AI has changed phishing, not the importance of human judgment

As cyberattacks grow smarter, critical thinking remains the strongest line of defence

Last updated:
Dr. Martin Kraemer, Special to Gulf News
Research indicates that AI-generated spear-phishing campaigns are three times as effective as generic phishing and can be operated at scale by drawing on public information.
Research indicates that AI-generated spear-phishing campaigns are three times as effective as generic phishing and can be operated at scale by drawing on public information.
Gulf News archives

AI has made phishing attacks faster, cheaper, and far more convincing, reshaping the global cybersecurity landscape. What was once driven by volume has evolved into a precision-driven threat, where attackers can craft highly convincing, context-aware messages at scale. From a regional perspective, the UAE Cybersecurity Council recently noted that AI-powered phishing is now linked to more than 90% of digital breaches, underscoring how deeply these techniques are embedded in today’s threat environment.

This shift is prompting organisations to rethink how they view the human element, moving beyond traditional awareness programmes toward a more proactive approach to secure the entire workforce. Effective efforts to manage the associated risk provide organisations with a strategic and data-driven way to identify, measure and reduce the risks associated with human behaviour. Rather than focusing solely on awareness and education, organisations recognise the importance of shaping behaviour. Continuous assessment, targeted interventions and personalised guidance help organisations better understand, manage and reduce cyber risk over time.

The challenge becomes even clearer when looking at the effectiveness of these attacks. Research indicates that AI-generated spear-phishing campaigns are three times as effective as generic phishing and can be operated at scale by drawing on public information. Findings like these have intensified concerns across the cybersecurity community, driving a growing narrative that security awareness training is losing relevance and that the human element has become the weakest link in modern defence strategies.

Human judgment remains a critical control point

A closer look tells a different story. About 54% of users clicked on AI-generated phishing emails in a research study. Crucially, 46% did not. In other words, nearly half of the recipients paused, questioned, or reported the interaction. It suggests that human judgment, far from collapsing under AI pressure, continues to disrupt even highly sophisticated attacks.

This reflects what happens when people are trained to recognise warning signs and empowered to report rather than engage. When employees, for instance, know how to spot and report suspicious emails, security teams gain earlier visibility into phishing campaigns and can respond before attacks spread across the organisation. Behavioural signals give security teams the data they need to identify where risk is concentrated and direct interventions accordingly. This is the foundation of securing the digital workforce: understanding who presents risk, why, and how that risk changes over time, then using those insights to build a workforce that is measurably harder to deceive

No matter how sophisticated the attack, most cybersecurity incidents still hinge on a single human action: a link clicked, a request approved, access granted. This is why the traditional model of people, process, and technology is evolving. Organisations and cybersecurity experts must treat human behaviour as a dynamic risk that can be measured, managed, and meaningfully reduced.

In this context, the moment of human decision, the split second between impulse and action, stands as the final and most critical control point in security architecture. It is where even the most sophisticated attack can be stopped. Strengthening human judgment and equipping individuals to think critically in high-pressure situations is therefore no longer a supporting measure, but a core requirement for effective cybersecurity.

AI is changing how attacks work and how we respond

Traditional phishing once relied on clear warning signs such as poor grammar, suspicious formatting, or generic messaging, but AI has largely removed these cues. Today’s phishing emails are polished, highly personalised, and often indistinguishable from legitimate communication. In the UAE, for instance, this is evident in a surge of attacks that exploit context, urgency, and emotion, with messages appearing to come from government entities or trusted organisations. AI enables this level of precision at scale, making attacks more convincing and significantly harder to detect.

As a result, security awareness must evolve. The focus should shift from simply identifying red flags to strengthening decision-making. Employees need to be equipped to pause when something feels unusual, even if they cannot immediately explain why. That instinctive hesitation is critical in interrupting attacks, reflecting an understanding of manipulation techniques such as urgency, authority, and social engineering.

This response is developed through training, experience, and repeated exposure to realistic scenarios. Even in an environment where traditional warning signs have diminished, human intuition remains a powerful and necessary line of defence.

To reinforce this, organisations must introduce real-time support mechanisms that guide users at the point of risk. Security prompts and behavioural nudges can help shape decisions in critical moments. Phishing simulations should evolve to reflect current AI-driven tactics, enabling employees to build confidence in handling increasingly sophisticated scenarios. At the same time, reporting mechanisms must be simple and accessible to ensure that suspicious activity is quickly surfaced and addressed.

The core principle, however, remains unchanged: pause, assess, and verify. These simple actions have significant impact.

AI is increasing the scale and sophistication of cyber threats, but human judgment remains essential. As attacks advance, human decision-making will remain a critical defence. In a world increasingly shaped by machines, cybersecurity will not be defined by how systems think, but by how people decide.

Dr Martin Kraemer
Dr Martin Kraemer
Dr Martin Kraemer

Dr Martin Kraemer is CISO Advisor at KnowBe4

Related Topics:

Get Updates on Topics You Choose

By signing up, you agree to our Privacy Policy and Terms of Use.
Up Next