Until recently, the signs of a phishing scam were relatively obvious – typos, “dear”, clumsy grammar, a cloying sense of urgency.

Not only did people know what to watch for, but they also felt confident in their abilities to detect a phishing email and to avoid a malicious link or attachment.

But new research shows that young people are extremely concerned about accidentally exposing their organization to a cyber attack – largely due to the fact that the phishing threat landscape has shifted.

The new phishing

Eighty-five percent of employees, many of whom skew younger, believe that AI has rendered cyber security attacks more sophisticated than ever before. Seventy-eight percent of that cohort is concerned about the use of AI in cyber attacks and its potential to help create imperceptible threats.

Employees were once considered the first line of cyber defense – It was all about teaching employees to recognize phishing emails, to avoid clicking on suspicious links…etc. While phishing awareness is undoubtedly still relevant, organizations may need to reconsider the extent to which they rely on employees to recognize and independently stop threats.

If threats are fooling executives, how can we, in good faith, create the expectation that employees should know more than high-level stakeholders and maintain an exceptionally high-level of responsibility for protecting the organization?

New threat examples

Gen Z is losing confidence in its ability to recognize phishing attacks and for good reason. The attacks are becoming absurdly sophisticated.

Below are three examples of phishing emails that your employees could encounter tomorrow, and likely wouldn’t know to flag. You can also use the email examples below within your own phishing tests or as examples within your educational programming:

1. This email asks employees to review a [fake] policy.

Dear [Employee Name],

As part of our ongoing commitment to information security, we have recently updated our company policies regarding data handling and access. To ensure that all employees are aware of these changes, [your company name] requires a one-time review and acknowledgement.

Your access to company resources will be temporarily restricted until you have completed this brief review. The process takes approximately 5 minutes and can be accessed through the secure link provided below.

[Link to fake page with company logo and colors]

Please note: This link is unique to your account and will expire in 48 hours. We appreciate your cooperation in maintaining a secure work environment.


The Information Security Team

2. This email realistically [and falsely] alerts employees to a data breach.

Dear [Employee Name],

We are writing to inform you of a recent data breach that may have affected a limited amount of employee information. We are still investigating the scope of the incident, but out of an abundance of caution, we recommend that you take immediate action to secure your accounts.

For your convenience, we have included a link to a secure portal where you can review the potentially compromised data and update your login credentials for all company-related accounts.

[Link to fake data breach information page]

We understand this news may be concerning, and we are committed to keeping you informed as we learn more.


The Security Response Team

3. This email provides believable [and false] information about an HR-run program.

Hi [Employee Name],

It’s time to celebrate our amazing team! We’re holding our annual internal employee recognition program and need your vote to choose the winners in various categories.

To ensure a fair and secure voting process, we’ve implemented a new single sign-on system. Simply click the link below and use your Windows login credentials to cast your vote.

[Link to fake page with company logo and colors]

Voting closes on [date]. Let’s show our appreciation to those who go the extra mile!

Best regards,

The HR Department

Current phishing falsehoods

The point is that today’s phishing attempts look much different from what we’re used to seeing, and yet we’re still holding employees to the same expectations around serving as the first line of defense and stopping attacks.

Yes, employees bear some responsibility. Yes, they should receive educational training around the basics, from links to attachments, but we also need to be sure that we’ve fully internalized the fact that the landscape has changed.

It’s not that Gen Z isn’t knowledgeable about cyber security – younger workers are digital natives and 86% see themselves as cyber aware.

Actionable steps for cyber security professionals

In addition to robust phishing education and training exercises:

  • Implement advanced email security protection. Prevent phishing threats that are AI powered and exceptionally evasive. Leverage advanced tools, like Check Point’s email security solutions, which are 93X more effective than other tools on the market.
  • Deploy comprehensive endpoint protection. Endpoint protection can help ensure that employees are not duped into providing sensitive information.
  • Adopt a zero trust security framework. This can minimize the potential damage, should a phishing attack succeed.
  • Leverage AI-powered, cloud-delivered cyber security solutions. These solutions scale well and can be updated quickly to address new threats.
    Learn more here.

Discover additional must-read AI trends and expert insights in this article. Lastly, to receive cyber security thought leadership content, groundbreaking research and emerging threat analyses each week, subscribe to the CyberTalk.org newsletter.