By April 2025, 51% of spam and 14% of BEC emails were AI-generated, with researchers noting a post-ChatGPT surge in formal, grammatically polished messages as attackers use AI to optimize content rather than alter attack strategies
Artificial intelligence (AI) is increasingly being used by cybercriminals to automate large-scale spam campaigns, rather than for highly targeted attacks, according to new research conducted by Columbia University and the University of Chicago. The study, which draws on threat detection data from cybersecurity firm Barracuda, reveals that 51% of spam emails are now generated using AI tools—a sharp rise compared to just 14% of AI-generated business email compromise (BEC) attacks.
Researchers analyzed a comprehensive dataset of unsolicited and malicious emails collected by Barracuda between February 2022 and April 2025. The findings highlight the growing role of AI in enabling low-effort, high-volume cyber threats, marking a shift in the tactics employed by email scammers.
The findings show:
· By April 2025, 51% of spam emails were generated by AI rather than a human.
· By April 2025, 14% of BEC attacks were generated by AI.
· A steady increase in AI-generated content in both spam and business email compromise (BEC) attacks after the release of ChatGPT in November 2022.
· AI-generated emails are typically more formal, use more sophisticated language, and have fewer grammatical errors than human-written emails.
· Attackers appear to be using AI to test word variations to see which are more effective in evading defenses and encouraging more targets to click links.
· Attackers seem to be primarily using AI to refine their email content rather than to change the tactics of their attacks.
“Determining whether or how AI has been used in cyberattacks is a difficult challenge, since we can only see the attack, but don’t know how it was generated,” said Asaf Cidon, Associate Professor of Electrical Engineering and Computer Science at Columbia University. “Our analysis suggests that by April 2025, the majority of spam emails were not written by humans, but rather by AI. For more sophisticated attacks, like Business Email Compromise, which require more careful tuning of the content to the victim’s context, the vast majority of emails are still human-generated, but the volume that is generated by AI is steadily and consistently increasing.”
The approach used by the researchers to detect the involvement of AI was based on the assumption that emails sent before the public release of ChatGPT in November 2022 were likely to have been created by humans. This allowed them to set a baseline and train detectors to identify automatically whether a malicious or unsolicited email was generated using AI.
Parag Khurana, Country Manager for India, Barracuda Networks, said, “Cybercriminals are already using AI to their advantage to automate and scale email attacks, making it critical for Indian organisations to gain deeper visibility into evolving threats and adopt a platform-based approach to defend against them. At Barracuda, we’re seeing increased demand for solutions that combine multi-layered protection with continuous threat detection and response. By leveraging threat intelligence with integration across email, data, and network security, businesses can respond faster to AI-generated cyberattacks with greater precision.”
To defend against evolving email threats, Barracuda recommends implementing advanced, multi-layered, and AI-powered email protection, coupled with cybersecurity awareness training for employees so they know the latest attack tactics and threats to look out for.
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.
