Dennis Vymer,
Whalebone Threat Intelligence Product Manager
Something fundamental shifted in the phishing landscape over the past year. What once required days of preparation – crafting convincing emails, building fake landing pages, setting up ad campaigns – now takes hours. In some cases, minutes. The culprit? The same AI tools that are revolutionizing legitimate businesses are supercharging cybercriminal operations.
For telecommunications providers and their subscribers, this acceleration represents an unprecedented challenge. According to KnowBe4's 2025 Phishing Threat Report, 82.6% of all phishing emails now contain AI-generated elements.
This is not a future concern – it is today's reality.
Generative AI has dramatically lowered the technical barriers to launching phishing campaigns while accelerating the creation of both attack content and infrastructure.
Consider what it takes to launch a phishing campaign in 2026. A bad actor purchases a fresh domain, creates a credential-harvesting page using generative AI tools, and launches targeted Facebook ads – all within a few hours, even with minimal technical expertise.
The speed difference is staggering. IBM X-Force research demonstrated that AI can generate highly convincing phishing emails in five minutes compared to the sixteen hours typically required by experienced human operators – a 192× improvement in efficiency.
More recently, Okta's threat intelligence team documented attackers using generative AI to build complete phishing sites in under 30 seconds.
For telcos, this acceleration translates into concrete business pain: a surge in brand impersonation sites, credential theft fueling account takeover and SIM-swap fraud, SMS lures that erode subscriber trust, overwhelmed support teams, and ultimately – increased churn.
Most of us can speak from anecdotal experience: suspicious websites, SMS messages, emails, and calls have increased dramatically over the past two years.
A study from SlashNext documented a 1,265% increase in malicious phishing emails since ChatGPT's launch in late 2022.
And perhaps most concerning: Hoxhunt's research found that by March 2025, AI-generated phishing campaigns were 24% more effective than those created by elite human red teams.
Phishing does not arrive just via email anymore. Social media advertising has become a primary attack vector, and the scale of the problem is alarming.
A December 2024 Reuters investigation revealed that approximately 19% of Meta's Chinese advertising revenue – over $3 billion in 2024 – came from ads promoting scams, illegal gambling, and other banned content.
Academic research analyzing 5.3 million Facebook ads found that 32.2% of users were exposed to unsafe advertising, with nearly a quarter of high-risk ads linking directly to phishing sites.
When attackers can deploy new phishing infrastructure in minutes, traditional blocklist-based approaches simply cannot keep pace. By the time a malicious domain gets reported, analyzed, and added to a blocklist, the campaign may have already captured thousands of credentials and moved on to a fresh domain.
The industry is responding with proactive detection methods. Two approaches have proven particularly effective: newly registered domain (NRD) analysis and Certificate Transparency (CT) stream monitoring.
Research from Palo Alto Networks Unit 42 shows that over 70% of newly registered domains are classified as malicious, suspicious, or unsafe – roughly 10x higher than established domains.
The Anti-Phishing Working Group found that 77% of domains reported for phishing are maliciously registered – created specifically for fraud. Critically, 41% of phishing domains are weaponized within 14 days of registration.
Industry forecasts paint an intensifying picture. The Google Cloud Cybersecurity Forecast 2026 states that "threat actor use of AI is expected to transition decisively to the norm." Voice phishing (vishing) with AI-driven voice cloning is emerging as a particularly concerning vector, enabling hyperrealistic impersonations at scale.
The 82.6% AI adoption rate in phishing operations is not a projection – it is the present reality. The window between domain registration and active phishing campaigns has collapsed to hours. Defensive response times must collapse accordingly.
This reality demands a fundamental shift in approach: from reactive blocking to proactive intelligence, from static lists to real-time analysis, and from hoping users can spot fakes to ensuring they never see them in the first place.
At Whalebone, we are proactively evaluating the most effective entry point for protecting our user base. As launching new campaigns has become easier, the threat landscape has shifted toward localized, rapidly emerging risks.
To address this, we began monitoring activity at the earliest stages, specifically during domain creation. This includes tracking newly registered domains as well as newly issued certificates for subdomains.
Even at this initial step, early indicators often suggest suspicious activity, allowing us to begin analyzing patterns and assessing the owner’s intent right away.
Across the networks we protect, more than 30B threats were blocked last year. The way these threats evolved shows how quickly attackers are adapting.
Learn what shaped the cybersecurity landscape in 2025 and what lies ahead. Get a copy of our latest threat report.