How effective is AI-generated phishing compared to human-written?

AI-generated spear phishing achieves a 54% click rate compared to 12% for human-written campaigns, according to Hoxhunt's 2026 research. This 4.5x improvement is due to AI eliminating grammatical errors, generating contextually appropriate content, and automating personalisation at scale. 82.6% of all detected phishing emails now use AI.

How much have deepfake phishing attacks increased?

Deepfake vishing (voice phishing) surged 1,633% in Q1 2025 according to Keepnet's 2026 trend report. Overall vishing attacks increased 442% (Hoxhunt). Deepfake fraud caused over $200 million in losses in Q1 2025 alone, and losses are projected to reach $40 billion annually by 2027.

Can AI clone someone's voice for phishing?

Yes. Modern AI voice cloning requires as little as 60 seconds of audio to create a convincing voice replica. Attackers source audio from earnings calls, conference presentations, social media videos, and public appearances. The technology can generate real-time speech, enabling live phone conversations that impersonate specific individuals.

How do you defend against AI-powered phishing?

Key defences include: phishing-resistant MFA (FIDO2/passkeys) that renders stolen credentials useless, AI-powered email security gateways that detect AI-generated content, out-of-band verification protocols for all financial requests, updated security awareness training covering AI-generated content, and strict multi-person approval workflows for transactions above defined thresholds.

Deepfake vishing surged 1,633% in Q1 2025

AI-Powered Phishing in 2026: How AI Is Making Attacks Cheaper and More Effective

82.6% of phishing emails now use AI. AI spear phishing achieves 54% click rates vs 12% for human-written. Voice cloning from 60 seconds of audio. This is the biggest shift in phishing economics since email.

Updated 15 April 2026

82.6%

Phishing emails using AI

Hoxhunt 2026

+1,633%

Deepfake vishing surge (Q1 2025)

Keepnet 2026

54%

AI spear phishing click rate

Hoxhunt 2026

$200M+

Deepfake fraud losses (Q1 2025)

Deepstrike 2025

$40B

Projected deepfake losses by 2027

Keepnet 2026

60 sec

Audio needed to clone a voice

Multiple sources

+53.5%

YoY increase in AI phishing

Hoxhunt 2026

12%

Human-written spear phishing click rate

Hoxhunt 2026

The AI Phishing Landscape in 2026

Artificial intelligence has fundamentally changed the economics of phishing. The cost to produce a sophisticated, personalised phishing campaign has dropped from thousands of dollars to near zero. What previously required skilled social engineers spending hours on reconnaissance and message crafting can now be automated in seconds.

The result is a dramatic increase in both the quality and quantity of attacks. 82.6% of detected phishing emails now use AI, representing a 53.5% year-over-year increase (Hoxhunt 2026). AI-generated spear phishing achieves a 54% click rate versus just 12% for human-written campaigns. The traditional indicators of phishing, such as spelling errors, awkward grammar, and generic greetings, have been eliminated.

The voice channel has been transformed even more dramatically. AI voice cloning from just 60 seconds of publicly available audio enables near-perfect impersonation of executives and trusted contacts. Deepfake vishing surged 1,633% in Q1 2025. Deepfake-as-a-service platforms are now widely accessible, lowering the barrier for attackers who previously lacked the technical skills to execute voice-based social engineering.

Most concerning is the emergence of multi-channel AI attacks combining email, voice, and SMS in coordinated campaigns. Each channel reinforces the others, creating attack sequences that are extremely difficult to detect even for well-trained employees.

Cost Impact of AI Phishing

$200M+

Deepfake fraud losses in Q1 2025 alone. This figure represents only reported cases; actual losses are estimated to be significantly higher.

Source: Deepstrike 2025

$40B

Projected annual losses from deepfake-enabled scams by 2027. The exponential growth trajectory is driven by improving technology and decreasing costs.

Source: Keepnet 2026

$14M

Average annual loss from vishing attacks per organisation. AI voice cloning has made vishing the fastest-growing and most cost-effective attack for criminals.

Source: CrowdStrike 2025

AI Attack Types: Threats and Defences

AI-Generated Email Phishing

Critical Threat

Large language models eliminate spelling errors, generate contextually appropriate lures, and create personalised messages at scale. 82.6% of detected phishing emails now use AI, a 53.5% year-over-year increase. AI-generated phishing emails are virtually indistinguishable from legitimate business communications, defeating traditional indicators like grammatical errors and awkward phrasing.

Cost Impact

AI has increased the average success rate of email phishing campaigns from 3.4% to an estimated 8-12% for AI-enhanced campaigns. At scale (3.4B phishing emails daily), even small increases in success rate translate to billions in additional losses.

Recommended Defences

▸AI-powered email security gateways that detect AI-generated content
▸Behavioural analysis (sender patterns, timing anomalies)
▸DMARC/DKIM/SPF email authentication
▸Zero-trust approach to all email requests

Deepfake Voice Cloning (Vishing)

Critical Threat

AI voice cloning from just 60 seconds of audio enables near-perfect impersonation of executives, colleagues, or trusted contacts. Deepfake vishing surged 1,633% in Q1 2025. Attackers use publicly available audio (earnings calls, conference talks, social media) to clone voices and make real-time phone calls requesting wire transfers or credential resets.

Cost Impact

$200M+ in deepfake fraud losses in Q1 2025 alone. $40B projected losses from deepfake-enabled scams by 2027 (Keepnet). Average annual loss from vishing attacks: $14M per organisation (CrowdStrike). Engineering firm Arup lost $25M to a deepfake video conference call in 2024.

Recommended Defences

▸Out-of-band verification for all financial requests (call back on known number)
▸Verbal code words for executive-level authorisation
▸AI-powered voice authentication that detects synthetic speech
▸Multi-person approval for transactions above threshold

AI-Powered Spear Phishing

High Threat

AI automates the entire spear phishing workflow: OSINT reconnaissance (scraping LinkedIn, social media, corporate sites), target profiling, and message crafting. What previously took hours of manual research now takes seconds. AI spear phishing achieves a 54% click rate versus 12% for human-written campaigns, a 4.5x improvement.

Cost Impact

The cost to produce a sophisticated spear phishing campaign has dropped from thousands of dollars (manual OSINT + crafting) to near zero. This democratises advanced attacks that were previously limited to nation-state actors and well-funded criminal groups. IBM reports spear phishing-initiated breaches average $4.88M.

Recommended Defences

▸Advanced security awareness training specifically covering AI-generated content
▸Phishing-resistant MFA (FIDO2/passkeys) renders stolen credentials useless
▸Email gateway rules flagging first-time senders with executive names
▸Limit publicly available employee data on LinkedIn/social media

Multi-Channel AI Attacks

High Threat

Coordinated attacks combining AI-generated email, deepfake voice calls, and SMS in a single campaign. An attacker sends a spear phishing email, follows up with a deepfake voice call 'confirming' the request, and sends a fake 2FA code via SMS. Each channel reinforces the others, making the attack extremely convincing and difficult to detect.

Cost Impact

Multi-channel attacks have the highest success rates (estimated 60-70% against untrained targets) and typically target high-value transactions. The MGM Resorts attack ($100M+) demonstrated how a single well-executed vishing call can cascade into massive damage.

Recommended Defences

▸Verification protocols that require out-of-band confirmation on a different channel
▸Training that covers coordinated multi-channel attack scenarios
▸Strict transaction approval workflows with multiple approvers
▸Real-time threat intelligence sharing across security tools

Deepfake Video Conferencing

Emerging Threat

Real-time deepfake technology enables attackers to impersonate multiple people simultaneously in video calls. In 2024, Arup lost $25M when a finance employee joined a video call where every other participant was an AI-generated deepfake, including the company's CFO. This attack vector is in its early stages but advancing rapidly.

Cost Impact

The Arup case ($25M) is the most prominent example, but security researchers have demonstrated that current deepfake technology can sustain real-time video impersonation for meetings lasting 30+ minutes. As the technology improves and costs decrease, this vector will become more common for high-value corporate fraud.

Recommended Defences

▸Require in-person or verified video verification for transactions above threshold
▸Use of authenticated video conferencing with participant verification
▸Post-meeting confirmation workflows for any financial decisions
▸Employee training on deepfake indicators (lighting anomalies, lip sync)

Calculate Your Risk

Factor AI threats into your cost model

Traditional vs AI Attacks

Compare all attack type costs

AI-Specific Defences

Prevention ROI calculator