AI Phishing Attacks Now 24% More Effective Than Humans: Here’s How to Fight Back

How Hoxhunt’s research team built and tested agentic AI spear phishing agents and what happened when those AI-generated attacks went head-to-head with elite human red teamers

Show Notes

Eliot Baker sits down with Hoxhunt CTO and Co-founder ⁠Pyry Åvist⁠ to expose what’s actually happening at the front lines of the AI-powered phishing threat. No speculation. Just real research, real data, and real implications for your defense strategy.

Together, they unpack how Hoxhunt’s research team built and tested agentic AI spear phishing agents and what happened when those AI-generated attacks went head-to-head with elite human red teamers. The result? A 24% higher failure rate for AI phishing emails, across 50,000+ real-world simulations. This is more than just a stat. It’s a signal: AI threats are getting smarter, faster than most training programs can adapt.

This episode is both a behind-the-scenes look at the largest AI phishing benchmark ever run and a tactical guide for what to do next.

Here’s what you’ll learn in this episode:

  • How AI spear phishing attacks crossed a key threshold in spring 2025 and why that changes everything
  • Why traditional training templates and static simulations are now a liability
  • What “agentic” AI really means and how it’s enabling scalable, personalized phishing at unprecedented speed
  • The common weaknesses attackers exploit (and how to pressure-test your own workforce against them)
  • How training programs can use AI to fight back, with individualized simulation paths that actually evolve with the threat

Timestamps:

(00:38) Hoxhunt's AI-Powered Approach

(01:13) The Evolution of AI in Phishing

(02:21) AI's Dual Purpose: Good vs. Evil

(04:08) The Rising Cost of Phishing

(05:50) Human vs. AI in Phishing Attacks

(08:45) The Skynet Moment: AI Surpasses Humans

(16:15) The Future of AI in Phishing

(17:55) Conclusion and Final Thoughts

To get future episodes and the latest threats sent straight to your inbox, join the All Things Human Risk Management Newsletter: https://hoxhunt.com/all-things-human-risk

Resources:

Host links:

Eliot Baker: https://www.linkedin.com/in/eliotebaker/

Pyry Åvist: https://www.linkedin.com/in/pyryavist/

Full Conversation Breakdown

In this episode of the All Things Human Risk Management Podcast, Eliot Baker is joined by Pyry Åvist, Hoxhunt CTO and Co-Founder, to explore a milestone that quietly redefined the cyber threat landscape: AI spear phishing agents now outperform elite human red teamers - by 24%.

This isn't theoretical. Drawing from 50,000+ real-world phishing simulations, Pyry walks through how Hoxhunt’s AI benchmark project revealed a seismic shift: agentic AI isn’t just imitating phishing tactics - it’s exceeding human capability at scale, speed, and personalization.

The moment AI outperformed human red teams

A March 2025 research milestone marked the turning point: agentic AI attacks, trained to operate autonomously within constraints, became more effective than those created by expert human adversaries.

“This wasn’t just GPT writing a fake invoice. These agents adapted, iterated, and manipulated based on context and beat the best human-crafted phish.”

The failure of static training in a dynamic threat landscape

Legacy phishing simulations rely on prebuilt templates. But AI doesn’t use templates - it engineers deception in real time, at scale, with context.

“CISOs are still using playbooks from 2018. Meanwhile, AI is sending believable phishes customized to each recipient’s role, tools, and even personality.”

Why checkbox training is no match for agentic attacks

Most security awareness programs still focus on completion rates and click metrics... not behavioral reinforcement or real detection capability.

Pyry explains how these metrics fail to measure true resilience, and how AI-generated attacks exploit exactly that surface-level engagement.

“If your KPIs are ‘less than 5% clicked,’ you’re measuring avoidance - not readiness.”
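As an added illustration of that point (example code written for these notes, not Hoxhunt's own tooling), the Python below scores two constructed simulation programmes that both pass a "less than 5% clicked" KPI. The three-outcome record model (clicked, reported, ignored), the synthetic users and the sample counts are assumptions; the report rate and the list of users who have never reported anything are what a click-only KPI leaves out.

```python
"""Click rate versus report rate on phishing-simulation outcomes.

Added example, not Hoxhunt's code. The three-outcome record model and the
two sample programmes below are constructed to show how a "less than 5%
clicked" KPI hides the difference between users who ignore a lure and users
who detect and report it.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed outcome model: every delivered simulation ends in exactly one state.
CLICKED = "clicked"    # user acted on the lure (failure)
REPORTED = "reported"  # user flagged it to security (detection)
IGNORED = "ignored"    # user did nothing (neither failure nor detection)


@dataclass(frozen=True)
class Outcome:
    user: str
    simulation: str
    result: str


def summarize(outcomes):
    """Return click, report and ignore rates as fractions of deliveries."""
    counts = Counter(o.result for o in outcomes)
    total = len(outcomes)
    if total == 0:
        raise ValueError("no outcomes to summarize")
    return {
        "click_rate": counts[CLICKED] / total,
        "report_rate": counts[REPORTED] / total,
        "ignore_rate": counts[IGNORED] / total,
    }


def meets_click_kpi(outcomes, threshold=0.05):
    """The avoidance KPI the quote criticises: only clicks are counted."""
    return summarize(outcomes)["click_rate"] < threshold


def silent_users(outcomes):
    """Users who never reported a single simulation.

    Under a click-only KPI these users look identical to strong detectors,
    yet they have never demonstrated detection.
    """
    reported_by = defaultdict(bool)
    for o in outcomes:
        reported_by[o.user] = reported_by[o.user] or o.result == REPORTED
    return sorted(user for user, reported in reported_by.items() if not reported)


def build_program(name, clicked, reported, ignored):
    """Constructed sample data: one delivery per synthetic user."""
    records, n = [], 0
    for result, count in ((CLICKED, clicked), (REPORTED, reported), (IGNORED, ignored)):
        for _ in range(count):
            records.append(Outcome(user=f"{name}-u{n:03d}", simulation="sim-001", result=result))
            n += 1
    return records


# Two constructed programmes with the same 4% click rate.
PROGRAM_A = build_program("a", clicked=4, reported=80, ignored=16)   # high detection
PROGRAM_B = build_program("b", clicked=4, reported=10, ignored=86)   # mostly avoidance


if __name__ == "__main__":
    for label, program in (("A", PROGRAM_A), ("B", PROGRAM_B)):
        s = summarize(program)
        print(f"programme {label}: click={s['click_rate']:.0%} report={s['report_rate']:.0%} "
              f"ignore={s['ignore_rate']:.0%} passes_click_kpi={meets_click_kpi(program)} "
              f"silent_users={len(silent_users(program))}")
```

Both programmes pass the click KPI, but programme A has an 80% report rate and 20 users who have never reported, while programme B has a 10% report rate and 90 silent users. Tracking report rate and the silent-user list alongside clicks is what turns an avoidance number into a readiness number.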

Attackers are optimizing for failure - are you?

The benchmark found AI was especially good at generating emails that almost look safe - just enough ambiguity to trigger failure without obvious tells.

These edge-case scenarios are exactly where human training breaks down, and where most simulations fall short.

“Attackers aren’t making noise. They’re making near-misses. And that’s where your people fail.”

Gamification, friction, and engagement: What actually works

One of the surprising takeaways from Hoxhunt’s customer deployments: users were highly engaged - even competitively so - when training included real-time feedback, meaningful friction, and leaderboard visibility.

“The top 100 users had 100% detection but fought for speed. People cared. They wanted to win. That’s when training works.”

Recognition over retribution

Rather than punishing failures, customers saw better results when they shifted focus toward positive recognition - even symbolic rewards.

From internal security champions to challenge coins and security month shout-outs, Pyry shares how incentivizing engagement built lasting behavioral change.

“Security isn’t about scaring people into compliance. It’s about building a culture that wants to fight back.”

What defenders need to do now

Pyry outlines a new playbook for the age of AI threats:

  • Swap generic templates for evolving, adaptive simulations.
  • Benchmark training against AI-generated attacks, not historical ones.
  • Use behavior, not fear, as the foundation for engagement.
  • Prepare for October and beyond with creative campaigns - not more click-rate charts.

“This is no longer a game of checkboxes. It’s a game of readiness. And AI is raising the bar.”

Final thoughts: Outthink, out-train, out-evolve

The attackers are evolving. Your people can too, but only if the training evolves with them. Static isn’t safe anymore. Personalized, adaptive, behavior-focused training is now the bare minimum.

“AI has changed the threat. Don’t let your training stay the same.”