Phishing attacks amplified by AI

Phishing isn’t new. What’s changed is efficiency and accuracy, driven by artificial intelligence. Phishing used to look clumsy: misspelled subject lines, strange formatting. Today, AI handles the writing. It mimics tone. It analyzes patterns. It adapts to industries, companies, and user behavior. Not surprisingly, 70% of people surveyed in Yubico’s 2025 Global State of Authentication believe AI makes phishing more successful, and 78% think attacks are becoming more sophisticated.

We should trust that response. These aren’t just casual users. The survey polled 18,000 employed adults, people who interact with digital tools every day. Half the respondents couldn’t confidently recognize a phishing email. That’s a real concern. If users can’t reliably tell the difference between fake and real communications, the boundary between secure systems and exposure is dangerously thin.

Companies cannot afford to default to legacy methods for identifying and blocking phishing. Email filters won’t catch every AI-crafted threat. And awareness programs alone aren’t enough now. That means businesses need to evolve faster and integrate smarter defenses that use AI to spot AI-driven scams. No room for delay here.

The shift also pushes responsibility higher in the organization chart. Executives who understand that threat models have changed will prioritize anti-phishing strategies that keep up. That’s essential to protect intellectual property, infrastructure, and brand credibility. If you’re still thinking this is an IT problem, you’re behind.

High engagement with phishing content indicates broad vulnerability

Almost half, 44%, of the global workforce reported interacting with phishing content last year. These are users clicking links they shouldn’t, opening attachments they thought were safe. And 62% of Gen Z said they engaged with phishing content. That’s your youngest talent base, fastest adopters of digital tools, also the group most exposed to these attacks.

Now, here’s where it gets interesting. The ability to identify phishing isn’t that different across age groups. Gen Z, millennials, Gen X, and boomers all hover at roughly the same level of recognition, around 45-47%. What does that tell us? That this is a universal issue. More education won’t hurt, but the bigger opportunity is to rethink how we protect users across the board, regardless of age, department, or device.

That matters because phishing isn’t random anymore. It’s smart. It’s personal. It mimics real workflows. The attackers know your company structures and your software stack. If your team isn’t up to date, or if your systems still depend on people making the “right click”, you’re exposed.

Executives focused on operational resilience should pay attention. When nearly half your workforce is a click away from compromising critical systems, you’re not just dealing with a user error problem. You’re dealing with a structural weakness. Fixing that requires a layered response: smarter training, modern authentication tools, and AI-backed threat detection. Cyber threats evolve fast. Systems and leadership need to evolve faster.

Widespread reliance on traditional authentication methods despite security concerns

There’s a lot of talk in cybersecurity about moving on from usernames and passwords. Everyone agrees they’re outdated. Only 26% of people in Yubico’s survey consider them a secure option. That’s low confidence. Yet they’re still the go-to method, used by 56% for work accounts and 60% for personal.

That gap between what we know and what we do is where problems get worse. Stronger authentication methods exist: multi-factor authentication (MFA), device-bound passkeys, and physical security keys. They’re available now. But only 48% of respondents said their organizations apply MFA across all business systems. That’s not strategic security. That’s convenience at the cost of exposure.

Passwords are easy to deploy. They’re familiar. But they come with high maintenance and high risk. And they scale poorly in a modern threat environment. If phishing is accelerating due to AI, as the data shows, authentication systems that rely on user memory and behavior can’t keep up.

Executives responsible for security strategy need to ask the right questions here. If your system still depends on credentials that attackers can manipulate or steal with one message, your business is standing still. The threat landscape won’t wait. Investing in phishing-resistant, hardware-backed methods doesn’t just secure your systems; it future-proofs your access control. The faster the adoption of user-friendly, secure authentication, the stronger your digital ecosystem becomes.

Lack of cybersecurity training exacerbates organizational vulnerabilities

One clear takeaway from the data: 40% of employees have never received cybersecurity training at work. Not basic awareness. Not phishing simulations. No training at all. That’s a big number when human error accounts for a large percentage of security breaches. It also reflects a missed leadership opportunity.

We’ve reached a point where tech alone isn’t going to fix the problem. Companies that don’t invest in training are building around assumptions. They assume that users know what to look for. That they can recognize suspicious links. That they’ve heard of newer threats. The data says otherwise.

Cybersecurity isn’t just about infrastructure. It’s about how people behave while interacting with infrastructure. Well-trained teams don’t eliminate risk, but they reduce the frequency and severity of incidents. When you stop training users, you introduce unnecessary variables into your risk model. That has real financial and operational consequences.

If you’re a C-suite leader responsible for protecting data or customer trust, this is an area you control. Training is one of the most direct, cost-effective ways to strengthen your security posture. It’s also a clear message to your workforce: we take this seriously, and we expect you to do the same. Elevating your human layer of security starts with clarity, repetition, and leadership follow-through.

Global shift toward improved authentication practices and AI concern

The global security landscape is changing, and faster than many expected. We’re seeing real shifts in how people think about account protection and the role AI plays in threats. Look at France. MFA use for personal accounts jumped from 29% in 2024 to 71% in 2025. That’s not a small cultural shift. That’s adoption at scale. You also see AI-related concern climbing across key digital economies. In Japan, worry about AI-driven breaches more than doubled, from 31% to 74% in a year. Same in Sweden, where concern rose from 37% to 68%. In the UK and US, it jumped from around 60% to over 75%.

Executives leading global operations should take note. These shifts suggest that users are not just more aware, they’re expecting stronger security. They understand that AI changes the equation. They’re looking for companies, products, and platforms that take their digital safety seriously. That expectation cuts across industries, regions, and demographics.

What’s useful here is the direction. Regions typically slow to adopt new security tools, like France, are making rapid progress. So for companies taking a “wait and see” approach, that’s a signal. By the time your organization gets around to upgrading, the market will have already moved forward. Competitive edge won’t just come from product features; it will come from trust, particularly around how secure your authentication really is.

Security improvements should follow global behavior, not lag behind it. Teams responsible for enterprise transformation, compliance, or customer experience should be aligning strategy to this momentum. Investing in modern identity solutions will matter, not just internally, but across partner ecosystems, user interactions, and regulatory alignment.

Growing confidence in hardware-based authentication methods

Users are moving toward hardware-based security. In the UK, confidence in physical keys and passkeys jumped from 17% to 37% in a year. In the US, from 18% to 34%. These are people who see the limitations of passwords and token-based systems and want something more secure, without extra complexity.

This doesn’t happen unless users understand the value. Hardware-based methods like YubiKeys don’t depend on what you know; they prove what you have. And that makes phishing virtually ineffective. Attackers can’t replicate a physical key stored on your device. That’s where confidence comes from: fewer points of failure, stronger control, and reduced user error.

For C-level leaders, the shift signals a clear direction. Adoption of hardware-based authentication won’t stay limited to tech-savvy users. As confidence builds, expectations rise. Employees will want better authority over their own security. Customers will expect platforms to adopt safer login systems. The market will define what’s secure, whether or not your organization is ready.

This is also a rare case where IT and users align naturally. People want solutions that are faster, safer, and don’t require them to remember or manage multiple codes. Hardware-backed authentication delivers that. Teams responsible for digital transformation, cybersecurity, or authentication architecture should be moving now, not iterating slowly. Because if external users already believe physical keys are the best way to safeguard access, it’s only a matter of time before regulators and attackers adjust accordingly.

Key executive takeaways

  • Phishing is advancing rapidly through AI: AI is making phishing attacks more successful and harder to spot, with 70% of users acknowledging their increased effectiveness. Leaders should invest in AI-backed detection tools and rethink email security layers.
  • Human error remains a critical weak point: 44% of employees interacted with phishing content last year, with Gen Z reporting the highest engagement. CISOs must prioritize stronger user education and implement enforcement-based phishing simulations.
  • Legacy authentication is still too common: Despite low confidence in passwords, they remain the dominant authentication method. Security leaders should fast-track MFA and eliminate username-password logins where possible.
  • Cybersecurity training is widely neglected: 40% of workers have never received cyber training, leaving organizations highly exposed. Executives should mandate ongoing, role-specific training across departments to close this gap.
  • Global behavior is shifting toward stronger security: Countries like France and Japan are adopting MFA and recognizing AI threats at scale. Firms operating globally should align security standards with high-performing regions to stay competitive.
  • Trust in hardware-based security is rising: UK and US users are rapidly moving toward physical security keys and passkeys. Decision-makers should support enterprise rollout of hardware-backed authentication to harden identity systems.

Alexander Procter

October 6, 2025
