The rate of phishing attacks is accelerating, with spam filters flagging one email every 19 seconds last year, up from 42 seconds the previous year.
A major driver of this uptick is artificial intelligence, which has rapidly become a core component of fraud operations. In addition to speeding the deployment of phishing campaigns, AI is enabling cybercriminals to create highly adaptive messages to capture users’ attention.
AI can personalize logos, phrasing, signatures, and links for specific victims, and can even compose messages in multiple languages with grammatical accuracy. In a study by Cofense, over three-quarters of malicious URLs found in phishing emails were unique links.
Peppering the Message
Phishing attempts have mimicked major brands and entities since their inception, but the convergence of new technologies has made impersonation scams more effective than ever. Bad actors can now scrape data from the web and use it to pepper messages with personal details.
Much of this data is readily disclosed by consumers on social media. At the same time, social platforms themselves have become alternative channels that criminals can exploit to reach victims. For example, LinkedIn messages have become a common phishing avenue because many professionals access the platform on company devices, while many organizations have yet to implement stringent filtering for LinkedIn communications comparable to email security controls.
The Primary Vector
Although phishing has become the primary attack vector for cybercriminals, these messages are often just the first step. The Cofense report found a 204% year-over-year increase in phishing emails that delivered malware last year.
Malware like infostealers or remote access trojans (RATs) can have significant consequences. RATs allow bad actors to gain control of all or part of a user’s system, while infostealers can collect vast amounts of behavioral data that go well beyond login credentials.
AI can also play a role in malware management and data extraction once systems are compromised. However, current use cases may only be the tip of the iceberg. Credit bureau Experian recently identified AI agents as the top fraud threat this year, warning that agentic AI could soon autonomously handle many aspects of fraud operations.
