MOST EMPLOYEES WILL FAIL THE NEXT PHISHING TEST AND AI IS THE REASON (NOT CARELESSNESS)

Phishing has become harder to recognise. In late 2025, controlled cybersecurity tests found that 64% of employees failed to identify AI-crafted phishing emails, treating them as legitimate requests from colleagues or managers. The data comes from phishing simulations built to reflect the level of sophistication attackers are using today.


Attackers now use artificial intelligence (AI) to craft messages that mimic genuine workplace communication, and the training most employees receive was never designed for that level of realism.


In this article, we explore two things:


  • How AI is changing the nature of phishing attacks and why even security-aware employees fall for them
  • Why traditional awareness training is no longer enough, and what a modern defence must include



The Old Phishing World Has Changed


For a long time, spotting a phishing email was fairly straightforward. Employees were trained to look for obvious mistakes, suspicious links, or messages that didn’t make sense in their daily workflow. Most phishing attempts were easy to spot because they were poorly written and clearly generic.


Modern AI models generate messages that read naturally and match how people actually write at work. They draw on publicly available information from LinkedIn, company websites, and social media to tailor each message to its recipient.


Emails that match internal language, reference real projects, and appear to come from trusted departments are difficult to distinguish from legitimate communication.



Why AI-Powered Phishing Is More Dangerous


Here are the key ways AI has elevated phishing into a new class of threat:


1. AI Makes Phishing Personal


AI-generated emails include real names, roles, projects, and work relationships, making them familiar and relevant to recipients.


This level of personalisation increases trust, and trusted messages are far more likely to be acted on.


2. Attackers Can Operate at Scale


In the past, crafting a convincing phishing email took time, skill, and patience. Today, AI can generate thousands of individually tailored phishing messages in minutes. Tooling can gather open-source intelligence on each target, write the message, pick a relevant subject line, and adapt the next wave based on which variants get responses.


3. Success Rates Are Increasing


In the same tests, traditional phishing tricked 12% of employees, while AI-generated campaigns achieved nearly 50% success, roughly four times the rate of the control messages. In practice that means more accounts compromised, more credentials stolen, and more incidents to respond to.


4. Phishing Has Expanded Beyond Email


AI now gives attackers the ability to generate convincing voice phishing calls (vishing) and deepfake audio or video that impersonate executives. Use of these techniques has grown sharply.


Some deepfake audio is convincing enough to pass a colleague's "does that sound like the boss?" check, which is how attackers get wire transfers approved or sensitive information handed over.


Phishing is expanding into the full spectrum of communication channels, each with its own challenges for detection.



Why Employees Struggle to Spot Modern Phishing


Employees still make decisions based on trust, urgency, and routine. AI-driven phishing exploits these same factors with precision.


AI-assisted attacks exploit those decision patterns with persuasive language, familiar writing styles, and messaging adapted to the target. All of that tailoring is done before the message is sent, so nothing about it looks unusual when it arrives.


Modern phishing emails often reference real tasks, mimic colleagues’ writing styles, and ask for routine actions, making them harder to detect. This is why awareness based on surface-level cues no longer holds up.


Research comparing AI-generated phishing to human-written attempts shows that AI performs just as well, and in some cases better, because the messages feel authentic to recipients.



Why Old Security Training Is No Longer Enough


Most organisations still rely on annual phishing training. Employees watch a presentation, complete a quiz, and may receive a simulated test once or twice a year. This setup only makes sense if phishing attacks are simple and predictable, which is no longer the case.


AI-driven phishing changes frequently. Messages adapt to company culture, role expectations, and current events. Training delivered once a year cannot prepare employees for threats that evolve continuously.


Even experienced professionals struggle to identify AI-generated phishing emails, increasing the risk of compromise. 


What Modern Security Training Should Include


To close the gap between AI-assisted attackers and human defenders, organisations need to shift from compliance-based training to adaptive, continuous, and realistic training. Here is what that means:


1. Realistic Simulations


Employees need exposure to phishing simulations that mirror current attack techniques. Static templates and outdated examples no longer prepare staff for what they actually face.


2. Role-Specific Scenarios


Sales, HR, finance, and IT teams all receive different types of communications in their roles. Attackers tend to use that to their advantage. Security training should be tailored to the unique threat profiles of different departments.


3. Multi-Channel Coverage


Attackers are not only sending emails. They are using SMS, messaging platforms, voice calls, and deepfakes. Modern training should cover vishing, smishing, and deepfake detection alongside traditional email simulation.


4. Immediate Feedback


Learning is more effective when feedback is timely. Employees should understand what went wrong as soon as a simulation ends, while the context is still fresh.


5. Technology That Supports People


Training works best when paired with technical controls that do not depend on a person noticing anything. Phishing-resistant multi-factor authentication (MFA) such as FIDO2/WebAuthn, email filtering that checks sender authentication and lookalike domains, and identity protection tools all reduce the weight that rests on human judgement.
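As an added example of the "email filtering" side of this, written for this article and not part of any product or of the original text, the script below runs a few sender checks that catch exactly the tricks the earlier sections describe: a real executive's name on the wrong address, a lookalike domain such as examp1e.com, replies quietly routed to a third domain, and an exact-domain spoof that failed DMARC at the gateway. The domain example.com, the executive list, and the three messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organisation's own domain and the public
# names of its leadership (the kind of detail an attacker scrapes from the
# company website or LinkedIn).
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Substitutions commonly used to build lookalike domains, folded before comparing.
_FOLD = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def fold(domain: str) -> str:
    """Normalise visually confusable sequences so examp1e.com folds to example.com."""
    d = domain.lower()
    for bad, good in _FOLD:
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; one insertion, deletion or substitution counts 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str) -> bool:
    """True for a domain that is not ours but folds to, or sits one edit from, ours."""
    if not domain or domain == INTERNAL_DOMAIN:
        return False
    folded, ours = fold(domain), fold(INTERNAL_DOMAIN)
    return folded == ours or edit_distance(folded, ours) <= 1


def analyse(raw_message: str) -> list[str]:
    """Return the impersonation indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    # 1. A familiar executive name on an address that is not that executive's.
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        findings.append("display-name impersonation")
    # 2. A sender domain that imitates ours. Note this still passes DMARC when the
    #    attacker owns the lookalike domain, so DMARC alone does not catch it.
    if is_lookalike(from_domain):
        findings.append("lookalike sender domain")
    # 3. Replies silently routed to a third domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        findings.append("reply-to domain differs from sender")
    # 4. An exact-domain spoof that our own DMARC policy caught at the gateway.
    if re.search(r"\bdmarc=fail\b", msg.get("Authentication-Results", "")):
        findings.append("dmarc fail")
    return findings


# Constructed sample messages (not real traffic).
LOOKALIKE_CEO = "\n".join([
    'From: "Jane Doe" <jane.doe@examp1e.com>',
    "Reply-To: ceo-office@mail-relay.net",
    "Authentication-Results: mx.example.com; dmarc=pass header.from=examp1e.com",
    "Subject: Quick favour before the board call",
    "",
    "Are you at your desk? I need the vendor payment released this morning.",
])
SPOOFED_EXACT = "\n".join([
    'From: "Jane Doe" <jane.doe@example.com>',
    "Authentication-Results: mx.example.com; dmarc=fail (p=reject) header.from=example.com",
    "Subject: Updated payroll details",
    "",
    "Please update the account on file using the attached form.",
])
GENUINE = "\n".join([
    'From: "Jane Doe" <jane.doe@example.com>',
    "Authentication-Results: mx.example.com; dmarc=pass header.from=example.com",
    "Subject: Q3 planning",
    "",
    "Slides are on the shared drive.",
])

if __name__ == "__main__":
    for label, m in [("lookalike", LOOKALIKE_CEO), ("spoof", SPOOFED_EXACT), ("genuine", GENUINE)]:
        print(label, analyse(m))
```

The point worth noticing is the lookalike message: it passes DMARC because the attacker controls examp1e.com, so a filter that trusts authentication results alone would deliver it. The display-name and lookalike checks are what flag it, and they need the organisation's own executive list and domain to work, which is why a generic filter cannot do this for you.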



A Look at Real Phishing Incidents


Phishing remains one of the most common entry points for serious breaches. In 2025, around 36% of security incidents began with a phishing email, with the average cost of these breaches approaching $4.9 million.


In one documented case, a mid-sized U.S. tech company lost over $3 million after employees acted on a spear-phishing email that appeared to come from the CEO. The message referenced real internal activity and used familiar language, which helped it bypass suspicion. The incident led to credential resets, forensic investigations, and long-term reputational impact.


Another survey of security leaders showed that organisations are seeing phishing attempts daily or weekly, with more than half of companies reporting routine exposure to targeted campaigns. 


These outcomes reflect how effective modern phishing has become.



The Future of Phishing Defence


AI is changing the phishing landscape, but the heart of defence remains human. Attackers use AI to craft convincing emails, voice messages, and even deepfake videos that mimic real colleagues, projects, and company culture. Defenders, meanwhile, rely on AI to detect anomalies, block threats, and automate responses.


Attackers succeed if a single user falls for a message, whereas defenders must secure all users across every channel continuously. This imbalance makes traditional training of yearly presentations and quizzes insufficient.


The next generation of phishing defence must combine human awareness with technological support. Employees are a critical line of defence, but they cannot reliably spot messages that look and sound like legitimate communication without realistic training and controls that hold even when a message fools them.


Modern defence requires:


  • Continuous, realistic training with exercises that mirror actual attacks.


  • Evolving simulations that adapt to new tactics and channels.


  • A strong security culture: empowering employees to question, pause before acting, and verify unusual requests through a known channel (a saved phone number or an internal ticket), never through the contact details in the message itself.


  • Technical controls: email filtering, phishing-resistant MFA, and identity protection to catch threats humans may miss.
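To show why "phishing-resistant" MFA belongs on that list rather than any MFA, here is an added example, written for this article and not code from the original or from any vendor, of the origin binding that FIDO2/WebAuthn relies on. It is a simplified model: the relying party example.com, the user alice, and the use of an HMAC key shared with the relying party in place of a real public-key pair are all assumptions made to keep it self-contained. A phishing site at examp1e.com relays the real login challenge unchanged, which is enough to defeat a one-time code, and the example shows the two places where that relay fails with a security key.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

# Assumed relying party (RP) for the example.
RP_ID = "example.com"
RP_ORIGIN = "https://login.example.com"


class Authenticator:
    """Stand-in for a FIDO2 security key: one credential per RP ID, never reused elsewhere.
    Simplification: an HMAC key shared with the RP replaces the real public-key pair."""

    def __init__(self):
        self._keys = {}

    def make_credential(self, rp_id: str) -> bytes:
        self._keys[rp_id] = secrets.token_bytes(32)
        return self._keys[rp_id]

    def get_assertion(self, rp_id: str, client_data: bytes):
        key = self._keys.get(rp_id)
        return None if key is None else hmac.new(key, client_data, hashlib.sha256).digest()


def browser_get_assertion(auth, page_origin, rp_id, challenge, enforce_rp_id=True):
    """What the browser does for navigator.credentials.get(): it, not the page,
    records the page origin in the client data that the authenticator signs over."""
    host = urlparse(page_origin).hostname or ""
    if enforce_rp_id and not (host == rp_id or host.endswith("." + rp_id)):
        return None  # browser refuses: examp1e.com may not use RP ID example.com
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True,
    ).encode()
    sig = auth.get_assertion(rp_id, client_data)
    return None if sig is None else (client_data, sig)


class RelyingParty:
    def __init__(self):
        self._creds = {}
        self._challenges = set()

    def register(self, user: str, key: bytes):
        self._creds[user] = key

    def new_challenge(self) -> str:
        c = secrets.token_hex(16)
        self._challenges.add(c)
        return c

    def verify(self, user: str, assertion) -> bool:
        if assertion is None:
            return False
        client_data, sig = assertion
        data = json.loads(client_data)
        # Origin check: a signature produced on a phishing page carries that page's
        # origin, so even a perfectly relayed challenge fails here.
        if data.get("origin") != RP_ORIGIN:
            return False
        if data.get("challenge") not in self._challenges:
            return False  # unknown or already-used challenge
        self._challenges.discard(data["challenge"])
        expected = hmac.new(self._creds[user], client_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def login_attempt(page_origin: str, browser_enforces_rp_id: bool = True) -> bool:
    """One full ceremony with the user on page_origin. An adversary-in-the-middle
    phishing site relays the RP's real challenge unchanged; returns whether the RP accepts."""
    auth, rp = Authenticator(), RelyingParty()
    rp.register("alice", auth.make_credential(RP_ID))
    challenge = rp.new_challenge()
    assertion = browser_get_assertion(auth, page_origin, RP_ID, challenge, browser_enforces_rp_id)
    return rp.verify("alice", assertion)


if __name__ == "__main__":
    print("genuine site:", login_attempt(RP_ORIGIN))
    print("phishing site:", login_attempt("https://examp1e.com"))
    print("phishing site, lax browser:", login_attempt("https://examp1e.com", False))
```

Two layers do the work. The browser refuses to use the example.com credential from a page on examp1e.com at all, and even if something on the client did sign, the relying party rejects the assertion because the signed origin is the phishing site's. A six-digit code has neither property: it carries no origin, so the same relay lands the attacker a valid session. That difference, not the presence of a second factor, is what "phishing-resistant" means.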


In short, defending against phishing today is a partnership between humans and technology. AI has made attacks more sophisticated, but by combining awareness, practice, and technical support, organisations can tilt the balance back in their favour.



Conclusion


Most employees will fail the next phishing test because AI has made phishing more targeted and contextual. Traditional training that focuses on obvious mistakes is insufficient. Effective defence relies on continuous, realistic training, strong technical controls, and empowering employees to pause and verify requests before acting. 





At Cyberkach, we focus on making cybersecurity straightforward, practical, and actionable. Stay ahead of the latest phishing scams, AI-driven threats, and protective strategies by subscribing to the Cyberkach blog or joining our newsletter for expert guidance delivered directly to your inbox.