Artificial intelligence is accelerating one of the most significant shifts the cybersecurity industry has seen in years. During Cofense’s webinar, Inside the Shape-Shifting Inbox: A Modern Playbook for Security Leaders, CEO Marc Olesen and Board Advisor George Gerchow explored how AI is transforming phishing from a high-effort, tactical attack into a highly scalable, adaptive business risk.
The discussion highlighted a new reality for security leaders: attackers are using AI to create phishing campaigns that evolve in real time, evade traditional defenses, and exploit both human and machine identities. Here are five key takeaways from the conversation.
1. AI Has Changed the Economics of Phishing
One of the most important themes from the discussion was that AI has dramatically reduced the cost and effort required to launch phishing campaigns. What once took hours of manual work can now be completed in minutes. Attackers can use AI to generate convincing emails, personalize content at scale, vary messaging across thousands of targets, and continuously adapt campaigns without human intervention.
This shift has increased both the speed and volume of attacks. Instead of sending identical phishing emails, threat actors can now create unique variations for every recipient, making detection significantly more difficult and enabling campaigns to scale far beyond what was previously possible.
2. Polymorphic Attacks Are Rendering Traditional Detection Less Effective
The webinar focused heavily on polymorphic phishing campaigns—attacks that continuously change their characteristics to evade detection. Subject lines, sender information, URLs, language, and payloads can all be modified automatically using AI.
Traditional email security tools often evaluate each message in isolation and rely on signatures, fingerprints, or known indicators of compromise such as a sender address, subject line, or URL. When every email differs in exactly those fields, an exact-match control sees a stream of unrelated messages rather than one campaign, and those approaches become far less reliable.
Security teams need to shift from message-level analysis to campaign-level visibility. Understanding patterns across multiple attacks provides a more complete picture of attacker behavior and enables organizations to identify threats that may otherwise appear unrelated.
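To make the message-level versus campaign-level distinction concrete, here is an added example that is not from the webinar and not Cofense's own code or method. It uses six constructed messages: four are per-recipient variations of one payroll lure, one is an unrelated invoice lure, one is a legitimate newsletter. Exact sender, subject and URL never repeat, so a signature or blocklist cannot tie any two of them together; normalising the infrastructure (collapsing the numeric suffix in the sending domain and the per-recipient token in the URL path) and comparing lure wording groups the four variants into one campaign. The feature weights, the 0.5 threshold and the sample data are assumptions of this example.

```python
import re
from itertools import combinations
from urllib.parse import urlparse

# Constructed sample inbox (not data from the webinar): m1-m4 are one AI-varied
# payroll lure, m5 is an unrelated invoice lure, m6 is a legitimate newsletter.
SAMPLE_MESSAGES = [
    {"id": "m1", "sender": "payroll-notice@acme-hr-portal-7731.example",
     "subject": "Action required: payroll update for Dana",
     "url": "https://acme-hr-portal-7731.example/verify/u8f3k2/login",
     "body": "Hi Dana, your payroll record needs verification before Friday. "
             "Please confirm your details using the secure link to avoid delays."},
    {"id": "m2", "sender": "hr-team@acme-hr-portal-2208.example",
     "subject": "Sam, please confirm your payroll details today",
     "url": "https://acme-hr-portal-2208.example/verify/q91zm4/login",
     "body": "Hello Sam, your payroll record requires verification by Friday. "
             "Confirm your details through the secure link so payment is not delayed."},
    {"id": "m3", "sender": "people-ops@acme-hr-portal-0193.example",
     "subject": "Verify payroll information for Priya before Friday",
     "url": "https://acme-hr-portal-0193.example/verify/x4n8pp/login",
     "body": "Priya, HR needs you to verify your payroll information before Friday. "
             "Use the secure link to confirm your details and avoid a delayed payment."},
    {"id": "m4", "sender": "benefits-desk@acme-benefits-notice-4415.example",
     "subject": "Reminder for Lee: payroll verification pending",
     "url": "https://acme-hr-portal-9056.example/verify/t7wq11/login",
     "body": "Hi Lee, your payroll record still needs verification before Friday. "
             "Please confirm your details using the secure link below to avoid any delays."},
    {"id": "m5", "sender": "billing@invoice-center-5512.example",
     "subject": "Overdue invoice 88213",
     "url": "https://invoice-center-5512.example/doc/a81k3/open",
     "body": "Attached invoice 88213 is overdue. Open the document to review the balance and arrange payment."},
    {"id": "m6", "sender": "newsletter@example-news.example",
     "subject": "Weekly team update",
     "url": "https://www.example-news.example/stories/2024/11/team-update",
     "body": "This week the team shipped the new dashboard. Read the full update on the intranet."},
]


def exact_indicators(msg):
    """Message-level view: literal sender, subject and URL, as a blocklist sees them."""
    return {("sender", msg["sender"]), ("subject", msg["subject"]), ("url", msg["url"])}


def pairs_sharing_exact_indicator(messages):
    """How many message pairs an exact-match detector could tie together."""
    return sum(1 for a, b in combinations(messages, 2)
               if exact_indicators(a) & exact_indicators(b))


def domain_template(host):
    """Collapse digit runs so acme-hr-portal-7731 and acme-hr-portal-2208 match."""
    return re.sub(r"\d+", "#", host.lower())


def path_template(path):
    """Replace path segments carrying digits (per-recipient tokens) with '*'."""
    return "/".join("*" if re.search(r"\d", seg) else seg for seg in path.split("/"))


def word_set(text):
    return set(re.findall(r"[a-z]+", text.lower()))


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0


def campaign_features(msg):
    """Campaign-level view: normalised infrastructure plus lure wording."""
    u = urlparse(msg["url"])
    return {"sender_template": domain_template(msg["sender"].split("@")[-1]),
            "url_template": domain_template(u.netloc) + path_template(u.path),
            "words": word_set(msg["body"])}


def link_score(fa, fb):
    """Heuristic weights (an assumption of this example): shared sending-domain
    template 0.35, shared URL template 0.35, up to 0.30 for wording overlap. Two
    infrastructure matches link on their own; one match needs similar text."""
    score = 0.35 * (fa["sender_template"] == fb["sender_template"])
    score += 0.35 * (fa["url_template"] == fb["url_template"])
    return score + 0.30 * jaccard(fa["words"], fb["words"])


def cluster_campaigns(messages, threshold=0.5):
    """Union-find over pairwise link scores; returns clusters, largest first."""
    feats = {m["id"]: campaign_features(m) for m in messages}
    parent = {m["id"]: m["id"] for m in messages}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(messages, 2):
        if link_score(feats[a["id"]], feats[b["id"]]) >= threshold:
            parent[find(a["id"])] = find(b["id"])
    groups = {}
    for m in messages:
        groups.setdefault(find(m["id"]), []).append(m["id"])
    return sorted(groups.values(), key=lambda g: (-len(g), g))


def campaign_url_templates(messages, ids):
    """Normalised URL patterns a cluster shares: one campaign-level rule, not one URL per message."""
    by_id = {m["id"]: m for m in messages}
    return sorted({campaign_features(by_id[i])["url_template"] for i in ids})


if __name__ == "__main__":
    print("pairs linked by exact indicators:", pairs_sharing_exact_indicator(SAMPLE_MESSAGES))
    for group in cluster_campaigns(SAMPLE_MESSAGES):
        print(group, campaign_url_templates(SAMPLE_MESSAGES, group))
```

Run as a script it reports zero pairs linked by exact indicators, then one four-message cluster whose shared pattern is the normalised landing-page template, followed by the invoice lure and the newsletter as singletons. Note that m4 arrives from a different sending domain and is only pulled into the campaign because its URL template and wording match; that is the kind of cross-message pattern a per-message verdict never sees.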
3. Human Intelligence Remains a Critical Security Layer
Despite advances in automation and AI, both speakers emphasized that humans remain one of the most valuable detection mechanisms available to organizations.
Employees often identify suspicious activity that automated systems miss, particularly when dealing with novel or zero-day attacks. User-reported emails provide context, feedback, and validation that can strengthen detection models and improve incident response.
The future of phishing defense is not about removing humans from the process. Instead, it is about creating an effective human-in-the-loop model where AI handles repetitive tasks such as triage, correlation, and analysis while people provide judgment, context, and decision-making authority.
4. Defense-in-Depth Is Still the Best Strategy
While AI is becoming a powerful tool for defenders, it is not a silver bullet. Olesen introduced the concept of the “automation gap,” the reality that attackers will continue developing new techniques that bypass automated controls.
Because that gap will never completely disappear, organizations must maintain a defense-in-depth strategy. Effective phishing defense requires multiple layers working together, including secure email gateways, threat intelligence, AI-powered analysis, employee reporting, incident response processes, and post-delivery protection.
Security leaders should resist the temptation to view any single technology as the answer. Instead, resilience comes from combining complementary capabilities that collectively reduce risk and improve response speed.
5. Measure Resilience, Not Activity
Many organizations continue to focus on operational metrics such as alert volume or detection counts. The speakers argued that these metrics often measure activity rather than effectiveness.
Instead, security leaders should focus on indicators that demonstrate resilience. Examples include employee reporting rates, remediation time for user-reported threats, dwell time for sophisticated attacks, analyst efficiency, and cost per resolved incident.
The goal is not simply to process more alerts faster. The goal is to reduce exposure, improve response outcomes, and increase organizational resilience against evolving threats.
What Security Leaders Should Do Next
Looking ahead, the speakers outlined several priorities for security teams over the next 12 to 24 months:
• Invest in explainable AI that provides transparency into how decisions are made.
• Expand visibility beyond email to address multi-channel attacks across chat, voice, text, and collaboration platforms.
• Maintain a human-in-the-loop approach that balances automation with expert oversight.
• Govern AI agents and machine identities with the same rigor applied to human users.
• Redesign security operations around intelligence-driven workflows rather than reactive investigations.
Organizations that successfully combine AI, human expertise, and layered defenses will be best positioned to respond to the next generation of phishing threats.
AI is reshaping phishing faster than most organizations realize. To hear the full discussion from Marc Olesen and George Gerchow, including their insights on polymorphic campaigns, security operations, governance, and resilience, watch the webinar on demand.