A method for detecting financial phishing in instant messengers using an ensemble of dialogical intelligent assistants based on large language models
Abstract
With the rapid digitalization of financial services, instant messengers have become the dominant communication channel, and cybercriminal activity in this segment has grown accordingly. Financial phishing in instant messengers takes the form of complex sociotechnical attacks. Traditional signature methods, and even classical neural network tools, struggle to recognize them because the attacks rely on psychological manipulation and contextual mimicry; this calls for large language models capable of deep semantic analysis of content. At the same time, the practical use of individual large language models is limited by their tendency to generate false facts and by their uneven sensitivity to different threat vectors, which makes ensemble approaches relevant, since they can potentially increase recognition efficiency. The aim of the work is to increase the efficiency of detecting financial phishing in instant messengers by developing and experimentally testing a detection method that uses an ensemble of dialogical intelligent assistants based on large language models. The original feature of the method is its approach to aggregating recognition results: a weighted linear convolution of the responses of the ensemble of dialogical intelligent assistants that takes into account adaptive coefficients of their competence. To make the method adaptable and to determine the competence weight coefficients of the models, an automated calibration procedure based on an iterative cross-validation algorithm was developed.
Within the proposed method, financial phishing features were also classified, which identified six dominant attack vectors: imitation of official institutions, creation of artificial urgency, technical masking of links, incitement to compromise confidential data, requests for anomalous transactions, and linguistic deviations. For each of these vectors, recognition criteria were formed and implemented in the target predicates of the queries. A formalized query structure was developed that includes role initialization, contextualization and criterion evaluation components; it unifies interaction with the dialogical intelligent assistants and ensures stable results. Experimental studies conducted on a control sample with the ChatGPT, Gemini and DeepSeek models have shown the high efficiency of the developed approach. The overall classification accuracy of the proposed method exceeds the results of individual large language models. At the same time, the probability of missing phishing messages has been reduced by half while maintaining a low level of false positives.
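
An added sketch of the aggregation and calibration steps described above, not the authors' code. The abstract gives no formula, so the single score per assistant, the accuracy-proportional weights, the four folds, the 0.5 threshold and all sample values are assumptions constructed for illustration.

```python
# Added illustration: weighted linear aggregation of assistant verdicts with
# competence weights calibrated over k training splits. All values constructed.
ASSISTANTS = ("ChatGPT", "Gemini", "DeepSeek")
THRESHOLD = 0.5  # assumed decision threshold

# Constructed sample: (phishing score per assistant in [0, 1], label 1 = phishing)
SAMPLE = [
    ((0.9, 0.8, 0.7), 1), ((0.2, 0.7, 0.8), 1), ((0.8, 0.3, 0.9), 1),
    ((0.7, 0.9, 0.4), 1), ((0.1, 0.2, 0.1), 0), ((0.3, 0.1, 0.2), 0),
    ((0.6, 0.2, 0.1), 0), ((0.2, 0.4, 0.3), 0),
]

def accuracy(rows, idx):
    """Share of rows that assistant idx classifies correctly on its own."""
    return sum((s[idx] >= THRESHOLD) == bool(y) for s, y in rows) / len(rows)

def calibrate(rows, folds=4):
    """Competence weights: normalised accuracy averaged over the k splits."""
    n = len(ASSISTANTS)
    totals = [0.0] * n
    for k in range(folds):
        # Leave fold k out; measure each assistant on the remaining rows.
        train = [r for i, r in enumerate(rows) if i % folds != k]
        acc = [accuracy(train, j) for j in range(n)]
        norm = sum(acc)
        totals = [t + a / norm for t, a in zip(totals, acc)]
    return [t / folds for t in totals]  # weights sum to 1

def ensemble_score(scores, weights):
    """Weighted linear combination of the assistants' scores."""
    return sum(w * s for w, s in zip(weights, scores))

def is_phishing(scores, weights):
    return ensemble_score(scores, weights) >= THRESHOLD

def missed(rows, decide):
    """Count phishing rows that the given decision function lets through."""
    return sum(1 for s, y in rows if y == 1 and not decide(s))

if __name__ == "__main__":
    w = calibrate(SAMPLE)
    for name, weight in zip(ASSISTANTS, w):
        print(f"{name}: weight {weight:.3f}")
    for j, name in enumerate(ASSISTANTS):
        print(name, "alone misses", missed(SAMPLE, lambda s, j=j: s[j] >= THRESHOLD))
    print("ensemble misses", missed(SAMPLE, lambda s: is_phishing(s, w)))
```

The sample is scored on the same rows used for calibration, so it only shows the mechanics; a real evaluation would score held-out messages.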

