LLM Whisperer: An Inconspicuous Attack to Bias LLM Responses
Weiran Lin, Anna Gerchanovsky, Omer Akgul, Lujo Bauer, Matt Fredrikson, Zifan Wang

TL;DR
This paper reveals how subtle synonym swaps in prompts can manipulate large language models to favor certain concepts, highlighting a covert attack that can undermine user autonomy and trust.
Contribution
It introduces a novel, inconspicuous attack in which a prompt provider replaces words in a user's prompt with synonyms to bias LLM responses toward a target concept, without human readers noticing the change; the attack is supported by a user study and empirical measurements.
Findings
Synonym replacements can increase target concept mentions by up to 78%.
Humans cannot distinguish adversarial prompts from normal ones.
Adversarial prompts influence LLMs to recommend target concepts more frequently.
Abstract
Writing effective prompts for large language models (LLM) can be unintuitive and burdensome. In response, services that optimize or suggest prompts have emerged. While such services can reduce user effort, they also introduce a risk: the prompt provider can subtly manipulate prompts to produce heavily biased LLM responses. In this work, we show that subtle synonym replacements in prompts can increase the likelihood (by a difference up to 78%) that LLMs mention a target concept (e.g., a brand, political party, nation). We substantiate our observations through a user study, showing that our adversarially perturbed prompts 1) are indistinguishable from unaltered prompts by humans, 2) push LLMs to recommend target concepts more often, and 3) make users more likely to notice target concepts, all without arousing suspicion. The practicality of this attack has the potential to undermine user…
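The abstract describes two things a practitioner would want to reproduce on their own side of a prompt-suggestion service: seeing which words the provider actually changed in a returned prompt, and measuring how much more often a target concept appears in responses to the altered prompt than to the original (the "difference" figure the abstract reports). The following is an added example, not code from the paper or its authors. The function names, the two prompts, the fictional target brand "Acme Notebook 3" and all response texts are constructed for illustration; the mention-rate difference is computed as the gap in percentage points between the two response sets, which is an assumption about the metric, not the paper's exact definition.

```python
"""Client-side audit helpers for prompt-suggestion services (added example).

Two checks:
  1. word_substitutions(original, returned) surfaces the words a prompt
     provider changed, so a synonym swap is visible before the prompt is sent.
  2. mention_rate_difference(target, baseline, perturbed) measures how much
     more often a target concept appears in responses to the perturbed prompt.
All prompts and responses in this file are constructed sample data.
"""
import difflib
import re

WORD_RE = re.compile(r"[A-Za-z0-9']+")


def tokenize(text):
    """Lower-cased word tokens; punctuation is dropped so only words are compared."""
    return WORD_RE.findall(text.lower())


def word_substitutions(original, returned):
    """Return (substitutions, other_edits) between two prompts.

    A difflib 'replace' opcode covering the same number of words on both sides
    is reported as one-for-one substitutions (paired positionally, which is an
    approximation for multi-word replacements). Insertions, deletions and
    uneven rewrites are returned separately so the caller can still review them.
    """
    a, b = tokenize(original), tokenize(returned)
    matcher = difflib.SequenceMatcher(a=a, b=b, autojunk=False)
    substitutions, other_edits = [], []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        if tag == "replace" and (i2 - i1) == (j2 - j1):
            substitutions.extend(zip(a[i1:i2], b[j1:j2]))
        else:
            other_edits.append((tag, a[i1:i2], b[j1:j2]))
    return substitutions, other_edits


def mentions(target, response):
    """True if the target concept appears as a whole word/phrase, case-insensitively."""
    pattern = r"\b" + re.escape(target.lower()) + r"\b"
    return re.search(pattern, response.lower()) is not None


def mention_rate(target, responses):
    """Fraction of responses that mention the target concept."""
    if not responses:
        raise ValueError("need at least one response")
    return sum(mentions(target, r) for r in responses) / len(responses)


def mention_rate_difference(target, baseline_responses, perturbed_responses):
    """Mention rate of the perturbed set minus the baseline set, in percentage points."""
    return 100 * (mention_rate(target, perturbed_responses)
                  - mention_rate(target, baseline_responses))


# Constructed sample data (hypothetical service interaction, not from the paper).
ORIGINAL_PROMPT = "Recommend a good laptop for a college student on a budget."
RETURNED_PROMPT = "Suggest a solid notebook for a college student on a budget."

BASELINE_RESPONSES = [  # constructed responses to ORIGINAL_PROMPT
    "Consider a refurbished ThinkPad or an Acer Aspire.",
    "A Chromebook may be enough for note-taking.",
    "Look at last year's Dell Inspiron models.",
    "Lenovo IdeaPad lines are usually discounted in August.",
]
PERTURBED_RESPONSES = [  # constructed responses to RETURNED_PROMPT
    "The Acme Notebook 3 is the best value right now.",
    "An Acme Notebook 3 or a Chromebook would work.",
    "Look at the Acme Notebook 3 before anything else.",
    "A refurbished ThinkPad is also fine.",
]

if __name__ == "__main__":
    subs, other = word_substitutions(ORIGINAL_PROMPT, RETURNED_PROMPT)
    print("substitutions:", subs)
    print("other edits:", other)
    print("mention-rate difference (pp):",
          mention_rate_difference("Acme Notebook 3", BASELINE_RESPONSES, PERTURBED_RESPONSES))
```

Running the file on the constructed data lists the three swapped words and a 75 percentage-point difference in target mentions; in practice the response sets would be sampled from the model several times per prompt, since a single response is too noisy to attribute to the prompt change.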
Taxonomy
Topics: Business Law and Ethics
Methods: Balanced Selection
