Reuters recently published a joint experiment with Harvard, where they asked popular AI chatbots like Grok, ChatGPT, DeepSeek, and others to craft the “perfect phishing email.” The generated emails were then sent to 108 volunteers, of whom 11% clicked on the malicious links.
With one simple prompt, the researchers were armed with highly persuasive messages capable of fooling real people. The experiment should serve as a stern reality check. As disruptive as phishing has been over the years, AI is transforming it into a faster, cheaper, and more effective threat.
For 2026, AI phishing detection needs to become a top priority for companies looking to be safer in an increasingly complex threat environment.
The emergence of AI phishing as a major threat
One major driver is the rise of Phishing-as-a-Service (PhaaS). Dark web platforms like Lighthouse and Lucid offer subscription-based kits that allow low-skilled criminals to launch sophisticated campaigns.
Recent reports suggest that these services have generated more than 17,500 phishing domains in 74 countries, targeting hundreds of global brands. In just 30 seconds, criminals can spin up cloned login portals for services like Okta, Google, or Microsoft that are virtually the same as the real thing. With phishing infrastructure now available on demand, the barriers to entry for cybercrime are almost non-existent.
At the same time, generative AI tools allow criminals to craft convincing and personalised phishing emails in seconds. The emails aren’t generic spam. By scraping data from LinkedIn, websites, or past breaches, AI tools create messages that mirror real business context, enticing the most careful employees to click.
The technology is also fuelling a boom in deepfake audio and video phishing. Over the past decade, deepfake-related attacks have increased by 1,000%. Criminals typically impersonate CEOs, family members, and trusted colleagues over communication channels like Zoom, WhatsApp and Teams.
Traditional defences aren’t getting it done
Signature-based detection used by traditional email filters are insufficient against AI-powered phishing. Threat actors can easily rotate their infrastructure, including domains, subject lines, and other unique variations that slip past static security measures.
Once the phish makes it to the inbox, it’s now up to the employee to decide whether to trust it. Unfortunately, given how convincing today’s AI phishing emails are, chances are that even a well-trained employee will eventually make a mistake. Spot-checking for poor grammar is a thing of the past.
Moreover, the sophistication of phishing campaigns may not be the main threat. The sheer scale of the attacks is what is most worrying. Criminals can now launch thousands of new domains and cloned sites in a matter of hours. Even if one wave is taken down, another quickly replaces it, ensuring a constant stream of fresh threats.
It’s a perfect AI storm that requires a more strategic approach to deal with. What worked against yesterday’s crude phishing attempts is no match for the sheer scale and sophistication of modern campaigns.
Key strategies for AI phishing detection
As cybersecurity experts and governing bodies often advise, a multi-layer approach is best for everything cybersecurity, including detecting AI phishing attacks.
The first line of defence is better threat analysis. Rather than static filters that rely on potentially outdated threat intelligence, NLP models trained on legitimate communication patterns can catch subtle deviations in tone, phrasing, or structure that a trained human might miss.
But no amount of automation can replace the value of employee security awareness. It’s very likely that some AI phishing emails will eventually find their way to the inbox, so having a well-trained workforce is necessary for detection.
There are many methods for security awareness training. Simulation-based training is the most effective, because it keeps employees prepared for what AI phishing actually looks like. Modern simulations go beyond simple “spot the typo” training. They mirror real campaigns tied to the user’s role so that employees are prepared for the exact type of attacks they are most likely to face.
The goal isn’t to test employees, but to build muscle memory so reporting suspicious activity comes naturally.
The final layer of defense is UEBA (User and Entity Behaviour Analytics), which ensures that a successful phishing attempt doesn’t result in a full-scale compromise. UEBA systems detect unusual user or system activities to warn defenders about a potential intrusion. Usually, this is in the form of an alert, perhaps about a login from an unexpected location, or unusual mailbox changes that aren’t in line with IT policy.
Conclusion
AI is advancing and scaling phishing to levels that can easily overwhelm or bypass traditional defences. Heading into 2026, organisations must prioritise AI-driven detection, continuous monitoring, and realistic simulation training.
Success will depend on combining advanced technology with human readiness. Those that can strike this balance are well positioned to be more resilient as phishing attacks continue to evolve with AI.
Image source: Unsplash
