AI-enabled phishing: why traditional training is no longer enough and what to do in an SMB
Analysis of AI-enabled phishing, vishing, and deepfakes in 2026 with a modern training plan for SMBs: realistic simulations, operational metrics, and verification processes.
A recent KnowBe4 report indicates that 86% of phishing analyzed in the last quarter includes content generated or personalized with AI. Vishing and deepfakes, once anecdotal, are now part of the regular toolkit.
The classic awareness program, based on misspellings and suspicious links, increasingly fails to measure real risk. For an SMB, keeping that practice without updating it produces a false sense of security.
Short answer
Effective anti-phishing training in 2026 combines three changes: realistic simulations that match current attack quality, operational metrics beyond click rate, and verification processes that reduce damage when someone falls for it, because they will.
What changed in the last year
| Before | Now with AI |
|---|---|
| Misspellings and reused templates | Idiomatic, recipient-personalized text |
| Generic addresses and clumsy domains | Coherent impersonation with real environment accounts |
| Vishing reserved for VIP accounts | Vishing aimed at help desk and admin staff |
| Rare and expensive deepfakes | Affordable short audio and video |
| Asynchronous email attacks | Multichannel conversations with follow-up |
The common factor: the cost of crafting a credible lure dropped, so volume and quality went up.
Attack types worth covering
| Vector | Typical case | Where it hits |
|---|---|---|
| AI-generated email phishing | Email from “the CEO” in correct tone and context | Finance, hiring, HR |
| Vishing to the help desk | Call to reset MFA or change phone | Identity and SaaS |
| Voice deepfake | Executive audio requesting urgent transfer | Payments and accounting |
| Vendor impersonation | Email changing IBAN after a legitimate prior thread | Procurement and operations |
| MFA fatigue + social engineering | Notification spam combined with a call | Any employee |
An SMB does not need to cover every vector with the same intensity. It must cover those affecting processes with financial or identity impact.
Why traditional training fails
| Common practice | Why it loses effectiveness |
|---|---|
| Generic simulation templates | Real attacks are now personalized |
| “Click rate” as the only metric | Does not measure severity or attack progression |
| Annual training without reinforcement | Habituation bias reduces attention |
| Punishing the individual who fell | Creates silence in the next case |
| “Do not open anything suspicious” message | Unworkable in roles that open things all day |
What gets measured gets managed. If the metric is only clicks, the program optimizes that number and ignores the rest.
Modern training program
| Component | Goal | How an SMB does it |
|---|---|---|
| Realistic simulations | Match current attack quality | Templates adapted to sector and role |
| Channel variation | Cover email, voice, and messaging | One quarterly simulation per channel |
| Microlearning | Reinforce concepts without saturation | 3-5 minute pills at the moment of failure |
| Blame-free culture | Increase report speed | Recognition for reporting, not for guessing right |
| Verification processes | Reduce damage even when there is a click | Dual channel for payments, IBAN changes, resets |
| Post-incident review | Learn from each real case | Brief analysis shared with the team |
The combination matters more than the tool. A realistic simulation without a verification process behind it only frightens.
Operational metrics
| Metric | What it indicates | How to measure |
|---|---|---|
| Report rate | How fast someone alerts | Time from sending to first report |
| Failure depth | How far the attack reaches | Click only? Credentials? MFA approved? |
| Time to containment | Process effectiveness | Minutes until the account is locked |
| Per-person recurrence | Individual reinforcement need | Consecutive cycles with a miss |
| Process coverage | Critical areas with verification | % with documented dual channel |
These metrics do not replace click rate, but they put it in context.
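As an added example, not code from the article or from KnowBe4, this computes the table's metrics from a constructed simulation event log; the event kinds, user names, miss history and process list are all sample values invented for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed simulation event log (sample data, not from the article).
# Each event is (timestamp, user, kind); kinds follow the failure ladder
# sent -> clicked -> credentials -> mfa_approved, plus reported/contained.
DEPTH = {"sent": 0, "clicked": 1, "credentials": 2, "mfa_approved": 3}
EVENTS = [
    ("2026-03-02T09:00:00", "ana", "sent"),
    ("2026-03-02T09:00:00", "bo", "sent"),
    ("2026-03-02T09:00:00", "cy", "sent"),
    ("2026-03-02T09:04:00", "bo", "reported"),      # first report, 4 min
    ("2026-03-02T09:07:00", "ana", "clicked"),
    ("2026-03-02T09:09:00", "ana", "credentials"),
    ("2026-03-02T09:10:00", "ana", "mfa_approved"),
    ("2026-03-02T09:31:00", "ana", "contained"),    # account locked
    ("2026-03-02T09:12:00", "cy", "clicked"),
]
# Constructed per-cycle miss history (oldest first, True = missed).
HISTORY = {"ana": [True, True, True], "bo": [False] * 3, "cy": [True, False, True]}
# Constructed list of critical processes: True = dual channel documented.
PROCESSES = {"payments": True, "iban_change": True, "mfa_reset": False}

def _ts(s):
    return datetime.fromisoformat(s)

def minutes_to_first_report(events):
    """Report rate: minutes from the first send to the first report, or None."""
    sent = min(_ts(t) for t, _, k in events if k == "sent")
    reports = [_ts(t) for t, _, k in events if k == "reported"]
    return (min(reports) - sent).total_seconds() / 60 if reports else None

def failure_depth(events):
    """Failure depth per user: 0 none, 1 click, 2 credentials, 3 MFA approved."""
    depth = defaultdict(int)
    for _, user, kind in events:
        if kind in DEPTH:
            depth[user] = max(depth[user], DEPTH[kind])
    return dict(depth)

def minutes_to_containment(events, user):
    """Minutes from the user's first credential/MFA stage to the account lock."""
    hit = [_ts(t) for t, u, k in events if u == user and DEPTH.get(k, 0) >= 2]
    locked = [_ts(t) for t, u, k in events if u == user and k == "contained"]
    return (min(locked) - min(hit)).total_seconds() / 60 if hit and locked else None

def needs_reinforcement(history, streak=2):
    """Per-person recurrence: users who missed in the last `streak` cycles."""
    return sorted(u for u, m in history.items() if len(m) >= streak and all(m[-streak:]))

def process_coverage(processes):
    """Process coverage: percentage of critical processes with dual channel."""
    return 100.0 * sum(processes.values()) / len(processes)
```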
Processes that reduce damage
- Mandatory dual channel for payments above an agreed threshold.
- IBAN changes never by email; always with direct verbal verification.
- MFA reset with out-of-band verification and manager approval.
- Verbal confirmation of off-hours financial instructions.
- Explicit policy: when audio or video from an executive demands urgency, verify before acting.
- Clear channel to report suspicion without penalty.
These processes are cheap. The hard part is keeping them in daily life.
Common mistakes
- Replacing the entire program with an expensive platform without changing processes.
- Treating vishing as “out of scope” because it is not email.
- Punishing the first employee who reports and silencing the rest.
- Running seasonal simulations and forgetting them for months.
- Excluding help desk and admin staff from the program.
- Confusing training coverage with real compliance.
Progress indicators
| Indicator | Good | Bad |
|---|---|---|
| Simulation realism | Sector- and role-adapted | Generic templates |
| Channel coverage | Email, voice, and messaging | Email only |
| Report time | Minutes | Days or never |
| Payment processes | Dual channel in >90% of cases | Email is enough to authorize |
| Error culture | Reports without penalty | Silence after a miss |
Final criterion
Defense against AI-enabled phishing stops being only a training problem and becomes a process problem. A person who falls can still cause little damage if the processes behind them require verification. That is the lever that moves risk most in an SMB.
Working sources
- KnowBe4 research on the share of AI-enabled phishing in the last quarter.
- Awareness best practices with operational metrics beyond click rate.
- Official documentation of major identity providers for safe help desk processes.
- Technical and training decisions must be adapted to each company’s sector, size, and maturity.