Novel Use of Chatbots in Phishing Schemes

Risk:
high
Damage:
high
Platform(s):
Web Servers Systems Networks
Advisory ID:
ngCERT-2022-0077
Version:
N/A
CVE:
N/A
Published:
May 23, 2022

Summary


Hackers have begun incorporating chatbots into their phishing schemes to lend an air of authenticity to the interaction. Chatbots have become a common medium of engagement on mainstream company websites, so using one during a phishing attack leads the victim to trust that the interaction is genuine. A chatbot is a program that simulates conversations with human users, allowing businesses to provide customer service around the clock while saving money.

Description & Consequence


The phishing process begins with an email purporting to contain parcel delivery information and impersonating the DHL shipping brand. Unlike traditional phishing links, which take the victim directly to a webpage that requests sensitive information and other personally identifiable information (PII), this method first initiates a conversation with a chatbot and only then quietly directs the victim to the actual phishing pages where sensitive information and PII will be obtained. It may even include a bogus CAPTCHA page in an attempt to gain the victim's trust. Furthermore, the victim may be redirected to a phishing page that requires the victim to enter vendor account credentials before proceeding to a payment step, ostensibly to cover shipping costs. The final "Secure Pay" page includes the standard credit card payment fields, such as cardholder name, card number, expiration date, and CVV code. The method of delivery remains email.

A successful attack may lead to credential and monetary theft and/or the installation of malware on the victim’s device.

Solution


  1. Do not act on unsolicited emails, and think twice before clicking on links.
  2. Always check the URL of any website and do not enter any personal information into the page if it appears suspicious or does not match the legitimate domain.
  3. Verify a site’s security by ensuring it uses HTTPS and shows a closed padlock icon near the address bar, and by checking the site’s security certificate.
  4. Change passwords to online accounts regularly.
  5. Never give out personally identifiable information (PII).
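
The URL check in item 2 and the HTTPS part of item 3 can be automated for links extracted from an email, as in the following added example (not part of the ngCERT advisory). It assumes `dhl.com` is the impersonated brand's legitimate domain; the function name and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the brand's legitimate registrable domain(s); adjust as needed.
LEGITIMATE_DOMAINS = {"dhl.com"}

def check_link(url, legitimate=LEGITIMATE_DOMAINS):
    """Return (ok, reason) for a link taken from an email body."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "malformed URL"
    if parts.scheme.lower() != "https":
        return False, "not https"
    # "https://dhl.com@other.example/" shows the brand but connects elsewhere.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before host"
    if not host:
        return False, "no host"
    # Non-ASCII or punycode labels can render as look-alike characters.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "internationalised host"
    # Match the end of the host on a label boundary, never a substring:
    # "dhl.com.parcel-update.example" contains the brand but is not DHL.
    for domain in legitimate:
        if host == domain or host.endswith("." + domain):
            return True, "host belongs to " + domain
    return False, "host does not match a legitimate domain"

# Constructed sample links (not taken from the advisory).
SAMPLES = [
    "https://www.dhl.com/track",
    "http://www.dhl.com/track",
    "https://dhl.com.parcel-update.example/chat",
    "https://dhl.com@tracking.example/parcel",
    "https://evil-dhl.com/securepay",
    "https://xn--dhl-example.com/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, reason = check_link(link)
        print(("ALLOW" if ok else "BLOCK"), link, "-", reason)
```

A passing result only means the host belongs to the expected domain over HTTPS; the certificate check in item 3 still has to be done separately.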
