How Hackers Use AI To Make Phishing Emails Look Real

phishing, AI security, cybersecurity, social engineering, email scams, business email compromise, online safety

The Email That Almost Got My Friend Fired

My friend Sarah is sharp. She's been in finance for fifteen years, has seen every scam in the book, and rolls her eyes at people who click suspicious links. Last March, she almost wired $47,000 to a fake vendor because of an email that looked — and I mean exactly looked — like it came from her CFO.

The grammar was perfect. The tone was right. It even referenced a real internal project by name. She caught it at the last second because the CFO walked by her desk in person. That's the only reason she still has her job.

What Sarah encountered wasn't a Nigerian prince letter. It was an AI-generated spear-phishing email, and it's now the dominant threat in corporate fraud.


What AI Actually Does to a Phishing Email

Old phishing was obvious. Typos, weird phrasing, generic greetings like "Dear Valued Customer." Your brain flagged it because it felt off.

AI removes the "off." Tools like large language models can write in flawless English — or flawless Indonesian, French, or Tagalog — with zero tells. They can mimic your boss's actual writing style if they've scraped enough of their public emails, LinkedIn posts, or company communications.

According to IBM's X-Force Threat Intelligence Index, AI-assisted phishing campaigns now generate emails that are significantly more convincing than traditional ones, with open and click rates increasing substantially when messages are personalized and grammatically clean.

This isn't theoretical. The tools to do this are cheap, some are free, and they require almost no technical skill to operate.


The Personalization Problem

Here's the part most articles skip: the writing quality is only half the threat. The bigger danger is contextual accuracy.

AI doesn't just write well — it researches. An attacker can feed a model your LinkedIn profile, your company's press releases, your public Slack exports if they exist, your published interviews. The model then writes an email that references your actual job title, your real manager's name, a project you're actually working on, and a deadline that's plausible.

According to researchers at Stanford Internet Observatory, AI-enhanced social engineering attacks are particularly effective because they exploit familiarity and cognitive trust — our brains are wired to accept information that matches what we already know.

When an email knows things, we stop questioning whether the sender is legitimate. That's the exploit.


The Counterintuitive Part Nobody Talks About

Most security advice focuses on spotting bad emails. Check the sender address. Look for weird links. Don't download attachments.

That advice is mostly still useful — but here's what it misses: AI phishing is now optimized to pass exactly those checks.

The email address might be one character off (cfo@companyname.net instead of .com) but the message itself will give you no other reason to look. AI-generated emails are designed to prevent the uncomfortable pause that makes you verify. They create urgency, invoke authority, and match tone — all specifically to short-circuit your instinct to double-check.

The real defense isn't reading the email more carefully. It's building habits that operate outside the email entirely. When a financial request arrives by email, your policy should be to confirm it through a completely separate channel — a phone call, a walk to someone's office, a Slack message you initiate yourself. Not a reply. Not a forward. A separate, independent contact.


What You Can Actually Do

Verify out-of-band, always. Any request involving money, credentials, or sensitive data that arrives via email should be confirmed through a different communication channel before you act. This one habit breaks almost every AI phishing attempt.

Slow down on urgency. AI-generated phishing almost always creates artificial time pressure. "I need this before end of day." "Don't mention this to anyone yet." The urgency is engineered. Real emergencies can survive a two-minute phone call.

Use a passphrase system with your team. Some companies now use a verbal code word — something only internal people know — to authenticate sensitive requests over phone or video. Low-tech, effective.

  • Turn on multi-factor authentication everywhere, especially email and financial systems
  • Check full email headers on suspicious messages, not just the display name
  • Report suspected phishing to your IT team even if you didn't click — patterns matter
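As an added defender-side example (not code from the article), here is a small Python script that turns two points above into something a triage script or inbox rule can run: the one-character-off sender domain (cfo@companyname.net instead of .com) and the advice to check full headers rather than the display name. It goes slightly beyond the article's single case: it also catches a trusted name buried in a longer domain, a Reply-To that diverts replies elsewhere, a display name claiming a known colleague from a non-directory address, and the urgency phrasing the article describes, reported as a weak signal. The trusted domain, the staff directory entry and the sample message are all constructed for illustration.

```python
"""Defender-side header checks for an incoming message.

Added example, not the article's code. Flags a From domain that imitates a
trusted one, a Reply-To that diverts replies, a display name that claims a
known colleague from an outside address, and urgency phrasing (weak signal).
The trusted domains, staff directory and sample message are all constructed.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from typing import List, Optional, Set

# Constructed values; replace with your organisation's real domains and directory.
TRUSTED_DOMAINS: Set[str] = {"companyname.com"}
KNOWN_STAFF = {"dana lee": "dana.lee@companyname.com"}
URGENCY_PHRASES = ("end of day", "don't mention", "do not mention", "right away")

# Constructed sample message modelled on the article's scenario.
SAMPLE = b"""From: "Dana Lee, CFO" <dana.lee@companyname.net>
Reply-To: dana.lee.cfo@mail-example.invalid
To: sarah@companyname.com
Subject: Vendor payment
Date: Mon, 03 Mar 2025 09:12:00 +0000

Please wire the attached invoice before end of day. Don't mention this yet.
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character-off domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str, trusted: Set[str]) -> Optional[str]:
    """Return the trusted domain that `domain` imitates; None if trusted or unrelated."""
    if domain in trusted:
        return None
    for t in trusted:
        # Same leading label with a different suffix (companyname.net,
        # companyname.com.evil.example) or within one edit of the trusted
        # name (c0mpanyname.com, companyname.co).
        if domain.split(".")[0] == t.split(".")[0] or edit_distance(domain, t) <= 1:
            return t
    return None


def check_message(raw: bytes, trusted: Set[str] = TRUSTED_DOMAINS) -> List[str]:
    """Return human-readable findings; an empty list means no header-level signal."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: List[str] = []

    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    imitated = lookalike_of(from_dom, trusted)
    if imitated:
        findings.append(f"From domain {from_dom!r} looks like trusted domain {imitated!r}")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To {reply_addr!r} sends replies to a different domain than From")

    # Display name claims a known colleague, but the address is not their directory address.
    claimed = display.split(",")[0].strip().lower()
    expected = KNOWN_STAFF.get(claimed)
    if expected and from_addr.lower() != expected:
        findings.append(f"Display name {display!r} matches staff but address {from_addr!r} is not {expected!r}")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append(f"Urgency phrasing (weak signal): {hits}")
    return findings


if __name__ == "__main__":
    for line in check_message(SAMPLE):
        print("-", line)
```

None of these findings proves a message is fraudulent; the point is to produce the "uncomfortable pause" the article says AI-written text is designed to remove, so that the out-of-band check actually happens.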

According to the Anti-Phishing Working Group's Phishing Activity Trends Report, phishing attacks continue to increase year-over-year, with business email compromise — the category Sarah nearly fell for — causing billions in losses annually.


The Part That Should Worry You More Than Anything

Voice cloning now exists alongside text generation. Attackers can clone your CEO's voice from a few minutes of publicly available audio — earnings calls, conference talks, YouTube interviews — and call your finance team pretending to be them.

This is already happening. It's not a future threat. If you work in a role that handles money or sensitive systems, your organization needs voice verification protocols that don't rely on "it sounds like them."


One Honest Caveat

None of these defenses are perfect. Out-of-band verification can be slow and sometimes genuinely impractical. Passphrase systems can be forgotten or inconsistently applied under pressure. The uncomfortable truth is that AI phishing is an asymmetric threat — attackers only need to succeed once, and they have unlimited attempts.

Security culture — meaning the institutional habit of slowing down for high-stakes actions — is the best available defense. But culture requires consistent reinforcement, and most organizations invest in it only after a loss. Sarah got lucky. Most people who almost fall for these don't notice in time.


Sources:

  • IBM X-Force Threat Intelligence Index
  • Stanford Internet Observatory
  • Anti-Phishing Working Group Phishing Activity Trends Report