Q&A: Phished CTO Arnout van de Meulebroucke on AI-Driven Phishing and Empowering Employees to Combat Cyber Threats

Expert Insights interviews Arnout van de Meulebroucke, CTO of Phished.

“The problem with traditional security awareness training is that it often doesn’t align with employees’ skill levels or contexts, and it fails to reflect the reality of actual cyber threats. AI has become the tool cybercriminals use to bypass security measures, manipulating employees so effectively that they act without thinking and click the wrong link,” says Arnout van de Meulebroucke, CTO of Phished.

Phishing tactics are evolving rapidly, with cybercriminals using AI and social engineering to exploit vulnerabilities in even the most fortified organizations. Phished is a Security Awareness Training provider that leverages AI to provide training tailored to specific skill levels, so employees genuinely change their behavior.

In this Q&A, Arnout shares his insights on the current cybersecurity landscape and his predictions for 2025, and explains how Phished’s training addresses these emerging needs.

Q1: What are the biggest challenges customers face in the phishing space today, and how are threats evolving?

The phishing landscape is constantly evolving, and one of the biggest challenges is the increasing sophistication of attacks. Threat actors are leveraging AI and social engineering techniques to bypass traditional security measures. Additionally, the rise of remote work has expanded the attack surface, making it easier for cybercriminals to exploit vulnerabilities. Human error remains a significant factor, as employees may still click on malicious links or download harmful attachments.

Moreover, with the increasing regulatory landscape, particularly with the implementation of NIS2, organizations are facing stricter compliance requirements. This means that they need to be more vigilant in their cybersecurity practices, including phishing prevention and response.

Q2: How does the Phished platform help address these challenges, and how do you differentiate yourselves from competitors?

Traditional security awareness training is often too infrequent, too generic, and fails to engage employees effectively. Phished takes a holistic approach – combining phishing simulations with training sessions, threat alerts, cyber hygiene videos… – to make employees aware of every risk and threat they might face. These trainings and simulations are conducted regularly and tailored to the employee’s specific context and skill level. This approach helps employees change their behavior and proactively report threats. Only through this behavioral change can cyber incidents caused by human error be prevented.

Additionally, Phished uses a Behavioral Risk Score, a metric that reflects your organization’s cybersecurity status based on the progress of individual employees, departments, and the company as a whole.

The phishing campaigns, training, and customization run on autopilot, meaning there is no additional workload for IT, while employees also gain maximum benefit with minimal time investment.

Q3: What are your top recommendations for CISOs in the process of looking for a phishing solution?

Placing employee education at the forefront is crucial. Regular and effective training goes beyond raising awareness; it fosters meaningful behavioral change. This approach can reduce phishing incidents by as much as 97%. Equally important is ensuring that threats can be easily identified and reported, enabling employees to respond effectively.

When evaluating potential solutions, it is essential to assess the provider’s reputation and reliability. Do they adhere to required standards and regulations? What level of customer support do they offer? A reputable vendor with a demonstrated track record provides not only technical expertise, but also timely support for addressing incidents or inquiries—critical elements for a secure and seamless implementation.

Q4: What trends do you expect to see in the phishing space in 2025?

By 2025, we anticipate an even sharper rise in AI-driven phishing attacks, making them more sophisticated and highly targeted. Mobile devices are likely to become a primary focus for cybercriminals, while Business Email Compromise (BEC) schemes—like those leveraging new 2FA phishing services targeting Microsoft 365 accounts—will remain a serious threat, particularly for larger organizations.

As regulatory pressures grow, we also foresee an increased emphasis on phishing prevention and response, especially in industries directly or indirectly impacted by NIS2.

Q5: In your view, what should organizations’ top phishing planning priorities for 2025 be?

Organizations must continue to invest in frequent training for their employees to stay ahead of evolving threats. A robust solution to protect the business against phishing is crucial, as is staying informed about emerging threats within the relevant industry. Regular security testing can help identify vulnerabilities and improve overall security posture.

In light of NIS2, organizations should also prioritize developing a comprehensive cybersecurity strategy that includes robust phishing prevention and response measures. This may involve conducting regular risk assessments, implementing clear policies, and having a well-defined incident response plan.