When the Cybercriminal Understands Prompt Engineering: AI and the New Face of Social Engineering

July 28, 2025 | Cybersecurity, Anti-Phishing, AI

Written by Chris Speight

You’ve seen them before: the clumsy emails with dodgy grammar, a vague sense of urgency, and a request to “click here immediately or lose access to your account.” For years, phishing emails were mostly laughable: easily spotted and discarded. Those days are fast disappearing.

Thanks to generative AI, phishing has evolved. What used to take time, skill, and trial-and-error can now be done in minutes - with terrifying precision. And unlike your average con artist, AI doesn't sleep, doesn't get sloppy, and never forgets a name.

Let’s pull back the curtain and look at how this next-gen phishing works.

Step One: Open-Source Reconnaissance on Steroids

Forget hours of Googling or trawling Facebook manually. Today’s attackers let AI handle reconnaissance: scrapers and AI agents pull LinkedIn profiles to map out org charts, job roles, and communication styles, then cross-reference them with company blogs, press releases, GitHub repos, leaked breach data, or even forum posts.

The AI builds a picture: Jane in Finance just returned from maternity leave. The CEO is in Singapore for a conference. Last week, the company posted a blog about a new product launch. These breadcrumbs aren’t just data points - they’re ammunition.

Step Two: Crafting the Killer Prompt

Once the AI has a dossier on its target, the attacker becomes a prompt engineer, feeding it a cleverly worded instruction like:

"Write a professional-sounding email from the CEO of a tech company to the head of finance, requesting urgent payment to a new vendor. Mention the CEO's recent trip to Singapore and reference the latest product launch."

The result? An email that looks exactly like something the CEO would send. The style matches. The timing makes sense. The urgency is subtle but effective. And crucially, there are no spelling mistakes or awkward phrasing to raise red flags.

If you’re thinking, “But surely AI can’t know who we buy from?”, don’t count on it. If you’ve ever discussed suppliers publicly, mentioned new vendors in trade press, or had that data exposed in a breach, then it might.

Step Three: Scaling the Attack

AI doesn’t have to stop at one email. Once the prompt is dialled in, it can generate a hundred bespoke versions - each tailored to a specific recipient. One for HR referencing a job application. One for IT pretending to be a password reset. One for Legal, quoting an actual client.

This isn’t phishing anymore. It’s spear phishing at scale - hyper-personalised, relentless, and cheap to deploy.

How Do We Fight Back?

What do we do when the enemy writes better emails than our CEO?

The answer isn’t a single silver bullet - it’s layered, deliberate, and yes, a bit uncomfortable. Awareness training still matters a lot, but it needs to move past just the basics. People need to see the kind of AI-generated phishing content that’s out there now - not just laughably bad Nigerian prince emails, but the sharp, convincing kind that could pass for a message from a trusted colleague.

Technical defences play a vital role too, but they must go beyond basic spam filters. AI-written messages contain none of the spelling and grammar errors that older filters keyed on, so email gateways and threat detection systems need to analyse context, behaviour, and intent, not just keywords and known signatures: whether the sender actually passed SPF, DKIM and DMARC for the domain it claims, whether an executive’s display name sits on an external or look-alike address, whether Reply-To points somewhere other than From, whether this is the first message ever received from that sender, and whether the request involves a payment, a new supplier or a change to bank details.
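As an added illustration (this is example code written for this page, not code from the article, its author or any product it mentions), here is a small scoring routine in Python that weighs sender context and behaviour alongside wording rather than relying on keywords alone. The organisation domain, the executive list, the known-sender list, the score weights and thresholds, and the two sample messages are all constructed for the demo; a real gateway would draw the same signals from its authentication results and mail history.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (constructed for this example, not from the article): the defended
# organisation's domain, executives whose names an attacker would borrow, and
# addresses the recipient has previously corresponded with.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"alex carter": "alex.carter@example.com"}
KNOWN_SENDERS = {"alex.carter@example.com", "jane.doe@example.com"}

# Intent signal: payment and urgency wording. Deliberately only one factor among
# several, because a flawlessly written message gives a pure keyword filter little to bite on.
PAYMENT_INTENT = re.compile(
    r"\b(urgent(?:ly)?|today|asap|new vendor|wire|transfer|bank details|invoice|payment)\b",
    re.IGNORECASE,
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(raw: str) -> dict:
    """Return a risk score, verdict and the reasons behind it for one RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    auth = msg.get("Authentication-Results", "").lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    score, reasons = 0, []

    # Context: a known executive's display name on an address that is not theirs.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr != expected:
        score += 40
        reasons.append("executive display name on a non-executive address")
    # Context: sender domain is a near-miss of our own (one or two characters changed).
    if domain and domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) <= 2:
        score += 30
        reasons.append(f"sender domain {domain!r} resembles {ORG_DOMAIN!r}")
    # Context: our own domain is claimed but the receiving MTA recorded no DMARC pass.
    if domain == ORG_DOMAIN and "dmarc=pass" not in auth:
        score += 30
        reasons.append("internal domain without DMARC pass")
    # Behaviour: replies are steered to a different mailbox.
    if reply_addr and reply_addr.lower() != addr:
        score += 20
        reasons.append("Reply-To differs from From")
    # Behaviour: first contact from this address.
    if addr not in KNOWN_SENDERS:
        score += 10
        reasons.append("no prior correspondence with sender")
    # Intent: two or more distinct payment/urgency cues in the body.
    cues = {m.lower() for m in PAYMENT_INTENT.findall(body)}
    if len(cues) >= 2:
        score += 15
        reasons.append("payment/urgency language: " + ", ".join(sorted(cues)))

    verdict = "quarantine" if score >= 50 else "flag" if score >= 25 else "deliver"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample messages. The first mirrors the article's CEO-fraud scenario
# and contains no spelling mistakes; the second is a routine internal note.
CEO_FRAUD = """\
From: Alex Carter <alex.carter@examp1e.com>
Reply-To: alex.carter.ceo@mail-example.net
To: jane.doe@example.com
Subject: New vendor payment
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dmarc=none

Hi Jane, I'm still in Singapore after the conference. Following the product launch
we onboarded a new vendor and their first invoice needs settling today. Please make
the payment urgently and send me the confirmation. Thanks, Alex
"""

LEGIT_INTERNAL = """\
From: Alex Carter <alex.carter@example.com>
To: jane.doe@example.com
Subject: Launch retro
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass header.from=example.com

Hi Jane, can we find thirty minutes next week to go over the launch numbers? Alex
"""

if __name__ == "__main__":
    for name, raw in (("ceo_fraud", CEO_FRAUD), ("legit_internal", LEGIT_INTERNAL)):
        result = score_message(raw)
        print(f"{name}: {result['verdict']} (score {result['score']}) {result['reasons']}")
```

The fraud sample is quarantined on context and behaviour alone (executive name on a look-alike domain, diverted Reply-To, first contact) before its wording is even considered, while the genuine message from the real executive scores zero. Weights and thresholds here are illustrative; in practice they are tuned against the organisation's own mail history.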

Then there’s culture: the human layer. Encourage habits like verifying unusual requests through a second channel, not just clicking “Reply”: a phone call to a number already on file, a walk to the person’s desk, or a message in the corporate chat system, and never a number or link supplied in the email itself. Make out-of-band verification a required step for any new supplier, changed bank details or urgent payment, so that pushing back on “the CEO” is procedure rather than bravery. Instil a sense of healthy scepticism, without grinding everyone down with paranoia.

It’s not about being afraid of your inbox. It’s about knowing that behind every subject line might be a machine with access to everything you’ve ever publicly shared. That’s the real threat: not that the phishing emails are getting better, but that they now know you.

Welcome to the age of personalised deception. Keep your wits about you, because the old red flags are disappearing.
