Let's cut through the noise about AI-powered phishing attacks.
Despite the growing number of headlines around AI-enhanced phishing attacks, the reality is more nuanced – and perhaps more interesting than you might think.
To get a full breakdown of 2025's key phishing insights and benchmarks, you can deep-dive into our Phishing Trends Report - packed with original Hoxhunt data.
The current state of AI phishing detection
Our Phishing Trends Report analyzed data collected from millions of real reported malicious emails, sent to 2.5 million users across 131+ countries.
We found that of 386,000 malicious phishing emails, only a tiny fraction – between 0.7% and 4.7% – were actually crafted by artificial intelligence.
We've also seen an increase in the overall volume of phishing emails.
So although we may not have seen staggering numbers of completely AI-generated emails, AI may still be playing a role in lowering the threshold to start phishing operations.
And some campaigns are likely being improved by AI, rather than crafted by AI entirely (which is near impossible to track).
Despite all the hype around AI-generated phishing attacks, traditional human-created phishing attempts still dominate the cyber threat landscape.
But this may not continue to be the case...
The numbers tell us something crucial: while AI-generated phishing emails might be relatively rare in employee inboxes today, they represent a rapidly evolving threat that's getting smarter by the day.
What we're seeing today may well be the calm before the storm.
These sophisticated attacks are constantly testing and probing our defenses, looking for new ways to bypass email security measures.

Understanding the threat evolution
Remember the QR code phishing surge of 2023?
That's a perfect example of how quickly the threat landscape can shift.
In just six months, these attacks went from being barely noticeable to extremely pervasive.
QR code attacks used to represent just a handful of attacks each year, and then suddenly accounted for over 20% of all campaigns!
What makes AI-powered phishing particularly concerning is its ability to scale sophisticated cyber attacks.
Traditional phishing attacks required careful crafting by skilled attackers, limiting their scope.
But throwing AI into the mix changes this equation dramatically.
Attackers can now generate thousands of highly personalized, contextually aware malicious phishing emails in seconds.
The dark reality of AI-driven phishing
Here's where it gets interesting (and a bit scary).
Modern AI-enhanced phishing attacks aren't just about sending emails.
They're orchestrating multi-channel attacks that combine:
- Email communications that perfectly mimic your organization's tone and style
- Voice synthesis that can clone your CEO's voice for follow-up phone calls
- Video manipulation creating convincing deepfake meetings
- Real-time chat responses
This multi-pronged approach makes traditional security measures increasingly outdated.
When an attacker can seamlessly switch between email, voice, and video while maintaining a consistent impersonation, even trained employees can be fooled.
AI-powered social engineering attacks
The shift from traditional phishing to AI-driven phishing exploits marks a new era of cyber threats.
Attackers are now using advanced language models to craft convincing phishing messages that bypass traditional security measures with alarming accuracy.
These personalized phishing attacks leverage AI's ability to analyze user behavior and digital communication patterns to create highly targeted spear phishing attacks.
What makes AI-powered social engineering so dangerous?
- Vast amounts of data scraping: Attackers use AI to pull information from social media, corporate websites, and public records to create credible, trust-building narratives.
- Automation capabilities: AI enables cybercriminals to generate thousands of personalized phishing emails within seconds.
- Multi-channel deception: Beyond emails, AI now facilitates deepfake video and voice cloning, enabling attackers to impersonate executives, colleagues, and vendors.
Why traditional phishing still dominates (for now)
The cybercrime ecosystem operates like any other market – it's driven by ROI.
Currently, traditional phishing kits remain popular because they're:
- Cheap to acquire
- Easy to deploy
- Proven effective
- Low risk for attackers
But this economic model is shifting.
As AI tools become more accessible and their success rates improve, we're likely to see an evolution in the landscape of phishing attacks.
It's not a matter of if AI-enhanced phishing will become dominant... but when.
Make no mistake: the sophistication of AI-driven phishing campaigns is already remarkable.
These systems can automatically gather intelligence about their targets by scraping:
- Professional networks to understand organizational structures
- Social media to identify relationships and communication patterns
- Corporate websites to mimic official communication styles
- Public records to add convincing personal details
This means that anyone, anywhere, can appear to be anyone else, anywhere else.
Technical knowledge is no longer a requirement to become a cybercriminal.
The AI security arms race
What makes modern AI-driven phishing attacks particularly dangerous is their ability to automate what was once a labor-intensive process.
But AI isn't just a tool for attackers...
It's also a critical defense mechanism for cybersecurity professionals.
As threat actors leverage advanced language models to create increasingly convincing phishing campaigns, security teams are countering with AI-enhanced cybersecurity tools and sophisticated detection systems of their own.
"Generative AI has raised the danger of phishing attacks, but it's also raised the level of phishing training, too. Our research proves that good training protects against evil AI." - Pyry Åvist (CTO & Co-Founder at Hoxhunt)
The human element is still essential
Despite the rise of AI-enhanced phishing threats, the human element remains crucial.
The key to effective security awareness training isn't just about spotting threats...
It's about building a culture of vigilance where employees feel empowered to report suspicious emails and activities.
This culture of vigilance becomes increasingly important as threat actors ramp up their usage of AI-driven phishing attacks.
Traditional security protocols and conventional detection systems alone aren't enough to protect against advanced tactics.
Organizations need to foster an environment where:
- Employees understand the evolving threat landscape
- Security awareness becomes part of daily business activities
- Reporting suspicious activities is encouraged and valued
- Continuous learning and adaptation are prioritized
Advanced defense strategies for organizations
To ensure defenses are keeping up with the evolution of artificial intelligence, security strategies must evolve beyond traditional spam filters and static detection methods.
Successful protection against AI-driven phishing threats requires...
Proactive defense strategies
Organizations need to implement cutting-edge security solutions that can anticipate and prevent attacks before they reach employees.
This includes advanced AI tools that can:
- Detect and block AI-generated phishing templates
- Identify suspicious patterns in email content
- Monitor for unusual user interactions
- Flag potential social engineering attempts
Continuous training evolution
The future of phishing training lies in its ability to adapt and evolve alongside emerging cyber threats.
Here's what organizations need to be doing:
- Regular training programs that reflect current threat patterns
- Simulation exercises incorporating advanced language generation technologies
- Real-time feedback and assessment of user actions
- Integration of deepfake attack training
Infographic: 2025 phishing stats
Phishing in 2025 is more advanced and dangerous than ever.
Cybercriminals are increasingly targeting organizations over individuals, using sophisticated tactics like realistic fake emails, malicious attachments, and AI-generated phishing attempts.
Traditional security filters struggle to keep up, allowing many threats to slip through.
However, with the right training and awareness, employees can become your strongest defense against these evolving cyber threats.
And although AI-driven phishing attacks still only account for a small percentage of threats, this won't be the case for much longer.
"In the near future, AI will power significantly more phishing attacks - everything from text-based impersonations to deepfake communications will become cheaper, more convincing, and more popular with threat actors." – Mika Aalto (co-Founder and CEO at Hoxhunt)

What will the future of phishing defense look like?
The landscape of phishing attacks is evolving at an alarming rate, but so are our defensive capabilities.
As we move forward, successful organizations will:
- Embrace AI-based email security solutions
- Implement proactive security strategies
- Maintain constant vigilance through continuous training
- Foster a culture where security awareness is everyone's responsibility
By integrating these insights into employee training programs, organizations can better prepare for the next generation of AI-driven phishing threats.
The future of cybersecurity isn't just about having the right tools...
It's about creating an environment where security awareness becomes second nature to every employee.
How we approach human cyber risk at Hoxhunt
We know that AI-enabled phishing attacks and increasingly sophisticated phishing tactics are evolving at an alarming rate.
Cybercriminals are leveraging generative AI tools to craft convincing phishing emails, deepfake videos, and voice synthesis with an unprecedented degree of accuracy.
Traditional security measures alone are no longer enough to combat the rapid advancements in social engineering strategies.
That's why Hoxhunt combines AI and behavioral science to create individualized security awareness and phishing training that employees genuinely enjoy.
Hoxhunt helps security leaders and employees join forces to prevent data breaches by...
Personalizing phishing training at scale
Create unique risk profiles for every employee based on role, location, and past training performance.
Maximizing learning with gamification
Reward-based training backed up by behavioral science - employees earn stars and badges for unique achievements and compete on an internal leaderboard.
Generating compliance-ready content in minutes
Respond to recent cyber threats and emerging trends with quick, relevant training from a vast library of readily available content.
Showcasing your results with powerful dashboards
Follow how your employees improve in reporting, missing, and clicking on simulations and compare how you stack up to organizations in your industry.
Key takeaways: AI phishing attacks
- AI-generated phishing is evolving: While still a small percentage of attacks, AI-driven phishing is becoming more sophisticated and scalable.
- Technology alone isn’t enough: The best defense is a combination of AI-powered security tools and well-trained employees.
- Building a resilient security culture is critical: Organizations that invest in ongoing phishing awareness and training will be better prepared for emerging threats.
- The threat landscape is changing fast: Cybercriminals are constantly adapting, and businesses must stay ahead with proactive defenses.
- The time to prepare is now: Tomorrow’s threats are already here - organizations must act now to stay secure.