What You Need to Know About AI Phishing

Most of us have learned to spot phishing: generic greetings, awkward phrasing, a vague sense something is "off." For years, those instincts were enough.

That has changed. Attackers now use AI to craft messages that are grammatically flawless, personally relevant, and tailored to the individual recipient. AI-generated content makes up more than 82% of phishing emails today, and AI-assisted attacks achieve click rates up to four times higher than traditional phishing. Unfortunately, this isn’t a futuristic threat to monitor. AI threats are here, they’re real, and they’re happening every day.

What Makes AI Phishing Different

Traditional phishing worked by volume: bad actors blasted out millions of generic emails and hoped a few would land. AI flips that model. Tools can now scrape LinkedIn profiles, company websites, and social media to craft messages that feel like they belong in your inbox, referencing real projects, real colleagues, and real business context. There are no typos. There is just a convincing email asking someone to approve a wire transfer or reset their credentials.

The threat has also expanded beyond email. Voice phishing has surged over the last several years, with attackers using AI voice cloning to impersonate business leaders by phone.

Why Your Current Defenses May Be Falling Short

Most organizations rely on spam filters, endpoint protection, and some security training. Against AI-powered attacks, each faces new pressure. Spam filters look for suspicious patterns, but AI-generated phishing is designed to avoid them. Security training teaches employees to spot bad grammar and generic greetings, but that preparation doesn’t hold up as well against a message that reads just like it came from their manager.

The good news: organizations with consistent, updated training can significantly reduce their susceptibility to these threats.

What Good Defense Looks Like

  • Upgrade to phishing-resistant MFA: Standard MFA can be bypassed. Hardware security keys and phishing-resistant authentication methods are much harder to defeat. These are especially important for leaders, HR administrators, and finance teams.

  • Utilize modern security awareness training platforms: Employees need current examples — AI-generated spear phishing, voice cloning, deepfakes — not years-old scenarios. Behavioral-based training consistently outperforms checkbox compliance. Formal security awareness training platforms keep pace with the evolving threat landscape, keeping your team informed of the latest threats and

  • Verify financial requests out-of-band: Require a phone call, Teams, or Slack message to confirm any financial transaction over a set threshold. This simple policy stops the majority of impersonation attacks that might be headed for your finance team.

  • Implement DMARC, DKIM, and SPF: These email authentication protocols make it significantly harder for attackers to spoof your domain. If they are not in place, that should be a near-term priority.

The Bottom Line

The FBI's 2025 Internet Crime Report documented $893 million in AI-assisted attack losses, and even noted that figure is likely a significant undercount. A single successful attack can result in financial loss, regulatory exposure, and reputational damage that takes years to repair.

The defenses exist and are increasingly accessible even for organizations without large IT teams. The challenge is prioritization. If you want to talk through where your organization stands, we are here to help.
