AI vs. Humans: The Next Battle in Phishing Defence
- AUGUST 7TH, 2025
Introduction
The Verizon 2025 Data Breach Investigations Report finds that a majority of breaches still involve the human element, most often through phishing and other social engineering. What makes this more concerning is how phishing itself has evolved: in recent trials, AI-generated phishing messages outperformed those written by expert red teams, tricking users at a 23% higher rate.
These numbers highlight a growing challenge. Attackers now have tools that can outpace and outsmart many of the safeguards organisations rely on. Messages are more convincing, attacks are more frequent, and the burden of defence often falls on employees making quick decisions.
Understanding the Landscape
AI has given phishing a new edge. It is now used to produce messages that are polished, context-aware, and tailored to the recipient. Attackers can generate endless variations in minutes, making it harder for traditional filters to keep pace and even harder for busy employees to tell real from fake.
The shift is not only in the quality of these attacks but also in their reach. Email remains the main channel, but phishing has expanded to text messages, collaboration tools, QR codes, and even voice calls powered by deepfake audio. Each of these channels bypasses some of the protections organisations put in place, bringing the threat directly to the individual.
What this means is that the front line of defence is no longer just technology. It is the employee who has to decide whether to click, respond, or report. And while AI makes attackers sharper, the real test is how prepared people are when these messages arrive.
CIL Perspective
One pattern we continue to see is that organisations underestimate how creative attackers have become. AI has changed phishing from a blunt tool into something targeted and adaptive, yet many businesses still believe that a simple awareness session once a year is enough. This creates a dangerous gap: attackers are evolving daily, while defences remain static.
We also notice that employees are often blamed as the “weakest link,” when in reality they are placed in situations where they have little practice and high stakes. Expecting staff to succeed without preparation is unrealistic. Instead of being viewed as the problem, employees should be recognised as an underused resource. With the right approach, they can provide early warning signals that technology alone might miss.
The challenge now is whether organisations are giving employees the consistent practice and support needed to effectively handle phishing attacks.
CIL Solution
The strongest defence against AI-driven phishing is not more policy reminders but continuous, hands-on training. Phishing simulations give employees the chance to experience real phishing attempts in a safe setting and to practise the right response. When someone clicks, the lesson is immediate and contextual; when they report correctly, that action is reinforced and turns into a habit.
This steady cycle of exposure and feedback sharpens instincts over time. Employees stop relying on the memory of a yearly session and instead build the confidence to act decisively when a suspicious message appears. At the same time, organisations gain valuable insight into where their workforce is most vulnerable, whether certain roles fall for specific lures, or if reporting times lag. That knowledge allows training to be targeted where it will have the most impact.
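The metrics described above (click rate by role, click rate by lure, and how quickly reports arrive) are simple to derive from the event log a simulation platform produces. The following is an added example of that scoring logic, not code from CIL or from any simulation product; it runs over a small constructed set of events and treats a recipient who clicks and then reports as both a click and a report, since the late report is still a near-miss worth reinforcing.

```python
"""Score a phishing-simulation campaign from its event log.

Constructed example: events, roles and lure names are made up for illustration.
Each event is (user, role, lure, action, ISO-8601 timestamp); "sent" marks
delivery, "clicked" and "reported" are the recipient's actions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events for one campaign with two lures.
EVENTS = [
    ("alice", "finance", "invoice", "sent", "2025-08-01T09:00:00"),
    ("alice", "finance", "invoice", "clicked", "2025-08-01T09:04:00"),
    ("bob", "finance", "invoice", "sent", "2025-08-01T09:00:00"),
    ("bob", "finance", "invoice", "reported", "2025-08-01T09:12:00"),
    ("carol", "engineering", "mfa-reset", "sent", "2025-08-01T09:00:00"),
    ("carol", "engineering", "mfa-reset", "clicked", "2025-08-01T09:30:00"),
    ("carol", "engineering", "mfa-reset", "reported", "2025-08-01T09:35:00"),
    ("dave", "engineering", "mfa-reset", "sent", "2025-08-01T09:00:00"),
    ("erin", "sales", "invoice", "sent", "2025-08-01T09:00:00"),
    ("erin", "sales", "invoice", "reported", "2025-08-01T11:00:00"),
]


def outcomes(events):
    """Collapse events into one record per recipient.

    Events are processed in timestamp order so "sent" is seen before any
    action. Only the earliest report counts toward time-to-report.
    """
    rec = {}
    for user, role, lure, action, ts in sorted(events, key=lambda e: e[4]):
        r = rec.setdefault(user, {"role": role, "lure": lure, "sent": None,
                                  "clicked": False, "reported": False,
                                  "report_minutes": None})
        t = datetime.fromisoformat(ts)
        if action == "sent":
            r["sent"] = t
        elif action == "clicked":
            r["clicked"] = True
        elif action == "reported":
            r["reported"] = True
            if r["sent"] is not None:
                minutes = (t - r["sent"]).total_seconds() / 60
                if r["report_minutes"] is None or minutes < r["report_minutes"]:
                    r["report_minutes"] = minutes
    return rec


def rate_by(records, key, field):
    """Fraction of recipients, grouped by `key` (role or lure), with `field` true."""
    totals, hits = defaultdict(int), defaultdict(int)
    for r in records.values():
        totals[r[key]] += 1
        hits[r[key]] += int(r[field])
    return {k: round(hits[k] / totals[k], 2) for k in totals}


def median_report_minutes(records):
    """Median delivery-to-report time across recipients who reported, or None."""
    mins = [r["report_minutes"] for r in records.values() if r["report_minutes"] is not None]
    return median(mins) if mins else None


def campaign_summary(events):
    """Produce the per-role, per-lure and timing view the text describes."""
    rec = outcomes(events)
    return {
        "click_rate_by_role": rate_by(rec, "role", "clicked"),
        "report_rate_by_role": rate_by(rec, "role", "reported"),
        "click_rate_by_lure": rate_by(rec, "lure", "clicked"),
        "median_report_minutes": median_report_minutes(rec),
        # Near-misses: clicked first, reported afterwards; worth separate follow-up.
        "clicked_then_reported": sorted(u for u, r in rec.items()
                                        if r["clicked"] and r["reported"]),
    }


if __name__ == "__main__":
    for name, value in campaign_summary(EVENTS).items():
        print(f"{name}: {value}")
```

Grouping by role and by lure separately is deliberate: a high click rate on the "invoice" lure inside finance tells you which team needs which scenario next, whereas a single campaign-wide click rate hides that. The median rather than the mean is used for time-to-report so one very late report does not mask a generally fast-reporting group.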
With ongoing phishing simulations, the workforce shifts from being the weakest link to a practised line of defence that is alert, prepared, and responsive in the moments that matter most.
Conclusion
AI has changed phishing into a faster, more convincing, and more persistent threat. But while technology can catch a large share of these attacks, people remain central to defence. The difference between a risky click and a reported threat often comes down to preparation.
Organisations that rely on one-off awareness sessions leave employees exposed. Those that build habits through ongoing phishing simulations and user awareness training create a workforce that recognises threats instinctively and responds with confidence. In the contest between AI-driven deception and human judgment, practice is what tips the balance, and practice is what turns employees into the strongest line of defence.