SINGAPORE: Around 13 per cent of scams analysed by the Cyber Security Agency of Singapore (CSA) in 2023 were likely generated by artificial intelligence (AI) – indicating that scams are getting more convincing even as overall cyber threat numbers fell or remained constant, compared with 2022 figures.
This is the first time the agency has disclosed figures on AI usage in phishing scams.
Phishing attempts, which trick victims into revealing passwords or other sensitive information to access banking or company accounts, fell by 52 per cent to 4,100 reported cases, according to CSA’s annual Singapore Cyber Landscape 2023 report, published on Tuesday (July 30).
Infected infrastructure, such as computers hacked through malware or coordinated cyber attacks, fell 14 per cent to 70,200 systems.
The number of defaced websites dipped 68 per cent to 108 websites.
The number of ransomware attacks, where crooks release malware designed to deny an organisation access to its systems unless it pays a ransom, was unchanged at 132 incidents reported. This figure remained high, CSA added.
The drop in phishing cases reported is consistent with the police’s statistics for scams in 2023, which recorded 5,938 phishing scams amounting to S$14.2 million in losses, compared with 7,079 cases in 2022.
“For the first time in five years, the total amount lost to scams had declined,” said CSA chief executive David Koh, who added that this could be due to new anti-scam measures rolled out by major banks, such as anti-malware measures to combat a surge in malware scams that caused more than $34 million in losses in 2023.
These measures block banking apps when suspicious apps are detected on the same device.
CSA said that while the overall attempts fell, the numbers come amid a sharp spike in phishing scams globally and are likely the “tip of the iceberg, with the majority of phishing attempts likely going unreported”.
The number of cases reported to CSA is still about 30 per cent higher than that in 2021, it added.
The agency worked with partners to study the content of phishing e-mails from 2023 using AI-content detection tools.
It found that at least five e-mails among 40 real-life samples that were flagged to CSA’s Singapore Cyber Emergency Response Team showed signs of AI-generated content, such as near-perfect language and a better flow of logic.
While no tool can identify AI-generated content with full certainty, tools that are trained on large language models can help identify whether elements were likely AI-written, CSA said.
Generative-AI chatbots like ChatGPT – the use of which exploded globally in 2023 – have likely fuelled the production of phishing e-mails at scale, and scams will only get more convincing, said CSA.
This development, together with the rising threat of deepfake voice messaging that uses AI to mimic the sound of real people speaking, can make scams wholly convincing.
Visually, phishing scams are also beginning to look more convincing as fraudsters are able to mimic more closely the appearance of genuine e-mails, such as those from the Inland Revenue Authority of Singapore.
Scammers are increasingly using “.com” links in scam websites, which help make them look more legitimate.
CSA said it is reviewing how it can use AI to enhance Singapore’s cyber defence, programming the technology to detect abnormal behavioural patterns and process large volumes of intel to help analysts spot scams more effectively.
It urged organisations to review their cyber-security policies and conduct simulated phishing exercises for employees. - The Straits Times/ANN