How generative AI is supercharging phishing
Generative AI has quietly removed the two biggest bottlenecks in phishing: writing convincing copy and doing it at scale. What used to require a fluent human writer and hours of research can now be produced in seconds, in any language, tailored to a specific target.
What actually changed
For years, the classic "tells" of a phishing email were linguistic: awkward grammar, odd phrasing, generic greetings. Large language models erase all three. An attacker can now generate a flawless message in dozens of languages, mirror a company's tone, and adapt the register for a CFO versus a helpdesk technician.
The important shift is cost per convincing message. When crafting a bespoke lure costs almost nothing, attackers move from spray-and-pray to high-volume, high-quality targeting.
Concrete attacker workflows
- Reconnaissance at scale. LLMs summarise a target's LinkedIn history, recent press releases, and GitHub activity into a one-paragraph pretext.
- Spear-phishing personalization. Given a name, role, and employer, a model drafts a message referencing a plausible internal project or a recent org change.
- Business Email Compromise (BEC). Models replicate an executive's writing style from a handful of public samples, producing wire-transfer requests that read authentically.
- Multilingual campaigns. A single template is localized into 20 languages with correct idiom, defeating "the English was off" as a signal.
- Conversational follow-up. Attackers wire an LLM behind a mailbox so replies are handled automatically, sustaining a believable thread over days.
Beyond email: voice and video
The threat is no longer text-only.
- Voice cloning needs only seconds of reference audio (from a webinar, earnings call, or voicemail) to synthesise a convincing vishing call.
- Deepfake video has already been used in live meetings — the 2024 Arup case saw an employee wire roughly $25M after a video call populated entirely with synthetic "colleagues."
Why traditional detection struggles
Legacy filters lean on signatures, known-bad URLs, and repeated content fingerprints. AI-generated campaigns undercut all of these:
- Every message is unique, so content-hash and template matching fail.
- Copy is grammatically perfect, so heuristic "spammy language" scoring drops.
- Infrastructure is fresh and rotated, so domain and IP reputation lags.
Detection increasingly has to rely on behavioural and structural signals instead of content.
Signals that still work:
- Authentication: SPF, DKIM, DMARC alignment (p=reject)
- Display-name vs. envelope/From mismatch
- Newly registered or look-alike sending domains
- Anomalous reply-to / return-path routing
- First-contact + urgency + payment/credential ask
What defenders should do now
Harden authentication. Enforce DMARC at p=reject on your own domains, and prefer phishing-resistant MFA (FIDO2/WebAuthn passkeys) so that even a perfectly cloned login page cannot replay credentials.
Shift training away from spelling. "Look for bad grammar" is dead advice. Teach staff to verify requests — out-of-band confirmation for payments and credential resets, regardless of how polished the message is.
Assume voice and video can lie. Establish a code-word or callback-number process for high-value financial and access requests.
Instrument reporting. A one-click "report phishing" button that feeds your SOC is more valuable than ever, because human suspicion is now one of the few signals that scales with the attack.
The defensive goal is no longer to spot the fake by its flaws. It is to make the action the attacker wants impossible or reversible — through authentication, out-of-band verification, and phishing-resistant credentials.
How GottaPhish helps
AI now lets attackers craft flawless, personalized lures that defeat the "spot the typo" habits employees were once taught. GottaPhish and its expert support team help you meet exactly that threat: AI-personalized simulations tailored to each recipient's role, language and context, with dashboards showing which teams engage the most sophisticated lures. Our experts assist with setup, design realistic scenarios, help you interpret the results, and support rollout of phishing-resistant MFA (FIDO2/passkeys) so a click no longer means a compromise — measuring resilience against today's threat, not the phishing of five years ago.
