Phishing attacks have become significantly harder to detect in 2026. AI tools now allow attackers to generate personalised, grammatically perfect emails at scale — the days of obvious spelling mistakes and broken English are largely over. This guide explains what AI-powered phishing looks like and how to protect yourself.
What Has Changed
Traditional phishing emails were easy to spot: poor grammar, generic greetings (“Dear Customer”), obviously fake sender addresses, and implausible scenarios. For years, security awareness training told people to look for exactly these signs.
AI has removed most of these tells. Modern phishing emails can be:
- Perfectly written in fluent, natural English (or any language)
- Personalised with your name, employer, role, and recent activity scraped from LinkedIn and social media
- Generated in seconds at scale — attackers can send thousands of personalised emails for the cost of a few pounds of API credits
- Timed to match real events (“Following up on your recent purchase”, “Regarding your delivery tomorrow”)
What AI-Powered Phishing Looks Like
A realistic example targeting a small business employee:
“Hi Sarah, I hope you are well. I am following up on the invoice we discussed last week with your colleague James at the Manchester office. The payment deadline is tomorrow — could you process the attached invoice at your earliest convenience? I have also updated the bank details as our account has recently changed. Many thanks, David Richardson, Finance Director, [Legitimate-Looking Company Name]”
This email uses a real name, references a real colleague, mentions a real office location, creates urgency, and includes the classic “bank details have changed” fraud tactic — all generated from information scraped from LinkedIn in minutes.
Voice Cloning and Deepfake Attacks
Phishing is no longer limited to email. AI voice cloning can now replicate someone’s voice from a few seconds of audio — enough to fake a call from a colleague or manager. Reports of criminals impersonating CEOs or finance directors over the phone to authorise fraudulent transfers have increased significantly.
If you receive an unexpected call asking you to transfer money or share credentials — even if the voice sounds familiar — verify independently before acting.
How to Protect Yourself
Verify Separately Before Acting
Any email asking you to click a link, change bank details, approve a payment, or share credentials should be verified through a separate channel. Call the person directly using a number you already have — not one in the email.
Check the Actual Link, Not the Text
Hover over any link before clicking. The visible text might say “microsoft.com”, but the actual URL (shown at the bottom of your browser window when you hover) could be “micros0ft-login.com”. Never type credentials into a page you reached by clicking an email link; go directly to the site instead.
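The link check above can be automated on the receiving side. The following is an added example, not code from the original guide: it uses only Python's standard library to pull every link out of an HTML email body, flag links whose visible text names one host while the href points somewhere else, and flag hosts that imitate a trusted domain through digit-for-letter swaps (the “micros0ft” pattern). The allow-list of trusted domains and the sample HTML are constructed for the example.

```python
"""Flag email links whose visible text disagrees with where they really point.

Added example for this guide (not from the original article). The allow-list
and the sample HTML below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of domains the reader actually deals with.
TRUSTED_DOMAINS = {"microsoft.com", "example-bank.co.uk"}

# Digits commonly swapped in for letters in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lower-case host of a URL or bare domain ('' if there is none)."""
    if "://" not in value:
        value = "https://" + value
    return (urlparse(value).hostname or "").lower()


def looks_like_domain(text):
    """True when the visible link text is itself a URL or domain name."""
    token = text.strip()
    if not token or any(ch.isspace() for ch in token):
        return False
    return bool(DOMAIN_RE.match(host_of(token)))


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def brand_lookalike(host):
    """Trusted domain this host imitates once digit swaps are undone, else None."""
    if is_trusted(host):
        return None
    normalised = host.translate(HOMOGLYPHS)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in normalised:
            return trusted
    return None


def suspicious_links(html):
    """Return [(href, text, [reasons])] for links that deserve a second look."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        reasons = []
        if looks_like_domain(text) and host_of(text) != target:
            reasons.append(f"visible text says {host_of(text)} but the link goes to {target}")
        imitated = brand_lookalike(target)
        if imitated:
            reasons.append(f"{target} imitates trusted domain {imitated}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample of a phishing email body.
SAMPLE_HTML = """
<p>Your account needs attention. Sign in at
<a href="https://micros0ft-login.com/verify">microsoft.com</a> within 24 hours.</p>
<p>Questions? <a href="https://support.microsoft.com/help">Visit support</a>.</p>
<p><a href="https://example-bank.co.uk.secure-update.net/login">https://example-bank.co.uk</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_HTML):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

Two of the three sample links are reported: the first because its text and target disagree and its host imitates a trusted brand, the third because the trusted name is only a prefix of a longer, unrelated host. The genuine support link passes both checks. The homoglyph table is deliberately small; a production filter would also normalise Unicode confusables and punycode hosts.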
Use a Password Manager
Password managers only auto-fill on the exact domain they saved credentials for. If you land on a fake site, your password manager will not fill in your credentials — a reliable safety net against convincing fakes.
Enable Multi-Factor Authentication
Even if a phishing attack captures your password, MFA means the attacker still cannot access your account without the second factor. Enable MFA on all important accounts, especially email.
Be Suspicious of Urgency
Urgency is a manipulation technique — “act now”, “within 24 hours”, “immediate action required”. Legitimate organisations rarely demand instant action on sensitive matters. Slow down when pressure is applied.
Report Suspicious Emails
In the UK, forward suspicious emails to [email protected]. In Outlook, use the Report Phishing button. Reporting helps protect others.
For Businesses: What to Do
- Update security awareness training to reflect AI-generated attacks — old training showing typo-riddled emails is no longer sufficient
- Implement a verbal verification policy for any financial transfers, even for internal requests
- Use email authentication (SPF, DKIM, DMARC) to reduce spoofing of your own domain
- Consider a “safe word” system for verifying urgent requests from senior staff
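For the SPF, DKIM and DMARC item above, here is an added example (not from the original guide, and not any particular mail server's code) showing how DMARC alignment turns those checks into a verdict: a message can pass SPF and DKIM for some sender's domain and still fail DMARC, because neither authenticated domain aligns with the From: address the recipient sees, which is exactly the spoofing case the policy exists to stop. The Authentication-Results headers, domains and the DMARC record are constructed; the organisational-domain helper uses a tiny stand-in for the Public Suffix List.

```python
"""DMARC alignment check over constructed headers.

Added example for this guide (not from the original article and not any
mail server's code). Headers, domains and the DMARC record are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Tiny stand-in for the Public Suffix List; a real check uses the full list.
TWO_LABEL_SUFFIXES = {"co.uk", "gov.uk", "org.uk", "ac.uk"}


def org_domain(domain):
    """'mail.example-company.co.uk' -> 'example-company.co.uk'."""
    labels = domain.lower().split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def aligned(auth_domain, from_domain, strict):
    """DMARC identifier alignment: exact match (strict) or same org domain (relaxed)."""
    if not auth_domain:
        return False
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_authentication_results(value):
    """'authserv; spf=pass smtp.mailfrom=x; dkim=pass header.d=y' -> {method: {...}}."""
    results = {}
    for clause in value.split(";")[1:]:          # clause 0 is the authserv-id
        clause = clause.strip()
        if "=" not in clause:
            continue
        method, _, rest = clause.partition("=")
        words = rest.split()
        entry = {"result": words[0] if words else ""}
        entry.update(re.findall(r"(\S+?)=(\S+)", rest))   # e.g. smtp.mailfrom=x
        results[method.strip().lower()] = entry
    return results


def parse_dmarc_record(txt):
    """'v=DMARC1; p=reject; adkim=s' -> {'v': 'DMARC1', 'p': 'reject', 'adkim': 's'}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, val = part.strip().partition("=")
            tags[key.strip()] = val.strip()
    return tags


def dmarc_evaluate(raw_message, dmarc_record):
    """Apply the From: domain's DMARC policy to an already-authenticated message."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    auth = parse_authentication_results(msg["Authentication-Results"] or "")
    tags = parse_dmarc_record(dmarc_record)

    spf, dkim = auth.get("spf", {}), auth.get("dkim", {})
    spf_aligned = spf.get("result") == "pass" and aligned(
        spf.get("smtp.mailfrom", ""), from_domain, tags.get("aspf") == "s")
    dkim_aligned = dkim.get("result") == "pass" and aligned(
        dkim.get("header.d", ""), from_domain, tags.get("adkim") == "s")
    passed = spf_aligned or dkim_aligned   # DMARC needs at least one aligned pass
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": passed,
        "action": "deliver" if passed else tags.get("p", "none"),
    }


# Constructed DMARC record for the company's own domain: strict DKIM, relaxed SPF.
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example-company.co.uk; adkim=s; aspf=r"

# Constructed spoof: SPF and DKIM both pass, but for a bulk-sender domain, not the From: domain.
SPOOFED_MESSAGE = (
    'From: "Finance" <finance@example-company.co.uk>\n'
    "Subject: Updated bank details\n"
    "Authentication-Results: mx.example-company.co.uk; "
    "spf=pass smtp.mailfrom=bounce.bulk-sender.net; "
    "dkim=pass header.d=bulk-sender.net\n\n"
    "Please process the attached invoice today.\n"
)

# Constructed legitimate message: both identifiers align with the From: domain.
LEGITIMATE_MESSAGE = (
    'From: "Finance" <finance@example-company.co.uk>\n'
    "Subject: Invoice 1042\n"
    "Authentication-Results: mx.example-company.co.uk; "
    "spf=pass smtp.mailfrom=mail.example-company.co.uk; "
    "dkim=pass header.d=example-company.co.uk\n\n"
    "Invoice attached as discussed.\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, dmarc_evaluate(raw, DMARC_RECORD))
```

The spoofed message is rejected even though both SPF and DKIM report “pass”, because the passing identifiers belong to bulk-sender.net rather than the From: domain; the legitimate one is delivered because its SPF domain shares the organisational domain (relaxed alignment) and its DKIM signing domain matches exactly (strict alignment). Publishing p=reject only helps if your own legitimate mail streams are aligned first, which is why a p=none monitoring phase with rua reports normally comes before enforcement.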