← All articles

How generative AI is supercharging phishing

GottaPhish Team · April 1, 2026

Generative AI has quietly removed the two biggest bottlenecks in phishing: writing convincing copy and doing it at scale. What used to require a fluent human writer and hours of research can now be produced in seconds, in any language, tailored to a specific target.

What actually changed

For years, the classic "tells" of a phishing email were linguistic: awkward grammar, odd phrasing, generic greetings. Large language models erase all three. An attacker can now generate a flawless message in dozens of languages, mirror a company's tone, and adapt the register for a CFO versus a helpdesk technician.

The important shift is cost per convincing message. When crafting a bespoke lure costs almost nothing, attackers move from spray-and-pray to high-volume, high-quality targeting.

Concrete attacker workflows

Beyond email: voice and video

The threat is no longer text-only.

Why traditional detection struggles

Legacy filters lean on signatures, known-bad URLs, and repeated content fingerprints. AI-generated campaigns undercut all of these:

Detection increasingly has to rely on behavioural and structural signals instead of content.

Signals that still work:
- Authentication: SPF, DKIM, DMARC alignment (p=reject)
- Display-name vs. envelope/From mismatch
- Newly registered or look-alike sending domains
- Anomalous reply-to / return-path routing
- First-contact + urgency + payment/credential ask

What defenders should do now

Harden authentication. Enforce DMARC at p=reject on your own domains, and prefer phishing-resistant MFA (FIDO2/WebAuthn passkeys) so that even a perfectly cloned login page cannot replay credentials.

Shift training away from spelling. "Look for bad grammar" is dead advice. Teach staff to verify requests — out-of-band confirmation for payments and credential resets, regardless of how polished the message is.

Assume voice and video can lie. Establish a code-word or callback-number process for high-value financial and access requests.

Instrument reporting. A one-click "report phishing" button that feeds your SOC is more valuable than ever, because human suspicion is now one of the few signals that scales with the attack.

The defensive goal is no longer to spot the fake by its flaws. It is to make the action the attacker wants impossible or reversible — through authentication, out-of-band verification, and phishing-resistant credentials.

How GottaPhish helps

AI now lets attackers craft flawless, personalized lures that defeat the "spot the typo" habits employees were once taught. GottaPhish and its expert support team help you meet exactly that threat: AI-personalized simulations tailored to each recipient's role, language and context, with dashboards showing which teams engage the most sophisticated lures. Our experts assist with setup, design realistic scenarios, help you interpret the results, and support rollout of phishing-resistant MFA (FIDO2/passkeys) so a click no longer means a compromise — measuring resilience against today's threat, not the phishing of five years ago.