TL;DR: AI is making phishing more convincing and more common during holiday shopping, while 82% of respondents still report being phished or nearly phished, according to 1Password’s survey of 2,000 U.S. adults. The real gap is not awareness alone but the outdated signals, impulse buying pressure, and password reuse that scammers continue to exploit.
NHIMG editorial — based on content published by 1Password: holiday phishing survey findings on AI-driven scams and password reuse
By the numbers:
- 82% of respondents have still been phished, or come dangerously close to it.
- 66% of Americans say they’ve noticed more scammy messages, phone calls, and ads since AI became more prevalent.
- 76% of Americans who've fallen victim to a shopping scam still reuse passwords across multiple accounts.
Questions worth separating out
Q: How should security teams reduce phishing risk when AI makes scam messages more convincing?
A: Teams should stop relying on obvious spelling mistakes and train people to verify the sender, destination, and request through a separate channel.
Q: Why do phishing attacks still succeed even when people know the warning signs?
A: Because awareness alone does not overcome urgency, distraction, and channel trust.
Q: What should organisations do when phishing moves beyond email into texts and social media?
A: They should expand detection, training, and reporting to the channels people actually use for shopping and delivery updates.
Practitioner guidance
- Refresh phishing simulations for AI-written lures: Test users against fluent, context-specific messages that mimic delivery notices, shopping offers, and account alerts rather than only grammar-heavy fraud.
- Extend controls to SMS and social channels: Treat text messages, DMs, sponsored posts, and fake storefronts as part of the phishing defence surface.
- Reduce password reuse across consumer accounts: Promote unique passwords for every account and make password managers the default recommendation for staff and customers.
What's in the full article
1Password's full blog post covers the survey detail this post intentionally leaves for the source:
- The full breakdown of survey methodology, including the 2,000-adult U.S. sample and field dates.
- Channel-by-channel phishing findings across email, SMS, phone calls, and social media.
- Dave Lewis's holiday phishing tips in the source article's full wording and context.
- The complete demographic split showing how susceptibility varied across generations.
AI-driven phishing: are your holiday scam defenses keeping up?
Explore further
AI-assisted phishing is collapsing the old user-training model. Security programmes that depend on misspellings, clumsy layouts, and obvious spoofing are now built on a fading assumption. When attackers can generate polished messages at scale, the control failure is not user ignorance but a detection model that expects low-quality deception. The implication is that human awareness now has to be paired with stronger identity and verification controls.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the same research.
A question worth separating out:
Q: Who is most at risk from holiday phishing scams and why?
A: Anyone who shops quickly, tracks deliveries often, or reuses passwords is exposed, but the survey suggests younger users are not immune and may be more frequently targeted. The practical lesson is that risk follows behaviour and exposure, not confidence. Good defence means reducing impulse, not assuming digital fluency.