🤖 Guide AI Security · 6 min read · General · December 1, 2025

AI Phishing: Why Scam Emails Are Harder to Spot

AI writes flawless phishing emails personalised to each target. Learn what changed, how to spot AI scam emails, and how to protect your team from phishing.

Tags: phishing, email security, AI, fraud, social engineering

The Email That Almost Fooled an IT Security Manager

The email looked like it came from Microsoft. It had the right logo, the right font, a professional tone, and a plausible reason for action: your subscription payment had failed and your account would be suspended in 24 hours.

The IT security manager hovered over the link. The URL was one letter off from Microsoft’s real domain — microsofft.com instead of microsoft.com. They caught it. Most people don’t look that closely.

What made this email different from the phishing emails of five years ago? It was written perfectly. No spelling mistakes. No awkward phrasing. No Nigerian prince. Just a clean, convincing message that would land in most people’s inbox as utterly normal.

That’s what AI has done to phishing.


What Changed: From Spam to Surgical Strikes

Old-school phishing emails were easy to spot. They were riddled with errors, sent to millions of random addresses, and relied on sheer volume to find a small percentage of victims.

Today’s AI-powered phishing is different in three important ways.

1. The writing is perfect

Large language models like GPT-4 can produce native-quality English (and virtually any other language) instantly. The days of laughing at a phishing email’s grammar are over. An attacker can now generate thousands of unique, professionally written messages in minutes — each one different enough to avoid spam filters.

2. It’s personalised

AI tools can scrape publicly available information about a target — their LinkedIn job title, recent posts, company announcements, even the names of their colleagues — and weave it into a message.

“Hi Sarah, I saw your post about the Q3 results last week — impressive numbers. I’m reaching out about an audit concern related to the Wilson account that needs your attention before end of day.”

If you’re Sarah, and there is a Wilson account, and you did post about Q3 results, that email feels real. It’s not. It’s a machine that spent two seconds on LinkedIn before writing to you.

3. It arrives at scale with low effort

A targeted phishing campaign used to require a human attacker researching each target. Now an AI can research, draft, and schedule thousands of personalised emails in the time it used to take to write one. The cost of a sophisticated attack has collapsed.


The Most Common AI-Enhanced Phishing Tactics Right Now

Fake invoice scams

An AI-generated invoice arrives from a supplier you recognise, with a slightly different bank account number. The email thread looks authentic. The brand is perfect. The only difference is where the money goes.

Executive impersonation (BEC — Business Email Compromise)

A message appears to come from your CEO or a senior manager. It’s urgent. It asks for something unusual: gift cards, a wire transfer, a change to payroll details. The AI has studied the executive’s public writing style to mimic their tone.
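Executive impersonation leaves traces in the message headers even when the body reads perfectly. The following added example (not code from the original post) shows the checks a mail gateway or a security team's triage script can run: a display name that matches an executive in the directory but comes from an address that is not theirs, a Reply-To that diverts answers to a different mailbox, a Return-Path on a different domain from the visible sender, and a DMARC failure recorded by the receiving gateway. The executive directory, the domains and both sample messages are constructed for illustration.

```python
"""Header checks for executive-impersonation (BEC) emails.

Added example, not code from the original post. The directory, domains and
both sample messages are constructed for illustration; the checks use only
headers that any mail client or gateway exposes.
"""
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed internal directory: display name -> the only address that
# executive sends from.
EXECUTIVES = {"jane doe": "jane.doe@example-corp.test"}


def _domain(addr: str) -> str:
    """Return the domain part of an address, lower-cased."""
    return addr.rpartition("@")[2].lower()


def analyse_headers(raw_message: str) -> list:
    """Return human-readable findings; an empty list means nothing looked odd."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()
    name_key = " ".join(from_name.lower().split())

    # 1. Display name is an executive's, but the address is not theirs.
    if name_key in EXECUTIVES and from_addr != EXECUTIVES[name_key]:
        findings.append(f"display name '{from_name}' matches an executive "
                        f"but the address is {from_addr}")

    # 2. Replies are silently redirected to another mailbox.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, rt_addr = parseaddr(str(reply_to))
        if rt_addr.lower() != from_addr:
            findings.append(f"Reply-To {rt_addr} differs from From {from_addr}")

    # 3. Bounces would go to a domain other than the visible sender's.
    return_path = msg.get("Return-Path")
    if return_path:
        _, rp_addr = parseaddr(str(return_path))
        if _domain(rp_addr) != _domain(from_addr):
            findings.append(f"Return-Path domain {_domain(rp_addr)} differs "
                            f"from From domain {_domain(from_addr)}")

    # 4. The receiving gateway recorded a DMARC failure for the From domain.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "dmarc=fail" in auth:
        findings.append("Authentication-Results reports dmarc=fail")

    return findings


# Constructed impersonation attempt: right name, wrong everything else.
BEC_SAMPLE = """\
Return-Path: <bounce@mailer-relay.test>
Authentication-Results: mx.example-corp.test; dmarc=fail header.from=freemail.test
From: Jane Doe <jane.doe.ceo@freemail.test>
Reply-To: jane.doe.ceo@another-freemail.test
To: finance@example-corp.test
Subject: Quick favour before my next meeting

Are you at your desk? I need something handled today and can't take calls.
"""

# Constructed legitimate message from the same executive.
LEGIT_SAMPLE = """\
From: Jane Doe <jane.doe@example-corp.test>
To: finance@example-corp.test
Subject: Q3 numbers

Thanks for the summary, looks good.
"""

if __name__ == "__main__":
    for finding in analyse_headers(BEC_SAMPLE):
        print("-", finding)
```

None of these checks fires on a message sent from a genuinely compromised executive mailbox, which is exactly why the article pairs technical controls with an out-of-band verification habit for unusual requests.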

HR and IT service desk spoofing

“Your password expires today. Click here to update it.” These messages exploit routine IT procedures. When they look identical to real IT communications, most people comply automatically.

Fake HR notifications

Salary updates, benefits enrolment windows, or changes to paid leave — anything that triggers an emotional response (excitement about a raise, anxiety about losing benefits) works well as a lure.


The Signals That Still Reveal a Phishing Email

Even AI-polished emails leave clues. Train yourself to look for these:

The domain is almost right, but not quite. paypal-support.com, microsoft365-login.net, amazon-verify.co — attackers register domains that look plausible at a glance. Before clicking anything, hover over the link and read the full domain carefully. The part that matters is the name immediately before the top-level domain (the .com or .net): a real brand name appearing further left, as a subdomain, says nothing about who owns the site.
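The "hover and read the domain" habit can be automated for the links in a suspicious message. The following added example (not code from the original post) reduces each link to its registrable domain, compares it against a constructed allowlist of the domains a brand really uses, and flags the three lookalike patterns mentioned on this page: a brand name embedded in an unrelated registered domain (paypal-support.com, microsoft365-login.net, amazon-verify.co), a one-character typo of the real name (microsofft.com from the opening story), and the real brand placed in a subdomain of a domain the brand does not own. TRUSTED_DOMAINS, MAX_EDITS and the sample email body are constructed, and the suffix handling is a deliberately small stand-in for a full Public Suffix List.

```python
"""Heuristic check for lookalike link domains in a suspicious email.

Added example, not code from the original post. TRUSTED_DOMAINS and the
sample message below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Constructed allowlist: the registrable domains each brand really uses.
TRUSTED_DOMAINS = {
    "microsoft": {"microsoft.com", "office.com"},
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com", "amazon.co.uk"},
}

# Typosquats are usually one character away from the real name (microsofft,
# micros0ft). Raising this catches more but also flags unrelated names.
MAX_EDITS = 1


def registrable_domain(hostname: str) -> str:
    """Owner-controlled part of a hostname: 'login.microsoft.com' -> 'microsoft.com'.
    Assumption: no Public Suffix List, so two-level suffixes such as 'co.uk'
    are recognised only by a small fixed rule."""
    labels = hostname.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and labels[-2] in {"co", "com", "org", "net", "ac"}
            and len(labels[-1]) == 2):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (simple dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> dict:
    """Classify a link as 'trusted', 'lookalike' or 'unknown', with a reason."""
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    base = reg.split(".")[0]  # the label the sender actually registered
    result = {"host": host, "registrable": reg}

    for brand, trusted in TRUSTED_DOMAINS.items():
        if reg in trusted:
            return {**result, "verdict": "trusted", "brand": brand}

    for brand, trusted in TRUSTED_DOMAINS.items():
        # paypal-support.com, microsoft365-login.net: brand name embedded in
        # an unrelated registered domain.
        if brand in reg:
            return {**result, "verdict": "lookalike",
                    "reason": f"contains '{brand}' but is not a {brand} domain"}
        # microsofft.com: one typo away from the real name.
        for t in trusted:
            if edit_distance(base, t.split(".")[0]) <= MAX_EDITS:
                return {**result, "verdict": "lookalike",
                        "reason": f"'{base}' is a near-miss of '{t}'"}
        # microsoft.com.verify-login.net: the real brand appears only as a
        # subdomain of a domain the brand does not own.
        if brand in host:
            return {**result, "verdict": "lookalike",
                    "reason": f"'{brand}' appears only in a subdomain of {reg}"}

    return {**result, "verdict": "unknown"}


def scan_links(text: str) -> list:
    """Find http(s) URLs in an email body and classify each one."""
    urls = re.findall(r"https?://[^\s<>\"')]+", text)
    return [classify_url(u) for u in urls]


# Constructed sample body echoing the "payment failed" lure from the opening.
SAMPLE_BODY = """Your subscription payment failed. Update your card at
https://microsofft.com/billing within 24 hours, or sign in via
https://login.microsoft.com/ to review the invoice."""

if __name__ == "__main__":
    for r in scan_links(SAMPLE_BODY):
        print(r["verdict"], r["host"], r.get("reason", ""))
```

An "unknown" verdict only means the domain is not on the allowlist and resembles none of the listed brands; it is not a clean bill of health. The edit-distance rule is a heuristic and will occasionally flag an unrelated but similarly spelled name, which is why the result carries a reason a reviewer can read rather than a bare block decision.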

The request is unusual for the sender. Your IT department doesn’t ask for your password. Your CEO doesn’t request gift card codes. HR doesn’t ask you to verify your salary via a third-party link. Anything that deviates from normal process is worth a phone call before you act.

There’s urgency or consequences for not acting. “Your account will be closed.” “Respond within 2 hours.” “Failure to act will result in suspension.” Pressure is a manipulation tactic. Legitimate services give you time.

The greeting is generic or oddly specific. “Dear valued customer” signals a mass blast. But also be suspicious of hyper-specific openings that include your job title, company, and a recent event — this could be AI-researched targeting.

You weren’t expecting it. A delivery notification when you haven’t ordered anything. A payment failure for a service you don’t use. A document shared by someone you don’t know. If you didn’t initiate it, be suspicious.


What to Do If You Receive a Suspicious Email

  1. Don’t click any links or open attachments. A sophisticated phishing site can download malware the moment you land on it — before you’ve typed a single character.

  2. Don’t reply to the email. The attacker receives a confirmation that your address is active.

  3. Verify through a different channel. If the email is from your bank, call the number on the back of your card. If it’s from a colleague, walk over or message them on Slack. Never use contact information in the suspicious email.

  4. Report it. Most email providers have a “report phishing” button. Use it — it helps protect other people.

  5. Tell your IT or security team. Even if you didn’t click, they want to know the attack is circulating.


The Bigger Problem: Why Filters Can’t Solve This Alone

Email security tools — spam filters, anti-phishing gateways, domain reputation checks — are genuinely useful and catch a large volume of attacks. But they’re in an arms race with attackers who update their techniques specifically to evade them.

When an AI can write a new, unique, contextually relevant email every time, signature-based filters struggle. When the phishing site lives on a brand-new domain with a clean reputation, URL blocklists don’t help. When the email comes from a compromised but legitimate email account, sender verification fails to flag anything, because the message genuinely was sent from that account and every authentication check passes.

This doesn’t mean filters aren’t worth having — they absolutely are. It means they’re not enough on their own.

The most resilient defence remains human judgement, paired with clear processes for handling unusual requests.


Protecting Your Organisation

If you run a business, three practical steps have the highest return on investment against phishing:

Multi-factor authentication (MFA) on every account. Even if a phishing attack steals a password, MFA means the attacker can’t use it without a second factor. It doesn’t prevent the click — it limits the damage. Where you have the choice, prefer phishing-resistant factors such as hardware security keys or passkeys: a one-time code typed into a fake login page can be captured just like the password, whereas a security key will not sign in to a domain it was never registered with.

Regular phishing simulation training. Services exist that send realistic fake phishing emails to your staff and track who clicks. The goal isn’t punishment; it’s awareness and habit-building.

A clear escalation path. Employees need to know who to call when they suspect something. If there’s no obvious answer, they’ll either ignore it or make the decision alone — neither is good.

If you’d like a security assessment or help building a phishing awareness programme, get in touch with our team.
