From Passwords to Biometrics: The Evolution of Phishing with the Help of AI

Kaspersky detected and blocked more than 142 million phishing attacks in the second quarter of 2025, marking a 3.3% increase compared to the first quarter. Phishing attacks are currently undergoing a transitional phase, driven by advanced deception techniques leveraging artificial intelligence (AI) and other innovative evasion methods. From deepfakes and voice cloning to widely used applications like Telegram and Google Translate, cybercriminals are exploiting every available tool to gain access to biometric data, putting both individuals and businesses at risk.

AI-driven tactics are transforming phishing attacks

Artificial intelligence has made phishing an extremely personalized threat. Using large language models, attackers can craft convincing emails, messages, and websites free of grammatical errors, perfectly mimicking legitimate sources. Additionally, AI-powered bots on social media and messaging apps impersonate real users, engaging targets in lengthy conversations to build trust. These bots lure victims with fake “opportunities,” using AI-generated voice messages or deepfake videos, pushing them into scams related to romance or investments.

Attackers are also creating realistic deepfakes, impersonating colleagues, celebrities, or bank employees to either promote fake offers or extract sensitive data. For example, automated calls mimicking bank security personnel use AI to trick users into sharing two-factor authentication (2FA) codes, granting access to accounts or enabling fraudulent transactions. Furthermore, AI tools analyze publicly available data from social media or corporate websites to launch highly targeted attacks, such as HR-themed emails or fake calls referencing personal information.

New evasion techniques

Attackers are increasingly employing sophisticated methods to gain victims’ trust, often using official platforms to prolong the lifespan of their attacks. A notable example is Telegram’s Telegraph platform, designed for publishing long-form content but now used to spread phishing campaigns. Similarly, Google Translate’s website translation feature generates links which attackers exploit to bypass security systems.

Moreover, attackers are embedding CAPTCHA challenges in phishing sites before redirecting users to malicious pages. This misleads detection mechanisms, as CAPTCHAs are typically associated with legitimate platforms, reducing the likelihood of being flagged.

New targets: from passwords to biometric data

The focus has shifted from passwords to personal data that cannot be changed. Attackers target biometric information through fake websites requesting access to a device’s camera under the guise of account verification, capturing faces or other permanent personal data. This information can then be used to gain unauthorized access to sensitive accounts or sold on the dark web. Similarly, electronic and handwritten signatures—critical for legal and financial processes—are being stolen via phishing attacks. Attackers imitate platforms like DocuSign or prompt users to upload their signatures to fake websites, causing financial and reputational damage to businesses.

Earlier in 2025, Kaspersky identified a series of complex targeted phishing attacks named Operation ForumTroll, where attackers sent personalized phishing emails inviting recipients to the “Primakov Readings” forum. Targets included media outlets, educational institutions, and government organizations in Russia. Clicking the email link required no additional action for system compromise: the exploit leveraged a previously unknown vulnerability in the latest version of Google Chrome. To avoid detection, the malicious links had very short lifespans and often redirected to the official “Primakov Readings” website after the exploit was disabled.

Kaspersky’s recommendations for phishing protection:

• Always verify messages, calls, or links, even if they appear legitimate. Never share 2FA codes.
• Carefully examine videos for unnatural movements or overly enticing offers, which may indicate deepfakes.
• Reject camera access requests from unverified websites and avoid uploading signatures to unknown platforms.
• Limit the online sharing of sensitive information, such as document photos or confidential work data.
• Use Kaspersky Next (for corporate environments) or Kaspersky Premium (for personal use) to block phishing attacks.