Is AI-powered phishing outsmarting your employees?

Polished phishing emails, cloned writing styles and inbox pressure push employees to click first and verify later — forcing HR and IT leaders to rethink how they combat scams

Workplace phishing attempts have become harder to detect than they were just a year ago, thanks to artificial intelligence (AI) – adding to the challenge human resources professionals already face as the technology’s boom continues.

Over 7 in 10 (72%) U.S. desk‑based workers say phishing attempts are more convincing than a year ago because AI‑written language improves the polish and realism of fraudulent messages, according to a Sagiss report.

Nearly 2 in 3 (64%) respondents believe an AI‑generated message could likely impersonate someone they work with, and 57% say AI makes phishing harder to spot because it feels more professional. Concern is not theoretical: 59% say they are moderately, very or extremely concerned about AI being used to imitate a co‑worker’s writing style or tone, with a further 28% slightly concerned.

“That level of concern aligns with a broader shift in how suspicious messages are perceived,” the technology company reports. “The issue is not merely that more phishing attacks exist. It is that the content may now look more polished and more believable inside ordinary workplace communication.”

More personalized messages

Sagiss notes a qualitative shift in how suspicious messages feel:

  • 42% of workers say they have, at least once, trusted a message because it sounded like a co‑worker or someone they regularly work with
  • 33% say they have noticed better grammar and writing in suspicious messages over the past year
  • 27% report more personalised content
  • 26% say the tone feels more natural or human

“AI is changing the way phishing looks and feels, but the deeper issue is that employees are making decisions under constant pressure,” said Sagiss President Travis Springer. “Employers need to think beyond awareness alone… Taking these factors into consideration has become a cyber security essential.”

Employment scams experienced a dramatic increase in 2023, as criminals leveraged artificial intelligence to exploit unsuspecting job seekers, according to experts. Advisory firm Gartner warned in 2025 that one in four job candidates globally will be fake by 2028.

Employees still act first and verify later

Despite years of awareness campaigns, Sagiss reports that risky behaviour remains widespread. In the past 12 months, 63% of respondents clicked a work‑related link and later felt they should have double‑checked it first, including 42% who say this happened multiple times. Another 45% say they have replied to a work email or chat message and later questioned whether it was legitimate.

The pattern extends to verification, finds the February survey of 500 desk‑based workers who use email or chat as part of their jobs: a further 58% report verifying a request only after taking action, with 36% saying they have done so multiple times, and about 41% admit they have ignored initial suspicion at least once because a message seemed urgent.

“These results suggest that awareness alone has not solved the problem,” Sagiss reports. “Workers have spent years hearing the same guidance about suspicious messages, but many still fall into patterns of quick response and delayed verification. The challenge is not simply whether employees know phishing attacks exist. The challenge is whether they can consistently apply good judgment in the middle of a busy workday.”

What’s driving workers’ mistakes?

The Sagiss survey highlights everyday work pressures as key drivers of mistakes. When asked which situations make errors most likely, 55% of workers cite rushing between tasks or meetings and 48% point to multitasking. 

When it comes to verifying suspicious messages, 37% say it is hardest when the message looks legitimate or well written. However, 28% blame too many messages or notifications and 27% point to time pressure. Only 7% say the issue is not knowing how to verify.

Inbox overload compounds the risk, according to the report. With a high number of unread emails or chats, 22% of respondents say they skim more quickly and 15% say they prioritise urgency over verification. 

The risk window also extends beyond the workday. A combined 69% say they check work email or chat outside normal business hours at least sometimes, and 56% feel pressure to respond after hours at least sometimes. About 34% have responded to a work message after hours and later felt they should have verified it more carefully; 31% say they respond outside hours to stay caught up and reduce future workload, while 21% cite urgency.

“Together, these findings suggest that workplace phishing risk is being shaped by more than awareness alone,” according to the report. “Employees are making fast decisions in high-pressure environments, while AI is making fraudulent messages harder to spot. That combination is forcing security leaders to rethink how phishing risk shows up in day-to-day work.”

A previous study shared the same sentiment about workload’s impact on workers and cybersecurity.

“In the highly competitive landscape of the contemporary business environment, personnel across a vast array of corporate structures are grappling with substantial workloads. This results in an escalated mental and physical strain on employees, stemming from an accumulation of onerous responsibilities in their professional roles,” reads part of the report “Mitigating the Impact of Work Overload on Cybersecurity Behaviour: The Moderating Influence of Corporate Ethics—A Mediated Moderation Analysis,” published in the MDPI journal.

“From a practical standpoint, our findings serve as a clarion call for organisations, urging them to acknowledge and address the ramifications of work overload. In an era where cyber threats loom large, the significance of understanding and mitigating human‑induced vulnerabilities is paramount,” the authors wrote.

How can employees prevent AI-powered phishing attacks?

Beyond managing workload, here are some things HR professionals and business leaders can do to better equip employees in the fight against AI‑powered phishing attempts, according to employee onboarding and training firm TechClass:

  • Update training with real examples of AI‑generated phishing emails, deepfake videos, and fake voice calls, stressing that polished, personalised, or urgent messages can be just as suspicious as poorly written ones.
  • Encourage “healthy scepticism” for any unsolicited request, no matter how legitimate it appears.
  • Run phishing simulations using AI‑generated emails and AI‑cloned voice messages to create realistic mock attacks and use any failures as coaching opportunities.
  • Provide repeated, hands‑on practice so employees’ instincts and detection skills improve over time.
  • Teach and standardise verification procedures, such as confirming unusual requests via a second channel (phone, in person, known contact number) before acting.
  • Make clear that no executive or senior staff member is allowed to pressure employees to skip verification, and highlight simple two‑factor checks (like callbacks or code words) as ways to block AI impostors.
  • Build a no‑blame reporting culture so employees feel safe quickly reporting suspected phishing, deepfakes, or mistakes such as clicking on a malicious link.
  • Reward vigilance and prompt reporting to strengthen engagement and overall security culture.
  • Issue clear guidelines for safe use of AI tools, warning staff not to input sensitive company data into external AI systems without approval.
  • Educate employees about “shadow AI” and unsanctioned plug‑ins, and instruct them to consult IT or security before adopting any new AI‑based tools for work.

Nearly 4 in 10 (39%) Canadians feel confident they can recognise an AI-powered scam today, but 68% believe AI will eventually make scams impossible to detect, finds a previous RBC study.
