On 12 June 2025, teissTalk host Thom Langford was joined by Derek Hanson, VP Solutions Architecture and Alliances, Yubico; Jay Vinda, Global CISO and Cyber Risk Engineering Lead, Mosaic Insurance; and Lee Munson, Principal Research Analyst, Information Security Forum.
Phishing is a method by which cyber criminals trick unsuspecting users into giving away their information. In a new study by secure payment experts Dojo, 1,800 employees were tested with scam emails. A worrying 64 per cent of those tested were unable to identify phishing scams after being shown six emails, four of which were scams and two of which were legitimate. Until 3 years ago, phishing training focussed on spotting typos, spoofed sender names and suspicious email headers. With the rise of AI, users can no longer rely on these cues, as phishing emails now look far more convincing. Security teams should take the burden of spotting phishing out of users’ hands, otherwise there will be no trust in anything online. Although their quality has improved, phishing emails, with few exceptions, still carry the same tone of urgency and authority as before. The irony at Infosecurity Europe was that the organisers displayed lots of QR codes, which are widely leveraged for phishing.
Rather than blaming the user, businesses should invest in technology that empowers users by closing doors to threat actors. However, many people are opposed to using biometrics instead of passwords because they don’t like the idea of their biometric data being stored in a corporate database, while being perfectly comfortable using biometrics on their phones or in other aspects of their private lives. In a survey of 500 companies, about 98% of all AI attacks used enhanced phishing emails written using LLMs. The game-changer is how gen AI enables criminals to push out targeted phishing emails at scale in no time. Telling whether an email is phishing has also become harder because businesses have started using gen AI extensively to write legitimate emails too.
Another challenge is that businesses may need to deploy their own email fraud detection systems, as they may not want to feed all their company emails into a third party’s external system. When it comes to AI use, some things can be verified with certainty only by using cryptographic signatures. As a result, signature-based authentication is likely to return, because everything else is susceptible to spoofing. Verification systems are expected to emerge that can prove a document was written by a human. Quite a few tools are already available, such as DMARC, DKIM and zero trust architecture, yet the majority of businesses still don’t use them to protect their networks.
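To make the DMARC and DKIM point concrete, the following is an added example (not code from the panel or from teiss) showing how a receiving mail server applies a sender's published DMARC policy: it parses the DNS TXT record, checks whether the SPF- or DKIM-authenticated domain aligns with the visible From: domain, and flags weak records. The records and message details are constructed for illustration, and the organisational-domain rule is simplified to the last two labels (a real implementation consults the Public Suffix List).

```python
"""DMARC policy evaluation (added example; records and messages are constructed)."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DmarcRecord:
    policy: str                 # p= tag: none, quarantine or reject
    adkim: str = "r"            # DKIM alignment mode: r (relaxed) or s (strict)
    aspf: str = "r"             # SPF alignment mode
    pct: int = 100              # share of failing mail the policy is applied to
    rua: Optional[str] = None   # aggregate report address, if any


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse a 'v=DMARC1; p=...; ...' TXT record into a DmarcRecord."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if "p" not in tags:
        raise ValueError("DMARC record is missing the required p= tag")
    return DmarcRecord(
        policy=tags["p"].lower(),
        adkim=tags.get("adkim", "r").lower(),
        aspf=tags.get("aspf", "r").lower(),
        pct=int(tags.get("pct", "100")),
        rua=tags.get("rua"),
    )


def org_domain(domain: str) -> str:
    # Simplified organisational domain: the last two labels.
    # Assumption for the example; real code needs the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Does the authenticated domain align with the From: domain under the given mode?"""
    if not auth_domain:
        return False  # no SPF pass / no valid DKIM signature -> cannot align
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record: DmarcRecord, from_domain: str,
             spf_domain: Optional[str], dkim_domain: Optional[str]) -> str:
    """Return 'pass' if either SPF or DKIM aligns, otherwise the sender's requested disposition."""
    if aligned(spf_domain, from_domain, record.aspf) or aligned(dkim_domain, from_domain, record.adkim):
        return "pass"
    return record.policy


def weaknesses(record: DmarcRecord) -> List[str]:
    """Flag settings that leave a domain spoofable or unmonitored."""
    issues = []
    if record.policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    if record.pct < 100:
        issues.append(f"pct={record.pct} applies the policy to only part of failing mail")
    if record.rua is None:
        issues.append("no rua= address, so nobody receives aggregate reports about spoofing")
    return issues


# Constructed records: a monitoring-only one and a hardened one.
WEAK = "v=DMARC1; p=none; pct=50"
STRONG = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for txt in (WEAK, STRONG):
        rec = parse_dmarc(txt)
        print(txt, "->", weaknesses(rec) or ["no obvious weaknesses"])
        # Spoofed message: From: example.com, SPF passed only for the sender's own unrelated
        # domain, no DKIM signature at all.
        print("  spoof:", evaluate(rec, "example.com", "mail.unrelated-example.net", None))
        # Legitimate message relayed by a subdomain and DKIM-signed with the parent domain.
        print("  legit:", evaluate(rec, "example.com", "bounce.example.com", "example.com"))
```

The spoofed message is delivered unchanged under the `p=none` record and rejected under the hardened one; the legitimate relay still passes the strict record because its DKIM signature is aligned, which is why DKIM signing of outbound mail matters before moving a domain to `p=reject`.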
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543