very cheap. Writing a bot that would do the heavy lifting of finding businesses and their employees and then writing a custom e-mail took me a couple of hours. Even at Seattle IT wages, that comes to $900 in labor. The costs for AI were $100 per thousand e-mails. Buying in a ransomware generator would add another $120k to the equation if I go after mid-size businesses, or $12k if I promise to go after small-time operators (surge pricing in cybercrime: nearly 100% over the 2021 prices).
Consequently, the price for a thousand personalized ransomware e-mails is around $121k.
Going back to the numbers from above, out of the 1,000 e-mails, 480 will successfully infect the recipient, and 320 of the 1,000 will pay the ransom. The mean payment in 2023 was $378k. Thus, on a $121k investment, a criminal would make nearly $121m. That is a 99% profit margin.
If criminals go after small businesses, the profit margin sinks to 93%. However, the risk of prison also deflates considerably.
E-mail-based ransomware and scam attacks are not new. Yet, with AI’s proliferation, they will become successively more annoying and more successful. As long as the profit margins and risk profiles favor the criminals, they will continue to haunt us. We must make it more challenging and less rewarding for cybercriminals to attack us. Otherwise, we will soon need to find a future without electronic communication.