How AI changes the cybersecurity landscape
Cybercriminal tactics are evolving at lightning speed. With AI at their fingertips, attackers can now create personalized, flawless phishing emails in minutes — not hours.
Since the launch of ChatGPT, phishing attempts have more than doubled. Modern language models can automate every stage of the attack: they instantly scan vast amounts of public data to learn who you are, where you work, what you care about, and which psychological triggers are likely to influence you — then craft hyper-realistic emails in seconds. Today, everyone is treated like a VIP target — and human error has never been easier to exploit.
Why traditional training fails
Meanwhile, the cost of cybercrime keeps climbing. By 2027, its global financial impact is projected to exceed €20 trillion, driven by relentless attacks in which companies — knowingly or not — help fund the cybercriminal business model through their own vulnerabilities.
Despite this mounting evidence, many organizations continue to pour money into outdated, ineffective solutions. 76% of IT managers still believe that phishing simulations or occasional training sessions are enough to make employees resilient against phishing. It’s an idea ingrained in the industry: every IT team does it, so it must work. And the standards behind compliance frameworks such as ISO and SOC are often too weak to convey the importance of frequent, effective training.
Two major scientific studies (one conducted by ETH Zurich in Europe and one by the University of Chicago in the United States) have now confirmed what we at Phished have been saying for years: the way most organizations approach phishing awareness today is nothing more than a band-aid on a broken system. Traditional phishing training, in its current and commonly deployed form, has no measurable impact — and in the worst cases, it can even backfire.
The inconvenient truth in phishing training
We need to accept what the data makes painfully clear: the human firewall alone doesn’t prevent cyber incidents. Humans will always make mistakes — especially now that AI has made phishing faster, cheaper, and more sophisticated than ever. The question isn’t whether an incident will occur — it’s when.
Traditional training won’t solve that problem. Only a holistic approach that protects people as well as trains them, combined with zero-trust email technology, can succeed.
To fix the problem of unreliable spam filters and human error, we’ve built our Zero Incident Mail™ (ZIM) technology, which neutralizes risky clicks instantly, ensuring that even when employees make mistakes, no harm reaches your infrastructure. Combined with holistic, risk-based training (including cyber hygiene practices and threat alerts) and behavioral insights from our Behavioral Risk Score™, it lets employees learn safely, effectively, and without disrupting their daily work.
Because human error will always exist — but incidents don’t have to.
Jo Vandebergh
CEO, Phished


