
AI Learning You to Steal From You

Image generated by Midjourney and modified in Affinity Photo

When was the last time you received a phishing email that made you pause and think, “Wait, how did they know that?” If you haven’t experienced it yet, you likely will soon. According to a recent External Threat Intelligence report, 67.4% of all phishing attacks in 2024 utilized some form of AI, and the trend is accelerating rapidly into 2025.

As I dive deeper into the chapter on social engineering for my upcoming book on personal cybersecurity, I’m struck by how deeply AI has transformed the phishing landscape. Gone are the days when typos and broken English were reliable red flags. Today’s AI-powered phishing attacks are so sophisticated that even cybersecurity professionals are falling victim.

The AI Advantage: Why These Attacks Hit Differently

The numbers tell a sobering story. Recent research by Hoxhunt shows that in November 2024, AI was 10% less effective than human red teams at creating phishing campaigns. By March 2025, AI was 24% more effective than humans, demonstrating the rapid evolution of these tools. But what makes AI phishing so dangerous?

Hyper-Personalization That Feels Eerily Real

AI can scrape your public data from social media, LinkedIn profiles, data breaches, and even your recent online purchases to craft messages tailored specifically to you. Imagine receiving an email that references your recent work promotion, mentions your colleague by name, and discusses the project you just posted about on LinkedIn—all while impersonating what you think is a trusted source asking you to ‘verify’ your credentials.

(This has happened to me.)

Flawless Communication

According to SlashNext, since the fourth quarter of 2022 (which was around when ChatGPT entered the scene), there’s been a 1,265% increase in malicious phishing emails. Large language models can now generate impeccable, human-like writing with perfect grammar, proper formatting, and the exact tone you’d expect from your boss, bank, or favorite online retailer.

The Multi-Channel Assault

It’s not just email anymore. According to a 2024 Threat Report by Proofpoint, following an initial phishing email, Microsoft Teams was the most common second entry point (30.8%), while Slack was the second most common follow-up point (19.2%). Attackers orchestrate campaigns across platforms, reinforcing their legitimacy with each touch point.

Real-Time Deepfake Conversations

Perhaps most chilling are AI-powered voice and video attacks. In 2024, a multinational finance company fell victim to a deepfake scam where attackers used a manipulated video conference call, resulting in a $25 million loss. Recent research from Starling Bank shows that 28% of UK adults think they were targeted by an AI voice-cloning scam in the year to August 2024.

Scale and Automation

AI enables cybercriminals to generate millions of unique, targeted phishing campaigns in minutes. Each message can be dynamically adjusted based on real-time feedback—what users clicked, opened, or replied to—creating a constantly evolving threat landscape.

Staying Safe in the Age of AI Phishing

As these attacks become more sophisticated, our defenses must evolve too. Here are two actionable steps you can implement immediately:

1. Implement Multi-Factor Verification for All Requests

Never trust urgent requests for sensitive information or financial actions, even if they seem to come from trusted sources. Create verification protocols with your family and workplace:

    • Establish a secret phrase or code word for family emergency calls
    • Require callback verification to a known number for any financial requests
    • Use out-of-band verification (different communication channel) for sensitive requests

2. Trust Your Gut and Slow Down

The added benefit of verification techniques is that they give you a minute to step back, breathe, and engage in some critical thinking. Many scams of this nature rely on panic and keeping you in your lower brain. When something feels off—even slightly—trust that instinct. Take a moment to verify independently before taking action.

Human Awareness and Instincts are More Important than Just Tactics

Companies combining human-centric resilience with AI defenses have 65-85% lower phishing incident rates. Human-centric defenses include:

  1. Security awareness training: Teaching people to recognize threats rather than just relying on technology
  2. Building a security-conscious culture: Where verification and skepticism become natural behaviors
  3. Empowerment over punishment: Making employees feel comfortable reporting suspicious activity without fear of blame
  4. Behavioral change: Moving beyond just “don’t click bad links” to teaching critical thinking and verification habits
  5. Human decision-making: Recognizing that people, not just technology, are part of the security solution

The future of cybersecurity isn’t just about better technology—it’s about building a security-aware culture where vigilance becomes second nature.

As I continue working on my book, one thing becomes increasingly clear: in the age of AI-powered deception, our humanity—our ability to pause, question, and verify—remains our strongest defense.

Have You Been Hit by AI Phishing?

What’s your top cybersecurity worry as AI continues to evolve? Have you encountered any suspicious communications that made you question their authenticity? Let me know in the comments below—your experience could help protect others.
