One limited academic analysis of selected spam reveals AI-crafted emails use formal language, fewer errors, and test variations in English-speaking regions.

Researchers from Columbia University and the University of Chicago have reported a significant increase in the use of AI to generate spam emails, according to a new data analysis of unsolicited and malicious emails sent between February 2022 and April 2025.

The data trends suggest that 51% of spam messages now (April 2025, based on analyses of spam from English-speaking countries) are believed to be AI-generated, while the proportion of business email compromise (BEC) attacks using AI remains lower (at an estimated 14% based on the supplied data set by a single source) but is steadily rising.

The researchers note that the use of AI in both spam and BEC attacks had increased after the public launch of ChatGPT in November 2022. AI-generated emails tend to be more formal, use more sophisticated language, and contain fewer grammatical errors than those written by humans.

Limitations of the research

With AI, attackers appear to have been testing different word variations, aiming to evade detection systems and increase the likelihood that recipients will click on malicious links. In some cases, this process resembles A/B testing in marketing, where multiple versions of an email are generated and tested to determine which phrasing is most effective at bypassing defenses or enticing user engagement.

However, the researchers note that, while AI is being used to refine the content of these emails, the overall tactics of the attacks have not changed significantly. The researchers also acknowledged the challenges in definitively determining whether an email was generated by AI, as only the content of the attack is visible, not the method of its creation.

According to Asaf Cidon, Associate Professor,  Electrical Engineering and Computer Science, Columbia University, in a press release: “Our analysis suggests that by April 2025 the majority of spam emails were not written by humans, but rather by AI. For more sophisticated attacks, like [BECs], which require more careful tuning of the content to the victim’s context, the vast majority of emails are still human generated, but the volume that is generated by AI is steadily and consistently increasing.”

The methodology for detecting AI-generated emails was based on the assumption that emails sent before November 2022 were primarily human-written, which served as a baseline for training automated detectors.

[Editor’s note: This approach may not account for earlier AI or automation tools that could have been used prior to ChatGPT’s release, and may therefore overestimate the growth of AI-generated spam.]

The data used in the analysis (disclosed as spam sent to people in English-speaking countries) was supplied by Barracuda.

An example of A/B word comparisons of different spam emails to attempt to detect AI provenance.