AI Phishing: Why Spotting Bad Grammar Is No Longer Enough

Just a few years ago, a fraudulent email was obvious at first glance: typos, awkward phrasing, a suspicious sender, and an unrealistic promise. Today it is written by a model trained on billions of texts. It knows your name, references your latest project, and knows what your boss is called. How do you defend against a threat the human eye can no longer see?


Traditional phishing was like a door-to-door salesman in a torn jacket. Obvious, clumsy, and easy to spot. AI phishing is like a well-dressed business partner who knows your goals, arrives at exactly the right moment, and speaks precisely your language.

This shift happened fast. And most companies haven't caught up yet.


The End of "Anyone Can Spot It"

For a long time, phishing attacks were successfully blocked by a combination of technology (spam filters, URL scanners) and employee common sense: don't click strange links, don't trust unknown senders, look for typos.

Generative AI has disrupted this balance from every direction at once.

Linguistically flawless messages. Large language models generate convincing text in Czech, Slovak, English, or any other language — without grammatical errors, without awkward phrasing, in your style and tone. A typo as a safety signal is no longer reliable.

Personalisation at scale. An attacker no longer needs to write each email by hand. An automated tool scans the target's LinkedIn profile, company website, public mentions, and social media — and generates hundreds of personalised messages in minutes. Each will reference a specific project, colleague, or recent event.

Spear phishing without manual effort. What previously required hours of research per target now takes seconds. Targeted attacks on specific individuals — CFOs, HR managers, system administrators — are now accessible even to less sophisticated attackers.


AI Phishing Beyond Email: Vishing and Deepfakes

The problem doesn't stop at the inbox. AI can now clone voices from just a few seconds of recording — a public video or a meeting recording is enough. Attackers are using this for vishing: calling an employee in a voice that sounds exactly like their boss or a trusted colleague, requesting an urgent payment transfer, login credentials, or other sensitive actions.

Deepfake video call incidents have also been documented, where an attacker posing as company leadership convinced employees to authorise bank transfers in the millions.

This is not science fiction. These are documented cases from 2024 and 2025.


What No Longer Works

Telling employees "watch for typos and don't trust unknown senders" is no longer enough.

A spam filter that blocks known malware signatures is not enough — AI-generated content doesn't have signatures.

A one-off annual training session where people click through 20 slides and go back to work is not enough.

What Actually Works

Effective defence in the age of AI phishing rests on three pillars:

1. Behavioural training, not memorising rules. Employees don't learn secure behaviour by reading a presentation. They learn it through repeated practice in realistic simulations. Good training includes simulated phishing campaigns tailored to your company — so that people experience an attack in a safe environment and know exactly how to respond when the real thing comes.

2. Verification processes outside the digital channel. Received an email from your CEO requesting an urgent payment? Before doing anything, call them on the phone. This simple procedure eliminates an enormous number of BEC (Business Email Compromise) attacks, deepfake scams, and AI phishing attempts. Processes — not technology — are the first line of defence.

3. A security culture, not just rules. Employees who understand why security works the way it does behave more securely — even without a checklist in front of them. This requires training tailored to each person's role in the company: the approach for a receptionist is different from the approach for a CFO, and different again for an IT administrator.


Simulate the Attack Before Someone Else Does

The best way to find out how your people respond to phishing is to try it — in a safe, controlled environment. A phishing simulation shows who clicked the link, who entered their credentials, and where the biggest training gaps are. Without that information, you don't know what to train on.

At CypherOn, we design Security Awareness programmes tailored to your company — from one-off team training sessions to long-term programmes that include phishing simulations, e-learning, and progress measurement over time. Because cybersecurity isn't a destination you reach once — it's a capability that needs to be continuously trained.


Or contact us directly — the initial consultation is free.


The Threat Has Changed. So Should Your Defence.

AI phishing isn't just a better version of an old problem. It's a qualitatively different threat that demands a qualitatively different response. Technology alone isn't enough — and neither is awareness training built on rules from the last decade.

Companies that recognise this early and invest in the genuine security culture of their people will be a significant step ahead. The rest will find out where they failed after an incident.