Why 2026 could be another great year for phishing

February 5, 2026

Sam Adams, Security Engineer, ANSecurity, tells SJUK the reason phishing remains a leading cybersecurity threat is simple: it works, it adapts and AI is making it harder than ever to stop.

The gift that keeps on giving – phishing

In cyber-crime, the basics work. There are a number of trends which never seem to go away and it’s not hard to see why.

For cyber-criminals, those basics work and keep working – over and over again. Because of that basic principle, phishing is perhaps the cyber-criminals’ best and most trusted tactic.

It’s simple, it’s cheap and it works – why fix what isn’t broken?

Endless adaption

Anti-phishing efforts have seen millions in budget and work hours poured into training employees and the general public about how to spot phishing emails.

That has doubtlessly done much to defend against phishing, but not enough to stop it working or evolving.

Take, for example, the rise of mishing – or mobile-phishing – in which the mobile device becomes the core element in the phishing attack.

Many have now been trained to spot what a phishing email looks like; comparatively fewer expect one on a mobile device and are thus far more susceptible to phishing attempts through this medium.

Mishing itself takes multiple forms, including smishing, which sends malicious messages as SMS texts, which recipients have been proven to be less suspicious of and more likely to fall for.

Verizon’s 2024 Mobile Security Index shows that 80% of phishing attempts now target mobile devices.

Furthermore, people are apparently 6-10 times more likely to fall for a smishing message, resulting in a higher conversion rate from targets to victims.

Quishing has also arisen as a form of abusing the ubiquity of QR codes in the ‘real’ world.

As we go around scanning these codes to read menus, access offers or peruse information, we do so without suspicion.

Attackers have sensed an opportunity here and now litter physical environments with QR codes that promise some kind of benefit but conceal a malicious link.

AI evolution

Much as with the mobile device, as certain technologies have improved and become more widespread, cyber-criminals have turned them to their own advantage.

AI is already becoming a platform to revolutionise phishing.

The value of AI to phishing is two-fold. First is the access attackers now have to sophisticated technology which can effectively impersonate – whether through video, voice or text – real people.

The second – and similarly dangerous – is the way they can scale their campaigns with ease and at low cost.

Phishing campaigns often rely on casting a wide net to get as many people as possible to click through to malicious URLs.

Publicly available generative AI tools help those campaigns automate and scale those efforts, while also making them more convincing.

Data from KnowBe4 shows that as of the beginning of 2025, 82% of phishing emails now use some form of AI.

Another report – from the Harvard Kennedy School of Public Policy – tried to assess the efficacy of AI in phishing in a controlled study.

They found that phishing emails written with the help of AI tools had a click-through rate of 54% compared to a 12% click-through rate for human-written phishing emails.

On top of that, thousands of these messages can be generated and sent in minutes, with individual variations between each message’s phrasing to appear more convincing and circumvent signature-based email filters.

AI tools can be further employed to evaluate the success of each campaign and highlight the tactics and messages that worked and those that didn’t, allowing the fraudsters to improve and iterate upon previous wins by employing polymorphic strategies.
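To see from the defender's side why per-message rewording gets past exact signatures, and how near-duplicate grouping can still tie the variants together, here is an added example that is not from the article. The sample messages are constructed, and the function names, the two-word shingle size and the 0.5 threshold are assumptions chosen for illustration.

```python
import hashlib
import re

# Constructed sample bodies: three rewordings of one lure plus one unrelated message.
SAMPLE = [
    "Your mailbox is almost full. Sign in to the portal today to keep receiving mail.",
    "Your mailbox is nearly full. Sign in to the portal now to keep receiving mail.",
    "Hi, your mailbox is almost full. Please sign in to the portal today to keep receiving mail.",
    "Minutes from the Tuesday facilities meeting are attached; the car park closes on Friday.",
]

def normalise(body):
    """Lower-case the text and collapse anything that is not a letter or digit to one space."""
    return re.sub(r"[^a-z0-9]+", " ", body.lower()).strip()

def exact_signature(body):
    """Signature-style match key: SHA-256 of the normalised body."""
    return hashlib.sha256(normalise(body).encode()).hexdigest()

def shingles(body, k=2):
    """Set of overlapping k-word sequences (a body shorter than k words is one shingle)."""
    words = normalise(body).split()
    return {" ".join(words[i:i + k]) for i in range(max(len(words) - k + 1, 1))}

def jaccard(a, b):
    """Shared shingles divided by all shingles seen in either message."""
    return len(a & b) / len(a | b) if (a | b) else 0.0

def cluster(messages, threshold=0.5):
    """Greedy grouping: a message joins the first cluster whose seed it resembles."""
    clusters = []  # each entry: (seed shingle set, list of message indices)
    for index, body in enumerate(messages):
        current = shingles(body)
        for seed, members in clusters:
            if jaccard(seed, current) >= threshold:
                members.append(index)
                break
        else:
            clusters.append((current, [index]))
    return [members for _, members in clusters]

if __name__ == "__main__":
    print("distinct exact signatures:", len({exact_signature(m) for m in SAMPLE}))
    print("near-duplicate clusters:", cluster(SAMPLE))
```

Every message hashes to a different signature, so a blocklist built from the first variant misses the rest, while the shingle comparison places the three rewordings in one cluster and leaves the unrelated message alone.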

Beyond the inbox

AI tools are also evolving phishing’s capabilities beyond email and mobile.

Deepfakes, for example, are cheaper and easier to produce than ever, and a sufficiently resourced attacker can now impersonate, through still images or recorded and live video, anyone they have enough data about.

This has been particularly important for a category of phishing known as whaling – or spear phishing – in which an important person within an organisation is impersonated in order to con their colleagues and employees into making decisions within the company.

It might sound outlandish but documented cases of this abound in only the last few years.

In 2021, cyber-criminals cloned the voice of a company director and then used it to successfully trick a UAE-based bank into transferring $35 million into their accounts.

In 2024, Hong Kong police reported that an employee at multinational engineering firm, Arup, had been conned into transferring $25 million to fraudsters who used a live video call to impersonate the company’s Chief Financial Officer (CFO) and other colleagues whom the employee recognised.

The next year, the US Federal Bureau of Investigation published multiple advisories stating that fraudsters were now actively using this technology to impersonate US public officials.

Indeed, deepfake and AI-based video and voice phishing has exploded in the last few years.

CrowdStrike’s 2025 Global Threat Report, for example, reports that vishing has risen by 442% in the last year.

Meanwhile Deloitte’s Center for Financial Services predicts that deepfake-related fraud could cost the US economy $40 billion by 2027.

The risk is present for both individual firms and consumers, but potentially for the larger discipline of security too.

In 2024, Gartner predicted that deepfakes were getting so good at outwitting biometric identity verification solutions that a third of enterprises would no longer consider those solutions reliable.

Phishing may always be with us. It’s a simple, cheap and startlingly effective way to exploit human foibles, and punch a hole in any organisation an attacker wants to compromise.

Furthermore, while it is classically an email-based strategy, it is still simple enough to be adapted to anywhere humans receive messages or desire information.

The introduction of AI in the last few years appears to have unleashed new potential for phishing tactics.

That might sound daunting, but organisations need to understand that the basics often work in cyber-crime because so many do the basics badly in cyber-defence.

In 2026, organisations need to reinforce their security controls and think about where their fundamental gaps linger, while adapting to the new challenges AI-enabled phishing brings.
