
How Hackers Use Agentic AI to Advance Social Engineering

AI-powered phishing is evolving rapidly, making attacks smarter, faster, and harder to detect. Learn how hackers use agentic AI to craft near-perfect phishing lures, bypass security measures, and automate social engineering at scale—and what organizations must do to fight back.

How Hackers Use Agentic AI for Social Engineering & Phishing

Every day, cybercriminals send 3.4 billion phishing emails, designed to mimic trusted sources. (Source) That’s over a trillion phishing emails per year, fueling fraud, breaches, and financial losses.

Now, AI-powered phishing is making these attacks faster, more scalable, and nearly undetectable. Hackers are leveraging agentic AI—a form of AI that autonomously gathers intelligence, crafts hyper-personalized lures, and executes large-scale attacks with minimal effort.

This blog explores how AI is reshaping phishing, why traditional defenses are failing, and what organizations must do to stay ahead of AI-driven threats.

AI vs. Human Phishing: A Game-Changing Reality

A recent study by researchers from Harvard Kennedy School and Avant Research Group tested how effective AI-generated phishing emails are compared to those written by humans. (Source) They sent four types of emails to 101 real participants and measured the click rates:

  • Basic scam emails (used as a control group): Only 12% of people clicked on these generic, poorly written emails.
  • Phishing emails written by human experts: 54% of people clicked, showing that well-crafted scams are much more convincing.
  • Phishing emails written entirely by AI: 54% of people clicked, proving that AI can already match human experts in deception.
  • AI-generated phishing emails with minor human edits: 56% of people clicked, slightly outperforming both AI-only and human-written attempts.

Why does this matter?

These results are shocking because they show that AI can now create phishing emails just as convincingly as skilled cybercriminals—and sometimes even better. This means hackers no longer need to be experts at writing scams. Instead, they can use AI to generate unlimited, high-quality phishing emails in seconds, making attacks easier, faster, and more widespread.

So, why is AI-powered phishing so effective? Let’s break it down.

How AI is Revolutionizing Social Engineering

AI is transforming phishing from a manual process into a fully automated, intelligent attack system. Unlike traditional scams, AI-powered phishing continuously learns, adapts, and personalizes attacks at an unprecedented scale. By leveraging automation and advanced data analysis, AI can craft hyper-realistic phishing attempts that are nearly impossible to detect.

1. AI Learns and Self-Improves Faster Than Humans

Traditional hackers refine their tactics through trial and error, but AI can optimize phishing emails instantly by analyzing real-time data. It examines:

  • Click rates and response patterns to craft more convincing messages.
  • Psychological triggers and linguistic nuances to manipulate targets more effectively.

Since AI learns at machine speed, phishing techniques that fail today can be perfected tomorrow—making attacks constantly evolve and improve.

2. AI Doesn’t Just Write Emails—It Conducts Automated Target Research

AI doesn't just generate emails—it gathers intelligence on targets before launching attacks. Through Open-Source Intelligence (OSINT), AI can:

  • Scan social media, company websites, and public records to profile individuals.
  • Identify job roles, communication styles, and interests to personalize attacks.
  • Mimic familiar language and behaviors, making phishing emails almost indistinguishable from legitimate communication.

With this data-driven targeting, AI phishing is no longer a guessing game—it’s precision-engineered deception.

3. AI Removes Traditional Barriers to Phishing

Phishing once required technical skill, research, and effort—AI has removed these obstacles, making attacks effortless and highly effective.

  • AI generates tailored phishing emails in seconds, adapting to a target’s job role, industry, and online activity.
  • It scans social media and company directories to insert real details, like colleagues’ names or recent events, increasing credibility.
  • It writes fluently in any language, avoiding grammar mistakes that typically expose scams.
  • It runs continuously, refining tactics based on response rates, something human attackers can’t do at scale.

AI has transformed phishing into an automated, precision-targeted cyber threat—faster, smarter, and harder to detect.

4. AI Bypasses Security Guardrails

AI models are designed with built-in safety measures to prevent abuse, but cybercriminals have already found ways to bypass them:

  • Rewording prompts to trick AI into generating phishing content.
  • Using agent-based AI, which autonomously collects target data and launches phishing attacks.
  • Altering phishing emails in real time to evade detection by spam filters and security systems.

With these methods, hackers stay ahead of AI safety measures, making AI-driven phishing one of the biggest cybersecurity threats today.

The Economics of AI-Powered Phishing

AI has made phishing cheaper, faster, and more profitable, giving cybercriminals a major advantage.

  • AI-driven phishing is up to 50x more profitable than traditional methods by increasing success rates while cutting costs.
  • It eliminates the need for technical skills, allowing even inexperienced attackers to launch advanced phishing campaigns.
  • Automation enables mass attacks with minimal effort, making phishing more widespread and harder to stop.

As AI continues to lower the barriers to cybercrime, we can expect a surge in phishing attacks across all industries.

AI Enables Multi-Channel Phishing Attacks

Phishing is no longer just about deceptive emails—AI now powers attacks across multiple channels, making scams harder to detect. Cybercriminals use AI to:

  • Create fake online personas to manipulate employees, executives, or IT staff.
  • Generate deepfake voice and video impersonations to bypass identity verification.
  • Develop phishing websites that perfectly mimic real login portals, even bypassing Multi-Factor Authentication (MFA).

This new wave of AI-driven deception is blurring the line between real and fake, making it increasingly difficult for individuals to recognize threats.

The Future of Phishing: What Comes Next?

AI-powered phishing is rapidly advancing, with attacks becoming more personalized, automated, and nearly impossible to distinguish from real communications. Traditional security measures struggle to keep up as AI constantly adapts and generates new attack strategies. To stay ahead, organizations must embrace AI-driven defenses and rethink how they approach cybersecurity.

1. AI-Powered Attacks Will Become Hyper-Personalized

AI-driven phishing is moving beyond generic scams, evolving into highly targeted attacks that exploit real-time data. Future threats will:

  • Analyze live social media activity and business emails to craft ultra-personalized lures.
  • Use deepfake technology to impersonate colleagues, executives, or clients in emails and video calls.
  • Apply behavioral psychology and AI-generated emotional triggers to manipulate targets more effectively.

2. Traditional Security Measures Will Struggle to Keep Up

Phishing detection tools rely on pattern recognition, but AI constantly generates new attack variations that evade security filters. Organizations will face:

  • AI-crafted phishing messages that never repeat, making them harder to blacklist.
  • Sophisticated bypass techniques, allowing AI-driven phishing sites to evade web security checks.
  • Automated, multi-channel attacks, combining emails, SMS, and voice phishing (vishing) for maximum deception.

3. Organizations Must Use AI to Fight AI

Since AI is driving a new era of cyber threats, security teams must leverage AI-driven defense mechanisms, such as:

  • Adaptive phishing detection systems that analyze behavioral patterns instead of fixed rules.
  • AI-powered security awareness training, simulating real-world attack scenarios to build employee resilience.
  • Beyond-password authentication methods, like biometric verification and continuous identity monitoring, to prevent credential-based attacks.

AI is rewriting the rules of phishing, and organizations must act now to stay ahead of this rapidly evolving threat.
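To make "behavioral patterns instead of fixed rules" concrete, the sketch below is an added example (not Keepnet's code or product logic) that scores inbound mail on sender behaviour only, so two lures with different wording get the same score. The baseline sets, weights, addresses and sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed baseline (assumption): prior correspondents and staff directory.
KNOWN_SENDERS = {"dana.lee@example.com", "billing@vendor.example"}
INTERNAL_DOMAIN = "example.com"
STAFF_NAMES = {"dana lee", "sam ortiz"}
WEIGHTS = {"first_contact": 1, "staff_name_external_domain": 3,
           "reply_to_domain_mismatch": 2, "no_dmarc_pass": 2}  # illustrative

def domain(addr):
    return addr.rpartition("@")[2].lower()

def signals(raw):
    """Return content-independent signals for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    addr, reply = addr.lower(), reply.lower()
    found = set()
    if addr not in KNOWN_SENDERS:
        found.add("first_contact")
    if name.strip().lower() in STAFF_NAMES and domain(addr) != INTERNAL_DOMAIN:
        found.add("staff_name_external_domain")
    if reply and domain(reply) != domain(addr):
        found.add("reply_to_domain_mismatch")
    if "dmarc=pass" not in msg.get("Authentication-Results", "").lower():
        found.add("no_dmarc_pass")
    return found

def score(raw):
    return sum(WEIGHTS[s] for s in signals(raw))

def build(frm, body, reply_to=None, auth="mx.example.com; dmarc=pass"):
    headers = [f"From: {frm}", f"Authentication-Results: {auth}"]
    if reply_to:
        headers.append(f"Reply-To: {reply_to}")
    return "\n".join(headers) + "\n\n" + body

# Constructed samples: identical sender behaviour, different wording.
LURE_A = build("Dana Lee <dana.lee@examp1e-mail.test>", "Please settle this today.",
               reply_to="pay@other.test", auth="mx.example.com; dmarc=fail")
LURE_B = build("Dana Lee <dana.lee@examp1e-mail.test>", "Quick favour, can you wire it?",
               reply_to="pay@other.test", auth="mx.example.com; dmarc=fail")
LEGIT = build("Dana Lee <dana.lee@example.com>", "Notes from Tuesday attached.")

if __name__ == "__main__":
    for label, raw in (("lure A", LURE_A), ("lure B", LURE_B), ("legit", LEGIT)):
        print(label, score(raw), sorted(signals(raw)))
```

Because none of the signals read the body, rewording the message does not change the score; in practice the baseline would come from mail-flow history rather than a hard-coded set.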

How Keepnet Can Protect Against AI-Powered Phishing

As AI-driven phishing evolves, organizations need advanced simulations, adaptive training, and rapid response solutions. Keepnet’s AI-powered tools provide a strong defense against these threats.

  • AI-Driven Phishing Simulations – Keepnet’s Phishing Simulator replicates AI-generated attacks, helping employees detect and avoid sophisticated scams.
  • Adaptive Security Awareness Training – Offers 2,100+ training materials from 15+ providers in 36+ languages, using AI-driven phishing simulations and a behavior change model to deliver personalized, multilingual training.
  • Automated Threat Response with Incident Responder – Detects, analyzes, and mitigates AI-powered phishing threats in real time, responding 48.6x faster than manual processes.

With AI-driven simulations, tailored training, and automated response, Keepnet helps organizations stay ahead of emerging phishing threats.

Why AI-Powered Phishing Requires a New Defense Strategy

AI-driven phishing is evolving beyond traditional scams, using automation, deepfakes, and real-time data to deceive even the most cautious employees. Standard security measures can’t keep up, making AI-powered defenses essential.

Check out the Keepnet Extended Human Risk Management Platform to simulate real AI-driven phishing attacks, train employees with adaptive learning, and automate phishing response—stopping threats before they cause damage.
