It’s all over the news: GenAI will fuel a rise in scams and fraud.
That’s a big claim, so let’s unpack what it means through the lens of one threat vector in particular: phishing.
Shock Phishing News (That’s No Longer Shocking)
Security leaders subscribed to any major cybersecurity publication may have encountered some of these stories. Sadly, these scenarios are so common that they’re unsurprising – and that desensitization is part of the problem.
AI-Powered Spear Phishing Research (November 2024)
- Research by Hoxhunt and others in late 2024 found that AI-powered spear phishing tools can automate the entire attack process: gathering information, profiling targets, and generating messages.
- By November 2024, AI-generated spear phishing attacks performed nearly on par with human experts, and by early 2025, even surpassed them in effectiveness.
FBI Warnings on GenAI and Fraud (December 2024)
In December 2024, the FBI issued a warning about GenAI in fraud. Two key callouts for phishing:
- “Criminals use generative AI tools to assist with language translations to limit grammatical or spelling errors for foreign criminal actors targeting US victims.”
- “Criminals create messages to send to victims faster, allowing them to reach a wider audience with believable content.”
You get the picture, and there’s no end of examples I could reference. Most of this is news to few, but all of it is of acute relevance to anyone whose job it is to keep scammers out of customer accounts.
The bottom line is that AI is industrializing highly personalized, seemingly credible phishing at scale – and the bad actors behind AI-assisted scams are getting younger, with zero technical expertise.
No matter where you’re sitting, if you’re responsible for customer account security, that’s a huge problem – one that won’t solve itself. AI-powered phishing isn’t a trend, it’s a defining feature in the new threat landscape.
Ok, point made. To set up the narrative, let’s go back to basics.
Phishing’s Primary Goal: Credential Theft and Malware Drops
Everyone reading this knows that phishing typically aims to:
- Trick users into entering credentials on a fake website
- Trick users into downloading malicious code
Here we’ll focus on the first, since it’s the main driver behind the monumental surge in account takeover (ATO).
Why Credential Theft Is Still in Fashion
Despite increased digital security spending, most user authentication still hinges on weak factors:
- A password
- A one-time passcode (OTP)
Both can be phished.
Today’s fraudsters don’t just trick users into entering credentials, they follow up with real-time social engineering to intercept OTPs. Some even use OTP phishing kits-as-a-service, making full credential theft scalable and repeatable.
That’s how phishing leads directly to account takeover.
The Modern Attack Chain
Let’s break it down:
Step 1: AI-Powered Reconnaissance
Fraudsters purchase stolen email accounts and use GenAI to research the owner—language, geography, recent purchases, etc.
Step 2: Hyper-Personalized Phishing
GenAI generates tailored phishing emails in the target’s native language and tone.
Step 3: Scalable Distribution
Fraudsters send these emails en masse using infrastructure optimized for deliverability.
Step 4: Phishing + OTP Scam
Users click through to replica sites and enter their credentials. Fraudsters follow up with a spoofed call or text to trick users into sharing the OTP.
Step 5: Account Takeover
Armed with credentials and OTP, the fraudster logs in and takes over the account, whether banking, crypto, or healthcare.
What CISOs Need to Focus On
Phishing isn’t just an email problem anymore. It’s an adaptive, AI-fueled attack vector spanning SMS, social media, and fake websites. As attacks evolve, CISOs must shift from simply detecting threats to disrupting them before customers are exposed.
Here’s what now matters most:
- Preemptive protection – Can you stop phishing before the user clicks?
- Predictive intelligence – Can you tell which users will be targeted next?
- Proactive disruption – Can you prevent or neutralize credential use mid-attack?
Ask Yourself: How Ready Are You?
If you can’t confidently answer yes to these questions, your business is at serious risk from AI-driven phishing.
- How fast can you detect phishing sites?
- How many minutes before you’re alerted that customers entered data?
- Can you warn customers at the moment of interaction?
- Can you detect in real time that your customers have been phished?
- Do you know which customers have been affected?
Addressing these gaps with real-time monitoring, phishing intelligence, and proactive defense strategies can significantly reduce exposure.
Want to Assess How Your Defenses Stack Up?
Download our free Capability Maturity Scorecard to benchmark your readiness across people, process, and technology—and see if your solution truly delivers on the promise of being predictive, preemptive, and proactive.
Final Word: Assess to Adapt
AI-powered phishing isn’t just more dangerous. It’s more evasive, more scalable, and harder to trace than anything security teams have dealt with before.
It’s time to evaluate whether your defenses can stop phishing before it escalates.
Use the scorecard to benchmark your current posture and uncover the gaps AI-powered attackers are already exploiting.