Overconfidence on Identifying Phishing Schemes Fueling More Attacks

Training and compliance efforts are not keeping pace with AI-optimized schemes.


New research from Darktrace points to a gap between the confidence employees gain from existing security awareness training and their actual preparedness for modern phishing attacks. The report shows that 79 percent of surveyed U.S. office workers are confident they could spot a phishing email in their day-to-day work.

However, when shown realistic messages, only 32 percent confidently identified an actual phishing attack. The findings suggest that established training approaches may be building confidence faster than real-world phishing readiness, a view shared by many of the security professionals Darktrace surveyed.

Darktrace’s research suggests security professionals are not strongly convinced that conventional security awareness training is keeping pace with modern phishing. While 58 percent of security professionals surveyed agree it is effective at preparing employees to identify phishing attempts, only six percent strongly agree, and just three percent say they see no limitations in conventional training. 

The biggest limitations professionals identify are training that is too one-size-fits-all (28 percent), too focused on failure (26 percent) and too difficult to measure meaningfully beyond completion or click rates (19 percent).

The underlying story is that, as attackers use AI to create highly personalized, flawless phishing at scale, annual compliance videos and simulated tests risk becoming mere security theater – checkbox exercises that can leave organizations more vulnerable, not less. 

Industry experts seem to agree.

Mika Aalto, Co-Founder and CEO at Hoxhunt: "Modern phishing has evolved beyond static text. Security awareness and phishing training must do the same. The entire concept of ‘security awareness training’ is outdated if it stops simply at awareness. 

"The next generation of defense is behavioral, not informational. We’re moving from telling people what to do to shaping what they actually do, in real time. We are building an innate set of security reflexes and instincts. 

"Social engineering remains the easiest way into organizations, therefore security teams need to invest as much in preparing people as they do in technology. The most effective defense is training employees on the exact types of attacks they are likely to face, turning real-world phishing attempts into learning moments that build lasting cyber resilience.

"Organizations need to move beyond traditional third-party risk management and adopt Human Risk Management — hardening the human layer with the skills and reporting mechanisms that turn employees into threat sensors and feed human threat intelligence directly into detection and response." 

Rajeev Gupta, Co-Founder & CPO at Cowbell: "Generative AI’s ability to interpret complex vulnerability data is essential to building more accurate and responsive risk models. Cybersecurity best practices must evolve alongside AI adoption. 

"Organizations should verify AI tools, avoid inputting sensitive data into chatbots, and remain vigilant against increasingly sophisticated AI-generated phishing attacks. Building a culture of awareness, and implementing robust AI use policies, will be critical to mitigating these emerging risks."

Vincenzo Iozzo, CEO and Co-founder at SlashID: "AI has dramatically amplified social engineering campaigns. Phishing emails that once required manual customization can now be generated at volume with convincing, context-aware language and a much better conversion rate.

"Deepfakes, both audio and video, have been used in business email compromise and impersonation schemes, with several high-profile cases involving synthetic voice calls to authorize fraudulent wire transfers. AI-powered reconnaissance is also a growing concern: threat actors can use LLMs to rapidly profile and de-anonymize targets by synthesizing publicly available data from LinkedIn, corporate filings, and social media.

"Increased visibility is critical to countering AI-enabled attacks for two distinct reasons. First, as AI tools proliferate within organizations, gaining visibility into how these tools are being used internally becomes essential. This means monitoring permissions, tracking what data is being fed into AI systems, and understanding the intent behind prompts. 

"Without this visibility, organizations face elevated risk from prompt injection attacks, as well as insider threats. Second, breakout times are steadily decreasing, in large part because of AI-assisted offensive operations."
