Email scammers are using artificial intelligence (AI) tools to create and launch mass spam campaigns rather than advanced targeted attacks, according to new research by the Universities of Columbia and Chicago, leveraging Barracuda’s threat detection data. The findings show that 51% of spam messages are now generated by AI, compared to 14% of business email compromise (BEC) attacks, although in both cases, the use of AI is increasing.
The researchers analyzed a large Barracuda dataset of unsolicited and malicious emails covering February 2022 to April 2025.
The findings show:
· By April 2025, 51% of spam emails were generated by AI rather than a human.
· By April 2025, 14% of BEC attacks were generated by AI.
· A steady increase in AI-generated content in both spam and business email compromise (BEC) attacks after the release of ChatGPT in November 2022.
· AI-generated emails are typically more formal, use more sophisticated language, and have fewer grammatical errors than human-written emails.
· Attackers appear to be using AI to test word variations to see which are more effective in evading defenses and encouraging more targets to click links.
· Attackers seem to be primarily using AI to refine their email content rather than to change the tactics of their attacks.
“Determining whether or how AI has been used in cyberattacks is a difficult challenge, since we can only see the attack, but don’t know how it was generated,” said Asaf Cidon, Associate Professor of Electrical Engineering and Computer Science at Columbia University. “Our analysis suggests that by April 2025, the majority of spam emails were not written by humans, but rather by AI. For more sophisticated attacks, like Business Email Compromise, which require more careful tuning of the content to the victim’s context, the vast majority of emails are still human-generated, but the volume that is generated by AI is steadily and consistently increasing.”
The approach used by the researchers to detect the involvement of AI was based on the assumption that emails sent before the public release of ChatGPT in November 2022 were likely to have been created by humans. This allowed them to set a baseline and train detectors to identify automatically whether a malicious or unsolicited email was generated using AI.
Parag Khurana, Country Manager for India, Barracuda Networks, said, “Cybercriminals are already using AI to their advantage to automate and scale email attacks, making it critical for Indian organisations to gain deeper visibility into evolving threats and adopt a platform-based approach to defend against them. At Barracuda, we’re seeing increased demand for solutions that combine multi-layered protection with continuous threat detection and response. By leveraging threat intelligence with integration across email, data, and network security, businesses can respond faster to AI-generated cyberattacks with greater precision.”
To defend against evolving email threats, Barracuda recommends implementing advanced, multi-layered, and AI-powered email protection, coupled with cybersecurity awareness training for employees so they know the latest attack tactics and threats to look out for.
The Threat Spotlight was authored by Wei Heo with research support from Van Tran, Vincent Rideout, Zixi Wang, Anmei Dasbach-Prisk, M. H. Afifi and Junfeng Yang, and professors Ethan Katz-Bassett, Grant Ho, Asaf Cidon.
