Generative AI has brought a noticeable shift in how social engineering attacks are carried out. Phishing has transformed into a sophisticated, AI-fueled ecosystem encompassing smishing (SMS phishing) and vishing (voice phishing) and attackers now have the tools to automate, scale, and personalize attacks across new communication channels.
AI allows scammers to write messages that match a company’s usual tone and word choices. They can even mimic the emotional cues that people expect from real conversations.
Cybercriminals have found that victims are more responsive to texts and calls, and with the help of AI, today’s phishing attacks are no longer easy to spot. They can arrive as a professional-looking message, a deepfaked voice call, or a combination of both.
The tone is right, the request makes sense, and the timing feels normal. That is exactly what makes these attacks so effective.
Why It Matters: Technical controls like email filters and firewalls used to help keep many of these threats in check. But filters cannot catch a voice that sounds like the CFO or a message that follows a real business workflow. That changes what needs protecting and how. Security measures need to rethink how trust is verified, especially when everything about the message looks and sounds right.

- Smishing Is Now a Primary Threat Vector: In 2024, 39% of all mobile threats were smishing attacks. These messages bypass traditional spam filters and exploit users’ trust in SMS as a more legitimate and urgent form of communication. AI customizes each message using data scraped from public profiles and prior breaches, making it harder to detect and easier to fall for.
- Vishing Surges with Synthetic Voices and Dynamic Scripts: Voice phishing saw a 442% increase in the latter half of 2024. AI allows scammers to clone voices and deliver dynamic, emotionally targeted calls that sound as if they’re coming from internal company figures or trusted sources.
- Multi-Channel Phishing Is the New Norm: Attackers now combine email, SMS, and voice in coordinated campaigns. For example, a text might include a link to a fake website that is followed by a call to confirm information, increasing perceived legitimacy. This blending of channels makes the scam harder to detect and resist.
- Direct Communication Channels Bypass Traditional Security Tools: Unlike email, which is heavily monitored and filtered, phone calls and SMS go largely unmonitored. Once an attacker has a victim on the phone or engaged by text, there’s little opportunity for outside systems to detect or block malicious intent, especially when the communication appears urgent and personalized.
- Verification Must Go Beyond the Voice: Voice recognition and caller ID are no longer reliable for confirming identity. Organizations must adopt multi-factor verification that goes beyond what can be easily faked, including cross-verification from internal systems or predetermined secure methods. Training must also include awareness of more subtle manipulation tactics like redirecting users to malicious websites under the guise of security.
Go Deeper -> AI Is Amping Up Phishing, Smishing And Vishing Attacks – Forbes
Scam (increasingly) likely: What’s behind the rise of vishing? – IBM
Trusted insights for technology leaders
Our readers are CIOs, CTOs, and senior IT executives who rely on The National CIO Review for smart, curated takes on the trends shaping the enterprise, from GenAI to cybersecurity and beyond.
Subscribe to our 4x a week newsletter to keep up with the insights that matter.