📰 Originally published on SecurityElites — the canonical, fully-updated version of this article.
The phishing email that tricked your security awareness training had obvious grammar errors, a suspicious sender address, and “Dear Customer” as a greeting. The AI-generated version that’s targeting your CFO right now uses their name, references their current Q4 project from LinkedIn, arrives from a spoofed domain registered last Tuesday with valid SPF records, and reads like it was written by someone in their industry. Your email filter is passing it. Your CFO can’t spot the difference. I’ve tested this.
Last year I ran a phishing simulation for a client — AI-generated emails personalised from LinkedIn data, referencing real project names I pulled from their press releases. The click rate was 34%. The same campaign using generic templates: 8%. That gap is what AI does to social engineering economics.
What I want to give you here is the full technical picture of how these attacks are built, why traditional defences fail against them, and the specific process-level controls that actually work. Because the answer isn’t better spam filtering. The answer is understanding that AI eliminated the effort barrier, which means your defences need to shift from content inspection to process verification.
Has your organisation been targeted by AI-generated phishing or vishing?
Not that we know of We suspect some recent attacks were AI-generated We’ve confirmed AI-generated attacks against us We don’t have the visibility to know
🎯 What You’ll Learn
How LLMs improve phishing across scale, quality, and personalisation simultaneously
The OSINT-to-LLM spear phishing pipeline used in documented attacks
AI vishing — LLM-assisted phone attacks and voice cloning fraud
Why traditional phishing detection training fails against AI-generated content
Process-level defences that work regardless of content quality
⏱️ 30 min read · 3 exercises ### 📋 AI-Powered Social Engineering 2026 – Contents 1. Three Ways AI Improves Phishing 2. The OSINT-to-LLM Spear Phishing Pipeline 3. AI Vishing and Deepfake Voice Fraud 4. Why Traditional Detection Fails 5. Process-Level Defences That Actually Work 6. Updating Security Awareness Training ## Three Ways AI Improves Phishing Scale without quality loss. Traditional spear phishing required hours of manual research and writing per target. LLM-assisted phishing generates personalised emails in seconds. An attacker who could previously send 20 personalised spear phishing emails per day can now send thousands while maintaining the same quality. The effort economics have inverted: mass personalised phishing is now cheaper per-target than generic phishing was.
Language quality in any target language. Generic phishing campaigns were historically limited by language quality — campaigns targeting non-English speakers often betrayed their non-native origin through grammar errors. LLMs produce native-quality text in all major languages and many minor ones. The grammar-checking heuristic that security awareness training emphasised is now unreliable: AI-generated phishing may have better grammar than a legitimate email from a non-native English speaker colleague.
Contextual personalisation from OSINT. The most sophisticated AI-assisted phishing chains OSINT gathering with LLM content generation. LinkedIn profile data, company website content, recent news about the organisation, GitHub repositories, and social media activity feed into a prompt that generates an email referencing real context: the target’s actual job title, a real project they’re involved in, a real colleague they work with. This contextual accuracy dramatically increases click and response rates.
securityelites.com
Generic Phishing vs AI Spear Phishing — Side by Side
❌ Generic Phishing (2020)
From: noreply@paypa1-secure.com
Subject: Urgent: Account Suspended
Dear Customer,
Your account have been suspend. Please verify your informations immediately to avoid permanent closure.
Click here to verify: [suspicious-link.ru]
Detection: 3+ red flags visible
✓ AI Spear Phishing (2026)
From: j.hartley@acmecorp-it.com
Subject: Q2 Security Audit — Action Required
Hi Sarah,
Following up on the Phoenix project security review that Mike mentioned in last week’s all-hands. IT needs you to verify your MFA settings by Friday before the audit. Takes 2 minutes:
[legitimate-looking link]
Thanks, James
References real project, real colleague, real context
📸 Generic phishing (2020) vs AI spear phishing (2026). The right panel references a real project name (Phoenix), a real colleague (Mike), and a real upcoming event (Q2 security audit) — all sourced from LinkedIn posts and company all-hands recordings. There are no visible grammar errors, no suspicious sender red flags (the domain acmecorp-it.com was registered last week and passes basic domain checks), and the request (verify MFA settings) is entirely plausible. Security awareness training that taught users to check for grammar errors and generic greetings provides essentially zero protection against the right panel.
The OSINT-to-LLM Spear Phishing Pipeline
Documented AI-assisted spear phishing operations follow a consistent pipeline: OSINT gathering, LLM content generation, delivery infrastructure, and payload. The OSINT phase uses tools like theHarvester, LinkedIn scraping, and company website analysis to build a profile of the target and their organisational context. This takes seconds with automated tooling for most targets.
The LLM generation phase takes the gathered context and generates email content with a specific objective: credential phishing, wire transfer request, malware attachment download, or callback to a vishing number. The prompt specifies the target’s name, role, organisation, and contextual references; the LLM generates contextually appropriate content in the target’s language with the specified goal. Multiple variants can be generated and tested for quality in minutes.
📖 Read the complete guide on SecurityElites
This article continues with deeper technical detail, screenshots, code samples, and an interactive lab walk-through. Read the full article on SecurityElites →
This article was originally written and published by the SecurityElites team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit SecurityElites.
Top comments (0)