A joint research report from Proofpoint and Finnish security awareness firm Hoxhunt has quantified what security professionals have long feared: AI-generated phishing emails are measurably more effective than those written by human threat actors—and the gap is widening fast.

The Research

The study analyzed over 1.5 million phishing simulation emails sent to employees across 100 organizations between Q3 2024 and Q4 2024. Half were crafted by experienced human social engineers; the other half were generated by AI systems—including fine-tuned large language models and agentic AI pipelines—that gathered real-time context from social media, corporate websites, LinkedIn, and public data sources before composing each email.

The results were stark: AI-generated emails achieved a 60% higher click rate than human-crafted ones. For spear-phishing campaigns, AI-generated emails were 73% more likely to be opened and acted upon.

Why AI Phishing Succeeds

Researchers identified several factors behind AI's superiority:

1. Hyper-personalization at scale: AI systems research and personalize thousands of targets simultaneously.

2. Real-time context injection: AI pipelines monitor LinkedIn activity and company news, referencing recent events to establish immediate credibility.

3. Tone matching: LLMs match the writing style expected in business communications with uncanny accuracy.

4. Language barrier elimination: AI-generated phishing is equally effective in any language.

Real-World Deployment

Proofpoint has confirmed multiple criminal groups operating Phishing-as-a-Service (PhaaS) platforms with AI generation pipelines. One platform charges $150 per month for an AI pipeline capable of generating and sending 10,000 personalized phishing emails daily.

Defensive Recommendations

Organizations should move beyond click rate as the sole measure of phishing-training effectiveness. Phishing-resistant authentication, with hardware security keys (FIDO2/passkeys) as the primary factor, together with privileged access management (PAM), is increasingly essential. Employee training should shift from spotting grammar mistakes to recognizing behavioral cues and following process verification, such as call-back verification for any financial or credential request.