AI tools have lowered the barrier for several stages of a cyber attack. Phishing content generation, target research, code development for malware, and vulnerability scanning can all be assisted by publicly available AI tools. The question for Australian businesses is not whether AI changes the threat environment — it does — but what it actually changes about the required defensive posture.
Where AI Is Being Used by Attackers
Phishing Content Generation
Grammatically perfect, contextually relevant phishing emails are now trivially produced by AI tools. The prior signals of a phishing attempt — poor grammar, implausible scenarios, generic greetings — are no longer reliable. Volume and personalisation have both increased.
Voice Cloning for Vishing
AI voice cloning tools can generate convincing audio impersonating executives or known contacts using only a few minutes of publicly available audio. These tools are being used in vishing (voice phishing) attacks — calls to finance staff purportedly from the CEO authorising urgent wire transfers. The quality of the clone is sufficient to deceive under normal working conditions.
Automated Reconnaissance
AI-assisted tools can rapidly analyse public sources — LinkedIn, company websites, ASX announcements, social media — to build detailed organisational profiles including key personnel, technology stack, and business relationships. This intelligence is used to make phishing and social engineering attacks more targeted and credible.
What Has Not Changed
The attack goals are the same: credentials, money, and data. The initial access vectors are the same: email, exposed services, and credential compromise. The effective defences are the same: MFA, patching, access controls, and staff awareness. AI amplifies the volume and credibility of attacks but does not fundamentally change the defence requirements. What it does change is the weighting: controls that rely on a person noticing a sloppy lure now carry less, and controls that hold regardless of how convincing the lure is (MFA on every external login, verification processes for payment and credential requests) carry more.
Should we tell staff about AI-generated phishing?
Yes. Staff awareness training should be updated to reflect that AI-generated phishing emails look professional, are personalised, and can be highly convincing. The training focus should shift from spotting low-quality signals (typos, generic greetings) to process-based verification: confirming any unusual request, however credible the message appears, by calling a number taken from the internal directory rather than one supplied in the email. The same rule applies to voice calls. A familiar voice is no longer evidence of identity, so a request received by phone should be confirmed by calling the person back on their known number, not by trusting the inbound call.