\n<\/p>\n
\n\t\tOpinions expressed by Entrepreneur contributors are their own.\t<\/p>\n
There\u2019s a version of the phishing problem that most companies think they\u2019ve solved. You run the annual security training. You send the simulated phishing emails. You remind everyone to look for red flags \u2014 bad grammar, suspicious links, strange sender addresses. You do all of this and then feel reasonably confident that your team knows what to watch for.<\/p>\n
The data suggests otherwise \u2014 not because your employees are ignoring the training, but because the threat has quietly changed around them. The habits that make people vulnerable were never really about awareness in the first place; they\u2019re about how people respond to messages under pressure. That\u2019s communications territory.<\/p>\n
AI has gotten very good at writing. And the people using it to craft phishing messages have noticed. According to a recent Sagiss survey of 500 U.S. desk-based workers<\/a>, 72% say phishing attempts are more convincing today than they were just a year ago \u2014 specifically because of AI-generated language. Sixty-six percent believe an AI-crafted message could successfully impersonate someone they actually work with. More than half say AI-written phishing is harder to spot simply because it feels more professional.<\/p>\n That last part is worth some reflection. The thing that used to make phishing detectable \u2014 the awkward phrasing, the stiff tone, the telltale grammatical errors \u2014 is disappearing. What\u2019s replacing it is something that sounds a lot like your CFO, or your IT department, or that colleague who always messages you when she needs something fast. The messages don\u2019t stand out. They blend in.<\/p>\n But here\u2019s what the data also shows, and what most security conversations don\u2019t spend enough time on: The problem isn\u2019t just that phishing messages look better. It\u2019s that your employees are making fast decisions under conditions that were never designed to support careful judgment.<\/p>\n Sixty-three percent<\/a> of workers surveyed said they clicked a work-related link in the past year and later felt they should have double-checked it first. That includes 42% who said it happened more than once. Almost half had replied to a message and later questioned whether it was legitimate. Fifty-seven percent had verified a request only after already taking action.<\/p>\n Think about what that actually means. These aren\u2019t people who don\u2019t know about phishing. They know. And they still click, reply and engage first \u2014 then pause and wonder afterward. Why?<\/p>\n Because they\u2019re working. They\u2019re in back-to-back meetings, switching between five browser tabs, watching a Slack thread fill up in real time while a client waits for a response. When asked what situations make them most likely to make a mistake, 55% pointed to rushing between tasks, and 48% pointed to multitasking. Only 7% said the problem was that they didn\u2019t know how to verify a message. The knowledge is there. The conditions to use it aren\u2019t.<\/p>\n This matters because it reframes the entire conversation about phishing risk. We\u2019ve spent years treating it primarily as an education problem. Train people harder, remind them more often, and make the simulations more sophisticated. But if your employees are already aware and still getting caught \u2014 not because they forgot, but because they\u2019re managing 200 emails, three urgent requests and a meeting that started two minutes ago \u2014 then more training isn\u2019t the answer. The environment is.<\/p>\n There\u2019s another dimension here that doesn\u2019t get nearly enough attention: after-hours access. Nearly 70% of workers in the survey said they check work email or chat outside of normal business hours at least sometimes. More than half said they feel pressure to respond after hours. And about a third said they had responded to a work message after hours and later felt they should have verified it more carefully first.<\/p>\n This is significant. The after-hours window is when attention is most fragmented, context is hardest to access and the impulse to just handle something quickly is strongest. It\u2019s also when a well-crafted, AI-polished message that references a real project name and sounds like a real colleague has the best chance of passing the test. If your security posture assumes that risk is mostly a 9-to-5 problem, you\u2019re missing a large and growing piece of the exposure.<\/p>\n What does all of this actually require from business leaders? It requires accepting that cybersecurity is no longer just a technical or training problem; it\u2019s an operational one. The conditions under which your people work every day are either helping them make good decisions or quietly undermining their ability to do so.<\/p>\n That means looking at communication norms. If your culture rewards instant responses and treats anything over an hour as slow, you\u2019re implicitly pressuring people to skip verification. It means looking at after-hours expectations. If employees feel they have to stay continuously connected, you\u2019re extending the window of risk without any additional safeguards in place. It means building friction deliberately \u2014 not to slow everyone down, but to create moments where a pause is normal and expected rather than a sign that someone isn\u2019t keeping up.<\/p>\n And it means recognizing that the cues we\u2019ve taught people to trust \u2014 a familiar name, professional language, workplace context \u2014 are now the exact cues attackers are replicating. The message that sounds most like someone your employee trusts may be the one that should trigger the most caution.<\/p>\n Your team isn\u2019t the weak link because they\u2019re careless. They\u2019re the weak link because they\u2019re busy, pressured and being targeted by tools that are getting better at looking legitimate. That\u2019s a leadership problem, not a training one \u2014 and it starts with taking a hard look at the communications culture you\u2019ve built.<\/p>\n<\/p><\/div>\n There\u2019s a version of the phishing problem that most companies think they\u2019ve solved. You run the annual security training. You send the simulated phishing emails. You remind everyone to look for red flags \u2014 bad grammar, suspicious links, strange sender addresses. You do all of this and then feel reasonably confident that your team knows what to watch for.<\/p>\n The data suggests otherwise \u2014 not because your employees are ignoring the training, but because the threat has quietly changed around them. The habits that make people vulnerable were never really about awareness in the first place; they\u2019re about how people respond to messages under pressure. That\u2019s communications territory.<\/p>\n AI has gotten very good at writing. And the people using it to craft phishing messages have noticed. According to a recent Sagiss survey of 500 U.S. desk-based workers<\/a>, 72% say phishing attempts are more convincing today than they were just a year ago \u2014 specifically because of AI-generated language. Sixty-six percent believe an AI-crafted message could successfully impersonate someone they actually work with. More than half say AI-written phishing is harder to spot simply because it feels more professional.<\/p>\n<\/p><\/div>\nAwareness isn\u2019t the problem<\/h2>\n
How business leaders must respond<\/h2>\n
Key Takeaways<\/h2>\n
\n
Here\u2019s what\u2019s actually happening<\/h2>\n