Phishing isn't new, but delivery methods have changed. What once required technical expertise is now an accessible business model that anyone can use.
Beyond sheer volume, phishing techniques and how fast they evolve should be of concern. Attackers operate like professional software teams, investing in development and testing to evade detection. For organizations using traditional security measures, this is a real problem.
Industrialized Phishing
Phishing-as-a-Service (PhaaS) kits have made phishing a turnkey operation. Someone with minimal technical skill can launch attacks that needed real expertise only a few years ago. The kits come with ready-made phishing emails and websites which mimic legitimate brands, dashboards to launch and track campaigns, and step-by-step instructions. Some even offer customer support.
The business model looks like legitimate SaaS: monthly or per-campaign fees, subscription tiers, premium features, dashboards showing click rates and stolen credentials. Because credentials can be sold or used for ransomware and business email compromise, even small investments turn a profit.
Even the most advanced kits include features that once required serious expertise – phishing pages that capture MFA tokens or session cookies, automation to evade security filters, obfuscation techniques and tailored content. This democratization of cybercrime is driving PhaaS expansion.
Competition among threat actors is accelerating evolution. Groups often reverse engineer existing kits, add new features and resell or reuse them. This creates a feedback loop where capabilities improve quickly and spread across the criminal ecosystem.
It’s crucial to remember that traditional kits remain extremely dangerous and that the established players are not disappearing.
AI and Automation Multiply the Threat
AI is being used as a force multiplier across the entire attack lifecycle, improving scale, quality and evasion.
Content quality has improved dramatically. AI generates phishing emails that match the tone, style and branding of legitimate services. Poor spelling and grammar – traditional red flags for phishing – have largely disappeared. Payment and invoice scams now use generative AI to produce convincing ‘overdue invoice’ emails and payment requests. Voicemail scams leverage AI to generate multiple variations of emails and scripts, helping them bypass detection while increasing believability.
The skill barrier for attackers has dropped. AI makes it easier to generate phishing pages and scripts, test and modify code, and automate processes. In kits like GhostFrame, large portions of the code are now written or assisted by AI tools. This means more people can participate in attacks, and experienced attackers can operate at greater scale.
On top of this, evasion techniques have become more sophisticated. Our research found that 48% of attacks used obfuscation to hide URLs from detection and inspection. Attackers add open redirects and human verification steps to make phishing URLs appear authentic and harder to block. MFA bypass techniques, also seen in 48% of attacks, steal session cookies to get around authentication. CAPTCHA appeared in 43% of attacks, both lending authenticity to the page and concealing the suspicious destination from inspection.
This level of sophistication shows that attackers understand defensive tooling. Techniques including CAPTCHA gating, conditional payload delivery, MFA-token theft and browser fingerprinting show that attackers know how endpoint detection, sandboxing and phishing detection systems work.
They test their kits against real security products and tailor attacks to execute only when a real human victim is detected. This insight usually comes from experience, tooling and sometimes stolen or leaked defensive research.
That said, it's worth being realistic about AI's current role. Most phishing kits aren't using cutting-edge autonomous AI. Much of the AI is applied in content generation, automation and decision support, while human operators still control targeting and monetization. The danger comes from how accessible and effective AI has become, not from fully autonomous attacks.
Traditional Defenses Are No Longer Enough
The professionalization of phishing demands a shift in defensive strategy. Signature-based detection that looks for known patterns can't keep up with threats that constantly change and adapt. Organizations need to move to behavior-based detection, because behavior is much harder to obfuscate than code.
Identity has become the primary security perimeter. Phishing-resistant multifactor authentication like FIDO2 and passkeys should be standard. But it's not enough to protect passwords anymore – session protection and token binding are now equally important. Attackers are specifically targeting session tokens and authentication cookies to bypass MFA, so these need active protection.
Traditional MFA methods such as SMS codes or push notifications are increasingly vulnerable. Organizations need methods that resist real-time phishing attacks, where an attacker proxies between the victim and legitimate service.
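As an added illustration of session protection (not code from the article), the following Python model shows why a session cookie captured by a proxy is not enough on its own when every request must also carry a proof made with a key that stays on the client device. The HMAC with a client-held key stands in for the asymmetric signature that real proof-of-possession schemes use; the store, names and sample requests are assumptions.

```python
import hashlib, hmac, secrets, time
# Illustrative model only: an HMAC with a client-held key stands in for the asymmetric
# signature used by real proof-of-possession schemes (e.g. DPoP, FIDO2-backed sessions).
PROOF_WINDOW = 60  # seconds a request proof remains acceptable

def make_proof(client_key, method, path, ts, nonce):
    # Client side: bind this specific request to a key that never leaves the device.
    msg = f"{method}\n{path}\n{ts}\n{nonce}".encode()
    return hmac.new(client_key, msg, hashlib.sha256).hexdigest()

class SessionStore:
    # Server side: a session cookie is honoured only together with a fresh, valid proof.
    def __init__(self):
        self.sessions = {}  # cookie -> {"user", "key", "seen"}

    def login(self, user, client_key):
        # A real deployment registers the client's public key here, never a shared secret.
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = {"user": user, "key": client_key, "seen": set()}
        return cookie

    def check(self, cookie, method, path, ts, nonce, proof, now=None):
        now = time.time() if now is None else now
        s = self.sessions.get(cookie)
        if s is None:
            return "no session"
        if abs(now - ts) > PROOF_WINDOW:
            return "stale proof"      # an old capture cannot be replayed later
        expected = make_proof(s["key"], method, path, ts, nonce)
        if not hmac.compare_digest(expected, proof):
            return "bad proof"        # cookie alone, or a proof made for another request
        if (ts, nonce) in s["seen"]:
            return "replayed proof"   # the same proof presented twice
        s["seen"].add((ts, nonce))    # a real server prunes entries older than the window
        return "ok"

def demo():
    store = SessionStore()
    client_key = secrets.token_bytes(32)  # generated on the client device
    cookie = store.login("alice", client_key)
    ts, nonce = int(time.time()), secrets.token_hex(8)
    proof = make_proof(client_key, "GET", "/mail", ts, nonce)
    legit = store.check(cookie, "GET", "/mail", ts, nonce, proof)
    # cookie captured by a phishing proxy and replayed without the client key
    cookie_only = store.check(cookie, "GET", "/mail", ts, secrets.token_hex(8), "0" * 64)
    # captured cookie and proof replayed verbatim
    replay = store.check(cookie, "GET", "/mail", ts, nonce, proof)
    # captured proof pointed at a different endpoint
    other = store.check(cookie, "POST", "/settings", ts, nonce, proof)
    return legit, cookie_only, replay, other
```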
User training needs realistic scenarios – convincing invoice scams, urgent HR notices, authentic document requests, and more. Generic examples that don't reflect what people encounter will no longer cut it.
Cyber resilience matters as much as prevention. Some attacks will succeed despite robust preventative efforts. Organizations need incident response plans, backup systems and clear protocols in place. The focus can't only be on keeping attackers out.
AI-powered security platforms with 24/7 oversight are becoming essential. The volume and sophistication of attacks make human-only analysis impractical. Platforms need to combine detection, analysis and response based on current threat intelligence.
The phishing threat has entered a new phase. The industrialization of phishing through PhaaS kits, combined with AI and automation, means attacks are more numerous, more convincing, and more technically sophisticated than anything we've seen before. Organizations still relying on traditional defenses are at serious risk.
Adapting to match the threat requires investment in new technologies, new approaches to authentication and identity, and a realistic understanding of what modern phishing really looks like.
