AI Now Powers Over Half of Spam Emails, Columbia Engineering Research Finds

PhD student Wei Hao and Columbia Engineering Professors Asaf Cidon, Ethan Katz-Bassett, and Junfeng Yang co-lead groundbreaking study—the first to quantify the role of AI in cybercrime.

By Xintian Tina Wang
July 10, 2025

A new study co-authored by Columbia PhD student Wei Hao and Columbia Electrical Engineering and Computer Science Professors Asaf Cidon, Ethan Katz-Bassett, and Junfeng Yang reveals that over 51 percent of spam emails are now generated using artificial intelligence. The research—accepted to the prestigious ACM Internet Measurement Conference (IMC) 2025—is the first academic work to quantify AI’s role in modern spam and phishing attacks, a topic that has long been discussed but lacked hard data.

The research, a collaboration among Columbia University, the University of Chicago, and cybersecurity company Barracuda Networks, has garnered national attention, including coverage in Forbes, TechRepublic, and Infosecurity Magazine.

“Our results show that attackers are primarily using AI to improve email quality—reducing typos and grammatical errors—rather than altering attack strategies,” said lead author Hao. “This makes spam harder to detect and potentially more convincing to recipients.”

Professor Cidon added, “We were pleasantly surprised that we could accurately estimate the prevalence of AI in real-world cyberattacks. Up to now, most discussion around AI-generated spam has been anecdotal. This study brings data to the table.”

Key Findings:

  • 51 percent of all spam emails in April 2025 were AI-generated
  • 14 percent of business email compromise (BEC) attacks showed signs of AI use
  • Attackers use A/B testing to optimize scam variations with AI tools
  • Most AI-generated emails employ classic tactics like urgency and pressure—strategies that remain largely unchanged from human-written scams

Despite the alarming numbers, Cidon emphasized that there is still room to adapt. “This isn’t something to panic over—yet,” he told TechRepublic. “As long as these emails remain text-based and don’t incorporate more complex deception methods, there are still effective ways to counter them.”

The team hopes their findings will inform better spam detection tools and inspire more rigorous research into the intersection of AI and cybersecurity.

To read more, visit the Barracuda blog or explore full coverage in Forbes and TechRepublic.