Spot the difference: How AI is making phishing harder to detect 

Executive summary 

  • AI has fundamentally changed what phishing looks like: the bad grammar, generic greetings, and obvious red flags that staff were trained to spot are largely gone. 
  • Criminals are now using AI to craft hyper-personalised emails, clone the voices of executives, and even fake video calls with people your staff think they know. 
  • Defending against AI-powered phishing means combining the right technical tools with a culture of healthy scepticism – and making sure your staff know the rules have changed. 

Introduction 

Cast your mind back to the last time you received a phishing email. 

Chances are, you spotted it immediately. Maybe it was addressed to “Dear Customer” rather than your name. Maybe it was riddled with spelling mistakes, or the sender’s email address had a suspicious string of numbers in it. Or perhaps it just had that unmistakable whiff of something being “off”. 

For years, this is how we’ve taught people to identify phishing attacks. Look for the red flags. Trust your gut. If it seems dodgy, it probably is. 

The problem is that those red flags are disappearing. And the reason is artificial intelligence. 


How has AI changed phishing? 

Traditional phishing was a numbers game.  

Criminals would blast out millions of identical, poorly written emails and wait for a small percentage of recipients to click. The bad grammar wasn’t sloppiness – in some cases it was deliberate, designed to filter out anyone savvy enough to be suspicious, and target only the most vulnerable. 

But, as with many other areas of working life, AI has torn up that playbook entirely. 

With access to large language models (LLMs), criminals can now generate thousands of unique, perfectly written, highly personalised phishing emails in minutes. The AI scrapes your LinkedIn profile, your company website, your social media, and your press releases, and uses all of it to craft a message that sounds like it came from someone who genuinely knows you. It references your job title, your recent projects, your clients, and your colleagues by name. 

And the numbers bear out the risk. Recent research from Microsoft found that AI-generated phishing emails achieved a click-through rate of around 54%, compared to just 12% for traditional phishing. That is roughly four and a half times as effective, and the tooling behind it is only getting cheaper and easier to use. 


It doesn’t stop at email 

If AI-powered email phishing sounds alarming, the next developments are even more unsettling. 

Voice cloning (and vishing) has become frighteningly accessible. According to research by McAfee, just three seconds of audio is enough to create a convincing clone of someone’s voice. That audio might come from a YouTube video, a podcast appearance, a Teams recording, or even a voicemail. Once cloned, it can be used to make phone calls that sound exactly like your CEO, your finance director, or a trusted supplier. 

In one widely reported case in 2024, criminals targeted the CEO of advertising giant WPP, Mark Read: they cloned his voice, paired it with publicly available footage, and used it in a fake Teams meeting to try to persuade a senior colleague to share sensitive details and set up financial transactions. The voice sounded authentic. The call looked legitimate. The attempt failed only because the person on the receiving end became suspicious and stopped. 


What can you actually do about it?  

The good news is that this is a solvable problem – but it requires a bit of adjustment to both your technology and your company culture. Here are the 5 key steps to make that happen: 

  1. Retrain your team around the new reality. The “look for spelling mistakes” advice is outdated. Staff need to know that a perfectly written, highly personalised email is no longer evidence that it’s genuine. The same goes for phone calls and video meetings: a familiar voice or a familiar face is no longer a guarantee of authenticity. 
  2. Establish a verification culture. Any request involving money, credentials, or sensitive data should be verified through a separate channel before anyone acts on it, regardless of how legitimate it looks or sounds. If your “CFO” calls asking for an urgent transfer, hang up and call them back on the number in your internal directory, never on a number supplied in the message or by the caller, and never by replying to the same email thread or Teams chat. Write the callback rule into your payment and password-reset processes so it doesn’t depend on an individual remembering it under pressure. 
  3. Use the right technical defences. Microsoft Defender for Office 365 uses AI-powered analysis to detect suspicious patterns in emails, links, and attachments that traditional spam filters miss entirely, including impersonation of your own executives and domains. Plan 1 is already included with Microsoft 365 Business Premium and Plan 2 with Microsoft 365 E5; on E3 it is a paid add-on. Having the licence isn’t enough on its own: impersonation protection for named users has to be switched on and the policies checked. 
  4. Enable multi-factor authentication everywhere. Even if a phishing attack successfully harvests a password, MFA means that credential alone isn’t enough to get in. It’s one of the most effective things any business can do to reduce its exposure. Be aware that modern phishing kits can proxy a login page and capture one-time codes and push approvals in real time, so for executives, finance staff and administrators prefer phishing-resistant methods such as passkeys/FIDO2 security keys or Windows Hello for Business over SMS codes or app notifications. 
  5. Keep security awareness training up to date. Research shows that the effects of security training fade after around four months without reinforcement. Regular, scenario-based training that reflects the actual threats your team faces, including AI-generated emails and cloned voices, is significantly more effective than an annual tick-box exercise. 
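As an added example of steps 3 and 4 in practice (this is illustrative code written for this article, not Microsoft's own guidance or a script from the original page), the following PowerShell creates a Defender for Office 365 anti-phishing policy that protects named executives and the organisation's own domains from impersonation, then creates a Conditional Access policy requiring phishing-resistant MFA for an executives group. The display names, email addresses, domain, policy names and the group object ID are placeholders; it assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the account running it holds Exchange Administrator and Conditional Access Administrator roles.

```powershell
# Added example, not from the original article. All names, addresses and the
# group ID below are placeholders - replace them with your own values.

# --- Step 3: Defender for Office 365 impersonation protection ---
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Users attackers are most likely to imitate ("Display Name;email" format).
$protectedUsers = @(
    'Jane Doe;jane.doe@example.com',      # CEO (placeholder)
    'John Smith;john.smith@example.com'   # Finance Director (placeholder)
)
$policyName = 'Exec impersonation protection'   # placeholder policy name
$ourDomain  = 'example.com'                     # placeholder accepted domain

if (-not (Get-AntiPhishPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AntiPhishPolicy -Name $policyName `
        -EnableTargetedUserProtection $true `
        -TargetedUsersToProtect $protectedUsers `
        -TargetedUserProtectionAction Quarantine `
        -EnableOrganizationDomainsProtection $true `
        -TargetedDomainProtectionAction Quarantine `
        -EnableMailboxIntelligence $true `
        -EnableMailboxIntelligenceProtection $true `
        -MailboxIntelligenceProtectionAction Quarantine `
        -EnableSimilarUsersSafetyTips $true `
        -EnableSimilarDomainsSafetyTips $true `
        -EnableUnusualCharactersSafetyTips $true `
        -EnableFirstContactSafetyTips $true `
        -EnableSpoofIntelligence $true `
        -AuthenticationFailAction Quarantine `
        -PhishThresholdLevel 3          # 1 = standard ... 4 = most aggressive

    # A policy does nothing until a rule scopes it to recipients.
    New-AntiPhishRule -Name "$policyName rule" `
        -AntiPhishPolicy $policyName `
        -RecipientDomainIs $ourDomain
}

# Check: confirm impersonation protection is actually enabled on the policies
# that apply, not just on the one created above.
Get-AntiPhishPolicy |
    Select-Object Name, EnableTargetedUserProtection,
                  EnableMailboxIntelligenceProtection, PhishThresholdLevel |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false

# --- Step 4: require phishing-resistant MFA for executives ---
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Use the built-in "Phishing-resistant MFA" authentication strength
# (FIDO2/passkeys, Windows Hello for Business, certificate-based auth).
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object DisplayName -eq 'Phishing-resistant MFA'

$execGroupId = '<object ID of your executives security group>'   # placeholder

$caPolicy = @{
    displayName   = 'Require phishing-resistant MFA - executives'
    # Report-only first: review the sign-in logs for who would be blocked,
    # then change to 'enabled' once every executive has registered a passkey.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeGroups = @($execGroupId) }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $strength.Id }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy
```

The quarantine actions above are deliberate: a quarantined impersonation attempt is visible to administrators and can be released, whereas a message silently moved to Junk is easily rescued by the recipient it was aimed at. The Conditional Access policy starts in report-only mode so that rolling it out doesn't lock an executive out before they have registered a phishing-resistant method.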

          Don’t let your team fight yesterday’s threats 

          The phishing attacks targeting your business in 2026 look nothing like the ones your staff were trained to spot two or three years ago. The criminals have upgraded their tools, so your defences need to keep pace too. 

          Whether you want to review your Microsoft Defender configuration, talk through your MFA setup, or make sure your team is up to speed on the latest threats, we’re here to help. 

          Speak to your Get Support Customer Success Manager or call our friendly team on 01865 594 000.