UC Davis

As modern technology advances and more users are utilizing the internet, people’s information has become accessible to the public. Although sensitive information such as ID numbers, bank accounts, or passwords might not be publicly discoverable, an individual’s name, interests, education, and social connections may be discoverable.

This research aims to assess the effectiveness of spear phishing emails built upon publicly available information, focusing on individuals within academia as the subjects. The social network of the subjects would be constructed using an information scraper built with Python and machine learning algorithms. The content of the emails would be generated by a Large Language Model (LLM). The experiment aims to evaluate the efficacy of AI-driven target selection through the response rates of email opening and engagement of the embedded link.

Our hypothesis posits that publicly disclosed personal information potentially threatens an individual’s online security and privacy. This vulnerability is manifested through a greater susceptibility to spear phishing attacks and inferred private information using machine learning techniques.

Additionally, we would discuss some mitigation strategies from the perspectives of email service providers, organizations, and users. Our goal is to warn the public regarding the potential threats of publicly available information being accessible to attackers. Being aware of phishing attacks that rely on personal social networks could reduce the success rate of such attack angle.