Researchers at Hoxhunt have found that AI agents can now outperform humans at creating convincing phishing campaigns.
The researchers state that in 2023, AI-powered phishing was 31% less effective than humans. In November 2024, it was 10% less effective than humans. Then in March 2025, the AI was 24% more effective than humans.
“This public finding could be considered an inflection point for the threat landscape,” the researchers state. “AI’s superiority in social engineering will transform cybersecurity risks, attacks, and defenses. Advances in AI Large Language Models are simultaneously disrupting the social engineering landscape and the cybersecurity training category. The co-evolution of attacks and protections must be considered when evaluating the rising threat of blackhat generative AI applications.”
Currently, these types of sophisticated AI-powered attacks are limited to targeted spear phishing campaigns. However, commodity phishing kits will likely incorporate these features in the near future.
“It is only a matter of time until AI agents disrupt the phishing landscape,” the researchers write. “For now, there are many anecdotal media accounts of highly targeted, sophisticated AI spear phishing attacks that leveraged AI. These are typically bespoke campaigns. Soon, the phishing-as-a-service market will shift to mass adoption of AI Spear Phishing Agents. Once that happens, the baseline quality and effectiveness of mass phishing campaigns will rise to a level we currently equate with targeted spear phishing attacks.”
Organizations should begin preparing now for unskilled cybercriminals to gain access to these sophisticated AI capabilities.
“Disruption happens gradually and then all at once, to paraphrase Clayton Christensen,” the researchers write. “We must be prepared for when the inevitable disruption to the phishing-as-a-service market occurs, as AI-generated phish become more effective, easier to adopt, and ultimately more lucrative for criminals.”
New-school security awareness training can help your employees keep up with evolving social engineering attacks. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Hoxhunt has the story.