The tell-tale signs are gone

For years we taught employees to spot phishing by its mistakes: clumsy grammar, generic "Dear Customer" greetings, odd-looking links. That advice is now dangerous, because the mistakes have disappeared.

Generative AI lets attackers produce flawless, context-aware messages at scale — in English, Hindi, Tamil, or any language your team speaks. The same tools that draft your marketing copy now draft the lure.

Three things AI changed about phishing

Perfect language, every time. No more spelling errors to catch. Messages read like they came from a colleague.

Personalisation at scale. Attackers scrape LinkedIn, company sites and social media to reference your real projects, managers and vendors — thousands of targets at once.

Conversation, not just a single email. AI chatbots sustain multi-turn exchanges, making voice phishing (vishing) and chat-based scams far more convincing.

When the message is flawless, the only reliable signal left is the request itself — not how it is written.

What modern awareness training must teach

The defence shifts from "spot the typo" to "verify the ask." Train people to pause on the *intent* behind a message:

Any request to move money, change bank details, or buy gift cards — verify through a second channel, always.
Urgency and secrecy are pressure tactics, not signs of importance.
A real, known sender does not make a request safe — accounts get compromised.
Report first, decide later. A fast report button beats a slow judgement call.

The bottom line

You can no longer outsource phishing defence to spell-check instincts. In 2026, a resilient organisation is one where every employee treats unusual *requests* with suspicion — regardless of how polished the message looks. That habit is built through continuous, realistic simulation, not an annual slideshow.