
Why AI-Generated Phishing Emails Are Impossible to Spot in 2026 — And How to Train Your Team

AI can now write a personalised phishing email in under a second — perfect grammar, correct company branding, your CEO's name, your HR system's logo. Your employees have never been less prepared for what's coming at them.

The Old Tells Are Gone

For years, the advice was simple: look for bad grammar, generic greetings, and suspicious sender addresses. "Dear Valued Customer" from a Nigerian prince. A misspelled domain. A logo that looked like it was stretched in MS Paint. These tells worked because most phishing attacks were mass-produced, template-driven, and lazy. Attackers were fishing with a wide net and didn't particularly care that the bait looked cheap.

That era is over.

Modern AI language models write fluent, grammatically correct prose that does not stand out from a colleague's. They can adopt the tone of a specific person, match corporate email style guides, and construct contextually plausible scenarios on demand. Combine that capability with automated scraping of LinkedIn, company websites, social media, and leaked datasets, and the result is categorically different from the phishing of five years ago.

According to threat intelligence researchers, AI-assisted phishing emails achieve click rates 4x higher than traditional template-based attacks — and credential harvest rates up to 6x higher when personalisation is combined with brand impersonation.

How AI Phishing Actually Works

The mechanics are worth understanding because they inform what you need to defend against. A modern AI-assisted phishing campaign typically runs in three phases.

Phase 1 — Reconnaissance at Scale

Automated scrapers pull data from LinkedIn (job titles, reporting lines, recent posts, project announcements), company websites (executive names, office locations, product names), and social media profiles. They cross-reference against breach databases for email formats and existing credential leaks. In minutes, an attacker has a rich dataset on every employee at your company — their role, who they report to, what they're working on, and what tools they use.

Phase 2 — Personalised Email Generation

An LLM (or a fine-tuned model purpose-built for social engineering) takes that data and generates individualised emails for each target. The email references real projects, uses the correct internal terminology, mimics the writing style of a known colleague or executive, and includes context that could only come from someone genuinely familiar with the organisation. The model produces hundreds of these in seconds.

Phase 3 — Automated Delivery and Adaptation

Emails are sent through compromised legitimate accounts or lookalike domains that have been aged and warmed up to avoid spam filters. Some campaigns include adaptive follow-ups — if the target doesn't click, a second email arrives with a different angle. Some systems even engage in limited back-and-forth conversation to build trust before delivering the payload link.

What These Attacks Look Like in Practice

Abstract descriptions don't convey how convincing these emails are. Here are three real-world scenarios that security teams are actively dealing with in 2026.

The CFO Impersonation (Business Email Compromise)

Your finance manager receives an email that appears to come from your CFO — the right name, the right email signature format, even a reference to a real acquisition rumour that was discussed in last week's all-hands. The email asks for an urgent wire transfer to close a deal before end of quarter. The domain is off by one character, but who's checking? The context is too convincing. This type of attack cost businesses $2.9 billion in 2025 alone.

The HR Payroll Scam

An employee gets an email that looks exactly like a notification from your HR platform — correct logo, correct sender name format, correct footer. It says their direct deposit details need to be verified before the next payroll run. The link goes to a pixel-perfect clone of your HR portal login page. The attacker harvests credentials and updates the bank account details before the employee even notices anything was wrong.

The Vendor Impersonation Invoice Fraud

Your accounts payable team receives what looks like a legitimate invoice from a long-standing supplier. The email references the correct contract number (scraped from a public tender notice) and the correct contact name, and carries a note that the supplier has switched banks, with new account details to use going forward. Because everything else checks out, the change is applied. By the time the legitimate vendor follows up about non-payment, the money is gone.
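The sender-domain check that the CFO and HR scenarios above turn on (a domain "off by one character", or one that merely looks right) is mechanical enough to automate. The Python below is an added example written for this article, not PhishSim code or anything the page describes; the protected domains, the executive name and the From: headers it screens are all constructed for illustration. It normalises the sender domain (punycode decoding, a partial Cyrillic confusables map, ASCII homoglyphs such as "rn" for "m"), measures edit distance to the organisation's own and its suppliers' domains, and flags near-misses as well as executive display names arriving from an unrelated domain.

```python
"""Flag lookalike sender domains and executive display names from outside domains.
Added example for this article, not PhishSim code. Protected domains, the
executive list and the sample headers are constructed for illustration."""
from email.utils import parseaddr
import unicodedata

# Constructed: domains the organisation and its suppliers legitimately send from.
# Keep these in canonical ASCII form; only the sender side is normalised below.
PROTECTED_DOMAINS = {"example-corp.com", "acme-supplies.co.uk", "hrcloud-platform.com"}
# Constructed: display names that should only ever arrive from a protected domain.
EXECUTIVES = {"dana whitfield"}

# Cyrillic letters that render identically to Latin ones (partial map, assumption).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0455": "s"}
# ASCII sequences that read as another letter in most fonts.
ASCII_HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Fold a sender domain to the form a human eye would perceive it as."""
    d = domain.strip().lower().rstrip(".")
    try:
        d = d.encode("ascii").decode("idna")   # punycode labels (xn--...) back to Unicode
    except UnicodeError:
        pass                                    # already Unicode, or not valid punycode
    d = unicodedata.normalize("NFKD", d)       # split accents off base letters
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    d = "".join(CONFUSABLES.get(ch, ch) for ch in d)
    for fake, real in ASCII_HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def classify_sender(header: str, max_distance: int = 1) -> dict:
    """Classify a From: header as trusted, lookalike, display-name impersonation
    or unrelated. max_distance=1 catches the off-by-one-character domains the
    article describes; raising it makes short domains collide quickly."""
    name, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower()
    if domain in PROTECTED_DOMAINS:
        return {"address": addr, "domain": domain, "verdict": "trusted",
                "closest": domain, "distance": 0}
    norm = normalise(domain)
    closest, dist = min(((p, levenshtein(norm, p)) for p in PROTECTED_DOMAINS),
                        key=lambda pair: pair[1])
    if dist <= max_distance:
        verdict = "lookalike"               # homoglyph (distance 0) or typosquat
    elif name.strip().lower() in EXECUTIVES:
        verdict = "display-name impersonation"
    else:
        verdict = "unrelated"
    return {"address": addr, "domain": domain, "verdict": verdict,
            "closest": closest, "distance": dist}


SAMPLE_HEADERS = [  # constructed for illustration
    "Dana Whitfield <dana.whitfield@example-corp.com>",
    "Dana Whitfield <dana.whitfield@exarnple-corp.com>",   # rn -> m
    "Dana Whitfield <dana.whitfield@exampl-corp.com>",     # one letter dropped
    "Dana Whitfield <dana.whitfield@gmail.com>",           # right name, wrong domain
    "HR Cloud <notify@hrcloud-platform.co>",               # TLD truncated
    "accounts@\u0430cme-supplies.co.uk",                   # Cyrillic first letter
    "newsletter@totally-different.org",
]


def screen(headers=SAMPLE_HEADERS) -> list:
    return [classify_sender(h) for h in headers]


if __name__ == "__main__":
    for r in screen():
        print(f'{r["verdict"]:28} {r["address"]}  (closest {r["closest"]}, d={r["distance"]})')
```

In a real mail pipeline this runs on the header as received, where an internationalised domain arrives in punycode form; the normaliser decodes it before comparing. Distance alone is not a verdict, only a signal to route the message for a banner or quarantine, and the protected list has to include the suppliers and SaaS platforms the organisation actually deals with, not just its own domain.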

Why Awareness Training Alone Is Not Enough

Most organisations do some form of security awareness training — a 20-minute annual video, a PDF of do's and don'ts, or a slide deck presented at the all-hands. This is not useless, but it is not sufficient. Here's why.

Reading about phishing and experiencing a convincing phishing attempt are completely different cognitive events. Training tells people what to watch for. Simulation teaches them what it feels like to almost be fooled — and that muscle memory is what actually saves them when a real attack arrives.

The first problem with awareness training is that it teaches people to look for the old content tells: bad grammar, generic greetings, clumsy branding. AI-generated emails pass every one of those heuristics. What still gives an attack away are the structural tells that sit outside the prose: a sender domain that is not quite yours, a link whose real destination is not the HR portal, a request that is unusual for that sender, and urgency attached to a change in payment details. Training that never moves past the content tells leaves the employee who completed the annual module feeling confident and, in practice, more exposed, because they believe they already know what a phishing email looks like.

The second problem is recency. Security knowledge decays. An employee who completed training six months ago has a very different vigilance level than one who clicked a simulated phishing link last Tuesday, got caught, and went through a 3-minute micro-lesson explaining exactly what they missed. That recent, visceral experience sticks in a way that a video module does not.

Phishing Simulation: What It Is and Why It Works

A phishing simulation programme sends realistic, harmless phishing emails to your own employees — without their prior knowledge — and measures who clicks, who enters credentials, and who reports the email. Employees who are caught receive immediate, contextual feedback explaining what they missed and why the email was a threat. Those who report correctly get positive reinforcement.
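What "measures who clicks, who enters credentials, and who reports" looks like in practice is a per-recipient tracking link. The Python below is an added example written for this article, not PhishSim's implementation, showing one way to build it: each recipient's link carries a token that is an HMAC over the campaign and their address, the landing page and the report button accept a token only if the MAC verifies, and the events are tallied into click, credential-submission and report rates. The campaign secret, recipients and event stream are constructed. One deliberate design point: the "submit" event records only that something was typed into the form; a simulation landing page must never store the password itself.

```python
"""Per-recipient tracking tokens and outcome tallies for a phishing simulation.
Added example for this article; not PhishSim code. Secret, recipients and
events are constructed for illustration."""
import base64
import hashlib
import hmac

# Assumption: one secret per campaign, generated and held server-side.
CAMPAIGN_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(token: str) -> str:
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode()


def make_token(campaign_id: str, recipient: str) -> str:
    """Unique, unforgeable token embedded in this recipient's link."""
    payload = f"{campaign_id}|{recipient}".encode()
    mac = hmac.new(CAMPAIGN_SECRET, payload, hashlib.sha256).hexdigest()[:32]  # 128-bit tag
    return _b64(payload + b"|" + mac.encode())


def verify_token(token: str):
    """Return (campaign_id, recipient) if the MAC checks out, else None."""
    try:
        raw = _unb64(token)
    except (ValueError, UnicodeDecodeError):
        return None
    payload, sep, mac = raw.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(CAMPAIGN_SECRET, payload.encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(mac, expected):
        return None
    campaign_id, _, recipient = payload.partition("|")
    return campaign_id, recipient


def forge_token(token: str, new_recipient: str) -> str:
    """What someone without the secret can do: swap the recipient, keep the old MAC."""
    campaign_id, _, rest = _unb64(token).partition("|")
    mac = rest.rpartition("|")[2]
    return _b64(f"{campaign_id}|{new_recipient}|{mac}".encode())


def tally(campaign_id: str, recipients: list, events: list) -> dict:
    """events: (token, action) pairs from the landing page ("click", "submit") and
    the mail client's report button ("report"). Tokens that fail verification or
    belong to another campaign are counted and dropped, never attributed."""
    actions = {r: set() for r in recipients}
    rejected = 0
    for token, action in events:
        parsed = verify_token(token)
        if parsed is None or parsed[0] != campaign_id or parsed[1] not in actions:
            rejected += 1
            continue
        actions[parsed[1]].add(action)
    n = len(recipients)
    clicked = sum("click" in a for a in actions.values())
    submitted = sum("submit" in a for a in actions.values())
    reported = sum("report" in a for a in actions.values())
    return {"delivered": n, "clicked": clicked, "submitted": submitted, "reported": reported,
            "click_rate": round(clicked / n, 2), "report_rate": round(reported / n, 2),
            "rejected_events": rejected}


def run_demo() -> dict:
    """Constructed campaign: five recipients, a mix of outcomes, one forged token."""
    campaign = "q1-2026-payroll-verify"
    people = [f"{u}@example-corp.com" for u in ("alice", "bob", "carol", "dave", "erin")]
    tok = {p: make_token(campaign, p) for p in people}
    events = [
        (tok[people[0]], "report"),                               # alice reports, no click
        (tok[people[1]], "click"),                                # bob clicks, enters nothing
        (tok[people[2]], "click"), (tok[people[2]], "submit"),    # carol enters credentials
        (tok[people[3]], "click"), (tok[people[3]], "report"),    # dave clicks, then reports
        (forge_token(tok[people[1]], people[4]), "click"),        # forged token: dropped
    ]
    return tally(campaign, people, events)


if __name__ == "__main__":
    print(run_demo())
```

The forged-token case matters more than it looks: if tokens were plain recipient IDs, anyone who received a simulation could click with a colleague's ID and pollute the metrics, and an attacker who later phishes the same staff could reuse the pattern. The tally also keeps "reported" and "clicked" as independent flags, so an employee who clicks and then reports (dave above) counts in both, which is the behaviour the micro-lesson should reinforce.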

The data from multiple organisations running continuous simulation programmes is consistent: baseline click rates of 25–35% drop to 5% or below within six months of regular simulations. More importantly, reporting rates — employees actively flagging suspicious emails — increase dramatically, turning your workforce into an active detection layer rather than a passive vulnerability.

Organisations running monthly phishing simulations see an average 82% reduction in credential-harvesting success rates within one year, compared to organisations relying on annual awareness training alone.

The key is that simulations need to reflect what attackers are actually doing — not the outdated templates of five years ago. In 2026, this means using AI-grade templates that reference real job titles, use plausible internal context, and impersonate the vendors and platforms your employees actually use. A simulation that uses obviously bad emails doesn't train anyone for the threats they'll actually face.

What a Good Phishing Simulation Programme Looks Like

Phishing Simulation Programme Checklist

The Role of Technology in Your Defence Stack

Phishing simulation addresses the human layer, which is the layer most attacks now target. It works best alongside technical controls. A complete defence includes email authentication (SPF, DKIM, and DMARC at p=reject) so that your own exact domain cannot be spoofed, email filtering that flags lookalike domains and suspicious links (DMARC says nothing about a domain the attacker registered themselves, so lookalikes need their own control), URL and browser protection that blocks known credential-harvesting pages, and phishing-resistant MFA such as FIDO2 security keys so that a harvested password is not enough on its own.
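To make the DMARC point concrete, here is an added example (written for this article, not vendor code) that evaluates what a receiving mail server does with a message under a p=none record versus a p=reject record with strict alignment. The domain names and records are constructed; the organisational-domain helper is a deliberate simplification that takes the last two labels, where real receivers use the Public Suffix List, and the pct and sp tags are ignored. It also shows two caveats a practitioner will hit: DMARC does nothing against a lookalike domain the attacker registered (the receiver consults that domain's record, not yours), and strict alignment rejects your own mail sent from a subdomain unless it is signed with the exact From: domain.

```python
"""Evaluate a DMARC record the way a receiving server would. Added example for
this article, not vendor code; domains and records are constructed."""


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; adkim=s; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain. Simplification: last two labels. Real receivers
    consult the Public Suffix List so that e.g. co.uk is handled correctly."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' strict = exact match, 'r' relaxed = same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record: str, from_domain: str, spf_domain=None, spf_result="fail",
             dkim_domain=None, dkim_result="fail") -> str:
    """Return 'pass' if SPF or DKIM passed *and* aligned with the From: domain;
    otherwise the policy the record requests: 'none', 'quarantine' or 'reject'.
    (pct= and sp= are ignored in this simplification.)"""
    tags = parse_dmarc(record)
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(from_domain, spf_domain, tags.get("aspf", "r")))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


# Constructed records for the organisation's own domain: weak and corrected.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example-corp.com"
STRONG_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example-corp.com"
# Constructed record on a lookalike the attacker registered; they choose its policy.
LOOKALIKE_RECORD = "v=DMARC1; p=none"


def demo() -> dict:
    # 1. Spoof: From: example-corp.com sent through the attacker's own infrastructure,
    #    which authenticates as bulksender.net (SPF and DKIM both pass, neither aligned).
    spoof = dict(spf_domain="bulksender.net", spf_result="pass",
                 dkim_domain="bulksender.net", dkim_result="pass")
    # 2. Legitimate mail DKIM-signed with the exact From: domain.
    exact = dict(dkim_domain="example-corp.com", dkim_result="pass")
    # 3. Legitimate mail signed by a subdomain (common with third-party senders).
    sub = dict(dkim_domain="mail.example-corp.com", dkim_result="pass")
    return {
        "spoof_under_p_none": evaluate(WEAK_RECORD, "example-corp.com", **spoof),
        "spoof_under_p_reject": evaluate(STRONG_RECORD, "example-corp.com", **spoof),
        "legit_exact_p_reject": evaluate(STRONG_RECORD, "example-corp.com", **exact),
        "legit_subdomain_relaxed": evaluate(WEAK_RECORD, "example-corp.com", **sub),
        "legit_subdomain_strict": evaluate(STRONG_RECORD, "example-corp.com", **sub),
        # 4. Lookalike: the receiver looks up _dmarc.exarnple-corp.com, which the
        #    attacker controls, so a message they signed themselves passes.
        "lookalike_signed_by_itself": evaluate(LOOKALIKE_RECORD, "exarnple-corp.com",
                                               dkim_domain="exarnple-corp.com",
                                               dkim_result="pass"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:28} -> {outcome}")
```

Under the weak record the spoof comes back "none", which means delivered as normal with only an aggregate report sent to the rua address; under the corrected record the same message is rejected. The subdomain case is why moving to p=reject is done in stages: inventory every legitimate sender, get each one signing with an aligned domain (relaxed alignment is usually enough), watch the aggregate reports, and only then tighten the policy.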

None of those controls, however, stops an attacker who has compromised a legitimate mailbox. When the message arrives from a real, trusted address, from your actual CFO's account or a real supplier's compromised one, it passes SPF, DKIM and DMARC cleanly, and only anomaly-based filtering on content or sending behaviour has any chance of flagging it. At that point what stands between your organisation and a successful breach is an employee who has been trained to pause, question the request, and verify it through a separate channel. That habit is what simulation builds, and it should be backed by a payment process that requires call-back verification and a second approver before any supplier bank details are changed.


Start Running Phishing Simulations in 60 Seconds

PhishSim by EdgeIQ Labs includes 20+ AI-grade phishing templates covering executive impersonation, vendor fraud, HR scams, and IT alerts. Your instance is provisioned instantly — no setup calls, no long onboarding. Send your first simulation today and see your baseline click rate.
