CASE FILE // PC-2026-04
Status: Open


Filing: 07.01.00
Field: 27 APR 2026
Classification: Public
Status: Open

AI-generated phishing cost: $4.91M per incident, the 54% click-through reality

Hoxhunt 2026 measured 54% click-through on AI-generated lures versus 12% on human-written. The economics inversion of 2024 has reshaped what defenders need to invest in. Awareness training was the dominant phishing-defence spend for a decade; in the AI era, it is necessary but no longer sufficient.

Exhibit A

The economics inversion of 2024


For two decades, defender economics in phishing rested on an implicit assumption that sophisticated lures were expensive to produce. A credible spear-phishing lure required 30 to 90 minutes of human research and writing time, at attacker labour rates of approximately $50 per hour in mature criminal markets. The unit economics floor was approximately $300 per successful compromise, which capped the attacker's willingness to deploy sophisticated phishing at low-value targets and produced a defender expectation that sophisticated phishing was rare relative to bulk phishing.

The 2024 large language model wave broke that assumption. Hoxhunt 2026 measured AI-generated lures at under one cent of model-inference cost per lure with a 54 percent click-through rate against the 12 percent baseline for human-written lures. The unit economics floor for sophisticated phishing collapsed from approximately $300 per compromise to under one cent. The attacker can now produce sophisticated, personalised lures at bulk-phishing volume and unit cost, which is a five-order-of-magnitude shift in the economic balance between attacker and defender.

The defender implication is structural. The historic mental model of phishing as a category with a bulk-low-value tail and a sophisticated-high-value head has collapsed into a unified high-conversion category where every lure carries the personalisation and grammatical perfection that used to mark spear-phishing. Defenders should now assume that every phishing attempt is sophisticated-grade, that the conversion rate against any given user is approximately the 54 percent figure, and that defences which depended on the historic bulk-versus-spear distinction are no longer effective.[Hoxhunt 2026 State of the Phish + corroborating NCSC UK + CISA assessments 2024-2025]

Exhibit B

Why the click-through rate is so high

DECLASSIFIED

The 54 percent click-through rate on AI-generated lures is materially higher than even sophisticated human-written spear-phishing (which historically achieved 8 to 14 percent click-through). Three structural factors drive the elevated conversion.

First, grammatical perfection. The typical tells of human-written phishing lures (subject-verb agreement errors, awkward phrasing, non-native-speaker word choices, register mismatches) are absent from current-generation LLM output. The grammar-and-style pattern recognition that English-native readers used as a phishing-recognition heuristic does not fire on AI-generated content because there are no anomalies to fire on.

Second, personalisation at scale. The attacker can integrate OSINT-derived context (recent LinkedIn posts, conference appearances, project references from corporate communications, code-commit history from public GitHub) into the lure at near-zero marginal cost. Pre-AI, this level of personalisation required 30 to 90 minutes of human research per target; the attacker reserved it for high-value targets only. Post-AI, the same personalisation is bulk-volume available, which means every recipient gets a lure tuned to their specific work context.

Third, register matching. The LLM can produce text that matches the linguistic register of the impersonated sender, whether that is C-suite formal, peer-casual, vendor-business, or attorney-letterhead. A human attacker operating across many target organisations cannot consistently match register because they lack the per-organisation context. The AI attacker can match register because the LLM has been trained on enough text to produce credible variation across registers on demand. The combined effect of all three factors is that current-generation AI-generated phishing produces lures that are, in measurable terms, indistinguishable from genuine messages in the recipient's everyday inbox.[Hoxhunt 2026 detailed click-rate analysis + ENISA AI Threat Landscape 2024]

Exhibit C

The polyglot grammar advantage for attackers


The grammatical-perfection effect produces a particularly consequential strategic shift in attacker economics: the polyglot grammar advantage. Pre-2024, phishing operators based in non-English-native jurisdictions (a substantial share of the global criminal phishing population) produced English-language lures with subtle grammar tells that English-native recipients could often recognise. Defenders in English-speaking markets had a structural recognition advantage rooted in the language asymmetry.

AI-generation eliminates this asymmetry. A non-English-native operator can produce grammatically perfect English lures at near-zero marginal cost. The same operator can also produce grammatically perfect French, German, Spanish, Japanese, Korean, or Portuguese lures at the same near-zero cost, which expands the attacker's addressable target market dramatically. The defender advantage of native-language recognition has evaporated globally, not just in English markets.

The implication for global defender architecture is that language-of-recipient is no longer a meaningful targeting filter for attackers. Multi-national organisations should expect their non-English operations to face the same intensity of sophisticated phishing as their English operations, where previously the non-English operations enjoyed some natural protection from the language barrier. The implication for awareness-training programs is that grammar-and-style anomaly recognition should be deprecated as a training emphasis because it is no longer a reliable signal.[ENISA AI Threat Landscape 2024 + multi-lingual phishing analysis by Microsoft Threat Intelligence 2024-2025]

Exhibit D

Cost-line build-up against the $4.91M figure


Cost line                                 Share of $4.91M   Dollar figure   Driver
Direct wire / ransomware loss             22%               $1.08M          BEC pivots; see /by-attack/bec
Incident response + forensics             18%               $884K           Higher than baseline due to attribution difficulty
Pivot containment + downstream            16%               $786K           Higher conversion means more pivots to contain
Notification + monitoring                 13%               $638K           Sized to record count
Legal + class-action exposure             12%               $589K           Class-action filing routine
Credential-reset cycle                     9%               $442K           Higher than baseline due to broader pivot scope
Customer churn                             6%               $295K           Comparable to other vectors
Control rebuild + AI-defence investment    4%               $196K           Post-event investment in behavioural-AI tooling

The IR and pivot-containment lines are larger than the cross-vector average because higher click-through means more compromise events per attempted attack, and the forensic attribution for AI-generated lures is more difficult because the typical content-based signature analysis is less informative when every lure is grammatically perfect.[IBM 2025 AI-vector cohort + Hoxhunt 2026 + Mandiant M-Trends 2025]

Exhibit E

The defender response: controls that do not depend on lure recognition


The strategic shift in defender response is the move away from controls that depend on user lure-recognition (awareness training, content-based gateway scanning) and toward controls that work regardless of lure quality. The new control set has three pillars.

Phishing-resistant authentication

FIDO2 / WebAuthn hardware-key MFA across the workforce. The authenticator's signature covers the origin the browser is actually on, and credentials are scoped to the legitimate relying party, so an authentication performed against an attacker-controlled domain cannot be replayed against the legitimate destination. It works regardless of how convincing the lure was, because the user is never asked to recognise anything.
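To show where the origin binding is enforced, here is an added example (not code from the page or from any vendor) of the server-side assertion checks a relying party performs. The relying-party ID, origin, challenge and credential key are constructed values, and HMAC-SHA256 stands in for the authenticator's ECDSA signature so the block runs on the Python standard library alone; the order of checks follows the WebAuthn assertion-verification steps.

```python
import base64
import hashlib
import hmac
import json

# Relying-party configuration (constructed for this example).
RP_ID = "corp.example"                          # scope the credential was registered for
EXPECTED_ORIGIN = "https://login.corp.example"  # the only origin allowed to assert


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def authenticator_data(rp_id: str, counter: int, user_present: bool = True) -> bytes:
    # Layout: rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian).
    flags = 0x01 if user_present else 0x00
    return rp_id_hash(rp_id) + bytes([flags]) + counter.to_bytes(4, "big")


def sign(credential_key: bytes, auth_data: bytes, client_data_json: bytes) -> bytes:
    # A real authenticator signs authData || SHA-256(clientDataJSON) with the
    # credential's private key (e.g. ECDSA P-256). HMAC-SHA256 is an assumed
    # stand-in here; what matters is that the origin field is inside the signed data.
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return hmac.new(credential_key, signed, hashlib.sha256).digest()


def make_assertion(credential_key: bytes, rp_id: str, origin: str,
                   challenge: bytes, counter: int) -> dict:
    # The browser writes clientDataJSON.origin from the page it is really on;
    # page script cannot override it.
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    auth_data = authenticator_data(rp_id, counter)
    return {"clientDataJSON": client_data,
            "authenticatorData": auth_data,
            "signature": sign(credential_key, auth_data, client_data)}


def verify_assertion(assertion: dict, credential_key: bytes,
                     expected_challenge: bytes, last_counter: int):
    """Relying-party checks for one assertion; returns (accepted, reason)."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or stale)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {client_data.get('origin')!r} not allowed"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    counter = int.from_bytes(auth_data[33:37], "big")
    if counter <= last_counter:
        return False, "signature counter did not advance"
    expected = sign(credential_key, auth_data, assertion["clientDataJSON"])
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "signature invalid"
    return True, "ok"


# Constructed values for the demonstration.
CREDENTIAL_KEY = b"constructed-credential-secret-held-by-token"
CHALLENGE = bytes(range(32))  # server-issued nonce for this login attempt


def demo() -> dict:
    # 1. Genuine login from the real origin.
    legit = make_assertion(CREDENTIAL_KEY, RP_ID, EXPECTED_ORIGIN, CHALLENGE, counter=5)
    # 2. The user was fully convinced by the lure and signed in through a proxy on a
    #    look-alike domain. The browser reports that origin, so the server refuses.
    relayed = make_assertion(CREDENTIAL_KEY, "corp-example.test",
                             "https://login.corp-example.test", CHALLENGE, counter=5)
    # 3. An assertion rebuilt to claim the real origin, but without the credential
    #    key that never leaves the hardware token, so the signature fails.
    forged = make_assertion(b"attacker-guess", RP_ID, EXPECTED_ORIGIN, CHALLENGE, counter=5)
    return {name: verify_assertion(a, CREDENTIAL_KEY, CHALLENGE, last_counter=4)
            for name, a in (("legit", legit), ("relayed", relayed), ("forged", forged))}


if __name__ == "__main__":
    for name, (accepted, reason) in demo().items():
        print(f"{name:8s} accepted={accepted} reason={reason}")
```

Running it, the relayed case is refused on the origin field before any signature is examined. In a real browser that case would not even reach the server: a credential registered for corp.example is never offered to a look-alike origin, and because the origin string is part of what the authenticator signs, a proxy cannot rewrite it without invalidating the signature.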

Behavioural-AI email security

These tools model the organisation's normal communication patterns and flag messages that deviate from that baseline. They catch AI-generated lures because the lure's pattern (novel sender, novel topic, novel sender-recipient relationship) is anomalous against the organisational baseline even when the content itself is grammatically perfect. See /email-security/abnormal-security-cost.
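To make the baseline idea concrete, here is an added example (not the page's or any vendor's code) of a toy behavioural baseline in Python. It learns known senders, sender-recipient pairs and each sender's usual vocabulary from a constructed message history, then scores new messages on the three deviations named above. The sample messages, the signal weights and the 0.5 alert threshold are all assumptions for illustration; a production system would learn far richer features, but the scoring logic is the same shape.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    subject: str
    body: str


# Words that carry no topic signal (constructed list for this example).
STOPWORDS = {"the", "a", "an", "by", "is", "for", "re", "please", "look", "fine",
             "thanks", "done", "next", "week", "to", "on", "of", "and", "in"}


def topic_tokens(text: str) -> set:
    """Crude bag-of-words topic fingerprint: lowercase, strip punctuation, drop stopwords."""
    return {w.strip(".,:;!?").lower() for w in text.split()} - STOPWORDS - {""}


class CommunicationBaseline:
    """Learns who talks to whom about what, then scores deviations from that."""

    def __init__(self, history):
        self.senders = set()
        self.pairs = set()
        self.sender_topics = defaultdict(set)
        for m in history:
            self.senders.add(m.sender)
            self.pairs.add((m.sender, m.recipient))
            self.sender_topics[m.sender] |= topic_tokens(m.subject + " " + m.body)

    def score(self, m: Message):
        """Return (anomaly score in [0, 1], list of reasons). Content quality is never consulted."""
        score, reasons = 0.0, []
        if m.sender not in self.senders:
            score += 0.4
            reasons.append("unknown sender")
        if (m.sender, m.recipient) not in self.pairs:
            score += 0.3
            reasons.append("new sender-recipient pair")
        tokens = topic_tokens(m.subject + " " + m.body)
        known = self.sender_topics.get(m.sender, set())
        overlap = len(tokens & known) / len(tokens) if tokens else 1.0
        if overlap < 0.3:
            score += 0.3
            reasons.append(f"topic unlike sender's history (overlap {overlap:.2f})")
        return round(score, 2), reasons


def triage(baseline: CommunicationBaseline, messages, threshold: float = 0.5):
    """Return (message, score, reasons) for every message at or above the alert threshold."""
    flagged = []
    for m in messages:
        s, r = baseline.score(m)
        if s >= threshold:
            flagged.append((m, s, r))
    return flagged


# Constructed 30-day history of internal mail (not real data).
BASELINE = [
    Message("cfo@corp.example", "ap@corp.example", "Q2 close checklist",
            "Please finish the Q2 close checklist by Friday."),
    Message("cfo@corp.example", "ap@corp.example", "Q2 close: vendor accruals",
            "Accruals for the Q2 close look fine, thanks."),
    Message("ap@corp.example", "cfo@corp.example", "Re: Q2 close checklist",
            "Checklist done, accruals posted."),
    Message("it-helpdesk@corp.example", "ap@corp.example", "Password rotation reminder",
            "Quarterly password rotation is due next week."),
]

# Constructed test messages. Note that all three are grammatically flawless;
# only the behavioural context separates them.
LEGIT = Message("cfo@corp.example", "ap@corp.example", "Q2 close: final accruals",
                "Final accruals for the Q2 close attached.")
LURE = Message("cfo@corp-example.co", "ap@corp.example", "Urgent: wire for new vendor",
               "Please process the wire transfer today; details attached.")
COMPROMISED = Message("it-helpdesk@corp.example", "cfo@corp.example", "MFA reset required",
                      "Approve the MFA prompt you will receive in a minute.")


if __name__ == "__main__":
    baseline = CommunicationBaseline(BASELINE)
    for m, s, r in triage(baseline, [LEGIT, LURE, COMPROMISED]):
        print(f"{s:.2f}  {m.sender} -> {m.recipient}  {m.subject!r}  {r}")
```

The look-alike-domain lure scores on all three signals, while the message from an already-compromised internal helpdesk account still scores on the two relationship and topic signals even though the sender is known. That second case is why the relationship and topic baselines matter: after a credential theft, the lure arrives from a genuine address.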

Out-of-band confirmation procedures

Hard organisational rules that high-value actions (wire transfers, banking-detail changes, MFA resets) require confirmation through a channel different from the channel the request arrived on. Works regardless of how convincing the lure was because the verification step bypasses the in-channel content entirely.

The three pillars together produce a defence that is structurally robust against the AI-phishing economics inversion. Awareness training and content-scanning remain useful as supporting layers but are no longer sufficient as primary defences. Organisations whose phishing-defence spending is heavily weighted toward awareness training and gateway-style scanning should rebalance toward the three pillars over a 12-to-24-month investment window.[CISA Phishing-Resistant MFA guidance 2023 + Microsoft Identity Threat Defense 2024]

Exhibit F

Honest constraints: what awareness training still does for AI-grade lures


The argument that awareness training is no longer sufficient as primary defence does not mean it is worthless. Training reduces click rates against AI-grade lures by approximately 15 to 20 percent over 24 months of sustained program use (Hoxhunt 2026 measurement), compared to 30 to 50 percent reduction against human-written lures. The 15 to 20 percent reduction is real and produces measurable ROI against the modelled $4.91M per-incident cost, but it is not the 50 to 70 percent reduction that defenders relied on for a decade.

The pragmatic implication is that awareness training should be repositioned in the phishing-defence portfolio. Where it was previously the primary defence for many organisations (typically the first-budgeted phishing-defence line item), it should now be one of several layered defences, with the three structural pillars (FIDO2, behavioural-AI email security, out-of-band confirmation) carrying more of the load. The total phishing-defence budget may need to grow to fund both the existing training program and the new pillars; in many organisations the budget reallocation requires explicit board-and-executive buy-in because the historic spend pattern is well-established.

The training-program-content emphasis should also shift. Pre-AI training emphasised grammar-and-style anomaly recognition, which is now a deprecated signal. Post-AI training should emphasise behavioural patterns (out-of-pattern requests, urgency-language even when grammatically perfect, context-mismatch with the recipient's actual work) and procedural responses (always verify high-value requests out-of-band, never approve unfamiliar MFA prompts, treat unexpected QR codes as suspicious). The shift in training emphasis is happening across major awareness-training vendors but is not always reflected in legacy training-content libraries.[Hoxhunt 2026 + Cofense 2024 + KnowBe4 industry benchmarks 2024-2025]

Exhibit G

Frequently filed questions

ON RECORD

What is AI-generated phishing?

Phishing using large language model output to compose lures. Produces grammatically perfect, contextually plausible text that defeats language-pattern recognition cues defenders historically relied on.

What does an AI-generated phishing attack cost?

$4.91M average per successful incident. Slightly above cross-vector $4.88M mean because higher conversion rates compound across the larger event population.

What is the 54% click-through data?

Hoxhunt 2026 measured 54% click-through on AI-generated lures vs 12% on human-written. Corroborated by NCSC UK and CISA field assessments. Canonical reference for AI-phishing-economics inversion.

Why does AI-generated phishing convert better?

Grammatical perfection (no language tells), personalisation at scale (OSINT-derived context at near-zero marginal cost), and register matching (LLM matches sender linguistic register more reliably than human attackers).

What is the polyglot grammar advantage?

Pre-2024, non-English-native attackers produced English lures with subtle grammar tells. AI eliminates this asymmetry globally across all major languages. Defender advantage of native-language recognition has evaporated.

What stops AI-generated phishing?

Controls that do not depend on lure recognition: FIDO2 MFA, behavioural-AI email security, out-of-band confirmation procedures. Awareness training is largely ineffective against AI-grade lures because recognition is the failure mode the lure is designed to defeat.

Is awareness training still worth doing?

Yes, as a supporting layer. Reduces click rates against AI-grade lures by 15-20% over 24 months (vs 30-50% against human-written). Real ROI but not sufficient as primary defence.

Updated 2026-04-27