TL;DR

  • AI tools now power over 80% of phishing attacks observed globally in 2025 [1]
  • Security filters are catching a phishing email every 19 seconds — double the rate from a year ago [2]
  • 30% of all cyber intrusions use valid credentials stolen via phishing, not technical exploits [1]
  • Phishing emails delivering malware jumped 204% in 2025 compared to 2024 [2]
  • The practical defence for SMBs is a combination of MFA, email filtering, and one specific kind of staff training — not generic "awareness" tick-boxes

The Email Sitting in Someone's Inbox Right Now

A phishing email reaches a business somewhere in the world every 19 seconds [2]. The person who opens it probably won't know it's fake. The email might reference their company by name, address them correctly, mention a project they're working on, and come from what looks like a legitimate domain. It might even adapt based on what device they're using.

This isn't coincidence. It's AI.

Artificial intelligence has fundamentally changed what phishing looks like. The misspelled emails from Nigerian princes are a relic. What's arriving in inboxes in 2026 is polished, personalised, and polymorphic — meaning it changes its appearance with every send to avoid pattern detection [2].

According to Dataminr's 2026 Cyber Threat Landscape Report, AI-supported phishing campaigns represented over 80% of all observed social engineering activity globally in 2025 [1]. According to Cofense's threat intelligence report "The New Era of Phishing: Threats Built in the Age of AI," security filters detected a phishing email every 19 seconds last year — more than double the rate of 2024, when detection triggered once every 42 seconds [2].

This escalation matters for every business, regardless of size.


Why Phishing Is Still the Biggest Threat (Despite Years of "Awareness Training")

Phishing remains the primary attack vector in 60% of all cyber intrusions [1]. Thirty percent of breaches now occur when attackers simply log in using stolen valid credentials — no technical exploit required [1]. They phish for the password, then walk in the front door.

Security teams have been training employees about phishing for over a decade. So why isn't it working?

The honest answer: because the attacks have improved faster than the training. Generic "don't click suspicious links" training was written for the era of obvious, impersonal phishing. Group-IB's 2026 cybercrime report identifies that AI has enabled what the firm calls the "fifth wave" of cybercrime — where malicious capabilities are now packaged as ready-made services, accessible to criminals with minimal technical skill and a $10 monthly subscription [3].

Cofense found that 76% of initial infection URLs in phishing campaigns in 2025 were unique — meaning each link was different, generated specifically for that target [2]. Traditional URL-blacklist defences block known bad addresses. They can't block addresses that didn't exist until the moment the email was sent.

The same report documented a 105% annual increase in detections of remote access tools (RATs) being used in phishing follow-up [2]. Once an employee is tricked into downloading what appears to be a legitimate IT remote support tool, an attacker has persistent access to the entire machine — no further interaction required.


The Scale of What "AI-Powered" Means in Practice

It's worth being concrete about what AI actually does for attackers, because the capabilities have outpaced public understanding.

Personalisation at scale: AI scrapes LinkedIn, company websites, and social media to build profiles of employees. An attacker can generate thousands of highly personalised emails — each referencing the target's actual employer, role, recent company announcements, or industry context — in minutes [2].

Polymorphic campaigns: Logos, signatures, wording, and URLs change dynamically between sends. The same malicious campaign looks different to every recipient and every security scanner [2].

Deepfake-assisted social engineering: Group-IB analysts found "synthetic identity kits" on dark web marketplaces for as little as $5 — complete with AI video actors, cloned voices, and biometric datasets [3]. A convincing deepfake video call from someone who appears to be your CEO is now a realistic attack vector for business wire fraud.

Multi-channel delivery: Phishing has escaped the inbox. Attacks now arrive via SMS (smishing), voice calls (vishing), WhatsApp, LinkedIn messages, and QR codes — all generated and distributed by AI-assisted infrastructure [2].

Conversational phishing: Cofense found that 18% of phishing emails in 2025 contained no malicious links or attachments [2]. They were pure conversation — starting a dialogue to build trust before the actual attack. These bypass every technical filter because there's nothing technically malicious to detect at first.


What Actually Works: A Practical SMB Defence Stack

The good news is that effective phishing defence doesn't require an enterprise security budget. It requires making a few high-leverage decisions and implementing them properly.

1. Multi-Factor Authentication (MFA) — Non-Negotiable

The 30% of breaches that succeed through stolen valid credentials [1] all fail if MFA is properly implemented. Even if a phishing attack successfully steals a password, the attacker still needs the second factor — which they don't have.

Prioritise MFA in this order: email accounts first, then cloud file storage (Google Drive, SharePoint, Dropbox), then financial platforms and payroll systems. Hardware keys (like YubiKey) are the strongest option. Authenticator apps are a solid second. SMS is better than nothing but should be replaced where possible.

2. Email Security Tooling Beyond the Basics

Your default email provider's spam filter is not enough. Modern AI-powered phishing is specifically engineered to bypass commodity spam filters.

Look for email security tools that include:

  • DMARC, DKIM, and SPF configuration on your own domain (prevents spoofing of your email address)
  • Behaviour-based detection (flags anomalous sending patterns, not just known bad senders)
  • Link sandboxing (follows links before delivery to check what they actually do)
  • Anti-impersonation filters (detects emails impersonating your known contacts)

Microsoft 365 Defender and Google Workspace's Advanced Protection both offer significant upgrades over base-level filtering. For SMBs, the incremental cost is modest and the risk reduction is substantial.
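As an added example (not code from the original post), a small Python checker that grades a domain's SPF and DMARC TXT records for the settings that actually stop spoofing of your own address: a permissive `all` qualifier, `p=none`, a partial `pct`, or no reporting address. The record strings and the `example.com` address are constructed for illustration, not fetched from DNS.

```python
"""Grade SPF and DMARC records for anti-spoofing strength.

Constructed example: records are supplied as strings; a real check would
first fetch the TXT records for the domain and for _dmarc.<domain>.
"""
import re

# Constructed sample records: a weak set and a hardened set.
WEAK_RECORDS = {
    "spf": "v=spf1 include:_spf.example-mail.test ?all",
    "dmarc": "v=DMARC1; p=none",
}
STRONG_RECORDS = {
    "spf": "v=spf1 include:_spf.example-mail.test -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
}

# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record):
    """Return a list of findings for an SPF record; an empty list means OK."""
    if not record.lower().startswith("v=spf1"):
        return ["SPF record missing or malformed (no 'v=spf1')"]
    findings = []
    terms = record.split()[1:]
    all_terms = [t for t in terms if t.lower().endswith("all")]
    if not all_terms:
        findings.append("SPF has no 'all' mechanism: unlisted senders are not rejected")
    else:
        # The qualifier is the leading +, -, ~ or ?; a bare 'all' means '+all'.
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF ends in '+all': any host may send as your domain")
        elif qualifier in "~?":
            findings.append(f"SPF ends in '{qualifier}all': spoofed mail is only soft-failed")
    names = [re.split(r"[:/=]", t.lstrip("+-~?").lower(), 1)[0] for t in terms]
    if sum(1 for n in names if n in LOOKUP_MECHS) > 10:
        findings.append("SPF exceeds 10 DNS lookups and evaluates as permerror")
    return findings


def check_dmarc(record):
    """Return a list of findings for a DMARC record; an empty list means OK."""
    if not record.lower().startswith("v=dmarc1"):
        return ["DMARC record missing or malformed (no 'v=DMARC1')"]
    findings = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail goes to spam, not rejected")
    elif policy != "reject":
        findings.append("DMARC has no valid 'p' tag")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"DMARC pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC has no 'rua' address: you receive no aggregate reports")
    return findings


def grade_domain(records):
    """Combine SPF and DMARC findings into a simple verdict for one domain."""
    findings = check_spf(records.get("spf", "")) + check_dmarc(records.get("dmarc", ""))
    return {"spoofing_protected": not findings, "findings": findings}
```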

3. Targeted, Scenario-Based Staff Training

This is where most businesses go wrong. They run annual "phishing awareness" courses that cover obvious scenarios and call it done. That approach was outdated five years ago.

Effective training in 2026 looks like:

  • Simulated phishing campaigns — send realistic fake phishing emails to your own team and measure who clicks. Then train specifically on the patterns that fooled people.
  • Industry-specific scenarios — phishing emails targeting your business type look different from generic examples. Train on realistic scenarios, not textbook ones.
  • The one key question: before clicking any link or downloading any file, ask "did I initiate this?" If the action was not something you started — a login request you didn't trigger, a password reset you didn't request, a file someone "needs you to review urgently" — treat it as suspect.
  • Training for authority pressure — the most effective phishing attacks create urgency. "The CEO needs this invoice paid today." "HR needs your tax details by end of day." Train staff to slow down when pressure increases, not speed up.

4. Out-of-Band Verification for Financial Transactions

Business Email Compromise (BEC) — where attackers impersonate a CEO, supplier, or client to authorise a fraudulent wire transfer — is a direct descendant of AI-powered phishing. It is now one of the highest-cost cybercrime categories globally.

Implement a simple rule: any payment instruction received by email is verified by calling the requester on a known, pre-existing phone number before processing. Not a number in the email. A number you already have. This single control has prevented billions in BEC losses.

5. Incident Response: Know What to Do When It Happens

At the rate of one phishing email every 19 seconds [2], the question is not whether a phishing email will reach your business — it's whether someone will act on it. Have a clear, documented process for what happens next:

  1. Don't panic. Don't click anything else.
  2. Disconnect the affected device from the network immediately.
  3. Alert your IT contact or security provider.
  4. Preserve evidence — screenshots, email headers, everything.
  5. Reset passwords for affected accounts from a clean device.
  6. Check whether any data was accessed or exfiltrated.

The Capability Shift: AI Is Also Your Strongest Defence

It's worth noting that the same AI capabilities that have supercharged phishing attacks are also powering the defensive side. According to the World Economic Forum's Global Cybersecurity Outlook 2026, 94% of respondents anticipate that AI will be the most significant driver of cybersecurity changes in 2026 [4]. FIRST's 2026 Vulnerability Forecast further confirms that rapid exploitation of disclosed vulnerabilities — including those in email infrastructure — is accelerating year over year [7].

Email security tools, threat detection systems, and security analytics platforms increasingly use machine learning to detect anomalous behaviour — things that don't match a user's normal patterns — faster than any human analyst could. For SMBs, this means that buying well-made, modern security tooling gives you access to AI-powered defences that were enterprise-only capabilities a few years ago.

Security is not a static state. Attackers improve, defenders improve. ISACA's 2025 research found that keeping pace with AI-driven change is the top professional concern for cybersecurity practitioners heading into 2026 [8]. The businesses that stay current — keeping software updated, maintaining good vendor relationships, training staff on modern scenarios — maintain a resilient posture even as the threat landscape evolves.


FAQ

According to Dataminr's 2026 Cyber Threat Landscape Report, over 80% of observed social engineering activity globally in 2025 was AI-supported [1]. Cofense's report confirms the volume: a new phishing email was detected every 19 seconds in 2025, double the rate of 2024 [2].

Basic spam filters based on keyword matching and known-bad IP lists are increasingly ineffective against AI-generated phishing, which uses unique URLs (76% of infection URLs were unique in 2025 [2]) and personalised, clean-looking content. Modern email security tools with behaviour-based detection and link sandboxing provide significantly better protection.

Conversational phishing is an attack where the attacker sends an email with no malicious content initially — just a message designed to start a conversation. They build trust over one or more exchanges before introducing the actual attack (a link, a request for payment, a file download). Spotting it: did this person initiate contact with you? Is the request unusual? Does the urgency feel manufactured? When in doubt, verify through a different channel.

The costs vary widely. IBM reports the average global data breach cost exceeds $4.5 million [5]. For SMBs, costs include IT incident response, legal fees, customer notification, regulatory fines (under the Australian Privacy Act, GDPR, etc.), and business interruption. Business Email Compromise fraud — a phishing-enabled crime — resulted in over $2.9 billion in US losses in 2023 alone, according to the FBI [6].

Enable MFA on email accounts. Thirty percent of all cyber intrusions in 2025 used valid credentials stolen through phishing [1]. MFA makes those stolen credentials worthless to attackers. It is the highest-ROI control available to businesses at any size.


References

[1] Dataminr, "2026 Cyber Threat Landscape Report," Dataminr, Feb. 2026. [Online]. Available: https://resources.dataminr.com/dataminr-for-cyber-defense/dataminr-2026-cyber-threat-landscape-report

[2] Cofense, "The New Era of Phishing: Threats Built in the Age of AI," Cofense Threat Intelligence, 2026. Referenced via: "AI Drives Doubling of Phishing Attacks in a Year," Infosecurity Magazine, Feb. 2026. [Online]. Available: https://www.infosecurity-magazine.com/news/ai-double-volume-phishing-attacks

[3] Group-IB, "Hi-Tech Crime Trends 2026," Group-IB, Jan. 20, 2026. Referenced via: "AI Supercharges Attacks in Cybercrime's New 'Fifth Wave'," Infosecurity Magazine, Feb. 2026. [Online]. Available: https://www.infosecurity-magazine.com/news/ai-supercharges-attacks-cybercrime

[4] World Economic Forum, "Global Cybersecurity Outlook 2026," WEF, Jan. 2026. Referenced via: R. Croft, "Study: 94% of Experts Say AI Will Drive Cybersecurity Changes in 2026," Tech.co, Jan. 2026. [Online]. Available: https://www.weforum.org/publications/global-cybersecurity-outlook-2026/digest/

[5] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

[6] FBI, "Internet Crime Report 2023," Federal Bureau of Investigation Internet Crime Complaint Center (IC3), 2024. [Online]. Available: https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf

[7] FIRST, "2026 Vulnerability Forecast," Forum of Incident Response and Security Teams, Feb. 11, 2026. [Online]. Available: https://www.first.org/blog/20260211-vulnerability-forecast-2026

[8] ISACA, "New ISACA Research Identifies What Will Keep Tech Pros Up at Night in 2026," ISACA, Nov. 2025. [Online]. Available: https://www.isaca.org/about-us/newsroom/press-releases/2025/new-isaca-research-identifies--what-will-keep-tech-pros-up-at-night-in-2026


AI-powered phishing is here, and it's improving every month. The businesses that build layered defences now — MFA, smart email security, scenario-based training, and a clear incident process — are the ones that stay resilient. lilMONSTER helps SMBs build exactly that, without the enterprise overhead. Book a security assessment today.

The Short Version

Remember those obvious scam emails full of typos? Those still exist, but they're not the ones your business needs to worry about.

The dangerous emails in 2026 know your name. They mention your company. They might reference a real project your team is working on. And they arrive so regularly that a security tool catches one every 19 seconds [2].

This is what happens when criminals use AI to write their scam emails for them.


What Changed: AI Turned Phishing From Amateur to Professional

Phishing — sending fake emails to trick someone into clicking a bad link or handing over a password — has been around forever. What changed is the quality.

Old-school phishing: "Dear customer, your account need verify. Click here." AI-powered phishing: "Hi Sarah, quick follow-up from the leadership meeting on Tuesday — James in Finance needs you to approve the attached vendor invoice before EOD. Here's the link."

AI can write clean, professional English (or any language). It can scrape LinkedIn to find someone's actual job title, their actual boss's name, and their actual employer. It can generate a unique link for every single email so spam filters don't recognise a pattern.

The result: a new phishing email is caught every 19 seconds globally [2]. The volume has doubled in one year. And that's just what security tools catch — plenty more gets through.


The Sneaky Ones: Emails With Nothing Wrong in Them

Here's the part that surprises most people: nearly 1 in 5 phishing emails in 2025 had no links, no attachments, and no obvious red flags [2].

Just a conversation starter. A simple message. Something that looks like a genuine human reaching out.

Then, once you reply and they've built a little trust — that's when the scam appears. A request for a payment. A "please review this document." A "can you update your login details?"

Because the first email had nothing dangerous in it, no spam filter caught it.


The Most Common Way Businesses Get Breached

Here's a statistic that really matters: 30% of all successful cyberattacks in 2025 didn't involve any hacking at all [1]. The attacker just logged in.

How? They phished someone for their password first. Then they used it.

That's it. No technical wizardry. Just a fake email, a stolen password, and then a normal login.

This is why your staff training matters — but also why training alone isn't enough. Even careful people make mistakes when they're busy and the email looks genuine.


What You Can Do: Three Things That Actually Work

Thing 1: Two-Factor Login (MFA) — Your Most Important Move

If your team uses a password plus a second code (from an app or a text), then even if a phishing attack steals the password — the attacker still can't get in. They don't have the second code.

This one change stops the 30% of breaches that happen through stolen logins [1]. Turn it on for email first. Then your cloud storage (Google Drive, SharePoint, Dropbox). Then your financial tools.

Not sure how to set this up? That's what lilMONSTER is here for — book 30 minutes and we'll walk you through it.

Thing 2: One Question That Catches 90% of Phishing

Before clicking any link or downloading any file, ask: "Did I start this?"

  • Got a login request you didn't ask for? Suspicious.
  • Got a password reset you didn't trigger? Suspicious.
  • Got a "please review urgently" file from someone you don't normally hear from? Suspicious.

Teach your whole team this one question. Urgency and authority are the two biggest tricks phishing uses. "The CEO needs this now." "HR requires this today." When pressure increases — slow down.

Thing 3: Double-Check Any Payment Request by Phone

If your business ever sends money based on an email request, you need this rule: call and confirm using a number you already know — not a number in the email — before any transfer happens.

AI-powered phishing is now being used to impersonate executives, clients, and suppliers in order to redirect payments. This kind of attack (called Business Email Compromise) cost US businesses over $2.9 billion in one year alone [6]. A 30-second phone call stops it.


The Good News: Your Defences Can Use AI Too

The same AI that's making attacks better is also making your defences better. Modern email security tools use machine learning to spot unusual patterns — like an email that looks like your supplier but was actually sent from a different country, or a link that redirects somewhere unexpected.

For SMBs, this means that upgrading your email security (beyond the default settings) gives you access to AI-powered defences that were enterprise-only a few years ago. The cost is much lower than it used to be.


Save Money by Staying Secure

Here's the thing most security companies won't say: getting your basic defences right is not expensive. MFA is often free. One-question staff training is free. A payment verification rule costs nothing.

What is expensive is recovering from a breach — the incident response, the legal fees, the customer notifications, the regulatory fines. A mid-size breach can cost hundreds of thousands of dollars for a business that wasn't prepared.

Investing $0 in smart habits now saves serious money later. And if you want a professional eye on your specific setup, lilMONSTER can assess your email security, staff training, and payment controls in one session — and tell you exactly where your gaps are without the enterprise-size bill.




Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.
