
The numbers are jarring: according to Barracuda Networks data, 91 percent of all cyberattacks begin with a phishing email, costing businesses billions of dollars annually. The goal of these attacks hasn’t changed since the mid‑1990s — trick someone into wiring money, sharing sensitive information, or handing over credentials. What has changed, dramatically, is how convincing these emails have become.
Last week, we explored the rise of AI‑powered phishing campaigns. This week, we’re hearing from experts watching this shift unfold in real time — and what they believe MSPs must do to stay ahead.
The consensus is clear: the old playbook is no longer enough.
The telltale signs are changing
For years, spotting phishing attempts came down to clunky grammar, generic greetings, and an uneasy “something feels off” reaction. Artificial intelligence is erasing those tells.
“Scammers are now able to fix grammar mistakes and match textual tone instantaneously with AI,” says Himanshu Agarwal, co‑founder at Zenius Ventures LLP. “Spot‑the‑typo training models have become obsolete. Attackers can use publicly available information to mirror an individual’s communication style or reference real company projects.”
The scale is what alarms him most. “AI can simultaneously scale and personalize scam messages. They can hyper‑personalize messages based on LinkedIn profiles, company websites, job posts — with faster iteration cycles.” Most SMBs, Agarwal notes, simply don’t have security teams that can keep up, which is exactly where MSPs need to step in.
Ray Spangler, CTO at Barge Design Solutions, says the urgency factor behind phishing hasn’t changed — but AI is amplifying it. “The current logic behind AI requires that it presents a response that is perfect and accurate, regardless of whether it is true or not,” Spangler explains. “Does the message appear too perfect or too urgent? Does it follow the expected workflow? Do the communication styles match that of the sender?”
He argues that human intuition is still a powerful defense — if people are trained to apply it. “These systems still rely on logic. Humans have intuition and reasoning, and we must use these to our advantage. A computer might assume an urgent request requires an immediate response. A human should pause and determine whether it’s actually urgent and whether it follows typical workflows.”
The psychological angle
Joel Blackstock of Taproot Therapy Collective acknowledges he’s outside the traditional IT sphere, but he studies the human element in technology — and brings a critical lens rooted in psychology.
“Generative AI has completely changed the phishing landscape because it scales psychological manipulation,” Blackstock says. “Attackers are engineering synthetic urgency. When an employee receives a flawless email that sounds exactly like their stressed‑out CEO demanding an immediate wire transfer, it triggers a biological threat response. The brain drops into a sympathetic survival state — and that’s the moment they click.”
His point is blunt: you can’t train overwhelmed employees to out‑logic machine‑generated manipulation. They need structural support, not just periodic awareness reminders. Every business — and every MSP supporting them — must design a layered support model that accounts for the human brain’s limitations. There is no one‑size‑fits‑all approach.
What MSPs should be doing
All three experts point toward layered defense, and all agree that relying solely on user training is a losing strategy.
Blackstock says MSPs should counter AI with AI. “Traditional secure email gateways look for known bad links or attachments. Today’s AI phishing is often payloadless and relies entirely on social engineering. MSPs need adaptive, AI‑driven inbox protection that analyzes communication patterns, domain reputation, and behavioral anomalies before the message ever reaches the user.”
He also stresses the importance of zero trust architecture and phishing‑resistant MFA. “If the human fails and hands over a credential, the identity layer has to be there to catch the fall.”
Agarwal agrees, emphasizing that MSPs play a critical role in helping SMBs build layered defenses that speed detection and reduce financial impact.
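As an added illustration (not from the article or from any vendor's product), the Python sketch below scores a payloadless message on the signals the experts describe: sender identity versus domain, authentication results, urgency, and requests that sidestep normal workflow. The domain, executive name, keyword lists and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"        # assumed: the protected client's mail domain
EXECUTIVES = {"dana reyes"}       # assumed: names attackers are likely to impersonate
URGENCY = re.compile(r"\b(urgent|immediately|right away|asap|end of day)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|invoice|gift cards?|bank details|payment)\b", re.I)
BYPASS = re.compile(r"\b(confidential|between us|don't call|in a meeting)\b", re.I)

# Constructed sample messages (not real mail).
PHISH = """From: "Dana Reyes" <dana.reyes@examp1e-corp.test>
Reply-To: dana.reyes@mailbox.test
Subject: Urgent wire
Authentication-Results: mx.example.com; dmarc=fail

I'm in a meeting, don't call. Wire the vendor payment immediately and keep it confidential.
"""
BENIGN = """From: "Dana Reyes" <dana.reyes@example.com>
Subject: Planning notes
Authentication-Results: mx.example.com; dmarc=pass

Notes from the planning session are on the wiki.
"""

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def score_message(raw):
    """Return the list of reasons a text-only message looks like impersonation."""
    msg = message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"  # single-part mail assumed
    reasons = []
    if name.lower() in EXECUTIVES and domain_of(sender) != ORG_DOMAIN:
        reasons.append("executive display name on external domain")
    if reply_to and domain_of(reply_to) != domain_of(sender):
        reasons.append("Reply-To domain differs from From domain")
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        reasons.append("DMARC failed")
    if URGENCY.search(text) and PAYMENT.search(text):
        reasons.append("urgent payment request")
    if BYPASS.search(text):
        reasons.append("asks recipient to skip normal verification")
    return reasons

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(label, score_message(raw))
```

Fixed keyword lists like these are easy to rephrase around, which is why the article's sources point to adaptive, behavior-based filtering backed by phishing-resistant MFA; the returned reasons are best used to quarantine or banner a message for review.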
On the training front, the experts say organizations must move beyond annual checkboxes. Simulated deepfakes and targeted lures — executed safely — are becoming essential tools to build what Blackstock calls ‘cognitive resistance.’
As Spangler puts it, “awareness is more important today than it has ever been. We must force ourselves to become critical of anything that seems out of the ordinary. AI combined with social engineering has allowed attackers to become far more targeted in their approach.”
A new adversary — and a new opportunity
The battle itself hasn’t changed — but AI has turned phishing into a faster, more adaptive, and more convincing threat. Fortunately, the same technology reshaping the threat landscape can also strengthen defense.
For MSPs, the takeaway is simple: AI isn’t just transforming phishing — it’s transforming the entire security equation. The ones who adapt fastest will protect their customers best.
This post originally appeared on Smarter MSP.

