AI Phishing Soars 204%: Malicious Emails Every 19 Seconds

Jan de Vries · 2026-02-20

Let's talk about something that's keeping a lot of us up at night. You know that sinking feeling when you see an email that just seems... off? Well, it's about to get a whole lot more common. We're seeing a terrifying surge in AI-powered phishing attacks. I'm talking a 204% jump. That's not a typo. And the worst part? These aren't your grandma's clumsy scam emails anymore. They're adaptive, they're clever, and they're hitting business inboxes every 19 seconds. That's faster than you can check your phone. It feels like we just got a handle on the old threats, and now the game has completely changed. The bad guys have upgraded their toolkit, and they're using artificial intelligence to craft emails that can slip right past our defenses. They're learning, adapting, and targeting us with a precision that's frankly alarming. ### How AI is Changing the Phishing Game So, what makes these new attacks so different? It's all about personalization and evasion. Old-school phishing was a numbers game—blast out a million poorly written emails and hope a few people bite. AI flips that script on its head. Now, the software can scrape data from social media, company websites, and even previous data breaches. It uses that information to write an email that sounds like it came from your boss, your IT department, or a trusted vendor. The grammar is perfect. The tone is spot-on. It might reference a project you're actually working on or a meeting you had last week. - It analyzes your writing style from public posts and mimics it. - It can generate unique email content for each target, making mass filters useless. - It learns which subject lines get opened and which get ignored, constantly optimizing for success. It's like having a malicious copywriter working 24/7 to trick you. And it's working. ### Why Your Current Defenses Might Not Be Enough Here's the hard truth. Many of the email security systems we've relied on for years are built to spot the old patterns. They look for known malicious links, suspicious sender addresses, and keywords like "urgent" or "password reset." But AI-generated phishing doesn't play by those rules. These emails often contain zero malicious links on first contact. They're just cleverly written messages designed to start a conversation. Once they've built trust—maybe over a few back-and-forth replies—that's when they strike with the malicious payload. It's a slow, patient con, and it's devastatingly effective. As one security expert I spoke to recently put it, "We've trained employees to spot spelling mistakes. Now the mistakes are gone, and we're left with pure social engineering." That shift means we have to shift our thinking, too. Technology alone won't save us this time. ### What You Can Do Right Now Okay, enough doom and gloom. Let's talk about what we can actually do. This isn't about finding a magic bullet. It's about building a culture of healthy skepticism and layered defense. First, we need to retrain everyone. And I mean everyone, from the intern to the CEO. The training can't just be a boring slideshow once a year. It needs to be engaging, continuous, and practical. Run simulated phishing campaigns using this new AI-style approach. Show people what a convincing fake looks like. Second, look at your tech stack. Are your filters using behavioral analysis and anomaly detection, or are they just checking blacklists? Consider solutions that use AI *for* defense, analyzing communication patterns to flag conversations that seem out of the ordinary. Finally, and this is the most important part, create simple, clear protocols for verifying unusual requests. If someone emails asking for a money transfer or a password change, make a phone call using a known number—not the one in the email. Create a culture where double-checking is encouraged, not seen as a waste of time. The landscape has changed. AI has given scammers a powerful new weapon. But by combining updated technology with a sharp, educated team, we can build a human firewall that's much harder to breach. It starts with a conversation—just like this one. Let's keep having them.