TL;DR: According to JumpCloud and the research it cites, AI now generates 40% of phishing emails targeting businesses and can cut spam campaign costs by up to 95%, making attacks more personalised, scalable, and harder to catch. Typo-spotting awareness training is no longer enough; organisations need request validation, layered identity controls, and stronger authentication gates.
NHIMG editorial — based on content published by JumpCloud: AI-generated phishing and the new requirements for cyber defense
By the numbers:
- 40% of all phishing emails targeting businesses are now generated by AI.
- AI saves spammers up to 95% in campaign costs.
Questions worth separating out
Q: How should security teams train users when phishing emails are AI-generated?
A: Train users to validate the request, not the writing style.
Q: Why do AI-generated phishing attacks increase risk even when users are cautious?
A: They exploit trust, timing, and familiarity rather than obvious formatting flaws, so the cues a cautious user was taught to look for are simply absent.
Q: What breaks when phishing training focuses mainly on grammar and bad spelling?
A: The heuristic itself. Once an attacker can produce polished, role-specific messages at scale, grammar and spelling no longer separate malicious mail from legitimate mail.
Practitioner guidance
- Replace typo-based awareness tests: use simulations that mirror real executive, vendor, and payroll requests so staff learn to validate intent, not spelling.
- Mandate alternate-channel verification: require users to confirm sensitive requests through a known, separate channel (a number or chat already on file, never contact details supplied in the message itself) before approving a payment, password reset, or access change.
- Harden post-authentication controls: pair MFA with conditional access, device trust, and session controls so a stolen password does not become durable access.
What's in the full article
JumpCloud's full analysis covers the operational detail this post intentionally leaves for the source:
- The full breakdown of AI-enhanced phishing, vishing, smishing, and deepfake fraud patterns used against employees.
- The four-question AI-readiness assessment logic behind the article's security posture quiz.
- Implementation detail on the recommended defence stack, including MFA, advanced threat protection, SEG tuning, and DNS filtering.
- The article's roadmap for retraining staff around behaviour-based verification rather than typo spotting.
👉 Read JumpCloud's analysis of AI-generated phishing and identity defence →
AI phishing: what it means for IAM teams and human defences
Explore further
AI phishing is a human identity problem that now behaves like a scale problem. The article's core finding is not simply that phishing got better, but that attackers can industrialise personalisation faster than defenders can retrain users. That matters because human judgement was always a probabilistic control, and AI lowers the attacker cost of overwhelming it. The implication is that awareness programmes must be treated as one layer in a wider identity assurance model, not as the primary barrier.
A few things that frame the scale:
- From our research: Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security, according to The 2026 Infrastructure Identity Survey.
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
A question worth separating out:
Q: How can organisations reduce the impact of a successful phishing click?
A: Use layered controls that limit what a stolen credential can do. MFA, conditional access, device trust, DNS filtering, and secure email protection should work together so one click does not become persistent access. The goal is to contain the event at authentication and session level, before it becomes an identity breach.
👉 Read our full editorial: AI-generated phishing is breaking old human training models