
AI-Powered Phishing Is Here. Your Staff Isn't Ready.


For years, we've told staff to watch for phishing red flags: poor grammar, spelling errors, awkward phrasing, generic greetings. "Dear Valued Customer" with three typos was easy to spot. Those days are ending.

ChatGPT and similar AI language models can generate grammatically perfect, contextually appropriate, personalized phishing emails in seconds. In any language. At any reading level. With industry-specific terminology. The traditional signs of phishing are disappearing.

What AI Phishing Looks Like

An AI-generated phishing email targeting a dental practice might read:

"Hi Sarah, I hope your Tuesday is going well. I wanted to follow up on the Dentrix update we discussed last week. We've released a patch that addresses the scheduling sync issue you reported. Could you download and install it from the link below before end of day? We want to make sure it's applied before the weekend. Thanks, Mike - Henry Schein Technical Support"

No typos. Correct product names. Appropriate tone. Personalized greeting. Specific enough to seem legitimate. This is what AI makes trivially easy to generate at scale.

Why Traditional Training Falls Short

  • "Look for bad grammar" - AI doesn't make grammar mistakes
  • "Watch for generic greetings" - AI can personalize every email using publicly available information
  • "Be suspicious of urgent requests" - AI can craft subtle, non-urgent pretexts that feel routine
  • "Check for spelling errors" - AI spells perfectly in every language

What Still Works

AI makes phishing emails look better. It doesn't change the fundamental attack mechanics. These detection methods still work:

  1. Verify the sender's actual email address. AI can write perfect English but can't change the sender's domain. Check the full email address, not just the display name.
  2. Don't click links in emails. Navigate directly. If your vendor emails you about an update, go to their website directly. Don't use the link in the email.
  3. Verify through a separate channel. Got an email from a vendor about a change? Call them at the number on their website. Got an email from a colleague with an unusual request? Walk over and ask.
  4. Be suspicious of any request involving credentials, money, or data. Regardless of how well-written the email is.
  5. Use email authentication. SPF, DKIM, and DMARC help verify that emails actually came from the claimed sender's domain.
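Items 1 and 5 above can be turned into a mail-gateway or help-desk check: compare the display name against the real sender domain, and read the spf/dkim/dmarc verdicts the receiving server recorded in the Authentication-Results header. This is an added example written for this post, not code from the blog or any vendor; the raw message, the "henryschein-support.example" sender, and the "henryschein.example" trusted domain are constructed placeholders.

```python
"""Flag mail whose display name claims a known vendor while the actual
sender domain or the server's authentication verdicts do not back it up."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message modelled on the "Dentrix patch" lure above.
# Domains ending in .example are reserved placeholders, not real senders.
RAW_EMAIL = """\
Authentication-Results: mx.example-dental.test;
 spf=fail smtp.mailfrom=henryschein-support.example;
 dkim=none; dmarc=fail header.from=henryschein-support.example
From: Henry Schein Technical Support <mike@henryschein-support.example>
To: sarah@example-dental.test
Subject: Dentrix patch for the scheduling sync issue

Hi Sarah, please install the patch from the link below before end of day.
"""

# Hypothetical allow-list of domains the practice expects vendor mail from.
TRUSTED_VENDOR_DOMAINS = {"henryschein.example"}


def sender_domain(msg):
    """Return (display_name, address, domain) parsed from the From: header."""
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, addr.lower(), domain


def auth_results(msg):
    """Extract the spf/dkim/dmarc verdicts from Authentication-Results."""
    hdr = str(msg.get("Authentication-Results", ""))
    verdicts = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", hdr)
        verdicts[mech] = m.group(1).lower() if m else "none"
    return verdicts


def assess(raw):
    """Return the sender facts plus a list of human-readable warnings."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr, domain = sender_domain(msg)
    auth = auth_results(msg)
    findings = []
    if domain not in TRUSTED_VENDOR_DOMAINS:
        findings.append(f"display name '{name}' but sender domain is {domain}")
    if auth["spf"] != "pass" and auth["dkim"] != "pass":
        findings.append("neither SPF nor DKIM passed for this message")
    if auth["dmarc"] != "pass":  # a spoofed From: domain shows up here
        findings.append(f"DMARC result: {auth['dmarc']}")
    return {"from": addr, "domain": domain, "auth": auth, "findings": findings}


if __name__ == "__main__":
    for warning in assess(RAW_EMAIL)["findings"]:
        print("WARNING:", warning)
```

A message that passes every check but comes from an unfamiliar domain still gets the first warning, which is the point of item 1: a clean-looking email is not the same as a verified sender.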

Updated Training for the AI Era

Your security awareness training needs to evolve:

  • Stop emphasizing grammar and spelling as primary indicators
  • Focus on behavioral verification: verify requests through separate channels
  • Emphasize the sender's email address and domain
  • Train staff to hover over links and check URLs before clicking
  • Run phishing simulations using AI-generated emails to test realistic scenarios

AI is making phishing more dangerous. But the defense was never about spotting typos. It was about verifying before trusting. That principle is more important than ever.