How AI is Making Phishing Attacks Harder to Spot | Microbyte

Artificial intelligence (AI) is making phishing harder to spot because it removes the old clues staff were taught to look for, then personalises the message at speed. Research by Keepnet Labs and VIPRE Security Group (zensec.co.uk) reveals that 82.6% of phishing emails detected between September 2024 and February 2025 utilised some form of AI generation, representing a 53.5% year-over-year increase.

Microbyte has been operating since 1992, and we’re Cyber Essentials Plus certified. Since 2022, we’ve seen client conversations move from “can staff spot a bad email?” to “can our checks survive a flawless fake?”

This guide explains what changed, what the numbers show, and what to put in place before one click becomes a business problem.

How Phishing Changed From Spray and Pray to Personalised Fraud

Historically, phishing campaigns relied on a “spray and pray” methodology, characterised by mass distribution of generic emails with obvious grammar errors and suspicious domains. Those old signs still exist, but they are no longer enough for a finance manager in Peterborough, a legal partner near London Bridge, or a director travelling between Dubai and the United Kingdom (UK).

Research now suggests that criminals are using sophisticated large language models (LLMs) to automate and refine the reconnaissance, drafting and deployment phases of spear-phishing campaigns. An attacker can input a single prompt, then use a tool to scrape LinkedIn, corporate websites and recent press releases to build personalised vulnerability profiles with up to 88% accuracy.

The evidence points in the same direction: phishing has become cheaper, faster and more convincing.

Criminal Tools Are Cheap and Accessible

FraudGPT and WormGPT reporting (alloy.com) shows how low the barrier has become. WormGPT emerged in 2023 and is built on the 2021 GPT-J open-source model developed by EleutherAI.

FraudGPT is a subscription-based large language model operating without safety guardrails. This gives inexperienced criminals help with Business Email Compromise (BEC), where an attacker impersonates a trusted person to trigger a payment or data release.

The data suggests a clear shift where tooling is no longer a theoretical threat but the primary engine of modern cybercrime. The trend is not just more phishing, but phishing that adapts to people, timing and process.

Why Standard Security Awareness Falls Short

Standard security awareness falls short because staff are being asked to detect messages that no longer look obviously wrong. The wording can be clean, the timing can match a real project, and the request can arrive through email, voice or chat before anyone has time to think.

Microsoft’s 2025 Digital Defence Report (paubox.com) found a 54% click-through rate for AI-generated phishing messages, noting that AI makes phishing attacks up to 50 times more profitable due to higher engagement and greater automation efficiency. The average time for a user to click a malicious link has dropped to merely 21 seconds.

In 2024, 76.4% of phishing attacks possessed polymorphic features, rendering signature-based pattern recognition obsolete. Polymorphic means the message, link or file changes shape from one attempt to the next, so a filter cannot rely on one fixed pattern.

Why The Old Clues Keep Failing

Old training told staff to look for bad spelling, but AI can produce polished, localised writing. Old filters looked for repeated links, but polymorphic attacks can change domains, wording and attachments. Old approval habits trusted sender names, but attackers can mirror executives, suppliers and helpdesk teams.

Three weak points show up again and again:

  • Language checks fail: polished grammar no longer proves a message is real.
  • Pattern checks fail: links, files, and sender details can change from one attempt to the next.
  • Trust shortcuts fail: staff still respond quickly when a request sounds like a director, supplier, or IT team member.

Reporting Speed Matters More Than Suspicion Alone

Old phishing simulations trained suspicion, but modern security awareness must train verification and fast reporting. A delayed report creates a response problem, which is why fast phishing response matters as much as prevention.

A 2025 Abnormal Security figure (stationx.net) claims that over 80% of all social engineering tactics currently employ AI technology. When that gap meets real money and customer data, the risk becomes a board issue.

The Costs Are Climbing in the United Kingdom

The Cyber Security Breaches Survey 2025 (gov.uk) confirmed that 43% of UK businesses and 30% of charities experienced a cyber breach in the past year. Of those, phishing was the predominant attack vector, affecting 85% of businesses and 86% of charities.

Certain sectors demonstrate higher exposure. The survey reports that 69% of Information and Communications businesses reported attacks, which matters because those firms can become stepping stones into wider supply chains.

Only 40% of UK businesses enforce two-factor authentication (2FA), which leaves passwords exposed when a fake login page looks real. Qualitative interviews also revealed a “growing consciousness that increasingly sophisticated methods, such as AI impersonation, were becoming mainstream”.

Where The Exposure Lands First

For directors, the exposure usually lands in three places:

  • Payments: invoice fraud, bank detail changes, and urgent transfer requests.
  • Accounts: stolen Microsoft 365 sessions, mailbox access, and password resets.
  • Operations: downtime, supplier confusion, customer notifications, and recovery work.

One Compromised Mailbox Still Spreads Fast

The World Economic Forum (WEF) Global Cybersecurity Outlook figure (vectra.ai) identified that 73% of organisations were directly affected by cyber-enabled fraud recently. For a 20-person business, one stolen mailbox can mean invoice fraud, data exposure and days of disruption.

Numbers make the risk visible, but real cases show why trust itself is now part of the attack surface.

Deepfakes and Multi-Channel Scams Are the New Proof Problem

A polished email is only one part of the problem. Criminals can now add a cloned voice, a fake video call, a WhatsApp message and a matching invoice, which makes the request feel normal from several directions at once.

The proof problem is no longer limited to inboxes. Microsoft, CrowdStrike, the World Economic Forum and the UK Government Office for Science have all reported cases or patterns where AI-driven impersonation crossed channels, making separate confirmation more important than visual or audio confidence.

What Recent Cases Show

The cases below show how quickly a fake request can become a finance, leadership or helpdesk incident. They also show why controls need to cover email, phone calls, video meetings, websites and internal IT prompts, not just the inbox.

The lesson is uncomfortable but useful. Once trust can be copied across email, voice and video, the answer has to move from spotting clues to verifying actions.

Which Security Controls Should Businesses Prioritise?

The best defence is to assume a convincing fake will eventually reach someone, then make sure one click cannot turn into a breach. That means stronger identity checks, clear payment approval rules, fast reporting and monitoring that continues outside office hours.

In April 2026, the National Cyber Security Centre (NCSC) fundamentally altered its authentication guidance (ncsc.gov.uk), advising a shift away from traditional passwords to passkeys. Passkeys tie access to a trusted device and use cryptographic key pairs, so criminals cannot steal a password from a fake page and reuse it elsewhere.

Move key systems to passkeys where possible, starting with Microsoft 365, finance software and director accounts. Replace text-message codes with phishing-resistant multi-factor authentication (MFA), such as Fast Identity Online 2 (FIDO2) hardware keys or biometric passkeys.
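
The reason a passkey response captured on a fake page is useless at the real site can be shown in code. The sketch below is an added illustration, not code from Microbyte or the NCSC: a simplified WebAuthn-style sign-in in Node.js, using constructed domains (portal.example.com and portal-example.test) and hypothetical function names. It leaves out parts of the real protocol such as credential IDs and CBOR encoding.

```javascript
// Added illustration (not from the article). Domains and function names are constructed.
const crypto = require('crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Registration: the device creates a key pair for this one site.
// The server stores only the public key; the private key never leaves the device.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Browser and authenticator: the browser, not the page, records which origin asked.
// A real authenticator would not even offer this credential on another domain;
// the simulation signs anyway to show that the server-side check still fails.
function signAssertion(pageOrigin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin: pageOrigin }));
  // authenticatorData: SHA-256(rpId) | flags (user present) | 4-byte sign counter
  const rpIdHash = sha256(new URL(pageOrigin).hostname);
  const authData = Buffer.concat([rpIdHash, Buffer.from([0x01]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: crypto.sign('sha256', signed, privateKey) };
}

// Server (relying party): every check must pass before the sign-in is accepted.
function verifyAssertion(a, expected) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'challenge mismatch';
  if (client.origin !== expected.origin) return 'origin mismatch';
  if (!a.authData.subarray(0, 32).equals(sha256(expected.rpId))) return 'rpId mismatch';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, expected.publicKey, a.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const expected = { origin: 'https://portal.example.com', rpId: 'portal.example.com',
    challenge: crypto.randomBytes(32), publicKey };
  const genuine = signAssertion(expected.origin, expected.challenge);
  // Same user, same device, but the page is a lookalike that relays the real challenge.
  const phished = signAssertion('https://portal-example.test', expected.challenge);
  // Rewriting the relayed response to name the real site invalidates the signature.
  const client = { ...JSON.parse(phished.clientDataJSON.toString('utf8')), origin: expected.origin };
  const rewritten = { signature: phished.signature,
    clientDataJSON: Buffer.from(JSON.stringify(client)),
    authData: Buffer.concat([sha256(expected.rpId), phished.authData.subarray(32)]) };
  return [genuine, phished, rewritten].map((a) => verifyAssertion(a, expected));
}

console.log(demo()); // [ 'ok', 'origin mismatch', 'bad signature' ]
```

A text-message code has no equivalent of the origin field: the same six digits are valid wherever they are typed, which is why they can be relayed.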

Process Rules Stop The Fastest Losses

Keep security awareness training, but focus it on behaviour: payment urgency, account changes, unexpected secrecy and pressure. Create verification protocols for changes to bank details, new suppliers, password resets, and executive requests.

The first control set should be simple:

  • Move high-risk accounts to passkeys or phishing-resistant multi-factor authentication (MFA).
  • Require a second approval path for bank changes, supplier updates, and urgent payments.
  • Give staff one clear reporting route for suspicious emails, calls, and IT prompts.

Monitoring and Response: Finish the Job

Monitor sign-ins, devices and mailboxes 24/7, because a stolen password is often used outside normal working hours. Text-message codes are vulnerable to AI-aided man-in-the-middle attacks, where a criminal sits between the user and the real service to steal the session.

That is the practical shape of Stamp Out Support: fewer incidents, faster containment and less dependence on perfect human judgement.

How Microbyte Builds This Into Support Services

Our Stamp Out Support model is based on proactive prevention rather than reactive break-fix. We would rather stop the incident than win praise for cleaning it up later.

As a Microsoft Gold Partner and Direct Cloud Solutions Provider (CSP), we can license, configure and support Microsoft 365 and Azure directly. That matters when identity controls need changing quickly.

Most small firms already have IT blindspots around old accounts, shared passwords and unsupported devices. Those answers set the context for the common questions business owners ask before changing their controls.

FAQ

Use these answers as a plain-English reference for directors, finance teams and anyone who approves payments or account changes. The same logic applies across Peterborough, London, Lincoln, Woking, Dubai and remote teams.

Why Are AI-generated Phishing Emails Difficult to Detect?

AI-generated phishing emails are difficult to detect because they remove the obvious clues: poor grammar, generic greetings, odd sender names and clumsy wording. The message can mirror your supplier, your finance process and your usual tone, so staff need verification steps rather than another lesson in spotting spelling mistakes.

How Does AI Affect Phishing Attacks?

AI reduces the time, cost and skill needed to create believable messages. It can research staff, draft messages, translate cleanly and adjust wording for each target, which means smaller criminal groups can run targeted campaigns that once needed more people and better language skills.

Why is the Phishing Attack Hard to Detect?

A phishing attack is hard to detect because it often uses trusted context rather than obvious malware. A message may refer to a real project, a known supplier or a senior person, and a familiar-looking login page can hide the theft until access has already been taken.

What is the 30% Rule for AI?

There is no formal cybersecurity standard called the 30% rule for AI. As a practical business rule, treat AI output as untrusted until it is checked through a known process, especially when a request affects money, access or data.

Should My Business Move to Passkeys Now?

Yes, start with your highest-risk accounts. Director mailboxes, finance systems, Microsoft 365 administration and remote access should come first because passkeys reduce the value of stolen passwords.

What to Do Now

A sensible first step is a short review of how a fake request would move through your business today. Follow the money, the passwords and the people with authority.

Check who can approve payments and supplier bank changes. Check which accounts still rely on passwords and text-message codes. Check how quickly staff can report a suspicious message to a real person.

A Sensible First Pass

Start with this order:

  • Audit high-risk accounts, mailboxes, finance tools, and approval routes.
  • Tighten identity controls around Microsoft 365 and any remote access system.
  • Document the response path so staff know exactly who to call and what to do.

Talk to Microbyte in Peterborough about a phishing readiness review. We’ll tell you what’s working, what isn’t, and what it would cost to fix the gaps before attackers test them for you.
