Key Takeaways from Authenticate 2025: How Generative AI Is Supercharging Phishing

By Yuriy Ackermann

At this year’s Authenticate Conference, Aware Senior Identity Advisor, Yuriy Ackermann, delivered a captivating talk on one of the fastest-evolving cybersecurity threats: Generative AI–powered phishing. Ackermann, who has deep experience across biometrics, authentication, and cybersecurity, explored how the economics of fraud are shifting, and what it means for organizations trying to stay secure.

Here are the key takeaways from his presentation.

1. Phishing Is Just Sales with Bad Intentions

Ackermann began by making a simple yet profound comparison: phishing and sales follow the same playbook.

Both rely on identifying targets, building relationships, and closing the deal — except one side is trying to help customers, and the other is trying to exploit them.

The “seven-step phishing cycle” mirrors the stages of sales (prospect, contact, qualify, nurture, offer, negotiation, closing):

  1. Recon (Prospecting) — Find potential victims using the same channels sales teams use: email lists, networking, scraped or purchased data, and inbound leads.
  2. Luring (Contacting) — The first interaction: outreach that sparks interest and begins to build rapport (the equivalent of making contact).
  3. Probing (Qualification) — Validate the target: timing, risk appetite, and expected payoff — the attacker’s version of qualification.
  4. Build trust (Nurturing) — Keep engaging the target, having conversations and creating familiarity, slowly pulling them toward commitment just like sales nurturing.
  5. Payload (Offer) — Deliver the malicious “offer”: a crafted payload such as a fake DocuSign, credential-harvesting form, or malicious attachment.
  6. Pressure (Negotiation) — Escalate urgency or consequences to force action — the phishing analogue of negotiation and pressure to sign/commit.
  7. Cashout (Closing) — Monetize the compromise: capture credentials, extract funds, sell access, or pass the victim on to other actors.

“The only difference between a phishing email and a sales email is the link at the end.”

2. The Cost of Generative AI Has Collapsed — and That’s a Problem

Over the past 30 months, the cost of large language model usage has plummeted from $180 per million tokens to under $0.05. That means it now costs just a few cents to generate thousands of targeted, spear-phishing emails.

AI enables long-running, fully autonomous spear-phishing campaigns. These attacks don’t occur in a single moment — like a drawn-out business negotiation, they can unfold over weeks, months or even years and involve dozens of messages. The problem is human psychology: prolonged, familiar communication creates a sense of trust, so someone you’ve corresponded with for months is more likely to be believed. Orchestrating that level of long-game deception used to require careful, time-consuming planning; AI makes it extremely cheap, autonomous, scalable, and far more effective.

What used to require organized crime groups, translators, and infrastructure can now be done by a single individual on a $200 laptop. Generative AI has democratized cybercrime, removing barriers like technical skill and language fluency.

This isn’t just phishing anymore — it’s mass, personalized spear-phishing at scale.

3. Deepfakes and AI Toolkits Are Expanding the Threat Surface

The same AI tools that can write human-like text can also clone voices, create fake video calls, and generate realistic imagery.

Ackermann pointed to tools like SpamGPT — an actual dark web service for automated phishing — and shared examples of AI-generated deepfakes used in scams, including a notorious “Brad Pitt” case where a victim was manipulated using fake images.

As Ackermann put it:

“It takes just 15 seconds of your voice to clone it. Never answer unknown calls — worst case, they’ll email you.”

4. The Underground Economy Is Decentralizing

With AI making phishing easier and cheaper, large criminal organizations are breaking down into smaller, more agile “crime startups”. GenAI phishing is becoming a gateway crime, as anyone skilled enough to use a computer can now carry out spear phishing.

These actors don’t need human translators, fake job ads, or physical compounds — just access to open-source AI models and the dark web.

This decentralization means more attacks from more directions, and greater difficulty for law enforcement to respond.

5. Protecting Against AI-Powered Phishing Requires a Multi-Layered Approach

Ackermann’s recommendations were both practical and urgent:

Strengthen Authentication

  • Deploy phishing-resistant multi-factor authentication (MFA), such as passkeys and security keys, and combine it with biometric verification for step-up, such as Aware’s biometrics offering.
  • Layer security controls so no single compromised credential grants full access.

Enhance Email Security

  • Enforce DMARC, SPF, and DKIM across all domains.
  • Use “External” tagging and contextual warnings to flag messages from outside the organization.
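
One way to check the SPF and DMARC part of this recommendation, as an added example that is not from the talk or from Aware: an audit that flags records which are published but not enforced. The domains and TXT records are constructed samples, the function names are hypothetical, and DKIM is left out because its keys sit under selector names that cannot be derived from the domain alone.

```python
# Constructed TXT records; real ones come from DNS (<domain>, _dmarc.<domain>).
SAMPLE = {
    "example.com": {"spf": "v=spf1 include:_spf.example.com -all",
                    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"},
    "example.org": {"spf": "v=spf1 ip4:192.0.2.0/24 ?all",
                    "dmarc": "v=DMARC1; p=none; pct=50"},
    "example.net": {"spf": "v=spf1 +all", "dmarc": None},
}

def parse_tags(record):  # "tag=value; tag=value" -> dict with lowercase keys
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_dmarc(record):
    if not record:
        return ["DMARC: no record published"]
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record is missing v=DMARC1"]
    findings, policy = [], tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or 'missing'} is not enforced")
    elif tags.get("sp", "").lower() == "none":
        findings.append("DMARC: sp=none leaves subdomains unenforced")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address for aggregate reports")
    return findings

def audit_spf(record):
    terms = (record or "").lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["SPF: no v=spf1 record published"]
    alls = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not alls:  # redirect= hands the decision to another record (not followed here)
        redirected = any(t.startswith("redirect=") for t in terms)
        return [] if redirected else ["SPF: no 'all' mechanism, unlisted senders get a neutral result"]
    qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"
    if qualifier in "+?":
        return [f"SPF: '{alls[0]}' does not fail unlisted senders"]
    return []  # -all or ~all; with ~all, rejection depends on DMARC enforcement

def audit_domain(name, records=SAMPLE):
    return audit_spf(records[name]["spf"]) + audit_dmarc(records[name]["dmarc"])

for domain in SAMPLE:
    print(domain, audit_domain(domain) or "enforced")
```
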

Improve Processes

  • Require dual approval for high-risk transactions.
  • Limit admin privileges to prevent total compromise from a single breach.

Promote Social Awareness

  • Teach employees and families to pause under pressure, as most scams exploit panic.
  • Encourage use of trusted communication apps and family passphrases for verification.

6. The Bottom Line: Phishing Is a Human Problem

Phishing isn’t just a technical issue — it’s a human one.

As Ackermann concluded:

“Phishing is born from opportunism and impunity, and it thrives on instability and poverty. The best way to fight it is by making phishing hard — and deploying biometrics, and passkeys.”

Generative AI is here to stay, but by strengthening digital identity, deploying phishing-resistant biometric authentication, and raising public awareness, we can preserve trust in an AI-driven world.
