Imagine receiving a perfectly written email that looks just like one from your boss, your bank, or your favorite online retailer, but it was generated by a cybercriminal using AI. It’s unsettling, and a new global survey shows it's happening more often than we realize.
The Eye-Opening Survey
In 2025, Yubico commissioned Talker Research to poll 18,000 employed adults across nine countries about authentication habits, phishing experiences, and AI risk.
The results were alarming. Only 46 percent of respondents could correctly identify that a phishing email was written by AI. The remaining 54 percent either thought it was genuine or were unsure. Age made almost no difference, with recognition rates nearly identical across Gen Z, millennials, Gen X, and baby boomers.
Forty-four percent of participants said they had interacted with a phishing message in the past year, such as by clicking a link or opening an attachment. Thirteen percent admitted this had happened within just the past week.
Among generations, Gen Z reported the highest phishing interaction rate. Sixty-two percent said they fell for a scam in the past year, compared to 51 percent of millennials, 33 percent of Gen X, and 23 percent of baby boomers.
When asked why they were tricked, 34 percent said the message looked like it came from a trusted source, while 25 percent admitted they were simply in too much of a hurry to think critically.
These numbers paint a dangerous picture: even savvy workers are not safe from clever AI-driven scams.
How AI Is Supercharging Phishing
Phishing has always been a battle of perception. Phishing messages used to give themselves away through spelling errors, strange phrasing, or vague tone. Artificial intelligence changes that completely.
Now messages are flawless in grammar, tone, and style. They can be personalized using publicly available data such as your name, job title, or social accounts, and mimic internal emails or trusted brands almost perfectly.
AI tools also operate at scale and speed, allowing attackers to flood inboxes with convincing bait. The result is that the line between real and fake becomes dangerously blurry.
This is part of a larger shift in the cybersecurity arms race. As threats grow more AI-driven, defenders are also deploying AI to detect anomalies, filter phishing attempts, and automate responses. But even with these advances, human vigilance still matters.
The Risk Grows When Work and Personal Life Overlap
One of the survey’s most worrying revelations is how many people mix their work and personal accounts or devices, creating serious cross-contamination risks.
Half of respondents admitted they log into work accounts on personal devices, often without their employer’s awareness. Forty percent use personal email on work devices, and 17 percent even access online banking from their work laptops.
Why is this dangerous? Because if an attacker compromises your personal account or device, they can often use that as a stepping stone to access your work environment, especially if you reuse passwords or share devices.
The survey also found that 30 percent of respondents still haven’t enabled multi-factor authentication on their personal accounts, and 40 percent said their employer never provided cybersecurity training. Many organizations also rely on inconsistent authentication methods instead of one unified and secure system.
Awareness of newer technologies like passkeys remains low. Nearly half of those who don’t use them said it’s simply because they’ve never heard of them. Security habits clearly haven’t kept pace with the threats.
Defending Yourself Against AI-Driven Phishing
Given how convincingly AI phishing can mimic trusted voices, what can you do to stay safe? Here are some essential steps.
1. Enable Multi-Factor Authentication Everywhere
Turn on multi-factor authentication on all your accounts, especially those tied to email, banking, or work. Use the strongest form available, such as authenticator apps, hardware keys, or passkeys. Even if someone steals your password, they’ll need that second factor to break in.
2. Pause Before You Click
Before clicking any link or responding to a message, stop and think. Ask yourself if you requested the message or if it feels unusually urgent. Verify the sender using another channel, like calling or messaging them directly. When in doubt, don’t click.
3. Scrutinize Sender Details
AI can replicate tone, but it still leaves clues. Look closely at email addresses, subtle typos, and inconsistencies in branding or signatures. One extra character or misplaced subdomain can expose a fake.
4. Keep Work and Personal Accounts Separate
Avoid using work accounts on personal devices and vice versa. Keep a clear boundary between professional and personal digital spaces. It limits the damage if one side is compromised.
5. Minimize Your Public Exposure
Phishers often collect personal details from social media or data broker sites to craft convincing messages. Tighten your privacy settings, remove yourself from public databases where possible, and think twice before sharing personal details online.
6. Use Strong Security Tools and Training
Install reputable antivirus or anti-phishing software that scans attachments and links. Keep your operating system updated, and make sure your workplace provides regular cybersecurity training. Tools help, but human awareness remains the strongest defense.
7. Stay Informed and Proactive
Keep learning about phishing tactics and AI threats. Test yourself occasionally with phishing simulations, and encourage your organization to adopt phishing-resistant authentication methods.
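The sender check from step 3, as an added example that is not part of the original article: it flags a domain one edit away from a trusted one and a trusted brand name placed in the subdomain of another domain. The `TRUSTED` allow-list, the sample addresses, and the last-two-labels shortcut for the registrable domain are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed allow-list (assumption): use the domains your contacts really send from.
TRUSTED = {"example-bank.com", "example-corp.com"}

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header):
    """Domain of the real address; the display name is attacker-chosen and ignored."""
    _, addr = parseaddr(from_header)
    _, at, domain = addr.rpartition("@")
    return domain.lower().rstrip(".") if at else ""

def classify_sender(from_header, trusted=TRUSTED, max_distance=1):
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    labels = domain.split(".")
    # Simplification (assumption): the last two labels form the registrable domain.
    # Suffixes such as co.uk need a public-suffix list instead.
    registrable = ".".join(labels[-2:])
    if registrable in trusted:
        return "trusted"
    # "One extra character": the registrable domain is nearly a trusted one.
    if any(edit_distance(registrable, t) <= max_distance for t in trusted):
        return "lookalike"
    # "Misplaced subdomain": a trusted brand label sits left of someone else's domain.
    if any(t.split(".")[0] in labels[:-2] for t in trusted):
        return "misplaced-subdomain"
    return "unknown"

if __name__ == "__main__":
    for header in (  # constructed sample From headers
        "Example Bank <alerts@mail.example-bank.com>",
        "Example Bank <alerts@example-banks.com>",
        "Example Bank <alerts@example-bank.com.secure-login.net>",
        "Newsletter <news@shop.test>",
    ):
        print(f"{classify_sender(header):20} {header}")
```

An "unknown" result only means the domain is not on the allow-list; the distance threshold of 1 matches the single-character case and will miss wider substitutions.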
The AI Phishing Age Is Here, Be Prepared
The results of this global survey are chilling. Even experienced, employed adults struggle to tell real emails from AI-crafted fakes. No one is immune, not Gen Z, not boomers, not even IT professionals.
The attacks are evolving faster than our instincts. Our best defense lies in strong habits, multi-factor authentication, and a healthy dose of skepticism. Staying alert and proactive is the key to keeping your data and your peace of mind safe in the age of AI-powered phishing.