TL;DR: AI-generated phishing is making deceptive messages cleaner, more contextual, and harder for employees to spot, with 98.4% of security leaders saying attackers are already using AI and BEC losses reaching $2.8 billion last year, according to Abnormal AI. Generic annual awareness training is now outpaced by daily-changing lures and role-specific risk.
NHIMG editorial — based on content published by Abnormal AI: AI Phishing Coach and the human risk of AI-generated deception
By the numbers:
- 98.4% of security leaders report AI is already widely used by attackers against their organizations.
- 40% of organizations had a security incident tied to an avoidable user action in the past year.
Questions worth separating out
Q: How should security teams train employees against AI-generated phishing that looks legitimate?
A: Security teams should move from annual awareness modules to continuous, behaviour-based reinforcement.
Q: Why do generic phishing simulations fail against modern AI deception?
A: Generic simulations fail because they train people to spot old warning signs such as bad grammar or awkward formatting, while AI-generated lures now copy real tone, context, and relationships.
Q: What breaks when employees make rapid decisions on AI-crafted vendor emails?
A: What breaks is the assumption that a suspicious message will look suspicious.
Practitioner guidance
- Replace annual training with continuous reinforcement: use real-time coaching for suspicious email interactions so employees get immediate feedback while the decision is still fresh.
- Segment training by communication risk: differentiate employees who handle vendor requests, payment approvals, executive mail, or external coordination.
- Measure risky actions, not course completion: track avoidable user actions, report rates, and post-interaction escalation patterns to see whether awareness is changing behaviour.
What's in the full article
Abnormal AI's full article covers the operational detail this post intentionally leaves for the source:
- The example workflow for AI Phishing Coach and how it adapts simulations to real inbox behaviour.
- The behavioural signals the platform uses to tailor training to different employee roles.
- The practical difference between generic annual awareness and continuous, real-time reinforcement.
- The product framing for pairing behavioural AI with human coaching in daily mail handling.
Explore further
AI phishing is now a human identity governance problem, not just an awareness problem. The article shows that attackers have moved beyond obvious social engineering and into credible, role-aware deception. That means the control gap is no longer whether people have seen phishing examples before, but whether identity programmes treat human judgement as a governed access decision. Practitioners should stop framing awareness as a side activity and treat it as part of identity assurance.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- 46% confirmed and 26% suspected a breach of non-human identities in the same research, which shows how often identity exposure remains partially unobserved.
A question worth separating out:
Q: How do organisations reduce business email compromise risk without overloading users?
A: Organisations reduce BEC risk by combining targeted controls with just-in-time human reinforcement. That means role-based simulations, clear reporting paths, and immediate coaching when someone opens or acts on a suspicious message. The objective is to make verification a normal part of work, especially in teams that handle payments, approvals, and vendor communications.