It’s no secret that cybercriminals use AI to craft high quality phishing emails, making traditional awareness training less effective. How can organizations adapt to these threats?
What are the Changing Phishing Threats?
Today, attackers hit inboxes from all fonts. They abuse trusted services to send phishing emails and host phishing sites on trusted domains. They use QR codes and hybrid vishing attacks to lure users into less secure environments. And they increasingly harness the power of AI to do these things better, faster, and at scale.
The 2025 Fortra State of Cybersecurity Survey Results states that 83% of respondents highlighted “Phishing/Vishing” as a top concern for 2025, more than any other single security factor, including malware, social engineering, and accidental data loss. This is largely because phishing tactics contain all of these threats rolled into one, and with the rise of AI-based practices, these email-based attacks are more advanced than ever.
Here are a few ways.
AI Vishing
As recently covered in USA Today, scammers are leveraging AI voice changers (the stuff of James Bond movies) to imitate people’s voice and steal money in real life: “This new AI-cloning development will take scams to an entirely new level, making it harder for consumers to spot fraudulent robocalls and texts.” Sometimes threat actors use spoofed phone numbers and real names to make the call look like the real thing. Using less than a 30-second voice clip (scraped off of social media or even your voicemail), attackers can “[use] AI to make it sound like celebrities, elected officials, or even your own friends and family are calling.”
How does this relate to phishing? Because a vishing call is a phishing call. And if you need a stronger email connection, scammers use emails containing vishing phone numbers (and a bit of convincing wordplay) to slip past email scans looking for malicious links and attachments. To level up your email defenses to catch AI-based phishing scams, try Fortra’s Integrated Cloud Email Security (ICES) solution. According to Mobile ID World reports that, AI-driven vishing attacks increased by a phenomenal 442% in 2024.
AI Smishing
Smishing, or “SMS phishing” is when an attacker sends you a compromised text message, hoping to fool you into clicking a link or engaging with a real-live scammer on the other end. And yes, AI has had a hand in making this worse, too. It’s easy enough to send a convincing text; after all, there’s no audio or video to imitate. Today’s cybercriminals are taking smishing to the next level by using AI to scrape social media for personal details and, with enough data, even mimic a target’s writing style — making their scams more personalized and convincing than ever
AI Spear Phishing
Continuing with the theme of complete customization, phishing emails can mimic the same techniques of personalization, tone replication, and style imitation that SMS-based texts can. In spear phishing, attackers can spend weeks researching a target—often an executive—online, crafting a highly convincing attack that’s made even more effective with the power of AI. As the Association of Certified Fraud Examiners explains in response to the question, “What does a spear phishing attempt look like in 2025?”: “The attempt will come from a source that does not seem out of place. The attacker will have done their research, whether alone or with the help of AI, and know what the victim wants or needs.”
A 2024 study on the effectiveness of Large Language Models in spear phishing attacks confirmed that, with a “custom-built tool that automates the entire spear phishing process,” AI was able to gather personal information on targets that was useful in 88% of cases, and that AI-automated spear phishing attacks performed “on par with human experts and 350% better than the control group.” The conclusion? AI can increase the profitability of spear phishing campaigns by up to 50 times for large audiences.
Old SAT: No Match for New Phishing Ploys
These three examples are just the tip of the iceberg; we even touched on how AI is being used in brand impersonation attempts (creating picture-perfect logos and deepfake videos), or to enhance QR code scams. Both of these can bypass traditional email scans and land right in users’ inboxes (unless proper defense are in place). Even without these additional proofs, the point is clear: Users soon will face these AI-crafted phishing ploys, and a basic security awareness training video from 2012 will not do.
Enter: Fortra Security Awareness Training (SAT) with new AI-generated phishing tactics in mind.
Catch that Phish with Fortra Security Awareness Training
Fortra Security Awareness Training prepares users for this next generation of phishing threats. AI is changing the landscape, and Fortra SAT changes with it. Even with advanced, multi-layer email security solutions like SEGs and ICES, it's highly likely that users will encounter an AI-crafted phishing message at some point in their workday or personal life.
Discover how Fortra Security Awareness Training can help your organization’s employees prepare for new, AI-empowered phishing tactics, read Phishing Awareness Training: Beyond the Basics.