AI makes it easier than ever to phish – now in flawless native language
With large language models, cybercriminals have become even better at tricking your employees with convincing phishing emails – and even phishing videos – in flawless Danish.
There’s a good reason why “Nigerian princes” don’t speak Danish. When West African scam groups have sent emails around the world, they’ve done so in successful variations of English, German, French, Spanish, and most other major languages.
In contrast, sending emails in broken Danish – so clumsy it screams Google Translate – hasn’t exactly been a winning strategy. Not even the laziest scammer would attempt it.
That has also applied to phishing emails, which try to gain access to our computers – and from there, to larger IT systems – through reckless clicks or file openings. But that’s no longer the case.
From being a small, hard-to-access language with just six million speakers worldwide, Danish has suddenly become much more accessible. Large language models, led by GPT-4o, have made it possible to write very convincing emails – including scam emails – in Danish.
Phishing remains hackers’ and cybercriminals’ favourite method of attack. More than 80 percent of all attacks start with an email or SMS. In more organised cybercriminal groups, there is often someone whose sole job is to gain access this way. Now they have a tool to craft even more persuasive emails.
So does it really matter whether the deception comes in Danish or English? Research shows that it does. People tend to be more sceptical and rational in languages they learned later in life, while we respond more emotionally to our native tongue.
And emotional responses – curiosity, fear – are exactly what phishing emails aim to provoke. These are the reactions that make people click where they shouldn’t.
The linguistic moat that once protected our small language community is, unfortunately, gone. We’re now facing a future with more – and more sophisticated – phishing emails that, without countermeasures, will leave Danish society increasingly vulnerable to cyberattacks.
For years, the dominant approach to cybersecurity for employees has been awareness training – typically e-learning with a quiz at the end.
That should absolutely continue. But organisations also need to go further to ensure employees truly understand the risks. And that starts by confronting hackers’ favourite tactic – phishing – and ensuring staff can resist it.
In addition to training staff to spot phishing emails, simulated phishing campaigns provide a much stronger data foundation for evaluating overall security levels. They also reveal which employees fall below the desired threshold and where efforts need to be focused to improve security across the organisation.
Fortunately, many organisations are already conducting phishing campaigns. But too often, they’re one-offs – sometimes just a single test email. To unlock the full potential, a more strategic approach is required.
Start by assessing current employee awareness. Then develop a long-term plan for how to improve it. Here, it makes sense to involve experts to ensure the challenge is approached in the best way possible – and to get a true picture of the organisation’s security level.
Next, determine how to ensure employees who pose a security risk are brought up to standard – so they can help defend against attacks, not enable them.
Language models will only get better. It will only become easier for cybercriminals to create convincing phishing emails. That’s why now is the time to act – and make sure your organisation’s security posture and employee awareness are high enough.
Because in just a few years, it won’t just be text we need to watch out for – it will be audio and video, too, in flawless Danish.