AI · JAN 23, 2026
PHISHING IN THE AGE OF AI
Kishan Patel · 5 min read
For twenty years we trained people to spot phishing by its clumsiness. Broken grammar, strange greetings, obviously fake logos, a prince with a fortune to share. That advice built an entire generation of instincts, and that advice is now actively dangerous, because it taught people one fatal rule: if the message reads well, it is probably safe.
Large Language Models, the AI systems that generate fluent text on demand, have deleted the clumsiness. A modern lure is written in flawless, personalized language, in any tone, in any language, tuned to the exact context of the target. The tells we spent two decades teaching are gone. Which means we have to teach something harder and more durable: how to read the intent of a message rather than the quality of its writing.
The old tells are gone
Consider what a modern phishing message can now do without any special effort from the attacker. It can quote your real, current project by name, because that information is scattered across your public posts. It can mimic your manager writing style, scraped from their LinkedIn activity. It can arrive at exactly the believable hour, in your language, referencing a meeting you actually had. The grammar is perfect. The context is real. The request is the only thing that is fake.
Voice makes it worse. A thirty-second sample of someone speaking, easily harvested from a video or a voicemail greeting, is now enough to clone their voice convincingly. The urgent phone call from your CEO asking for a favor may not be your CEO at all. The face on the video call may be synthesized. The comfortable signals we relied on, a familiar voice, a fluent email, are no longer evidence of anything.
You can no longer detect the attacker by the quality of the message. You detect them by what the message is asking you to do.
What still gives them away
Here is the good news, and it is genuinely good. AI upgraded the words, but it cannot upgrade the underlying structure of the scam. Every phishing attack, no matter how polished, still needs the same three ingredients to succeed. Those ingredients are now your detection signals, and they are far more reliable than grammar ever was.
- Urgency that punishes verification. Right now, before the call ends, do not tell anyone, we only have a few minutes. Real, legitimate processes survive a ten-minute delay for a sanity check. Manufactured urgency exists specifically to stop you from pausing, because the pause is where the scam falls apart.
- Channel switching. An email that pushes you toward WhatsApp. A work call that moves to a personal account. Attackers want to pull you off monitored, logged, official rails and onto channels where there is no oversight and no record. A request to change communication channels is a bright red flag.
- Authority without process. Real finance teams have forms, approvals, and procedures. A fake CFO, the Chief Financial Officer whose authority the attacker is borrowing, has only feelings and deadlines. When someone senior asks you to skip the normal process because of who they are, the seniority is the weapon.
- Requests that bypass systems. Gift cards, cryptocurrency transfers, sudden changes to bank details, wire transfers to a new account. The specific payload changes with the season, but the shape is constant: move value in a way that is fast and hard to reverse.
Defense for the new era
If you cannot trust the content, you have to move trust somewhere the attacker cannot reach. That somewhere is a second channel you already trust independently. Call the known phone number, not the one in the message. Message the person on the internal system you already use. For any movement of money, agree on a verification step in advance, even a simple code word, and use it every time without exception.
This is called out-of-band verification, and it is the seatbelt of 2026. It feels slightly awkward, the way asking your own manager to confirm a request feels awkward. Do it anyway. The awkwardness lasts a moment. The alternative lasts a lot longer.
For teams, the shift is to stop training people to spot bad grammar and start drilling the behavior instead. Assume every message will be perfectly written. Run realistic simulations. And most importantly, reward the person who slowed down a suspicious CEO request, loudly and publicly, because the moment slowing down feels embarrassing is the moment your human defenses collapse.
Looking ahead
Real-time video deepfakes on conference calls have already moved from research demos to documented, real-world fraud. The question we used to ask, is this message fake, is quietly aging into a much stranger question: is this person real? As synthesis improves, the content of any single communication becomes less trustworthy, and process becomes the only thing that scales as a defense.
The comforting truth underneath all of this is that the attacker still has to ask you to do something, and that something still has the same suspicious shape it always had. Run the drill in your head today. If your boss voice called right now asking for an urgent transfer, what exactly is your verification step? If you hesitated even slightly, stop reading and go define that step. That single answer is worth more than any amount of grammar-spotting.
Next up · Security
OSINT YOURSELF BEFORE THEY DO



