By NHI Mgmt Group Editorial Team
Published 2025-11-05
Domain: Governance & Risk
Source: 1Password

TL;DR: AI is making phishing more convincing and more common during holiday shopping, while 82% of respondents still report being phished or nearly phished, according to 1Password’s survey of 2,000 U.S. adults. The real gap is not awareness alone but the outdated signals, impulse buying pressure, and password reuse that scammers continue to exploit.


At a glance

What this is: This is 1Password’s holiday phishing survey, showing that AI is making scams harder to spot and that password reuse still magnifies the damage when people click.

Why it matters: It matters because phishing remains a human identity problem that also exposes downstream IAM and credential hygiene weaknesses across consumer and enterprise environments.

By the numbers: 82% of respondents report being phished or nearly phished, according to 1Password's survey of 2,000 U.S. adults.


Context

Phishing is a human identity attack pattern that combines deception, urgency, and credential capture. The governance gap is not just whether people can spot bad grammar, but whether identity and access practices assume users will keep reusing passwords, clicking links under pressure, and authenticating from copycat sites.

Holiday periods increase the attack surface because people are shopping more, tracking deliveries more, and making faster decisions across email, text, phone, and social channels. In that environment, AI-assisted message generation lowers the cost of convincing lures, which means old detection habits are no longer enough on their own.


Key questions

Q: How should security teams reduce phishing risk when AI makes scam messages more convincing?

A: Teams should stop relying on obvious spelling mistakes and train people to verify the sender, destination, and request through a separate channel. The better control is a combination of realistic simulations, password managers, and simple confirmation habits for urgent or payment-related messages. That reduces both click risk and downstream credential theft.

Q: Why do phishing attacks still succeed even when people know the warning signs?

A: Because awareness alone does not overcome urgency, distraction, and channel trust. Attackers use time pressure, delivery anxiety, and bargain hunting to push fast decisions, while AI makes the message itself look legitimate. Knowing the signs helps, but it does not replace verification habits and strong credential hygiene.

Q: What should organisations do when phishing moves beyond email into texts and social media?

A: They should expand detection, training, and reporting to the channels people actually use for shopping and delivery updates. SMS, direct messages, and sponsored social posts need the same scrutiny as email, because users often trust them more than they should. Channel-aware controls are now part of identity defence.

Q: Who is most at risk from holiday phishing scams and why?

A: Anyone who shops quickly, tracks deliveries often, or reuses passwords is exposed, but the survey suggests younger users are not immune and may be more frequently targeted. The practical lesson is that risk follows behaviour and exposure, not confidence. Good defence means reducing impulse, not assuming digital fluency.


Technical breakdown

Why AI-generated phishing is harder to detect

Traditional phishing awareness training leaned heavily on visible mistakes such as poor grammar, awkward phrasing, and suspicious formatting. AI reduces those signals by helping attackers write fluent, context-aware messages that resemble legitimate brand, delivery, or payment communications. That shifts phishing from obvious fraud to believable impersonation. The challenge is not that users are careless, but that attackers now produce higher-quality deception at scale, often tailored to season, platform, and recipient context. Practical implication: security teams need to test user behaviour against realistic lures, not only textbook examples.

Practical implication: Update awareness scenarios to reflect fluent, AI-written lures rather than relying on grammar-based red flags.

Why social media and text scams work so well

Smishing and social media phishing exploit channels where people expect short, actionable, high-velocity interactions. Social feeds also blur the line between marketing, recommendations, and direct buying, which makes fake ads and storefronts feel normal. That is why less traditional phishing channels can be more effective than email in some cases. The technical issue is not just channel choice, but trust transfer: users treat the surrounding platform as an implicit trust signal. Practical implication: organisations should treat social and messaging platforms as credential-risk surfaces, not just consumer convenience channels.

Practical implication: Extend phishing controls and reporting guidance beyond email to social media, SMS, and direct-message channels.

Password reuse turns a single phish into account takeovers

When a user enters credentials into a fake login page, the immediate loss is often not the original account but every other account protected by the same password. Reuse converts one successful phishing event into a multi-account compromise path. That is especially dangerous for shopping, shipping, banking, and rewards accounts because attackers can rapidly validate stolen credentials across services. Password managers reduce this blast radius by creating unique credentials per account and making reuse less likely. Practical implication: credential hygiene remains one of the highest-value controls after a phishing click.

Practical implication: Prioritise unique passwords and password-manager adoption to limit cross-account compromise after a single phishing event.



NHI Mgmt Group analysis

AI-assisted phishing is collapsing the old user-training model. Security programmes that depend on misspellings, clumsy layouts, and obvious spoofing are now built on a fading assumption. When attackers can generate polished messages at scale, the control failure is not user ignorance but a detection model that expects low-quality deception. The implication is that human awareness now has to be paired with stronger identity and verification controls.

Holiday phishing is really a trust-channel problem, not just a messaging problem. Email is only one path. Text messages, direct messages, and social posts all work because they borrow trust from delivery updates, deals, and familiar platforms. That matters because identity programmes often over-index on corporate email protection while leaving consumer-like channels under-governed. Practitioners should treat every high-volume trust channel as part of the identity attack surface.

Password reuse remains the multiplier that turns phishing into programme failure. Even a convincing fake site is limited if credentials are unique and protected by a password manager. But when users recycle passwords across multiple accounts, one successful lure can trigger a cascade of secondary takeovers. This is a classic identity blast radius problem: the initial click is the trigger, reuse is what makes the damage systemic. Teams should measure reuse reduction as a core resilience signal, not a side metric.

Social engineering controls need to reflect how people actually make decisions under pressure. Scammers do not need perfect technical mimicry if they can create urgency, scarcity, and embarrassment fast enough to override caution. That makes “slow down and verify” necessary but insufficient on its own. The stronger programme view is that identity defence has to assume stressed, distracted, and mobile users, then design friction, verification, and recovery paths accordingly.

From our research:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the same research.
  • For teams expanding identity governance beyond humans, see The 52 NHI breaches Report for the recurring failure patterns that turn credential exposure into systemic compromise.

What this signals

Phishing pressure is now an identity resilience issue as much as a user-awareness issue. As AI improves message quality, the gap shifts from spotting bad grammar to proving that a request is legitimate. That means identity teams should treat verification flows, password manager adoption, and recovery paths as part of the control stack, not as user-behaviour footnotes.

Holiday fraud also shows why consumer-style trust channels deserve enterprise-grade governance. The same cognitive tricks that work in shopping scams also shape how users respond to payroll, HR, and vendor messages, which is why identity programmes need to model urgency and channel trust together. If you want a broader map of how identity failure compounds, see 52 NHI Breaches Analysis for recurring compromise patterns across machine credentials and access paths.

A useful concept here is identity blast radius: the distance a single successful phish can travel when credentials are reused or recovery processes are weak. The more accounts that share trust assumptions, the more one click becomes a programme problem. That is why credential uniqueness and recovery discipline matter even in consumer-facing scenarios.
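As an added illustration (not code from 1Password or the NHIMG post), the blast-radius idea from this section and from the password-reuse section above, applied to a constructed account inventory: accounts are linked when they share a password or when one is the recovery mailbox for another, and the function reports every account reachable from a single phished login. The account names, passwords and recovery links are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample inventory (assumption, not survey data): each account
# records the password it uses and which account receives its password resets.
ACCOUNTS = {
    "shop.example":    {"password": "pw-A", "recovery": "mail.example"},
    "ship.example":    {"password": "pw-A", "recovery": "mail.example"},
    "bank.example":    {"password": "pw-B", "recovery": "mail.example"},
    "rewards.example": {"password": "pw-A", "recovery": None},
    "mail.example":    {"password": "pw-C", "recovery": "phone"},
    "social.example":  {"password": "pw-D", "recovery": "mail.example"},
}

def build_edges(accounts):
    """Directed edges src -> dst: holding src lets an attacker take over dst."""
    edges = defaultdict(set)
    by_password = defaultdict(list)
    for name, acct in accounts.items():
        by_password[acct["password"]].append(name)
    # Reuse edge: the phished password is simply replayed on the other account.
    for group in by_password.values():
        for a in group:
            edges[a].update(b for b in group if b != a)
    # Recovery edge: controlling the reset mailbox lets the attacker reset `name`.
    for name, acct in accounts.items():
        if acct["recovery"] in accounts:
            edges[acct["recovery"]].add(name)
    return edges

def blast_radius(accounts, phished):
    """Every account reachable from one phished login, via reuse or recovery."""
    edges = build_edges(accounts)
    seen, queue = {phished}, deque([phished])
    while queue:
        for nxt in edges[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen - {phished})

def with_unique_passwords(accounts):
    """Model password-manager adoption: every account gets its own secret."""
    return {n: {**a, "password": f"unique-{n}"} for n, a in accounts.items()}

if __name__ == "__main__":
    for inv, label in ((ACCOUNTS, "reused"), (with_unique_passwords(ACCOUNTS), "unique")):
        for start in ("shop.example", "mail.example"):
            print(f"{label:6} phish {start}: {blast_radius(inv, start)}")
```

With reused passwords, phishing the shop login exposes two more accounts and phishing the mailbox exposes all five; unique passwords cut the first case to zero, while the recovery-mailbox path remains, which is why the text pairs credential uniqueness with recovery discipline.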


For practitioners

  • Refresh phishing simulations for AI-written lures: Test users against fluent, context-specific messages that mimic delivery notices, shopping offers, and account alerts rather than only grammar-heavy fraud. Measure whether staff verify sender identity, hover links, and use out-of-band confirmation before engaging with a request.
  • Extend controls to SMS and social channels: Treat text messages, DMs, sponsored posts, and fake storefronts as part of the phishing defence surface. Create reporting paths and user guidance for non-email scams so people know how to escalate suspicious links and accounts.
  • Reduce password reuse across consumer accounts: Promote unique passwords for every account and make password managers the default recommendation for staff and customers. Focus on high-value accounts first, including email, banking, shopping, and loyalty programmes, where one reuse event can widen the blast radius quickly.
  • Add a second-opinion step for high-pressure requests: Build a habit of pausing before acting on time-limited deals, shipping notices, or urgent payment requests. Encourage users to confirm through a known website or trusted person when a message creates urgency or embarrassment.

Key takeaways

  • AI-assisted phishing is weakening the old reliance on spelling mistakes and sloppy formatting as warning signs.
  • Password reuse is still the force multiplier that turns a single phishing event into multi-account compromise.
  • Identity programmes need to expand beyond email and into social, SMS, and pressure-based scam channels.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                      Control / Reference   Relevance
NIST CSF 2.0                   PR.AT-1               User awareness and training are directly relevant to phishing defence.
NIST SP 800-63                                       Credential reuse and password hygiene affect digital identity assurance.
NIST Zero Trust (SP 800-207)   PR.AC-1               Phishing exploits weak identity verification across channels and sessions.

Pair awareness training with realistic simulations and verification habits users can apply under pressure.


Key terms

  • Phishing: Phishing is a deception technique that tricks people into revealing credentials, money, or sensitive information. It usually uses a trusted-looking message or website to trigger fast action, and modern campaigns increasingly rely on AI to improve realism and scale.
  • Password reuse: Password reuse is the practice of using the same password across multiple accounts. It turns one successful compromise into a much larger account takeover problem because the attacker can try the stolen credential elsewhere, widening the blast radius beyond the original target.
  • Smishing: Smishing is phishing delivered by text message instead of email. It works because users often treat SMS as immediate and legitimate, especially for shipping alerts, deliveries, and offers, which makes it an effective channel for urgent or click-driven deception.
  • Identity blast radius: Identity blast radius is the amount of damage one compromised credential or trust relationship can cause across connected accounts and systems. The concept helps teams think about how quickly a single phish, reuse event, or weak recovery path can spread.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.

This post draws on content published by 1Password: holiday phishing survey findings on AI-driven scams and password reuse. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-11-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org