AI-Powered Phishing

Offensive AI

LLM-generated spearphishing, voice cloning in vishing, and scaled social engineering.

Phishing has always worked because human attention is finite and trust is cheap to imitate. Generative AI did not invent the attack, it changed its economics. A skilled attacker who used to spend an hour crafting one believable spearphishing email can now produce hundreds of personalized variants in the same time, each tailored to a specific target's job, employer, recent activity, and writing patterns. The result is a class of phishing that reads like genuine business correspondence, scales like spam, and bypasses the surface-level cues that defenders and email filters have spent two decades learning to detect.

What you'll learn

Key takeaways from this topic.

Explain how generative AI changes the economics and scale of phishing rather than just its surface text quality.
Identify the stages of an AI-assisted phishing campaign, from reconnaissance to credential capture.
Recognize why traditional content-based filters and grammar-based user training have lost most of their detection value.

At a glance

Fast mental model before you dive in.

Core concepts

LLM-generated content
OSINT-driven targeting
Polymorphic variants

Techniques

Spearphishing at scale
Business email compromise
Multi-channel impersonation

Defenses

Email authentication
Out-of-band verification
Behavioral training

Core idea

The defining shift is not that phishing emails sound more fluent. It is that the cost of crafting a high-quality, personalized phishing email collapsed from "an hour of skilled writing" to "a single prompt." When a skill that used to be scarce becomes free, the supply of attacks that depend on that skill explodes. This is what happened to phishing between 2023 and 2025.

The second shift is that AI removed the most reliable signal defenders relied on for years: language quality. Spelling mistakes, awkward grammar, and stilted phrasing once flagged the majority of phishing attempts to a trained reader. A modern LLM produces text that matches the tone, vocabulary, and formality of legitimate business correspondence on the first try. The grammar-checking heuristic that every awareness program built around is no longer a useful filter, because the attackers stopped failing that test.

What remains exploitable is human psychology, urgency, authority, and the impulse to be helpful, not the surface form of the message. The mental model defenders need is that AI did not invent any new social-engineering technique. It just made every existing technique cheaper to execute and harder to spot at the level of "does this email look weird."

How it works

A modern AI-driven phishing campaign typically follows four stages. First, reconnaissance: the attacker scrapes LinkedIn, company websites, conference recordings, podcast appearances, and social media to build a profile of the target. This includes job role, reporting lines, recent projects, writing style from public posts, and ongoing business activity that would make a fraudulent request plausible. LLMs accelerate this step by summarizing large amounts of public data into compact target dossiers.

Second, content generation: the attacker prompts an LLM, either a mainstream model accessed through jailbreaks or a purpose-built underground tool such as WormGPT or FraudGPT, to produce a message that references the target's specific context. The prompt typically specifies the impersonated sender, the desired action, the level of urgency, and the writing style to mimic. Polymorphic generation produces dozens of variants from the same template, each phrased differently enough to slip past content-similarity filters.

Third, delivery: the message is sent through compromised accounts, spoofed domains, or look-alike domains registered specifically for the campaign. Increasingly, attackers chain channels. An initial email establishes context, a follow-up SMS or voice call reinforces urgency, and the final credential capture happens on an AI-generated clone of the legitimate login page. Each channel makes the next one more believable.

Fourth, capture and pivot: when the target clicks a link or makes a transfer, the attacker harvests credentials, session tokens, or funds, and often uses the compromised account to launch the next stage internally. This is when a single successful phish becomes a foothold that the attacker can use to phish other employees from a trusted internal address, which is far more effective than any external campaign.

Real-world impact

The scale numbers are now consistently high across independent sources. Microsoft's Cyber Signals 2025 reported a 46% year-over-year rise in AI-generated phishing content. KnowBe4's analysis of phishing emails between September 2024 and February 2025 found that more than 80% contained some AI-generated component. The FBI's 2025 Internet Crime Report documented that direct phishing and spoofing losses tripled in a single year, from roughly $70 million in 2024 to over $215 million in 2025, the sharpest single-year increase in IC3 history.

The effectiveness numbers are equally consistent. Controlled studies from Harvard, IIT Jammu, and a real-world 9,000-person university deployment converged on the same finding: LLM-generated phishing achieves credential-submission rates of around 10%, statistically indistinguishable from carefully crafted human spear-phishing campaigns, while requiring a fraction of the time and skill from the attacker. In other words, the AI is not better than an expert human, it is as good as one, available to anyone, and able to operate at machine scale.

The threat actor population also changed. Tools like WormGPT and FraudGPT, advertised on dark-web forums since 2023, removed the safety guardrails that mainstream LLMs use to refuse malicious requests. Mandiant has documented purchases of these tools by nation-state actors, including North Korea's APT43, confirming that AI-assisted social engineering is no longer just a low-skill commodity, it is a capability that sophisticated groups have adopted as part of their standard toolkit.

Warning signs

Patterns worth investigating further.

Email content references real internal projects, colleagues, or business activity that should not be known to external senders.
A message uses your organization's tone and vocabulary precisely but arrives from a sender domain that does not match your usual mail authentication chain.
An urgent request from a senior executive arrives outside business hours, mentions confidentiality, and pressures the recipient to act without verifying through another channel.

DEEP DIVE

▾

LLM economics changed the attack model

The single most important shift to understand is economic, not technical. Before generative AI, the bottleneck for high-quality phishing was the attacker's time. Mass campaigns relied on volume and generic templates that converted at low single-digit rates. Targeted spearphishing converted at much higher rates but required hours of research and careful writing per target, which limited how many high-value people any attacker could realistically pursue.

Generative AI removed that bottleneck. The same attacker can now produce hundreds of individually targeted messages per hour at a cost of pennies per message in API fees. Research from late 2024 and 2025 estimates that LLM-assisted campaigns reduce per-message labor cost by around 95% while raising click-through rates from roughly 12% (traditional phishing) to over 50% in controlled tests. This is not a minor efficiency gain. It is a structural change that makes spearphishing economically viable against ordinary employees, not just executives.

The strategic consequence for defenders is that the comfortable assumption "we're too small to be individually targeted" no longer holds. When targeting one person costs about the same as targeting a million, attackers will target everyone. This is why phishing volumes have risen dramatically since 2023 even though the underlying techniques have not fundamentally changed.

OSINT and the personalization pipeline

The most dangerous AI-assisted phishing emails are not the ones that look generic. They are the ones that reference details only an insider should know. LLMs make this kind of personalization easy because they are excellent at synthesizing scattered public information into a coherent narrative the attacker can use.

A modern reconnaissance pipeline scrapes LinkedIn for the target's job title, manager, and direct reports. It pulls press releases and earnings calls for the company's current strategic priorities. It harvests the target's own posts, conference talks, and podcast appearances to learn their writing style and vocabulary. It cross-references this with breach data and credential dumps to identify which colleagues the target has worked with. The output is a structured target profile that an LLM can use to write a message referencing real projects, real colleagues, and plausible business context.

The defensive implication is that public information is not neutral. Every employee social-media post, every executive podcast appearance, and every corporate press release is also raw material for a targeting profile. This does not mean organizations should go dark publicly. It means defenders should assume that whatever is public about an employee will appear in attacks against that employee, and should design verification procedures that do not rely on "an attacker couldn't possibly know this detail."

Polymorphism and the death of pattern-based filters

For two decades, email security gateways relied heavily on pattern matching. Hashes of known-malicious attachments, signatures of phishing kits, fingerprints of recurring message templates. This worked because attackers reused infrastructure and message bodies across thousands of victims, which gave defenders something to fingerprint.

LLM-generated content breaks this model because it is trivial to produce semantically equivalent messages that are textually distinct. The same attacker can ask an LLM to rewrite a single phishing template into a hundred variants, each with different sentence structures, different vocabulary choices, and different formatting. To a hash-based or pattern-based filter, these are a hundred unrelated messages. To a human reader, they are the same scam.

Microsoft and SlashNext have documented that AI-generated phishing has materially increased the rate at which messages bypass traditional content filters. Defenders are moving toward intent-based detection, asking "what is this message trying to make the recipient do?" rather than "does this message match a known-bad pattern?" The same generative capability that powers the attack is now being used on the defender side to interpret message intent, but the asymmetry favors the attacker because they only need one variant to succeed against a given recipient.

Multi-channel attacks and BEC evolution

Business email compromise (BEC) has been a top-loss fraud category for years, with the FBI's IC3 reporting billions in annual losses. AI did not create BEC, but it has made it significantly harder to detect. The traditional BEC pattern, a fraudulent email from a spoofed executive requesting an urgent wire transfer, is increasingly being upgraded with multi-channel reinforcement.

The pattern looks like this: the target receives a written request that appears to come from a senior executive. When the target hesitates or asks to verify, a follow-up arrives on a different channel, a phone call, a Teams message, an SMS, that reinforces the request with the executive's familiar voice or writing style. This second channel makes the first one feel verified, even though both are fraudulent and produced by the same campaign. The voice-cloning component is covered in detail under the Deepfakes & Social Engineering topic, but it is increasingly inseparable from text-based phishing in the wild.

The defensive principle that survives this evolution is out-of-band verification, never confirming a request through the same channel that delivered it. If an executive emails asking for a transfer, verification must happen through a phone number the recipient already has, not a number provided in the message. If a phone call asks for credentials, verification must happen through a written channel the recipient initiates. This breaks the multi-channel attack pattern because the attacker would need to compromise multiple independent channels simultaneously, which is much harder than producing convincing content on each.

The new defensive baseline

Defenses against AI-assisted phishing are layered, and no single control is sufficient. Email authentication, SPF, DKIM, and DMARC properly configured with a reject policy, prevents the most basic spoofing of legitimate domains and remains a high-value control even though it does not stop look-alike domains. Content-based filtering still catches the easy cases but is no longer the primary detection layer. Behavioral and contextual analysis, looking at sender patterns, message timing, link reputation, and recipient interaction history, is becoming the dominant approach.

Training has shifted from "spot the grammar mistake" to "verify the request regardless of how plausible the message looks." The most effective training programs run frequent, short simulations using AI-generated content that resembles what attackers actually send, and measure reporting rates rather than click rates. The goal is not zero clicks, that is impossible against modern phishing. The goal is fast reporting so the security team can contain the campaign before it spreads internally from the first compromised account.

The most important cultural change is to make verification a normal, low-friction part of the workflow rather than something that signals distrust. When asking "can you confirm this on a call?" is routine for any unusual financial or access request, the cost of being phished drops sharply, because the attacker's pressure tactic, urgency without verification, stops working.