Phishing in the Age of AI: How Attacks Got Better and How Defense Must Respond

Traditional phishing awareness training teaches people to look for spelling errors, generic salutations, and suspicious domains. AI has made all three of those detection signals unreliable.

How AI Changed Phishing

Scale and personalization: LLMs can generate thousands of highly personalized phishing emails from scraped LinkedIn and company website data. What previously required a skilled social engineer for a high-value target can now be applied at scale.

Voice cloning: AI-generated voice calls that convincingly impersonate executives (“Hi, this is [CEO name], I need you to process an urgent wire transfer…”) are being used in business email compromise attacks.

Convincing pretexts: Sophisticated attacks now use accurate organizational context — real colleague names, accurate project names, plausible scenarios — sourced from company communications and social media.

What Modern Defense Requires

FIDO2/WebAuthn everywhere: The only phishing-resistant MFA. Time-based OTP codes and SMS can be real-time relayed by a man-in-the-middle; FIDO2 keys can’t be. Deploying FIDO2 for all employees eliminates credential theft as a phishing outcome.

Email authentication (DMARC/DKIM/SPF) with strict policy: These don’t prevent phishing from lookalike domains, but they prevent attackers from directly spoofing your domain. Start with monitoring mode, then move to p=reject.

Behavioral training over awareness posters: Training that simulates real attacks and provides immediate feedback dramatically outperforms annual security awareness presentations. Organizations running regular phishing simulations maintain meaningfully lower click rates.