TL;DR: Generative AI is making phishing emails more personalized and grammatically convincing, which weakens traditional red-flag detection and raises the bar for employee awareness training, according to Abnormal AI. Security programmes now need year-round, measurable engagement rather than once-a-year messaging, because human behaviour remains part of the attack surface.
NHIMG editorial — based on content published by Abnormal AI: Generative AI, personal cybercrime, and security awareness training ideas for Cybersecurity Awareness Month
By the numbers:
- The report the article draws on is based on insights from more than 300 security and IT professionals and shows how organizations are shaping their security awareness training (SAT) strategies today.
Questions worth separating out
Q: How should organisations adapt security awareness training for generative AI phishing?
A: Security teams should move from static annual training to continuous, behaviour-focused reinforcement.
Q: Why does generative AI make employee phishing training less effective?
A: Generative AI makes phishing training less effective when programmes rely on employees spotting obvious visual mistakes.
Q: How do you know if security awareness training is actually working?
A: Look at operational behaviour, not course attendance.
Practitioner guidance
- Replace annual awareness bursts with continuous reinforcement: Build a year-long calendar that mixes short exercises, peer reminders, guest speakers, and phishing quizzes so the behaviour change survives beyond October.
- Measure reporting behaviour, not just completion rates: Track how quickly employees report suspicious messages, how often they escalate through approved channels, and which teams need repeated coaching.
- Teach verification through a second channel: Make out-of-band confirmation the default response for sensitive requests, especially where payment, credential reset, or data access is involved.
What's in the full article
Abnormal AI's full article covers the operational detail this post intentionally leaves for the source:
- Specific examples of awareness activities, including BINGO, scavenger hunts, and Kahoot, that you can adapt for your own programme.
- Examples of internal and external speakers, including FBI participation and vendor-led Lunch and Learns, that help sustain engagement.
- Details on Abnormal's AI Phishing Coach and how real-time inbox guidance is positioned for ongoing training use.
- The 2025 State of Security Awareness Training report and the underlying survey base that supports the article's recommendations.
Generative AI phishing and awareness training: what should change now?
Explore further
Personal cybercrime is now an identity-security problem, not just a wellbeing issue. When employees are victims of identity theft or extortion, they bring distraction, urgency, and sometimes compromised credentials into the workplace. That creates a spillover effect from personal accounts to corporate access, especially where password reuse or MFA fatigue still exists. The implication is that human identity programmes need to treat personal risk education as part of enterprise resilience, not a separate benefit initiative.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated non-human identity (NHI) security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
A question worth separating out:
Q: Should organisations include personal cyber safety in security awareness programmes?
A: Yes, because personal compromise often spills into work through reused passwords, distracted employees, and social engineering that crosses from home into corporate life. Personal safety guidance improves engagement and reduces the chance that a private incident becomes a workplace access problem.