MSPs must adapt to stay ahead of AI-driven phishing

Phishing has long been cybercriminals’ weapon of choice — and the numbers remain sobering. In 2024, the FBI recorded 193,407 phishing complaints in the U.S. alone, while Business Email Compromise schemes caused $2.77 billion in losses. And when a breach occurs — something no MSP wants happening on their watch — the average cost has climbed to $4.88 million, according to IBM.

A new era of phishing

The nature of the threat, however, is shifting quickly thanks to AI. Generative AI is amplifying the danger: phishing volume has surged 1,265 percent since AI tools became mainstream, and credential phishing jumped 703 percent in the second half of 2024.

One of the first widely reported cases showing AI’s role in phishing emerged in early 2024. A finance employee at Arup — the global engineering firm known for the Sydney Opera House — received an email appearing to come from the company’s UK-based CFO. After initially hesitating, the employee joined a video conference where the CFO and several senior colleagues appeared on screen, their voices and faces indistinguishable from the real people. All were AI‑generated deepfakes. The employee ultimately authorized multiple wire transfers totaling $25 million before the fraud was uncovered. This was an early example — but far from the last.

As AI‑enabled attacks evolve, so do the tools designed to counter them. Barracuda Networks, for example, provides impersonation protection technologies to help organizations defend against these threats.

What can MSPs do to combat AI-infused phishing?

For MSPs on the front lines, the old playbook is no longer enough, says Stanislav Kazanov, head of big data and software development at the IT consulting firm Innowise.

The long‑standing belief that people are the weakest link in security is still true. However, relying on security awareness training as the first line of defense is no longer sufficient.

“If an evil email makes it into someone’s inbox, you’ve already failed at security,” Kazanov says.

“For the past decade, we’ve taught people to look for typos, poor grammar, strange formatting, or suspicious sender addresses,” Kazanov explains. “But generative AI has flipped this advice on its head.” Attackers now use large language models to analyze corporate blogs and LinkedIn profiles, mimicking an executive’s language, style, and tone.

“No more generic wire transfer requests — attackers reference real events like last week’s earnings call or a new vendor partnership,” Kazanov says. These phishing emails are now precise, convincing, and contextually relevant.

“If your security plan depends on someone spotting a typo at 4:45 p.m. on a Friday when they’re buried in work, you’re already in trouble,” he adds.

Kazanov recommends shifting from basic spam filtering to full-scale threat protection. His guidance includes:

1. Move beyond legacy security gateways

Legacy Secure Email Gateways can only detect known malicious IPs or file patterns. But AI‑powered spear phishing typically includes no attachments — the text itself is the attack. MSPs should deploy API‑based cloud email security that focuses on behavior. For example, if finance receives an email claiming to be from the CEO but sent from an unusual network provider and inconsistent with the CEO’s normal communication patterns, it should be quarantined automatically.

2. Use phishing‑resistant MFA

Traditional MFA is increasingly vulnerable to Adversary‑in‑the‑Middle (AitM) proxy attacks. “If clients are relying on SMS codes or push notifications, they’re exposed,” Kazanov warns. MSPs should guide customers toward FIDO2 hardware tokens or passkeys. These are credentials that cannot be phished because the user must physically possess them.

3. Expect clicks—and build a safety net

When someone inevitably clicks a malicious link, MSPs need strong backup controls. Robust DNS filtering and endpoint segregation are essential. If the link attempts to execute a script or download malware, endpoint detection and response should immediately stop the activity before it reaches a command‑and‑control server.
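The behavioral check described in item 1 above, sketched as an added example (not code from the article, from Kazanov or from any vendor): it scores a message on who it claims to be from, which network sent it and when, rather than on its text or attachments. The baseline, addresses, ASNs, thresholds and the `assess` function are constructed assumptions; a real product would learn the baseline from mailbox history.

```python
import email
from email.utils import parseaddr, parsedate_to_datetime

# Constructed baseline: each executive's real address, usual networks and hours.
BASELINE = {
    "dana reyes": {"address": "dana.reyes@example.com",
                   "networks": {"AS64500"},   # documentation-range ASN
                   "hours_utc": range(7, 19)},
}
FINANCE = {"ap@example.com"}

def assess(raw_message, sending_asn):
    """Return (verdict, reasons); sending_asn is assumed resolved by the caller."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    profile = BASELINE.get(" ".join(name.lower().split()))
    if profile is None:
        return "deliver", []      # sender does not claim to be an executive
    reasons = []
    if addr.lower() != profile["address"]:
        reasons.append("executive display name on an unknown address")
    if sending_asn not in profile["networks"]:
        reasons.append("unusual sending network")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != profile["address"]:
        reasons.append("Reply-To diverts away from the executive")
    date = msg.get("Date")
    if date and parsedate_to_datetime(date).utctimetuple().tm_hour not in profile["hours_utc"]:
        reasons.append("outside usual sending hours")
    to_finance = parseaddr(msg.get("To", ""))[1].lower() in FINANCE
    if to_finance and len(reasons) >= 2:
        return "quarantine", reasons   # several deviations aimed at finance
    return ("flag" if reasons else "deliver"), reasons

# Constructed sample messages: clean text, no attachment, no typos.
SPOOFED = """From: Dana Reyes <dana.reyes@example.net>
To: ap@example.com
Reply-To: dana.reyes@example.net
Date: Fri, 06 Dec 2024 22:45:00 +0000
Subject: Vendor onboarding

Please update the vendor's payment details before Monday.
"""
GENUINE = """From: Dana Reyes <dana.reyes@example.com>
To: ap@example.com
Date: Tue, 03 Dec 2024 10:15:00 +0000

Thanks for closing out the quarter.
"""
```

A single deviation, such as the real executive sending from a new network, is only flagged; quarantine requires several deviations on mail addressed to finance.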

Phishing, Kazanov emphasizes, should no longer be treated as a human resources issue.

“It is an engineering problem, and MSPs must build the technical barriers that keep users safe — even when they make mistakes.”

AI‑driven phishing has outpaced traditional defenses, leaving MSPs with little room for error. The organizations that adapt now — building layered, engineering‑focused protections — will be the ones best positioned to keep their customers safe. The threat is evolving quickly, but so are the tools to stop it.


This post originally appeared on Smarter MSP.