How To Protect Your Business From AI-Driven Phishing

27 March 2026


Phishing has always been a headache for businesses, but the game has changed. What used to be a fairly obvious "Dear Customer, click here to claim your prize" email has evolved into something far more convincing and, frankly, more alarming. Thanks to artificial intelligence, cybercriminals can now craft phishing messages that are polished and almost indistinguishable from the real thing.

If you run a business in Singapore, this is not a distant problem. According to the Cyber Security Agency of Singapore's (CSA) Singapore Cyber Landscape 2024/2025 report, phishing attempts surged by 49% in 2024, with over 6,100 cases reported. Notably, 12% of those phishing emails were found to contain AI-generated content. That figure is only going to grow. Understanding what you're up against and what you can do about it is no longer optional.

Why AI makes phishing so much harder to spot

Traditional phishing emails had tell-tale signs: awkward grammar, generic greetings, suspicious links that looked nothing like the company they claimed to be from. Most employees were trained to look for exactly these red flags. But here is the uncomfortable truth: those signs are disappearing.

AI tools can now generate text that reads naturally, adapts tone to match a specific company's communication style, and even mimics the writing patterns of real individuals. This is partly what drives the conversation around how hackers are personalising phishing using AI: they pull publicly available information from LinkedIn, company websites, and social media to craft messages that feel entirely legitimate.

Imagine receiving an email that addresses you by name, references your current project, and appears to come from your managing director's email address. It asks you to approve an urgent payment. The language is spot-on. The logo is right. The email signature looks familiar. Would you pause long enough to question it? Many people would not. CSA's 2024 Cybersecurity Public Awareness Survey found that only about one in ten respondents could accurately distinguish between all phishing and legitimate content, a sobering reminder that even informed people struggle with this.

The stakes for Singapore businesses

Singapore's position as a regional financial and technology hub makes it a particularly attractive target. According to findings from Kaspersky Security Network, 2024 saw over 21 million cyber attacks originating from compromised servers in Singapore, making it the region's hotspot for malicious activity.

Beyond the sheer volume of attacks, the financial impact is real. Phishing scams were among the top five scam types by total amount lost in Singapore in 2025, alongside investment scams and business email compromise. For businesses, a single successful phishing attack can lead to data breaches, financial loss, reputational damage, and regulatory scrutiny, none of which are easy to recover from.

This is precisely why working with professionals who are CREST certified in Singapore is important. CREST professional certifications and service provider accreditations give buyers of penetration testing and cybersecurity services confidence that the work is being carried out by qualified individuals with up-to-date knowledge, skills, and competence. When the threat landscape is evolving this quickly, choosing a certified, reputable partner is one of the smartest investments a business can make.

What businesses can actually do

The good news is that protecting your business from AI-driven phishing is absolutely achievable. It requires a layered approach; no single fix will do it all, but combining the right habits and tools makes a significant difference.

  • Train your people and keep training them: Security awareness training is not a one-off tick-box exercise. It needs to be ongoing and relevant. Employees should be regularly tested with simulated phishing exercises so they can practise spotting suspicious emails in a safe environment. The goal is not to catch people out, but to build genuine awareness and healthy scepticism.
  • Establish a clear verification process for sensitive requests: Any request involving financial transfers, credential changes, or access to sensitive data should require a secondary verification step, such as a phone call to a known number. No matter how legitimate an email looks, a quick call can prevent a costly mistake.
  • Use technical defences alongside human training: Email security tools, multi-factor authentication, and domain authentication protocols (such as DMARC, DKIM, and SPF) make it significantly harder for attackers to spoof your organisation's email addresses. These are not complex to implement, and they dramatically reduce the risk of employees receiving convincing impersonation emails.
  • Run regular penetration testing: Understanding where your vulnerabilities actually lie before an attacker finds them is enormously valuable. A professional security assessment can surface weaknesses in your email infrastructure, employee awareness, and technical controls that you might not otherwise know exist.
  • Have an incident response plan: If someone does click a malicious link or hand over credentials, the speed of your response is crucial. Know in advance who to contact, what systems to isolate, and how to notify affected parties. A plan drafted before an incident happens is far more useful than one written in a panic afterwards.

Building a culture of security

Perhaps the most important shift is cultural. Cybersecurity cannot sit entirely with the IT team. Every person in the organisation is a potential target, and every person can be a line of defence.

Encourage staff to report suspicious emails without fear of embarrassment. Make it easy to flag something odd, even if it turns out to be nothing. The employee who almost fell for a phishing attempt and reported it is not a liability; they are exactly the kind of alert, engaged team member every business needs.

Leadership also sets the tone. When senior leaders take cybersecurity seriously, talk about it openly, and participate in training themselves, it sends a clear message that this is a priority for the whole organisation, not just something that happens in the background.

AI is not going away, and neither are the cybercriminals who know how to use it. But with the right awareness, the right processes, and the right professional support, your business can stay well ahead of the threat.

Conclusion

If you want to understand exactly where your business stands and what needs to improve, Group8 is here to help. As a CREST-accredited cybersecurity company in Singapore, Group8 offers penetration testing, vulnerability assessments, and tailored security solutions to protect your organisation from today's most sophisticated threats, including AI-driven phishing. Reach out to our team to find out how we can help you build a stronger, more resilient security posture.