Ah yes, agentic phishing, excellent

I recently got this email screenshot from my co-founder:

On the surface, that’s a pretty easy one to spot: The from address, the fact that I’d never write like that, etc.

Phishing emails using relationships is not something new, of course my grandmother gets emails from “me” all the time.

In fact, in college I wrote custom malware in Go and convinced a scammer that was bothering my grandmother to run it, which encrypted all files in their Downloads, Documents, and Desktop folders and shipped them up to my C2 server.

Unfortunately, my dumbass forgot to save the AES IV in addition to the key, so I was never able to decrypt the files! I could tell by the file names though that there was some victim tracking .xlsx files, so hopefully I saved some folks!

But we now live in an age of Agents, the demi-gods in a box that can go off and do tedious work for us at scale.

Agents can now go find out all the relevant relationships for phishing targets at scale, then aid bad actors in crafting much more convincing emails.

Read that email, there’s nothing “scammy” about it. Any LLM, even Claude, would have happily performed that task, written that email, and sent it.

Clearly scammers are not there quite yet with perfectly-crafted phishing emails, but as agents become more widely available and are able to understand how people speak and write from available content online, we’re definitely going to need our email providers to take a more defensive posture.

I don’t know that this was agent-assisted, but maybe that from address isn’t a coincidence 🤷

Discuss on hackernews: https://news.ycombinator.com/item?id=43995840