• 12/09/2025

Awareness in the age of AI

AI is changing phishing, AI is changing awareness. Digital vigilance remains a cornerstone of cyber defence, but must respond to new forms of phishing.

Written by Uwe Sievers


Phishing remains the most common entry point for cyber attacks. Anyone considering security measures today cannot ignore awareness. But what used to be considered a tedious chore in the form of annual e-learning has evolved and is now an important defence mechanism against attacks, most of which are now AI-supported.

Attacks are often only noticed when it is too late. Companies are becoming increasingly digital and integrating artificial intelligence (AI) into business processes, but in doing so they are also expanding their attack surface. Attackers operate on a level technological playing field, as they too have long been relying on AI. They no longer attack via email alone, but use all digital channels such as social media and messenger services, text messages, LinkedIn requests and Slack. Training measures must cover each of these platforms and raise awareness that attacks take place across platforms. Phishing continues to be cited as the most common form of attack: according to the "Cybersecurity 2025" study by the German TÜV Association, 84 per cent of affected companies reported this. This represents an increase of twelve percentage points compared to the previous year. Most of these attacks are said to have been generated using AI.

By 2024, 37.5 million phishing attempts had already been detected and blocked in Germany, reports security provider Kaspersky. This represents an increase of 15.7 per cent over the previous year. However, 2.6 million malicious email attachments still made it into German inboxes. British SQ Magazine estimates that around 3.4 billion phishing emails will be sent worldwide every day in the current year.


Perfection through AI

While phishing was once an obvious scam that was easy to spot, AI has radically changed this and made it much more sophisticated. Personalised and linguistically perfect, these messages are difficult to distinguish from genuine ones. AI-generated emails are so convincing that even trained employees fall for them. Classic awareness patterns such as critically examining the sender's address are no longer sufficient. In addition, analyses show that many attackers resort to ready-made kits, known as phishing toolkits. These enable even less technically savvy individuals to automatically generate large numbers of deceptively genuine phishing emails and websites.

Awareness training must adapt to the changed situation resulting from the use of AI. This means continuing to recognise old patterns, but also learning to recognise new ones. For awareness measures to be truly effective, companies must permanently integrate awareness campaigns into their processes, including regular, realistic training and phishing simulations. Content should be adapted to new forms of threats such as AI-supported attacks and cross-platform phishing attempts. A security culture is needed in which employees are constantly alert and critical. In particular, they should develop a sense for the warning signals of the new forms.


Effective awareness looks different today

According to a report by awareness campaign provider KnowBe4, continuous training reduces the willingness to click on phishing links by 86 per cent within twelve months. However, this only applies if the measures are carried out regularly. With consistent repetition and updating of training, awareness can bring about lasting behavioural change.

The key to this is a modern training design based on behaviour, recognition patterns, situational thinking and real-life simulations. At the same time, it must be adapted to current AI phishing methods, in particular the artificial generation of emotions. These include urgency, authority, sympathy, fear and promises of reward. Awareness training must convey the corresponding psychological patterns: a message that triggers stress, pressure or euphoria should be met with increased vigilance. Such effects are reliable warning signals. Effective training must aim to achieve precisely this emotional effect. To do this, it should use the same technologies as the attackers and generate deceptively real phishing emails with varying writing styles and tones using generative AI. The simulation should be implemented on all platforms relevant to attackers. This will teach employees to pay attention to inconsistencies in content rather than aesthetic clues. They should ask themselves whether the request makes sense in a professional context or whether the timing of the message is completely inappropriate. The tone used can also provide clues if it does not really suit the person in question. If, for example, unusually high pressure is exerted or unusual data is requested, alarm bells should ring.


What is crucial in awareness programmes

Modern awareness programmes can automatically adapt to the target audience. For example, those who frequently fall for simulations receive different content than experienced users. Those who work in accounting receive different scenarios than those in IT. In addition, the difficulty increases as users become more confident after several training measures. This trains cognitive flexibility and promotes the ability to not only read emails, but also to question their intentions.

Experience has shown that continuity is more important than the scope of the training measures. Providers recommend, for example, monthly micro-training sessions lasting 5–10 minutes and quarterly simulations, supplemented by annual in-depth modules.

However, companies still need to establish clear reporting processes. It is unacceptable for an employee to recognise a suspicious message but not know what to do about it. Reporting buttons in email clients or special reporting addresses are therefore often used. Feedback on the results of the analysis, i.e. whether or not it was an attack, is also important for the learning process. A culture of awareness requires positive reinforcement with thanks for the report. Assigning blame is considered counterproductive.

Those who are not vigilant today are taking unnecessary risks, whether it be with personal data, company secrets or digital infrastructure. Those who are vigilant, on the other hand, can play a crucial role in cyber defence. Cybersecurity awareness is not an option, but the foundation of IT security.