AI Spear Phishing Now Outsmarts Humans, Study Reveals


AI-generated spear phishing has officially surpassed human-crafted attacks in effectiveness — and it’s happening faster than expected.

A new study by cybersecurity firm Hoxhunt shows a dramatic shift: by March 2025, AI-powered spear phishing became 24% more effective than attacks created by expert human red teams. That’s a massive leap from 2023, when AI lagged behind humans by 31%. This turning point signals a serious transformation in how social engineering threats will evolve.

How AI Caught Up and Surpassed Humans in Just Two Years

The research traces this evolution back to 2023, when Hoxhunt began testing AI-generated spear phishing emails against those crafted by elite human teams. At the time, AI emails—created using tools like ChatGPT—were significantly less successful. The effectiveness was measured by the click rate—how often targets clicked on malicious links. In 2023, humans had a 14% click rate, while AI managed just 11%.

IBM’s cybersecurity unit, X-Force Red, ran similar tests and reached nearly identical results. Snow Carruthers, IBM’s Chief People Hacker, noted that AI lacked emotional intelligence, which limited its ability to craft believable, emotionally charged messages that trick users into clicking.

“Humans can still write emails that feel real and pull at your emotions,” Carruthers said. “But that’s going to change.”

Agentic AI: The Game-Changer for Phishing Effectiveness

That change began in 2024 with the rise of agentic AI—AI systems that can learn, adapt, and evolve autonomously. Recognizing this shift, Hoxhunt built its own AI phishing agent, dubbed “JKR” (short for Joker), to test against human-created spear phishing emails.

Over 2024, the gap closed fast. AI’s effectiveness rose from 31% below humans to just 10% below by the end of the year. But what happened next took even Hoxhunt by surprise.

Between November 2024 and February 2025, AI spear phishing agents saw a massive performance boost. By March, JKR and similar AI models were outperforming humans by 24%. That marked a major inflection point.

What This Means for Cybersecurity Going Forward

According to Pyry Avist, co-founder and CTO at Hoxhunt, this isn’t a theoretical risk anymore—it’s reality. “AI agents can now craft more convincing phishing emails at scale than humans,” he said. “The phishing-as-a-service market will soon pivot toward mass adoption of AI spear phishing agents.”

And that’s what makes the threat so serious. Historically, mass phishing campaigns were broad, clumsy, and easier to detect. Only targeted spear phishing could fool well-trained employees. But with agentic AI, even mass campaigns can now appear deeply personal and authentic.

Avist warns that once these AI agents are widely deployed, the average quality of phishing attacks will jump dramatically. What used to be elite-level spear phishing will become the new standard—and far more dangerous for everyday users and companies.
