AI-Powered Phishing
Module 2 · Section 3 of 7
This is the highest-volume attack category. The model is straightforward: AI has dramatically reduced the cost and skill barrier for producing convincing, personalised social engineering.
Before 2022, a sophisticated phishing email targeting a specific organisation required research, skilled writing, and time. The same email today takes five minutes and costs almost nothing. The AI can write in any language, match any communication style, and incorporate specific contextual details — your manager’s name, a project you are working on, a recent company announcement — scraped from public sources.
The practical result: 93% of sophisticated phishing attempts now bypass traditional email security filters, according to Obsidian Security research. The grammar errors and generic greetings that those filters were tuned to catch are gone. Researchers found that 78% of people open AI-generated phishing emails, and 21% click on malicious content inside them — even people who knew they were participating in a phishing test.
The new red flags (since grammar is no longer one):
- Artificial urgency. “Wire transfer needed within the hour.” “Your account will be suspended unless you verify immediately.” Urgency is manufactured to prevent you from verifying through a separate channel.
- Requests that bypass normal process. Any financial request, password reset, or system access grant that comes via a route that skips your organisation’s normal approval process.
- Too perfect. An email from a supplier that reads more like a marketing document than how that person actually writes. Attackers calibrate to impressive rather than authentic.
- Pressure to use a specific channel. “Don’t call — just respond here.” This prevents you from using a known good contact method.