TL;DR: AI-enhanced phishing is now more effective, more frequent, and cheaper to run than traditional campaigns, with the source article citing FBI, Verizon, SlashNext, Hoxhunt, and Harvard Business Review findings that show both the operational scale and the financial impact. The governance gap is no longer user awareness alone; identity and access controls must assume convincing, high-volume deception.
NHIMG editorial — based on content published by Bitwarden: AI-enhanced phishing attacks and how to protect credentials
By the numbers:
- According to the FBI, phishing scams were the top cybercrime in 2024.
- Verizon reports that 60% of cybersecurity breaches are caused by human error.
- SlashNext says phishing attacks have increased by 4151% since ChatGPT was released in 2022.
Questions worth separating out
Q: How should security teams reduce the impact of AI-generated phishing attacks?
A: Start by assuming the lure will look convincing.
Q: Why do AI phishing attacks create more risk than traditional phishing?
A: AI lowers the cost, time, and skill needed to produce personalised lures, so attackers can run more campaigns and iterate faster.
Q: What do organisations get wrong about phishing defence?
A: They often treat phishing as a user-awareness problem instead of an identity protection problem.
Practitioner guidance
- Harden account recovery flows Remove recovery paths that depend only on knowledge factors or easily phished personal data.
- Deploy passkeys and phishing-resistant authentication Prioritise passkeys for high-value accounts and reduce password reuse where possible.
- Limit reusable secrets in user workflows Use trusted autofill, browser launch controls, and credential vaulting so users are less likely to paste secrets into hostile sites.
What's in the full article
Bitwarden's full article covers the practical user-facing guidance this post intentionally leaves for the source:
- Built-in phishing protection features, including passkey storage and trusted website autofill, described in operational terms
- Guidance on recognising AI-enhanced phishing cues such as odd links, unnatural speech, and urgency signals
- Advice on using a separate trusted channel when a message, call, or video cannot be verified
- Examples of where the Bitwarden application helps reduce credential exposure during login and launch
👉 Read Bitwarden's analysis of AI-enhanced phishing attacks and credential risk →
AI phishing attacks are getting harder to spot, what should teams do?
Explore further
AI-enhanced phishing is an identity governance problem before it is a messaging problem. The attacker is not trying to win a debate with the user, but to bypass the point at which identity trust is formed. That shifts the centre of gravity from awareness alone to authentication design, recovery controls, and credential exposure reduction. Practitioners should treat phishing as an identity control failure path, not just a training deficiency.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
A question worth separating out:
Q: Who is accountable when phishing leads to account takeover or fraud?
A: Accountability sits with the identity and security controls that allowed a phished secret to become usable access. That includes authentication design, recovery assurance, privileged access rules, and secrets handling. If those controls are weak, the organisation has built fragility into the path from deception to compromise.
👉 Read our full editorial: AI-enhanced phishing is raising the cost of credential theft