Say you receive an email from someone in your organization or a subscription account informing you of a login attempt using your details. Do you take everything in the email at face value if it seems authentic and even uses the company logo?
If the answer is yes (and you haven’t exactly checked if the credentials are legit), you’ve fallen for the classic cybercriminal tactic of phishing.
Just a few years ago, spotting this scam was relatively easy because emails would be riddled with spelling and grammatical errors.
Nowadays, AI-generated emails add a new level of complexity to recognizing scams, as freely available AI models can perfectly recreate legitimate company communications, and use correct branding and perfect grammar.
To make matters worse, phishing emails not only look real, but they’re often context-aware and may reference past interactions.
Put everything together, and we are now in a situation where organizations aren’t trained to spot classic phishing, let alone recognize modern supercharged AI versions. As a result, they may not be equipped to close security gaps.
So, how do you change that?
Through knowledge.
Why is phishing still prevalent?
While pop culture brainwashed us to think that threat actors compromise accounts by rapidly typing code and accessing a mythical “mainframe”, the reality is a lot less exciting.
Hacking often boils down to tricking people into giving up their login credentials. It’s easy to see why.
This direct approach effectively bypasses all defenses, as it’s really hard for even the latest security systems to differentiate between a genuine log-in attempt and a criminal using what’s practically a spare set of house keys.
At the same time, the threat level is increasing with each passing day, and user data is a hot commodity, as evidenced by a recent data breach that resulted in a whopping 16 billion stolen records. It can be used to feed AI phishing engines, and by extension, craft highly targeted and personalized emails.
For instance, data leaked from a MOVEit hack from 2023 only included basic information such as names, addresses, phone numbers, and email addresses. Still, it’s enough tidbits to help fuel the next wave of scary phishing attacks.
The more you learn about it, the scarier it gets, though.
A 2025 IBM X-Force report reveals that one in three incidents resulted in credential theft, and there was a 180% increase in phishing emails with infostealers compared to 2023, indicating attackers rely more on AI to scale distribution.
Moreover, while the aim of stealing credentials is to access a system or account and escalate privileges, moving laterally to cause the most amount of damage is still alive and kicking. It’s just that the usual MO also got more sophisticated, thanks to AI.
A good example is modern malware that leverages artificial intelligence to obfuscate its behavior or signature in order to skirt around traditional malware detection.
In other words, a malicious piece of software is now able to improvise and adapt its behavior based on the specific system environment.
A matter of trust
Using these credentials to log into the corporate network can lead to what can only be described as internal bleeding.
Threat actors will set up the trusted employee trap by sending infected emails to coworkers, which dials up the danger to eleven.
Even if the members of the organization are cybersecurity-conscious and wouldn’t fall for regular phishing, they may open an attachment if it seemingly comes from someone they trust.
Logically, since poor password hygiene and credential hijacking are a breeding ground for phishing, forward-thinking enterprises now generally try to avoid these scams by relying more on passwordless authentication.
Though passkeys and biometric logins (and multi-factor authentication, to an extent) are safer than a plain old password, fraudsters may now resort to a new range of AI-driven tactics.
These are highly sophisticated and may involve interception or sneaky deep-faked video or audio to trick help desks into resetting credentials or bypassing verification steps.
Sadly, plenty of individuals and businesses are careless, despite sources like Station X claiming that 3.4 billion phishing emails are sent each day. The sheer scope makes it impossible to avoid being targeted, but learning more about the signs of classic and AI phishing may help you avoid falling for the trap.
There's many forms of phishing
There’s no shortage of phishing tactics floating around. While basic tricks are still prevalent, they’ve been pretty much rejuvenated by the advent of AI. Here’s what organizations are up against in 2025:
Mimic attacks
Vanilla mimic attack involves impersonating trusted brands, including their websites and emails. The end goal is tricking users into entering credentials on a convincing spoof page.
With LLMs such as ChatGPT being freely available, threat actors are now using their functions to create dynamic, fake websites with real-time content generation, thus tailoring the scam to users based on their profiles.
Since these fake sites may look identical to the real thing, detecting a scam is very difficult.
Malware attachments
In the days before AI, cybercriminals would use social engineering to gain access to information that only a trusted individual from your contact list could know. Now, it’s even worse, as attackers can use the same info to impersonate the tone of these trusted persons even better.
In some cases, you can’t even rely on your spam filter and antivirus software anymore, since email attachments may contain AI-generated DOC or PDF files that bypass scans and activate upon execution.
Whale and spear phishing
These attacks target individuals in the organization with personalized emails. As the name suggests, spear phishing can target full groups or specific individuals, but whale phishing is limited to the higher-ups in the company.
Sadly, AI made this tactic more effective as criminals can now go as far as to use voice cloning, internal jargon modelling, or LinkedIn scraping to make impersonations more convincing.
Other forms of AI phishing
Not only are business email attacks (BEC) on the rise, but it’s also becoming very common for malicious parties to use deepfakes to impersonate CEOs to compromise employees.
Similarly, it’s not unheard of for fake chatbots to impersonate IT or HR staff to lull employees into a false sense of security, guiding them through fraudulent security checks designed to install malware or steal their credentials.
Lastly, smishing (phishing via SMS) also got a major facelift, courtesy of AI language models.
How to battle against the new generation of cyberthreats?
Educating teams on good password practices is no longer sufficient. It’s actually necessary to go a step beyond and set up an encompassing security approach that accurately reflects modern-day threats.
Two-factor authentication is still relevant; however, adaptive authentication may be a smarter direction. This may include using device recognition, geographic location analysis, and phone number fraud prevention.
Furthermore, to specifically target AI phishing, it’s only fair to fight fire with fire by implementing a range of AI defenses.
For instance, AI-powered threat detection monitors mouse movements, login behavior, and keystroke dynamics to recognize any anomalies, thereby protecting you in situations where an employee’s credentials are compromised.
Many businesses now also rely on zero trust architectures to cut the reliance on static authentication methods, but it may not be enough considering what we’re up against.
As said previously, knowledge is power, so it’s wise to invest in user education and awareness programs, tailoring them to reflect AI-driven attack scenarios.
An example of this could be an AI-generated phishing simulation that mimics realistic attacks. Its goal would be to train everyone in the organization to recognize phishing attempts and acquire the know-how for minimizing the damage if one of their colleagues catches the bait.
How we can close those critical security gaps?
Phishing is here to stay, and judging by how the tides are moving, it’s easy to anticipate it will become an even bigger issue in the years to come.
The only way to actually address this challenge is to take on a holistic cybersecurity strategy that involves not only the latest security tools, but training that can effectively remove any blind spots on a company-wide level.
There’s no way around it – AI made phishing a fluid and fast-evolving threat. The only way to stay ahead is to ensure your cybersecurity policy is just as dynamic, if not more so.