Email scammers are using artificial intelligence (AI) tools to create and launch mass spam campaigns rather than advanced targeted attacks, according to new research by the Universities of Columbia and Chicago, leveraging Barracuda’s threat detection data. The findings show that 51% of spam messages are now generated by AI, compared to 14% of business email compromise (BEC) attacks, although in both cases, the use of AI is increasing.
The researchers analyzed a large Barracuda dataset of unsolicited and malicious emails covering February 2022 to April 2025.
The findings show:
· By April 2025, 51% of spam emails were generated by AI rather than a human.
· By April 2025, 14% of BEC attacks were generated by AI.
· A steady increase in AI-generated content in both spam and business email compromise (BEC) attacks after the release of ChatGPT in November 2022.
· AI-generated emails are typically more formal, use more sophisticated language, and have fewer grammatical errors than human-written emails.
· Attackers appear to be using AI to test word variations to see which are more effective in evading defenses and encouraging more targets to click links.
· Attackers seem to be primarily using AI to refine their email content rather than to change the tactics of their attacks.
“Determining whether or how AI has been used in cyberattacks is a difficult challenge, since we can only see the attack, but don’t know how it was generated,” said Asaf Cidon, Associate Professor of Electrical Engineering and Computer Science at Columbia University. “Our analysis suggests that by April 2025, the majority of spam emails were not written by humans, but rather by AI. For more sophisticated attacks, like Business Email Compromise, which require more careful tuning of the content to the victim’s context, the vast majority of emails are still human-generated, but the volume that is generated by AI is steadily and consistently increasing.”
The approach used by the researchers to detect the involvement of AI was based on the assumption that emails sent before the public release of ChatGPT in November 2022 were likely to have been created by humans. This allowed them to set a baseline and train detectors to identify automatically whether a malicious or unsolicited email was generated using AI.
To defend against evolving email threats, Barracuda recommends implementing advanced, multi-layered, and AI-powered email protection, coupled with cybersecurity awareness training for employees so they know the latest attack tactics and threats to look out for.