AI is now better at phishing emails than humans

Everything is about to change

As usual with AI, things happen slowly and then very quickly. It has been obvious for a while that AI would one day be used in phishing emails. But it was always just over the horizon - it’s coming next year, the experts would always say.

Well people: that year has finally come. And I’m not sure we’re ready for it.

Cybersecurity people are worried because we’re still absolutely useless at dealing with old fashioned, poorly written, impersonal phishing messages. (About a third of all hacks actually start that way). With AI-generated phishing emails, I worry we’ll have no chance.

Why? There are two types of phishing email. Generic phishing is spray and pray: criminals automatically send out millions of identical emails to millions of users. Jamie, congratulations you have won a prize. Click here to claim it. This is a numbers game – only a handful need to click for it to make economic sense. Spear-phishing is where a specific individual is profiled and targeted with personalised and tailored messages. Jamie, it’s Polly here. I’m not in the office today - but hoping for a quick favour x

AI can merge the two. Spray and pray – except each one is highly tailored and personalised to your unique personality, network, interests. And written by an AI, capable of drafting the most persuasive emails ever produced.

Just in the past few months alone, a series of alarming studies suggest that machine-generated phishing is no longer theoretical. It’s here, it’s effective, and it’s spreading.