AI-Generated Phishing Surges As Attackers Shift Tactics, Hoxhunt Finds

An analysis of 50 million phishing simulations as well as real attacks highlights rising AI use, callback scams, and mobile-targeted social engineering.

Published on Mar 12, 2026

A new study has found a 14-fold increase in AI-generated phishing attacks late in 2025, suggesting a shift in how threat actors scale social engineering campaigns.

The report analyzed more than 50 million phishing attacks (and simulations) from over four million users across 125 countries. The researchers compared simulated training results with real-world phishing detections to identify user-behavior trends and emerging attack patterns.

For most of 2025, AI-generated phishing represented less than 5% of attacks observed by the company. However, that changed quickly in the final months of the year, when the share of AI-assisted phishing emails jumped dramatically, peaking at 56% of reported attacks in December before declining slightly in early 2026.

“Our research shows that AI-generated phishing went from a trickle to a flood almost overnight,” Mika Aalto, Co-Founder and CEO at Hoxhunt, told Expert Insights. “The lesson for security leaders is clear: if attackers can use AI to scale social engineering, defenders must use AI to scale human cyber skills.”

Winter holiday spike in AI-generated phishing. Credit: Hoxhunt.

Despite the surge, the researchers stressed that AI is amplifying existing social-engineering techniques instead of replacing them.

“We’re seeing a widespread update to phishing,” Pyry Åvist, Co-Founder and CTO at Hoxhunt, told Expert Insights. “AI isn’t creating completely new attacks yet. It is making traditional phishing campaigns more convincing, faster to produce and harder to detect.”

Malicious Attachments and Mobile Attacks Rise

Attackers are also trying new delivery methods. Malicious SVG image files and calendar invites (.ics) are increasingly used to circumvent traditional email filters. Meanwhile, PDF files remain the most common malicious attachment, representing roughly a quarter of attachment-based phishing attempts.

Attachment types by popularity in 2024 vs 2025. Credit: Hoxhunt.

The study also found that mobile users are significantly more vulnerable to phishing. Simulation data showed a 19% failure rate on mobile devices, compared with about 6% on desktop systems.

Further, impersonation of major technology platforms remains a common tactic. Domains associated with services from companies such as Microsoft and Google frequently appear in phishing campaigns, often exploiting trusted infrastructure to evade detection.

Overall, the report concludes that human-centric defenses, such as phishing awareness training and rapid incident reporting, remain critical, even as attackers adopt AI tools to scale and automate their operations.

“I think the next wave of risk will stem from the broad adoption of agentic AI, systems that leverage the ‘reasoning’ capabilities of LLMs to drive autonomous workflows,” Diana Kelley, Chief Information Security Officer (CISO) at Noma Security, told Expert Insights.

“To prepare, organizations should implement agentic risk management, starting with established policies and standard operating procedures and supported by technical controls like cryptographic identity attestation and continuous policy enforcement for AI agents. This will allow enterprises to monitor and constrain agent autonomy to gain the benefits of agentic AI without putting the organization at unnecessary risk.”