Inevitable? Proofpoint Gives Stern Warning About Phishing, Reveals Key Technique to Avoid It
Everyone Can Be a Victim of Phishing These Days

Cybersecurity isn’t just a software and infrastructure problem. It is as much a people problem at the core, whether it is employees conniving with cybercriminals to perpetrate an attack from the inside, or clicking the wrong links, or going to the wrong sites. Proofpoint’s 2025 Voice of the CISO report proves as much, as it revealed that human error remains the top cybersecurity vulnerability in 2025.
According to the 2025 Voice of the CISO report, three in five (61%) CISOs in Singapore cite people as their greatest risk, even if 66% believe employees understand cybersecurity best practices. This disconnect underscores the critical reality that awareness alone is no longer enough, especially now that the rapid rise of GenAI (Generative Artificial Intelligence) is amplifying concerns around human risk, with data loss via public GenAI tools increasingly emerging as a top-of-mind concern. Specifically, generative AI is being weaponised to great effect by cybercriminals, who are now tapping into the immense capabilities of AI to create highly believable, hyper-personalised phishing campaigns.
“Today, Generative AI is simply just another tool cybercriminals leverage to research their targets, write code for malware, and generate or translate phishing messages,” Dr Bob Haussmann, Lead Cognitive Scientist, Human Risk Management, at Proofpoint, told Cybersecurity Asia in an exclusive commentary. “A more critical success factor for a phishing email is alignment: This refers to how closely the message connects to your personal preferences, purchase history, or services you use. But if a message appears to come from your tax authority, it resonates because it relates to something that affects everyone.”
AI Is Changing the Cybersecurity Landscape and Making Phishing More Effective
So, if phishing was working pre-GenAI, imagine the damage it is doing now in the Age of AI. And if that isn’t worrying enough, Dr Haussmann also gave a chilling warning—something along the lines of: Falling for a phishing attempt is near inevitable.
“When it comes to phishing, it is important to acknowledge one simple fact: There is a lure for everyone, and it’s only a matter of time until one falls victim to it,” Dr Haussmann warned. “At some point, an attacker will send the right message at precisely the wrong moment—when you are tired, distracted, or in a rush. That’s why phishing simulations are valuable: They remind us that none of us are immune to a well-crafted, or well-timed scam.”
It’s probably no lie. Neither is it an exaggeration. Phishing campaigns have evolved so much, and have become so sophisticated, that it is highly likely more people are falling for them. This is bad news as phishing (email fraud, for one) continues to be a big part of what is an incredibly diverse threat landscape, alongside ransomware, supply chain attacks, and insider threats.
The situation is admittedly causing many sleepless nights among CISOs and business leaders because, whatever the tactic employed, most attacks lead to data loss, which could disrupt operations at the very least, or result in compliance-related fines and punishment in some cases. In other words, the stakes are at an all-time high, and that’s probably why 59% of CISOs say they would consider paying a ransom to restore systems or prevent data leaks.
Fighting Back Against Phishing
But rather than make cybercrime pay by simply giving in to cybercriminals’ financial demands, CISOs and business leaders must also circle back to the human problem. In particular, they might need to take a look at this susceptibility to falling for phishing campaigns and do something about it because—believe it or not—there might be a solution. It’s not fool-proof, because nothing in cybersecurity ever is, but it can certainly help. And a good start in this case would be to disseminate to everyone in the organisation this practical message from Dr Haussmann:
“Regardless of the demographic, the key is always to stop and pause. Take a step back and ask yourself: Does this message make sense? Why am I receiving it now? Does something feel off? Why is there urgency, and why am I being pushed to act immediately? Often, the best defence is to pause, reflect, and recognise that the message may not be legitimate.”
Again, nothing is guaranteed, and that’s why cybersecurity is such a challenging field. But the reality is that the human disconnect can compromise even the best defences, so it only makes sense to address this problem head-on. Doing so can be a complicated undertaking, but it beats the alternative of simply letting cybercrime pay.