Email scammers are using artificial
intelligence (AI) tools to create and launch mass spam campaigns rather than
advanced targeted attacks, according to new research by the Universities of
Columbia and Chicago, leveraging Barracuda’s threat detection data. The
findings show that 51% of spam messages are now generated by AI, compared to
14% of business email compromise (BEC) attacks, although in both cases, the use
of AI is increasing.
The researchers analyzed a large Barracuda
dataset of unsolicited and malicious emails covering February 2022 to April
2025.
The findings show:
· By April 2025, 51% of spam emails were generated by AI rather than a human.
· By April 2025, 14% of BEC attacks were generated by AI.
· A steady increase in AI-generated content in both spam and business email
compromise (BEC) attacks after the release of ChatGPT in November 2022.
· AI-generated emails are typically more formal, use more sophisticated
language, and have fewer grammatical errors than human-written emails.
· Attackers appear to be using AI to test word variations to see which are
more effective in evading defenses and encouraging more targets to click links.
· Attackers seem to be primarily using AI to refine their email content rather
than to change the tactics of their attacks.
“Determining whether or how AI has been used in cyberattacks is a
difficult challenge, since we can only see the attack, but don’t know how it
was generated,” said Asaf Cidon, Associate Professor of Electrical Engineering
and Computer Science at Columbia University. “Our analysis suggests that by
April 2025, the majority of spam emails
were not written by humans, but rather by AI. For more sophisticated attacks,
like Business Email Compromise, which require more careful tuning of the
content to the victim’s context, the vast majority of emails are still
human-generated, but the volume that is generated by AI is steadily and
consistently increasing.”
The approach used by
the researchers to detect the involvement of AI was based on the assumption
that emails sent before the public release of ChatGPT in November 2022 were
likely to have been created by humans. This allowed them to set a baseline and
train detectors to identify automatically whether a malicious or unsolicited
email was generated using AI.
Parag Khurana, Country Manager for India,
Barracuda Networks, said, “Cybercriminals are already using AI to their
advantage to automate and scale email attacks, making it critical for Indian
organisations to gain deeper visibility into evolving threats and adopt a
platform-based approach to defend against them. At Barracuda, we’re seeing
increased demand for solutions that combine multi-layered protection with
continuous threat detection and response. By leveraging threat intelligence
with integration across email, data, and network security, businesses can
respond faster to AI-generated cyberattacks with greater precision.”
To defend against evolving email threats, Barracuda recommends
implementing advanced, multi-layered, and AI-powered email protection, coupled
with cybersecurity awareness training for employees so they know the latest
attack tactics and threats to look out for.
The Threat Spotlight was authored by Wei Heo with research support from
Van Tran, Vincent Rideout, Zixi Wang, Anmei Dasbach-Prisk, M. H. Afifi and
Junfeng Yang, and professors Ethan Katz-Bassett, Grant Ho and Asaf Cidon.
For more information
and insight: https://blog.barracuda.com/2025/06/18/half-spam-inbox-ai-generated
National, India, June 19th, 2025