AI-powered phishing: why 'spot the typo' advice no longer works
AI has made phishing emails flawless. Why the old red flags are gone, and what actually protects your business now.
For years we told people to watch for typos and bad grammar. AI has made that advice dangerous.
The standard phishing advice — look for spelling mistakes, clumsy grammar, generic greetings — worked because attackers were often careless or writing in a second language. Generative AI has erased all of that. Today's phishing emails are flawless, perfectly on-brand, and personalised. The old red flags are gone, and relying on them now gives a false sense of safety.
What changed
Perfect writing.
AI produces grammatically flawless, professional emails in seconds, in any tone.
Personalisation at scale.
Attackers scrape public information and have AI craft messages to your name, role, and even recent activity.
Voice and video.
AI voice cloning means a phone call "from the boss" authorising a payment may not be the boss at all.
Speed.
Convincing campaigns that once took skill now take minutes, so there are far more of them.
Why "spot the fake" no longer works
You cannot reliably tell a good AI-written phishing email from a real one by reading it carefully — that is the whole point. When the content is perfect, scrutinising the wording is no longer a defence. The signal has moved from how the message is written to what it is asking and whether you expected it.
What actually protects you now
Multi-factor authentication.
Even if a perfect email steals a password, MFA stops it being enough to get in. This is the single most important control.
Verify out of band.
Any unexpected request involving money, payment details or credentials gets verified by calling a known phone number, never the contact details in the message.
Email security and monitoring.
Technical filtering catches much of the phishing, and a security operations centre (SOC) catches the account compromise that follows a successful attack.
A culture of "check, don't trust."
Staff who feel safe pausing to verify, rather than rushing to comply, are your strongest defence.
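The "verify out of band" rule above can be written down as a triage check that looks at what a message asks for and whether it was expected, not at how it is written. This is an added example, not from the original article; the directory, the expected-request list, the keyword patterns and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed data. Phone numbers come from the business's own records,
# never from the message being checked.
KNOWN_PHONES = {"ceo@example.com": "+61 3 5550 0101",
                "accounts@supplier.example": "+61 3 5550 0199"}
# Hypothetical: (sender, request type) pairs staff were told to expect.
EXPECTED = {("accounts@supplier.example", "money")}

# What the message asks for, not how well it is written.
SENSITIVE = {
    "money": r"\b(pay(ment)?|invoice|transfer|gift cards?)\b",
    "payment details": r"\b(bank details|bsb|account number|new account)\b",
    "credentials": r"\b(password|log ?in|sign ?in|verification code)\b",
}
PHONE = re.compile(r"\+?\d[\d ()-]{7,}\d")

def triage(raw):
    """Decide whether a plain-text email needs out-of-band verification."""
    msg = message_from_string(raw)
    sender = parseaddr(msg["From"])[1].lower()
    body = msg.get_payload()
    text = f"{msg['Subject']} {body}".lower()
    asks = [kind for kind, pat in SENSITIVE.items() if re.search(pat, text)]
    unexpected = [kind for kind in asks if (sender, kind) not in EXPECTED]
    return {
        "asks": asks,
        "verify": bool(unexpected),
        # None means no number on record: escalate, do not reply to ask.
        "call": KNOWN_PHONES.get(sender) if unexpected else None,
        # Contact details supplied by the message are treated as untrusted.
        "do_not_call": PHONE.findall(body) if unexpected else [],
    }

# Constructed sample message.
SAMPLE = """From: "Jo Chief" <ceo@example.com>
To: finance@example.com
Subject: Urgent supplier payment

Please transfer $48,200 to the new account today.
Call me on +61 400 555 010 if there are any questions.
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The From address is only used to look up whose known number to call, so a spoofed sender still leads to a call to the real person.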
The mindset shift
Stop teaching people to spot fakes and start teaching them to verify requests. The question is no longer "does this email look suspicious?" but "am I about to do something involving money or access that I did not expect — and have I confirmed it through a separate channel?" That shift, backed by MFA and monitoring, is what defends a business in the age of AI phishing. It is core to our managed cybersecurity approach.
Frequently asked questions
Why are phishing emails harder to spot now?
AI writes flawless, personalised emails, removing the typos and clumsy grammar that used to give phishing away.
Does the old "check for spelling mistakes" advice still work?
No. AI-written phishing has perfect spelling and grammar. Focus instead on whether a request is expected and verify it independently.
What is the best protection against AI phishing?
Multi-factor authentication, out-of-band verification of money and credential requests, email security, and monitoring — together.
Can attackers fake a phone call from my boss?
AI voice cloning makes this possible. Verify unusual requests through a known, separate channel, even if the voice sounds right.
Defend against modern phishing
Book a free IT & Cyber Security Review and we will check whether your defences match today's threats. Call 1300 053 948.