
Phishing emails are now so convincing, most people can’t spot them


A study reveals that nearly half of users engaged with phishing emails last year, with Gen Z most likely to fall for them.

 

What happened

According to The New York Post, phishing attacks have grown so sophisticated that more than half of the surveyed individuals can no longer confidently identify fraudulent emails. The global study found that 44% of respondents interacted with a phishing message over the past year, for example by clicking a link or opening an attachment. Gen Z was the most vulnerable group, with 62% reporting some form of interaction with phishing emails.

The research shows how modern phishing attacks now rely more on psychological manipulation than obvious technical tricks. While younger people engaged more often with phishing emails, the ability to accurately identify them was low across all age groups.

 

Going deeper

The study found a disconnect between awareness and behavior. Although respondents acknowledged that usernames and passwords are weak forms of protection, they remain the default method for most personal and work accounts. Only 40% of employees reported receiving any cybersecurity training, and fewer than half of organizations had deployed multi-factor authentication (MFA) across all apps.

Even among personal email users whose accounts often link to banking, healthcare, and telecom services, a third had not enabled MFA. However, adoption is improving in some areas: in France, personal MFA usage jumped from 29% in 2024 to 71% in 2025. Confidence is also growing in hardware-based authentication methods like security keys and passkeys, especially in the U.S. and U.K.

Meanwhile, concern about AI-driven phishing is rising rapidly in countries like Japan and Sweden, where fears have more than doubled over the past year.

 

What was said

The global survey found that most people couldn’t differentiate between a phishing message written by artificial intelligence (AI) and an authentic, human-written email. Only 46% of participants correctly identified an AI-generated phishing email, and 44% admitted to interacting with a phishing message in the past year. Ronnie Manning of Yubico warned that weak cybersecurity practices at any level of an organization could lead to significant and dangerous security breaches, urging both individuals and companies to adopt phishing-resistant tools like multi-factor authentication and device-bound passkeys to reduce growing AI-driven phishing risks.

 

The big picture

Phishing emails have become so realistic that even experienced users are getting caught. The problem isn’t a lack of awareness; it’s that attackers now use the same tools and tone as real companies, making fake messages almost impossible to tell apart. As AI-generated content becomes more common, phishing is shifting from sloppy grammar and fake logos to messages that feel personal and urgent.

Paubox recommends Inbound Email Security as an added layer of protection. It looks for changes in tone, context, and sender behavior that don’t match normal communication, helping catch dangerous emails before they reach users. Combined with stronger login tools and regular training, it gives organizations a practical way to stay ahead of modern phishing scams.

 

FAQs

Why is Gen Z more likely to interact with phishing emails?

Gen Z tends to engage more frequently with digital content, making them statistically more exposed. However, their phishing detection accuracy is similar to that of other age groups, indicating that volume of exposure, not lack of awareness, is the driver.

 

What are security keys and passkeys, and how do they help?

Security keys and passkeys are hardware-based authentication tools that provide strong protection against phishing. They work by validating login attempts only on legitimate sites, making it nearly impossible for attackers to trick users.
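
The "only on legitimate sites" check described above, sketched as the server-side (relying party) step of a WebAuthn login. This is an added example, not code from the article or from any vendor; the site `example.com`, the look-alike host and the function names are assumptions, and the browser and authenticator are simulated with a locally generated key.

```javascript
const crypto = require("crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Assumed relying-party settings for a hypothetical site (not from the article).
const RP_ID = "example.com";
const EXPECTED_ORIGIN = "https://example.com";

// Server-side verification of a WebAuthn login assertion, reduced to the
// checks that make the credential useless on a look-alike site.
function verifyAssertion(assertion, expectedChallenge, publicKey) {
  const { clientDataJSON, authenticatorData, signature } = assertion;
  const client = JSON.parse(clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "bad-type";
  if (client.challenge !== expectedChallenge) return "bad-challenge";
  // The browser, not the page, records the origin the user is really on.
  if (client.origin !== EXPECTED_ORIGIN) return "bad-origin";
  // Bytes 0-31 of authenticatorData are SHA-256 of the RP ID the key answered for.
  if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return "bad-rp-id";
  // The signature covers authenticatorData || SHA-256(clientDataJSON).
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return crypto.verify("sha256", signed, publicKey, signature) ? "ok" : "bad-signature";
}

// Constructed stand-in for the browser and authenticator. A real authenticator
// would not even offer this credential under another RP ID; reusing the key
// here models the worst case.
function simulateLogin(origin, rpId, challenge, privateKey) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin }));
  const flagsAndCounter = Buffer.from([0x05, 0, 0, 0, 1]); // UP and UV flags, counter 1
  const authenticatorData = Buffer.concat([sha256(rpId), flagsAndCounter]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign("sha256", signed, privateKey) };
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const challenge = crypto.randomBytes(32).toString("base64url");
  const real = simulateLogin(EXPECTED_ORIGIN, RP_ID, challenge, privateKey);
  const lookalike = simulateLogin("https://examp1e-login.test", "examp1e-login.test", challenge, privateKey);
  // The look-alike assertion relayed with the genuine clientDataJSON swapped in.
  const rewritten = { ...lookalike, clientDataJSON: real.clientDataJSON };
  // Genuine client and authenticator data, but the signature made on the look-alike site.
  const resigned = { ...real, signature: lookalike.signature };
  return [real, lookalike, rewritten, resigned].map((a) => verifyAssertion(a, challenge, publicKey));
}

console.log(demo());
```

Only the first login verifies; the other three fail on the origin, the RP ID hash and the signature respectively, which is why a user who is fooled by the page still cannot hand over a usable login.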

 

Why hasn't multi-factor authentication been more widely adopted?

Barriers include lack of awareness, organizational inertia, compatibility issues with legacy systems, and the perception that MFA adds friction to the user experience.

 

What part does AI play in phishing attacks?

AI can generate phishing emails that mimic human tone, grammar, and style, making them harder to detect. AI can also personalize messages based on publicly available data, increasing their success rate.

 
