Attackers Personalize Phishing – How About Your Training?

Updated: June 30, 2026
Written by: Erica Martin

Attackers personalize phishing by mining the personal data people leave online, then tailoring lures that look believable to a specific target. To defend against this, training itself has to be personalized, so employees practice spotting tailored attacks that reference their real role, relationships, and habits rather than generic templates.

Editor's note: this article was originally published in 2020. The principle that attackers personalize phishing holds, and the threat has intensified as AI now automates that personalization at scale. The 2026 data points below reflect the current picture.

This article walks through the kinds of personal data corporations track every day, the same data that ends up in the wrong hands and powers a highly personalized attack. Realistic phishing simulation training that references an employee’s real role and relationships is how teams learn to spot these tailored lures.

Why haven't you included personalization in phishing training before?

One reason may be that it was too time-consuming to personalize phishing attacks for each of your employees. If your security awareness program is organized manually with templates, for example, personalization may be something you forgo to reduce the time your team spends developing a campaign. However, personalization in training can make a big impact on learning.

In a previous article, we discuss ways to automate each step of your security awareness program to save your security team's resources. By increasing the level of automation in your security awareness program, you will be able to deliver personalized training for employees without needing additional staff and resources.

Employees also may not like the idea that their personal details would be used in phishing training, and there could be some pushback. This may be the reason why your company has not implemented personalization in training in the past. However, personalization in phishing training needs to become normalized.

Attackers are going to personalize attacks

Attackers are going to personalize attacks when they target a specific group of people, and training is the best environment to learn how hackers may target you and what to look out for.

Good ways to include personalization in training include referencing a co-worker's name or an employee's boss, or including information about the employee's main job responsibilities (fake invoices to the Accounts Payable department). Personalization tactics in phishing training do not need to be as detailed as the examples highlighted in this post to be effective in educating employees about the risks, but it is good to know what data is out there and that it could be used against you in a real attack.

This personalization is no longer a slow, manual effort. AI now lets attackers scale believable, tailored lures at volume. Hoxhunt’s 2026 data shows AI-generated phishing surged roughly 14× at the end of 2025, climbing from under 5% to 56% of detected attacks in a single month, and AI-generated campaigns now make up roughly half of all reported attacks (Hoxhunt Phishing Trends Report 2026). That is why training has to prepare employees for personalized attacks rather than generic templates.

Personalization is normal everywhere else, so why not in phishing training?

Corporate surveillance and corporate consumer data collection are all around us and companies use that data primarily to personalize advertising and deliver more relevant content for their customers and users.

Where there is a gold mine of data, attackers are not far behind

There are some protections in place for users to have better control of what companies can do with their data, such as GDPR in Europe. However, the rules behind corporate data collection, use, and sale vary significantly across the world, which is why your personal data could end up in the wrong hands.

Do you know what personal information is tracked online?

It's probably no surprise that giants like Amazon, Google, and Facebook collect a significant amount of personal data from their users. Does knowing this stop you from using them? Likely not. If any of these corporations or their partners have a data breach, the data collected could be used against you in a personalized attack.

Gizmodo tech reporter Kashmir Hill tried to cut the big 5 tech giants (Amazon, Microsoft, Google, Facebook, and Apple) out of her life for 6 weeks in January of 2019. She describes the massive disruption to her usual routine and how connected we all are to these large data-collecting firms in our daily lives.

Digital tracking and profiling, in combination with personalization, are used not only to monitor but also to influence people's behavior. The charts below show data visualized by Cracked Labs and highlight some of the data points that can be tracked from our use of Facebook, our phone records, and our typing patterns. This type of information could be accessed by hackers and used in a phishing attack that tries to influence our behavior by using personal details about our lives.

Recognizing emotions from the rhythm of keyboard typing patterns. Source: Cracked Labs 2017

Predicting personal attributes from Facebook likes. Source: Cracked Labs 2017

Predicting character traits from phone call records and app usage. Source: Cracked Labs 2017

Personalized training at scale is exactly what a modern program delivers. Copart in the US ran 963 unique simulation variants across 202,992 completed simulations and doubled its reporting rate from 24% to over 50% (Copart, CSO Award). In Europe, Ramboll has run over 100,000 simulations across 17,000 employees in 35 countries. That breadth lets training mirror the tailored, AI-built attacks employees now actually receive.
