Opinion
The rise of AI-driven phishing attacks: A growing threat and the power of smarter defenses
"AI is rewriting the phishing playbook. Leaving workers unprepared is no longer a gap - it’s a liability," writes Gonen Krak, CTO and Co-Founder of Aironworks.
Imagine this: It’s a typical Tuesday morning, and you’re at your desk when your phone rings. On the other end is your CEO - or at least, it sounds exactly like them. They’re asking you to urgently transfer funds overseas for a confidential deal. The voice is familiar, the request seems legitimate, and there’s a sense of authority that makes you hesitate to question it. But something feels off. You hang up, unsure. Later, you find out it wasn’t your CEO at all - it was a scammer using AI to clone their voice.
This isn’t a scene from a sci-fi movie. In February 2025, scammers targeted Italian security personnel and business leaders with this exact tactic, using AI to mimic the voice of Italy’s Defense Minister. The goal? To trick high-profile figures into transferring funds overseas. And this is just one example of a disturbing trend: AI-driven phishing attacks that exploit human trust rather than technical vulnerabilities.
Attacks have gone personal. CrowdStrike reports nearly 80 percent of detections in 2024 were malware-free, up from 40 percent in 2019. Generative models now spin up deepfake videos, cloned voices, and spear-phishing emails in seconds - often using free, open-source tools. After two decades in cybersecurity (including Israel’s Unit 8200), I’ve watched the pivot: hackers once targeted software; now they target employees—and AI makes this deception effortless and easy to execute.
When scams hit, millions can vanish within minutes, customer confidence crumbles, and incident-response teams are yanked from core work. Employees who clicked “Send” shoulder guilt that erodes morale. Even a single breach can derail M&A talks, shatter brand equity, or trigger fines under regulations like GDPR and PCI-DSS.
So, why is it so tough to prepare employees for these threats? It comes down to a few stubborn roadblocks. First, the tactics keep changing. AI lets attackers tweak their methods on the fly, outpacing static defenses. Second, generic training programs—the kind most companies rely on - just don’t work anymore. They’re too broad, failing to tackle the specific risks that different roles or industries face. And third, building tailored, up-to-date training is a massive undertaking. It takes time, money, and expertise—resources that many organizations can’t spare.
Without the right education, employees remain the weakest link, even though they’re often the first line of defense.
One possible approach to addressing the challenge of human vulnerability in cybersecurity involves automating security-awareness training. For example, a platform could be developed to generate and execute such programs using artificial intelligence. Based on a simple natural language input, the system might create realistic phishing simulations, deepfake voice or video scenarios, and short educational clips. It could also manage the scheduling of training campaigns and monitor key indicators of employee resilience.
An integrated AI assistant might further support employees by helping them investigate suspicious emails in real time, enhancing their ability to respond effectively.
For security teams, this kind of automation could reduce the need for manual content creation, allowing them to allocate more time to broader strategic initiatives and risk management.
AI is rewriting the phishing playbook. Leaving workers unprepared is no longer a gap - it’s a liability. Modern awareness programs must be continuous, personalized, and as dynamic as the attacks they counter. By equipping people with platforms like AironWorks, organizations protect profits, reputation, and, most importantly, the well-being of the teams who keep business running. In today’s cyber battlefield, the strongest shield is a workforce ready for anything.
The writer is the CTO and Co-Founder of Aironworks.
