New Study Shows AI Is Supercharging Phishing Scams

The newly released Zscaler ThreatLabz 2025 Phishing Report reveals a troubling evolution in phishing tactics, fueled by the rapid adoption of generative AI (GenAI).

The report analyzes more than 2 billion blocked phishing attempts on the Zscaler Zero Trust Exchange™ platform from January to December 2024 and highlights a shift from widespread spam campaigns to highly targeted, AI-crafted scams.

AI Supercharges Sophistication of Phishing Scams

Phishing attacks have become more brilliant and more dangerous. Cybercriminals are increasingly using GenAI to craft convincing, personalized lures, replacing the broad, generic approaches of the past. These precision attacks manipulate victims by mimicking trusted sources with uncanny accuracy across email, text, and voice communication.

HR, payroll, and finance departments are at risk, as attackers tailor messages to exploit trusted business processes and weak points in human behavior.

Despite a reported 20% global drop in overall phishing volume in 2024, this decrease conceals a pivot toward fewer but far more effective campaigns, specifically targeting high-value individuals and organizations.

Phishing threats are evolving beyond traditional boundaries, with attackers adopting increasingly sophisticated methods to bypass even AI-based security defenses:

• Voice phishing (vishing) has surged, with fraudsters posing as IT staff to steal credentials in real time.
  
• CAPTCHA misuse now helps disguise phishing sites, giving them false legitimacy and avoiding automated detection.
  
• Cryptocurrency scams are on the rise. They use fake wallets and exchanges to dupe victims into handing over sensitive data.
  
• Fake AI agent websites exploit the AI boom, impersonating trusted platforms to harvest personal information.
  

The education sector, particularly, has seen a 224% spike in phishing attacks, attributed to underfunded defenses and predictable academic cycles. Meanwhile, tech support and job scams, often spread through social media and live chat, have hit over 159 million users.

Interestingly, while phishing in the U.S. dropped 31.8% in 2024, thanks to stronger email authentication like DMARC and Google’s sender verification, the country remains the most targeted globally.

Zscaler’s Zero Trust Approach Offers Critical Protection

Amid the growing threat landscape, Zscaler’s Zero Trust Exchange is a key defense against AI-powered phishing.

The platform inspects encrypted TLS/SSL traffic in real time, blocks malicious content, and isolates suspicious websites in secure browser sessions, preventing zero-day attacks and drive-by downloads.

Zscaler’s architecture eliminates lateral movement by enabling direct user-to-application connections. AI-driven segmentation ensures breaches are confined to isolated environments, while context-aware access policies, MFA, and deception technologies quickly shut down compromised accounts and detect insider threats.

Real-time data loss prevention (DLP) further secures sensitive information across applications, email, and GenAI tools, helping stop unauthorized data exfiltration before it occurs.

The report emphasizes that phishing has moved far beyond inbox spam; it’s now a sophisticated psychological attack on human trust. However, with Zero Trust frameworks, organizations can strengthen their defenses and stay ahead of the evolving threat landscape.