AI Has Become the Default Tool for Phishing Campaigns

AI-generated emails are now more convincing, scalable, and effective, forcing organizations to rethink how they detect and defend against modern phishing attacks.

Key Takeaways:

  • AI now powers the majority of phishing attacks, making scams more realistic and harder to detect.
  • Modern phishing emails are far more effective due to better language, personalization, and timing.
  • Organizations must shift to AI-driven security and better employee training to stay protected.

Phishing emails no longer look like scams, and that’s the problem. Security researchers warn that AI-powered attacks have become so convincing that they now form the foundation of modern cybercrime, with even worse tactics expected in 2026.

According to Kaseya’s latest email security research, attackers shifted in 2025 from occasionally using AI to relying on it by default when creating phishing emails. This marked a turning point where AI stopped being an enhancement and became the baseline for phishing operations.

Industry data referenced by Kaseya shows that roughly 83% of phishing emails use AI in some form. Moreover, around 40% of business email compromise (BEC) attacks involve generative AI. This reflects how deeply AI tools are embedded in modern cybercrime workflows.

How AI improves the success rate of phishing campaigns

AI-written phishing emails are far more effective than traditional scams: they achieve click-through rates of about 54%, compared with roughly 12% for older-style malicious emails. The higher success rate is linked to better language quality, stronger personalization, and timely references to real-world events.

Security systems have historically relied on red flags such as poor grammar, suspicious domains, or repeated templates. AI-generated phishing removes many of these clues, which forces defenders to assess context and intent rather than simple technical indicators.

How AI is making phishing more scalable and stealthy

According to the report, AI allows criminals to generate large volumes of unique messages instead of reusing templates, so spam filters and pattern-based detection tools face greater difficulty identifying malicious campaigns. This makes phishing more scalable and stealthy.

Kaseya warns that as generative AI tools continue to improve and become more accessible, phishing attacks will grow even more convincing and harder to defend against. This increases pressure on organizations to modernize their security strategies.

The report notes that security teams are increasingly deploying AI-driven detection tools that analyze behavior, context, and intent, which helps organizations respond faster to sophisticated phishing attempts.

Preparing for the next wave of AI-driven phishing

Organizations are advised to move beyond legacy email security assumptions and adopt defenses that can assess context and intent. Because AI-generated phishing emails are now well-written, personalized, and free of obvious errors, companies should invest in AI-driven detection tools that analyze behavior, message intent, and anomalies across communication patterns rather than relying on static rules or signature-based filters. This change helps security teams identify sophisticated attacks that blend seamlessly into normal business workflows.

At the same time, employee awareness and response readiness remain important in enterprise environments. Organizations should provide regular, realistic phishing training that reflects modern AI-powered tactics, teaching staff to question unexpected requests, payment changes, or urgent messages even when they appear legitimate. It’s also recommended to combine human vigilance with adaptive, AI-assisted security technologies to reduce risk, respond faster to threats, and better prepare for the increasingly convincing phishing campaigns expected to intensify in 2026.