AI-Powered Phishing: Why Your Staff Training Is Already Outdated
For two decades, phishing awareness training has been built around a particular kind of email. Bad spelling. Suspicious sender address. Vague greeting. Too good to be true. The training taught staff to spot those signals and report them.
That email is gone. The phishing message your team will see this week was written by an AI that has read your company website, scanned your team's LinkedIn profiles, and patterned itself on the writing style of an actual supplier or client. It does not have spelling errors. It does not look suspicious. It looks like a normal day at work.
If your awareness program is still running on slides from 2022, your staff are training to recognise a threat that no longer exists. Here is what changed, and what to do about it.
What AI changed about phishing
Several shifts have happened in roughly two years.
Quality of writing. The grammatical errors and awkward phrasing that used to give phishing emails away have disappeared. A modern AI-generated phishing message reads as well as anything an internal staff member might write. It uses correct industry terminology, current events, and a tone matched to the supposed sender's role.
Personalisation at scale. Attackers no longer have to choose between a high-volume generic campaign and a hand-crafted spear phishing message. AI lets them produce thousands of tailored messages in the time it used to take to write one. The "spray and pray" tier and the targeted tier have merged.
Multi-channel and follow-up. A modern phishing campaign is not a single email. It is an email followed by a Teams or Slack message, a follow-up SMS, sometimes a voice call using a synthetic voice, all coordinated to reinforce the same fake context. The days when a single suspicious email could simply be reported and discarded are over.
Awareness of your business. The reconnaissance phase has shifted from cheap to free. Public LinkedIn profiles, the case studies on your website, the vendors named in your blog posts, and the org chart implied by your contact page are all input data for the AI that crafts the message. The result is an attack that knows who reports to whom, who handles invoices, and what client names will not raise an eyebrow.
Why your training is now insufficient on its own
Awareness training was always partial. It is a single layer of defence against a problem that needs many. The problem now is that the layer has become measurably weaker.
Spotting a phishing email used to require recognising a few telltale signs. Today it requires the staff member to question something that looks normal in every way they have been taught to check. The cognitive demand has gone up at the exact moment phishing volume has gone up. That is not a winning combination.
This does not mean training is useless. It means training is necessary but no longer sufficient. The same hour in the calendar that used to deliver most of the protection now delivers a smaller fraction of it.
What to update in your training
If you do not retire your existing program, at least update it.
Replace "look for these signs" with "verify before you act". The new mental model your team needs is not pattern recognition on the email itself. It is a workflow rule: any request that involves money, credentials, sensitive data, or unusual urgency requires a second verification step before action, regardless of how legitimate the email looks.
Train on multi-channel attacks. Use scenarios where the email is followed by a Teams message and a phone call. Make staff comfortable asking "are you sure" even when the answer comes back via three different channels.
Use real, recent examples. Generic phishing samples from a vendor library are no longer representative. Use actual messages your team has reported. If you do not have a stream of those, that is a signal that reporting culture also needs work.
Train the people most targeted. Finance and accounts payable staff, executive assistants, and senior leaders are disproportionately targeted because the payoff is higher. They need more frequent and more specific training, not the same annual refresher as everyone else.
Train on what to do after a click. Modern attacks are designed so that even careful staff will eventually click. The training that matters most is the response: report it, change your password, contact IT, do not delete the evidence. Speed of reporting is the single biggest factor in containing a successful phishing incident.
What to update in your technical controls
The controls that catch what training misses become more important, not less.
Conditional Access for high-risk operations. Sign-ins from new devices, unusual locations, or impossible-travel patterns should require additional verification. This is the difference between a stolen credential being immediately useful and being immediately blocked.
Phishing-resistant MFA where you can deploy it. App-based MFA defeats most password-only attacks but can be defeated by real-time phishing. FIDO2 keys and passkeys cannot. For your highest-privilege accounts, including IT admins and finance leaders, this is becoming the new baseline.
Email authentication and anti-spoofing. Your SPF, DKIM, and DMARC records should be configured and enforcing. A surprising number of Australian SMBs still have permissive or missing records, which is the single biggest enabler of look-alike domain attacks.
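To make "permissive or missing" concrete, here is an added example (not code from the original post) that classifies a domain's SPF and DMARC TXT records. The records are constructed samples; in practice you would feed it the output of a DNS TXT lookup for `yourdomain` and `_dmarc.yourdomain`.

```python
# Constructed sample TXT records (not pulled from any real domain).
SAMPLE_RECORDS = {
    "permissive.example": {
        "spf": "v=spf1 include:_spf.example.net ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@permissive.example",
    },
    "missing.example": {"spf": None, "dmarc": None},
    "enforcing.example": {
        "spf": "v=spf1 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example; pct=100",
    },
}

def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def assess_spf(spf):
    if not spf or not spf.lower().startswith("v=spf1"):
        return "missing"
    last = spf.split()[-1].lower()      # the terminating 'all' mechanism decides
    if last in ("+all", "all", "?all"):
        return "permissive"             # anyone may send as this domain
    if last == "~all":
        return "softfail"               # spoofs are flagged, not rejected
    if last == "-all":
        return "enforcing"
    return "incomplete"                 # no terminating 'all' mechanism at all

def assess_dmarc(dmarc):
    if not dmarc or not dmarc.upper().startswith("V=DMARC1"):
        return "missing"
    tags = parse_tags(dmarc)
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))   # share of mail the policy applies to
    if policy == "none":
        return "monitor-only"           # reports only; nothing is blocked
    if policy in ("quarantine", "reject") and pct < 100:
        return f"{policy}-partial"
    return policy

def assess_domain(records):
    return {"spf": assess_spf(records["spf"]), "dmarc": assess_dmarc(records["dmarc"])}
```

Anything other than `enforcing` for SPF and `quarantine` or `reject` for DMARC means mail claiming to be from your domain is not being rejected by receivers.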
Banner warnings for external email. A simple "this email is from outside your organisation" banner remains one of the highest-leverage controls available. Almost every internal phishing scenario depends on the recipient not realising the sender is external.
Anti-impersonation and link rewriting. Modern email security tools can detect emails that pretend to be from your CEO, sandbox suspicious attachments, and rewrite URLs so that they are inspected at click time rather than at delivery time. If your tenant is on Microsoft 365 Business Premium or above, much of this is included and only needs to be turned on.
What to update in incident response
The first thirty minutes after a successful phishing click are where the damage is contained or made worse.
Make sure you have a runbook that covers who to contact, what to say, and what to do, written in a way an ordinary staff member can follow under pressure. Keep it short, keep it accessible, rehearse it.
When a credential is suspected compromised, the response should be a coordinated set of actions: immediate password reset, MFA token revocation, sign-out of all sessions, audit log review for the suspect window, mailbox forwarding rule check, and review of any sensitive content that was accessible to that account. None of those steps is difficult individually. The difficulty is doing them all, in order, under stress, while also looking for other affected accounts.
If your current incident response plan is "we'll work it out at the time", that is the gap to close before the next quarter ends.
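The mailbox forwarding rule check from the response steps above, as an added example that is not part of the original post. The rule objects are constructed samples whose field names are assumed to follow the Microsoft Graph `messageRule` shape; `INTERNAL_DOMAINS` and the term lists are placeholders you would replace with your own.

```python
# Constructed sample rules (invented data, not exported from a tenant).
# Assumption: field names follow the Microsoft Graph 'messageRule' resource.
SAMPLE_RULES = [
    {"displayName": "Invoices", "isEnabled": True,
     "conditions": {"subjectContains": ["invoice", "payment"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "drop@attacker.example"}}],
                 "delete": True, "markAsRead": True}},
    {"displayName": "Newsletter filing", "isEnabled": True,
     "conditions": {"senderContains": ["news@"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"bodyContains": ["password", "MFA"]},
     "actions": {"moveToFolder": "RSS Subscriptions", "markAsRead": True}},
]

INTERNAL_DOMAINS = {"company.example"}          # placeholder: your own domains
EXFIL_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
HIDING_FOLDERS = {"RSS Subscriptions", "Conversation History", "Junk Email", "Deleted Items"}
SENSITIVE_TERMS = {"invoice", "payment", "password", "mfa", "bank", "wire"}

def _rule_terms(rule):
    """Collect every string the rule matches on, lower-cased."""
    terms = set()
    for values in rule.get("conditions", {}).values():
        if isinstance(values, list):
            terms.update(v.lower() for v in values)
    return terms

def review_rule(rule):
    findings = []
    if not rule.get("isEnabled", False):
        return findings
    actions = rule.get("actions", {})
    for key in EXFIL_ACTIONS:                    # mail leaving the tenant
        for target in actions.get(key, []):
            addr = target["emailAddress"]["address"]
            if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
                findings.append(f"external {key} -> {addr}")
    if actions.get("delete") or actions.get("moveToFolder") in HIDING_FOLDERS:
        if _rule_terms(rule) & SENSITIVE_TERMS:   # hiding the mail a victim would notice
            findings.append("hides mail matching sensitive terms")
    if len(rule.get("displayName", "")) <= 1:     # rules named '.' or '' are a common tell
        findings.append("near-empty rule name")
    return findings

def review_mailbox(rules):
    report = {r["displayName"]: review_rule(r) for r in rules}
    return {name: f for name, f in report.items() if f}
```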
What this looks like in practice
For a fifty-person Australian SMB, a sensible upgraded posture looks like this. Quarterly awareness training updated for AI-powered attacks, with monthly simulated phishing campaigns to keep the muscle memory active. MFA on every account, with FIDO2 or passkeys for finance, IT admins, and the executive team. Email authentication fully configured. External email banner enforced. A documented incident response runbook accessible to anyone, rehearsed at least once a year.
That is achievable in a quarter of focused work. It will not stop every attack, because nothing will. It will reduce the volume of successful attacks substantially, and it will reduce the damage of the ones that do succeed.
If you would like an outside view on where your business stands, our free IT health check includes a phishing readiness review. We assess your training, your technical controls, your incident response readiness, and your email security configuration, and we give you a straight answer on what to fix first.