I’m thrilled to sit down with Rupert Marais, our in-house security specialist with deep expertise in endpoint and device security, cybersecurity strategies, and network management. With the rapid evolution of AI-driven threats, particularly in phishing, Rupert’s insights are more critical than ever as we look toward the cybersecurity landscape of 2026. In this conversation, we dive into the growing dangers of AI-powered phishing, the tools criminals are using to outsmart traditional defenses, and the multi-layered strategies needed to stay ahead of these sophisticated attacks.
Can you start by explaining what AI phishing is and why it’s becoming such a critical issue in cybersecurity?
Absolutely, Sebastian. AI phishing refers to phishing attacks that leverage artificial intelligence to create highly convincing and targeted scams. Unlike traditional phishing, where emails might have obvious red flags like bad grammar, AI can craft messages that are almost indistinguishable from legitimate ones. It’s becoming a critical issue because AI makes these attacks faster, cheaper, and more effective. Criminals can generate thousands of personalized emails or even deepfake audio and video in minutes, tricking even the most cautious individuals. The scale and sophistication we’re seeing now are unprecedented, and it’s only going to grow as we head into 2026.
How does AI specifically make phishing attacks more dangerous compared to older methods?
AI takes phishing to a whole new level by automating and personalizing attacks at scale. Older methods relied on generic templates—think “urgent bank alert” emails sent to thousands of people. Now, AI can analyze data from social media, past breaches, or public websites to tailor messages to specific individuals. It can mimic someone’s writing style or even replicate a CEO’s voice in a deepfake call. This personalization, combined with the ability to churn out variations that bypass traditional filters, makes it incredibly hard to detect and stop these attacks before they cause damage.
The concept of Phishing-as-a-Service, or PhaaS, is gaining traction. Can you break down what that means for someone who might not be familiar with it?
Sure, PhaaS is essentially a subscription-based model for cybercrime, often found on the dark web. Platforms like these offer ready-made kits that allow even low-skilled criminals to launch sophisticated phishing campaigns. Think of it as a criminal version of a software-as-a-service platform. For a fee, you get access to tools that can clone login pages for major services like Google or Microsoft, generate convincing emails, and even provide hosting for phishing sites. It lowers the barrier to entry so much that almost anyone with a laptop and a credit card can become a cybercriminal overnight.
How easy is it for someone with minimal technical know-how to launch a phishing attack using these services?
It’s disturbingly easy. These PhaaS platforms are designed to be user-friendly, with step-by-step guides and pre-built templates. You don’t need to know how to code or understand the intricacies of cybersecurity. In under a minute, someone can set up a fake login portal that looks identical to the real thing and start sending out emails. The automation handles everything from hosting the phishing site to tracking stolen credentials. It’s plug-and-play crime, which is why we’re seeing such a massive uptick in phishing attacks worldwide.
Generative AI is being used to create incredibly convincing phishing emails. Can you explain how criminals are using these tools to deceive people?
Generative AI is a game-changer for phishing because it can produce emails that feel personal and relevant. Criminals use these tools to scrape data from places like LinkedIn or public websites to learn about their targets—things like job titles, recent projects, or even personal connections. Then, the AI crafts emails that mimic real business communication, referencing specific details to build trust. For example, an email might look like it’s from your boss, mentioning a project deadline you’re working on, with a link to a “shared document” that’s actually malicious. It’s incredibly deceptive because it feels so authentic.
Deepfake audio and video phishing attacks are also on the rise. How do these work, and why are they so hard to detect?
Deepfake phishing involves using AI to create fake audio or video that impersonates someone the target trusts, like a CEO or a family member. Criminals might generate a voice recording that sounds exactly like your boss, urgently asking you to transfer funds, or a video call on platforms like Zoom where the person looks and sounds real but isn’t. They’re hard to detect because our brains are wired to trust familiar voices and faces. Even subtle flaws in deepfakes are often overlooked in the heat of the moment, especially if the request seems urgent. The technology has improved so much that it’s often impossible to spot without specialized tools.
Traditional email filters seem to be struggling against AI-powered phishing. Why are these older defenses falling short?
Traditional email filters often rely on signature-based detection, which looks for known patterns like specific malicious domains or subject lines. The problem is that AI-powered phishing constantly evolves. Criminals can rotate domains, tweak email content, or create entirely new attack vectors in hours, rendering static filters obsolete. Once an email slips through, it’s up to the employee to spot it, and with AI making messages so convincing, even well-trained people can be fooled. These older defenses just aren’t built for the speed and adaptability of today’s threats.
The sheer volume of phishing attacks, with thousands of new domains popping up, seems overwhelming. How does this scale make the problem even harder to tackle?
The volume is a huge challenge because it creates a whack-a-mole situation. Criminals can spin up thousands of phishing domains or cloned sites in a matter of hours, targeting hundreds of brands across the globe. Even if security teams manage to take down one batch, another wave pops up almost immediately. This constant churn overwhelms traditional response mechanisms and stretches resources thin. For companies, it means you’re always playing catch-up, and the odds of an employee encountering a fresh, undetected threat increase dramatically.
Let’s shift to solutions. The idea of a multi-layered approach to fight AI phishing keeps coming up. Can you walk us through what that looks like in practice?
A multi-layered approach is about combining technology and human readiness to cover all bases. First, we need advanced threat analysis using AI tools like natural language processing to detect subtle anomalies in emails—things like unusual phrasing or tone that might not be obvious to a human. Second, employee training is crucial. Simulations that mimic real AI phishing attacks help build muscle memory so staff can spot and report suspicious activity instinctively. Finally, tools like User and Entity Behavior Analytics, or UEBA, act as a safety net by flagging unusual behavior post-click, like a login from a strange location. It’s about layering defenses so no single failure leads to a full breach.
Looking ahead, what’s your forecast for the future of AI-driven phishing and cybersecurity as we approach 2026?
As we move toward 2026, I expect AI-driven phishing to become even more sophisticated and pervasive. Criminals will likely integrate AI with other emerging tech, like augmented reality, to create even more immersive scams. At the same time, the democratization of AI tools will further lower the barrier for entry, meaning more attackers and more frequent campaigns. On the defense side, I’m optimistic that AI-driven detection will mature, with better real-time analytics and predictive models to stay ahead of threats. But success will hinge on organizations prioritizing both technology and human training. Those who adapt quickly and strike that balance will be in a much stronger position to weather the storm.
