Investigating the Security Risks of Gen-AI-Powered Phishing Attacks on University Students

Abstract

Generative Artificial Intelligence (GenAI) is a paradigm shift in the cyber-threat environment as it allows generating hyper-realistic, personalised and scalable phishing campaigns. This is a study that explores how this technological development has intersected with the human susceptibility that has been there in the realm of higher education. This paper, which targets university students as a target population with a high level of digital exposure but possibly low levels of security awareness, also adopts a positivist, quantitative approach in its attempt to investigate empirically the security risks that AI-driven phishing presents to them. It was a cross-sectional online survey (N=63), in which a simulated GenAI phishing mail was used as a behavioural stimulus. Descriptive and inferential statistics demonstrate a crucial lack of connection: self-reported confidence in detection was at a moderate level (M=3.13/5), whilst behavioural susceptibility to it is alarmingly high, with 81.7 percent stating that they were likely to choose to click the malicious link. It was discovered that there was a deep institutional training deficit, as 90.1% of respondents had not been trained in cybersecurity at university and analyses (kh2(1)) demonstrated that prior training had no significant protective effect on phishing experience (kh2(1) =0.948, p=.330). Moreover, existing guidance in universities was perceived as insufficient by 76.1% of them. The results highlight a severe overconfidence paradox and a systemic defect in the modern pedagogical models to help counteract AI-improved threats. This paper has determined that the human firewall within the academic context is highly misaligned and recommends an immediate, strategic move to compulsory, simulation-based training programmes that are specifically crafted to take into account the advanced affordances of GenAI in social engineering attacks.