AI-Powered Phishing Surge Puts Browser Security at Risk

The browser has become ground zero for cyberattacks—and it’s now facing an alarming new threat. With most people relying heavily on browsers for their daily tasks, cybercriminals are intensifying their attacks, and AI-powered phishing schemes are driving the surge.

Recent research from Menlo Security reveals a staggering 140% jump in browser-based phishing attacks over the past year. Their analysis, based on 750,000 phishing attempts across 800 organizations, shows a 130% spike in zero-hour phishing attacks—dangerous campaigns that strike before detection systems can respond.

This explosive growth is driven by several factors. Our dependency on browsers for work, the rising number of zero-day vulnerabilities, and the increasing sophistication of cybercriminals all play a role. Yet, the most unsettling factor is the growing use of generative AI (gen-AI) by attackers.

Gen-AI Supercharges Phishing Threats

According to Andrew Harding, VP of Security Strategy at Menlo Security, cybercriminals are evolving rapidly. “They’re moving at the pace of professional engineers, using the same advanced tools and infrastructure. The mix of zero-day exploits, sophisticated social engineering, and readily available phishing-as-a-service kits creates the perfect storm for browser-based attacks,” Harding warns. He predicts the situation will worsen in 2025 as AI adoption by attackers accelerates.

Gen-AI is reshaping phishing in alarming ways. Criminals now deploy AI to build hyper-realistic phishing sites, impersonate trusted services, and scale attacks with terrifying efficiency. They even use AI-generated lures, offering fake services to trick users.

“It’s getting harder for regular users to tell the difference between genuine and fake sites,” explains Thomas Richards, Red Team Practice Director at Black Duck. “Phishing campaigns now blend so seamlessly with trusted services that spotting them requires extreme caution. Users should always verify a website’s authenticity before sharing credentials or personal information.”

Menlo’s report highlights nearly 600 incidents involving fake AI service websites—many crafted to look like legitimate generative AI platforms. These fraudulent sites not only gather personal data but also deliver malware through seemingly harmless downloads, often disguised as PDFs.

“Increasingly, these scams skip the traditional goal of stealing login details,” Harding notes. “Instead, they trick victims into uploading sensitive data—like for a resume generation—and then deliver malware-laden PDFs directly.” This shift signals a dangerous evolution where AI-powered phishing attacks move straight to delivering ransomware or other payloads.

Mobile Browsers: The New Battleground

Experts warn that the mobile browsing experience is making it even easier for attackers. Limited URL visibility, auto-login features, and smaller screen sizes create ideal conditions for phishing success. Krishna Vishnubhotla, VP of Product Strategy at Zimperium, calls it the “perfect storm” for stealthy credential theft.

The rise of Phishing-as-a-Service (PhaaS) is also amplifying the threat. Menlo forecasts PhaaS will grow as it becomes cheaper and more accessible. Meanwhile, Barracuda’s latest report reveals that January and February 2025 alone saw over a million PhaaS attacks worldwide. The Tycoon 2FA platform accounted for 89% of those incidents, showcasing the scale of industrialized phishing.

What’s more troubling is that AI and large language models (LLMs) are now embedded into these PhaaS tools. Menlo Security warns this combination boosts automation, enhances social engineering, and enables cybercriminals to launch highly convincing attacks across browsers and social media.

Jason Soroko, Senior Fellow at Sectigo, adds, “Phishers know the public is eager to try the latest AI platforms. They exploit that curiosity by faking popular sites. Users must stay vigilant—always double-check domains to avoid these traps.”

As AI continues to evolve, so does its misuse. The fusion of speed, creativity, and automation makes AI-powered phishing attacks an unprecedented challenge for organizations and individuals alike. If left unchecked, 2025 could witness phishing threats on a scale we’ve never seen before.
