AI · Phishing · Security Awareness · Social Engineering

The Rise of AI-Powered Phishing: Why Your Awareness Training Needs an Upgrade

Murray Mills
3 min read

The Game Has Changed

For years, we've trained employees to spot phishing emails by looking for telltale signs: poor grammar, suspicious sender addresses, urgent language, and generic greetings. That advice is rapidly becoming obsolete.

AI-powered phishing tools can now generate emails that are:

  • Grammatically perfect, without the obvious spelling mistakes that used to give them away
  • Contextually aware, referencing real projects, colleagues, and events
  • Personally tailored, using information scraped from LinkedIn, company websites, and social media
  • Stylistically matched, mimicking the writing style of specific individuals

What We're Seeing in the Wild

Recent campaigns have demonstrated alarming sophistication:

  • Business Email Compromise (BEC) attacks using AI to replicate a CEO's writing style, complete with their typical sign-off and tone
  • Supply chain phishing that references actual purchase orders and project timelines scraped from publicly available information
  • Multi-stage attacks where initial emails build rapport over days before delivering the payload

The success rates of these campaigns are significantly higher than traditional phishing, with some reports suggesting click-through rates 3-5 times higher than conventional phishing emails.

Why Traditional Training Falls Short

Most security awareness programmes are built around recognising obvious red flags. But when AI eliminates those red flags, employees are left without the tools to identify threats.

The problems with current approaches:

  1. Static training content doesn't evolve with the threat landscape
  2. Annual compliance exercises create a false sense of security
  3. Generic simulations don't reflect the sophistication of real-world attacks
  4. Over-reliance on email indicators rather than behavioural awareness

What Organisations Need to Do

Upgrade Your Training Programme

  • Move from indicator-based to behaviour-based training
  • Teach employees to verify requests through out-of-band channels (phone calls, in-person confirmation) regardless of how legitimate an email appears
  • Run realistic simulations that mirror actual AI-generated phishing campaigns

Strengthen Technical Controls

  • Implement DMARC, DKIM, and SPF properly, as many organisations still haven't
  • Deploy AI-powered email security that can detect AI-generated content
  • Use conditional access policies that limit what can be done via email-initiated actions
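The first of these controls is the one most often left half done: a DMARC record with p=none, or an SPF record ending in +all, is published but protects nothing. The script below is an added example, not code from the article or its author; it parses constructed SPF and DMARC TXT records offline (the example.com domain and reporting address are placeholders, not real infrastructure) and flags the settings that leave a domain spoofable, showing the weak record beside its corrected form. DKIM is deliberately not covered here, because checking it means fetching the selector's public key and verifying signatures on real messages, not reading one TXT record.

```python
"""Flag weak SPF and DMARC settings in DNS TXT records.

Added example (not from the article): it parses constructed record strings
offline instead of querying DNS. The domain and addresses are placeholders.
"""
import re

# Constructed sample records: a weak pair beside a corrected pair.
WEAK_SPF = "v=spf1 include:_spf.example.net a mx +all"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 section 4.6.4 caps these at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _split_term(term):
    """Return (qualifier, name) for an SPF term such as '~all', 'a/24' or 'include:x'."""
    qualifier = term[0] if term[0] in "+-~?" else "+"
    body = term.lstrip("+-~?")
    name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
    return qualifier, name


def spf_lookup_count(txt):
    """Count lookup-causing terms (each counted once; mx and ptr can cost more in practice)."""
    return sum(1 for t in txt.split()[1:] if _split_term(t)[1] in LOOKUP_TERMS)


def spf_findings(txt):
    """List weaknesses in an SPF record; an empty list means nothing was flagged."""
    if not txt.lower().startswith("v=spf1"):
        return ["no SPF record"]
    findings = []
    all_qualifier = None
    for term in txt.split()[1:]:
        qualifier, name = _split_term(term)
        if name == "all":
            all_qualifier = qualifier
        elif name == "ptr":
            findings.append("ptr mechanism is deprecated and slow to evaluate")
    if all_qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("+all: every host on the internet passes SPF for this domain")
    elif all_qualifier == "?":
        findings.append("?all: neutral result, equivalent to no policy")
    elif all_qualifier == "~":
        findings.append("~all: softfail; move to -all once legitimate senders are inventoried")
    if spf_lookup_count(txt) > 10:
        findings.append("more than 10 DNS lookups: receivers return permerror and ignore the record")
    return findings


def parse_dmarc(txt):
    """Parse 'tag=value;' pairs into a dict, or return None if this is not a DMARC record."""
    if not txt.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def dmarc_findings(txt):
    """List weaknesses in a DMARC record; an empty list means nothing was flagged."""
    tags = parse_dmarc(txt)
    if tags is None:
        return ["no DMARC record"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing p= tag: record is invalid")
    elif policy == "none":
        findings.append("p=none: spoofed mail is still delivered; only reports are generated")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once reports show no legitimate failures")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applies to only part of the failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so no visibility of spoofing")
    return findings


if __name__ == "__main__":
    for label, record, check in (("weak SPF", WEAK_SPF, spf_findings),
                                 ("strong SPF", STRONG_SPF, spf_findings),
                                 ("weak DMARC", WEAK_DMARC, dmarc_findings),
                                 ("strong DMARC", STRONG_DMARC, dmarc_findings)):
        print(f"{label}: {check(record) or ['ok']}")
```

Run it against your own records by pasting the TXT strings from `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com` into the constants. A clean result here is a floor, not a ceiling: p=reject only blocks mail that fails authentication, so lookalike domains and compromised legitimate accounts still reach the inbox, which is why the behaviour-based training above matters.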

Build a Security Culture

  • Encourage reporting without blame; employees who report suspicious emails (even false positives) should be praised, not penalised
  • Create a verification culture where confirming unusual requests is normal, not awkward
  • Ensure leadership models the behaviour you want to see

The Bottom Line

The arms race between attackers and defenders has entered the AI era. Organisations that don't adapt their security awareness programmes will find themselves increasingly vulnerable to attacks that their employees simply cannot detect using traditional methods.

The goal isn't to make employees perfect at detecting phishing. It's to build systems and cultures where a single click can't compromise the entire organisation.
