The rule that just died: "bad grammar = scam"

For two decades, "spot the typo" was the single most-taught anti-phishing skill. It worked because most phishing was run by non-native English speakers using machine translation that left phrasing artefacts. "Kindly verify the below information." Native speakers caught those instantly.

That signal is gone. A free ChatGPT account produces a perfectly idiomatic phishing email on the first try. Microsoft Threat Intelligence's 2024 reporting on actors like Crimson Sandstorm documented LLM use for "researching potential victims" and "improving scripts and phishing emails." Mandiant M-Trends 2024 describes the same trend across financially motivated and state-sponsored actors. Proofpoint's State of the Phish 2024 noted that the proportion of phishing with overt grammar tells fell sharply while click-through rates rose.

If you have been training employees to "trust your gut on weird wording," your gut now has a much smaller signal to work with. The defense has to shift from how the email reads to where it came from, what it asks for, and whether it fits prior context.

What AI actually lets attackers do

AI changed five operational stages of a phishing campaign.

1. Hyper-personalization at scale

Pre-AI phishing was either generic ("Dear Customer") or hand-crafted at low volume against executives. LLMs collapsed that trade-off. An attacker feeds a model a victim's LinkedIn profile, recent posts, and target email address, and gets a one-of-a-kind lure in seconds, repeated across an entire target list for the cost of the API calls.

2. Perfect translation into any language

A single operator runs the same campaign in fifteen languages with native fluency in each. CrowdStrike's Global Threat Report has tracked phishing expansion into previously under-attacked language markets as a direct consequence.

3. Instant phishing-page cloning

Code-capable models reproduce a target's login page in seconds, including matching CSS classes and button gradients. Visual inspection of the page is no longer a reliable defense.

4. Faster A/B testing of subject lines

LLMs generate dozens of subject-line variants; the attacker sends each to a small slice of the target list, measures open rates, and pushes the winner to the rest. The cycle that used to take a week now takes an afternoon.

5. Auto-replying conversation bots

When a target replies "Is this really you?", a model in the loop responds in seconds, in the right register. BEC chains that fell apart on the second exchange now survive five or six rounds. The FBI IC3 has listed BEC among its highest-loss crime categories for years, and conversational AI is one reason those chains now hold together longer.

Why visual checks became unreliable

Phishing pages cloned by code-capable LLMs no longer have the pixel-off feel that hand-built fakes had. The logo is vector. The font is the right fallback. The button gradient matches. Visual checks still catch lazy campaigns but cannot be the primary line. The primary line has to be structural: where did this come from, what is it asking for, does it fit prior context.

The 7 new tells that still work in 2026

Tell #1: Sender domain mismatch (still works, more important than ever)

AI rewrites the body. It does not give the attacker control over the sender domain - that is determined by the email infrastructure, not the language model. Real Microsoft mail comes from a Microsoft-owned domain. Real Apple mail from @apple.com or @email.apple.com. Real bank mail from the bank's domain. If a beautifully written email about your Microsoft account is sent from @microsoft-account-team.io, the body could have been written by Shakespeare and it is still phishing. The display name lies. The actual address tells the truth. Two caveats. Read the whole domain, not just the part that contains the brand name: what matters is the registered domain at the end, and a brand name appearing somewhere to the left of it means nothing. And the address is only as trustworthy as your mail provider's checks: when the brand publishes DMARC enforcement, a forged From address is rejected or quarantined before you see it, but on a domain that does not, the address itself can be forged, which is why the remaining tells still matter.
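The same check as code, added here as an example and not code from the page or from SafeBrowz. It uses only the Python standard library and assumes a small hand-written table of brand sending domains plus two constructed header sets (one on a lookalike domain, one on a brand-owned subdomain). It also reads the DMARC verdict, on the assumption that the Authentication-Results line was added by your own receiving server: an attacker can insert one further up the chain, so a real tool keys on the authserv-id of the MX it trusts.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Two constructed header sets for illustration (not real messages). The first has
# a display name claiming Microsoft on a lookalike domain; the second is what a
# message on a brand-owned subdomain looks like after DMARC passes.
SAMPLE_PHISH = """\
From: "Microsoft Account Team" <security@microsoft-account-team.io>
To: victim@example.com
Subject: Unusual sign-in activity on your Microsoft account
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=microsoft-account-team.io; dkim=pass header.d=microsoft-account-team.io; dmarc=none header.from=microsoft-account-team.io
"""

SAMPLE_LEGIT = """\
From: "Microsoft account team" <account-security-noreply@accountprotection.microsoft.com>
To: victim@example.com
Subject: Unusual sign-in activity on your Microsoft account
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=accountprotection.microsoft.com; dkim=pass header.d=accountprotection.microsoft.com; dmarc=pass header.from=accountprotection.microsoft.com
"""

# Assumed table: brand keyword -> registered domains the brand actually sends from.
# Any subdomain of a listed domain counts. A real deployment fills this from the
# brands' published sending domains.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "apple": {"apple.com"},
}


def sender_parts(from_header):
    """Split a From header into (display name, address, address domain)."""
    name, addr = parseaddr(str(from_header or ""))
    addr = addr.lower()
    return name, addr, addr.rpartition("@")[2]


def domain_belongs_to(domain, brand):
    """True if domain is a listed brand domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS[brand])


def claimed_brand(display_name, subject):
    """Which brand the display name or subject invokes, if any."""
    text = f"{display_name} {subject}".lower()
    return next((b for b in BRAND_DOMAINS if b in text), None)


def dmarc_result(auth_results):
    """Extract the dmarc= verdict from an Authentication-Results header."""
    m = re.search(r"\bdmarc=(\w+)", str(auth_results or ""))
    return m.group(1).lower() if m else "missing"


def check_sender(raw_headers):
    """Tell #1: does the address domain match the brand the mail claims to be?"""
    msg = email.message_from_string(raw_headers, policy=policy.default)
    name, addr, domain = sender_parts(msg.get("From"))
    findings = []
    brand = claimed_brand(name, msg.get("Subject", ""))
    if brand and not domain_belongs_to(domain, brand):
        findings.append(f"display name invokes {brand} but address domain is {domain}")
    # spf=pass and dkim=pass only prove the sender controls *their own* domain.
    # The From domain is trustworthy only when DMARC on it passed at your own MX.
    dmarc = dmarc_result(msg.get("Authentication-Results"))
    if dmarc != "pass":
        findings.append(f"dmarc={dmarc}: the From address is not authenticated")
    return {"display_name": name, "address": addr, "domain": domain,
            "dmarc": dmarc, "findings": findings}


if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(check_sender(sample))
```

Note that spf=pass and dkim=pass on the lookalike are expected: the attacker owns that domain and set its records up correctly. The only verdict that speaks to the domain in the From line is dmarc, and only when it is evaluated by a server you trust.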

Tell #2: Unfamiliar payment rail

Real institutions in 2026 do not ask you to pay or verify by gift card, cryptocurrency, money mule transfer, or wire to an unfamiliar account. The IRS does not take Apple gift cards. Microsoft does not need Bitcoin. Your bank does not ask you to wire money to "secure" your own account. The moment an email steers you toward an unusual payment method, the rest of the email no longer matters. The grammar can be perfect. The logo can be perfect. The request itself is impossible.

Tell #3: New-sender + urgency combo

An email from a domain you have never received mail from before, demanding action in the next 24 hours, is hostile until proven otherwise. Either one alone is sometimes legitimate. The two together almost never are. Real businesses you have a relationship with use senders you have seen before. Real emergencies direct you back to your existing account portal, not to a same-day click.

Tell #4: Generic-but-personalized greeting

"Dear Valued Customer, John," is now a real pattern. AI-written phishing pastes the victim's first name into the greeting after a generic title, because the prompt template was "Dear Valued Customer" and the personalization step appended the name without rewriting the line. A genuinely personal email from a real business addresses you the same way every time, either by full name or by first name alone, not both.

Tell #5: Link mouseover vs anchor text mismatch

The old rule that did not die. AI writes the visible link text, but the destination lives in a separate attribute (the href) that the attacker sets independently, so the two can say different things. Hover over any button before clicking. The real destination shows in the status bar of a desktop mail client, or as a long-press preview on mobile. If the visible text says "secure.microsoft.com" but the actual link points to secure-microsoft.verify-now.xyz, the email is hostile no matter how clean the prose reads. One exception worth knowing: many legitimate senders wrap links in click-tracking or "safe links" redirectors, so a mismatch means "verify by typing the address yourself", not automatically "phishing".
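The hover check as code, for mail you can get the HTML of (an added example, not code from the page or from SafeBrowz). It uses the standard-library HTML parser, pairs every anchor's visible text with its href, and flags the ones where the text names a host that differs from the real destination. The HTML body is constructed from the article's own example domains; "click here" links carry no claim and are skipped rather than flagged.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body using the article's example hosts. The first link's text
# names the real brand host while its href goes to a lookalike; the second is a
# "click here" link with nothing to compare; the third is consistent.
SAMPLE_HTML = """
<p>Verify your account at
<a href="https://secure-microsoft.verify-now.xyz/login">secure.microsoft.com</a>.</p>
<p>Or <a href="https://secure-microsoft.verify-now.xyz/login">click here</a>.</p>
<p>Need help? <a href="https://support.microsoft.com/">support.microsoft.com</a></p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(value):
    """Lower-cased hostname of a URL, or of a bare host like 'secure.microsoft.com'."""
    v = value.strip()
    if "://" not in v:
        v = "http://" + v
    return (urlparse(v).hostname or "").lower()


def looks_like_host(text):
    """Does the visible text itself claim a destination (a host or URL)?"""
    return re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text.strip().lower()) is not None


def mismatched_links(html):
    """Tell #5: visible text names one host, the href points at another."""
    collector = AnchorCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.anchors:
        if not looks_like_host(text):
            continue  # "click here" makes no claim that can contradict the href
        shown, real = host_of(text), host_of(href)
        if shown != real:
            flagged.append({"shown": shown, "real": real, "href": href})
    return flagged


if __name__ == "__main__":
    for hit in mismatched_links(SAMPLE_HTML):
        print(f"text says {hit['shown']} but the link goes to {hit['real']}")
```

The comparison is on the full hostname on purpose: a tracking redirector on the sender's own domain will show up as a mismatch too, which is the right outcome for a check whose answer is "go type the address yourself" rather than "block".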

Tell #6: No email thread history with this sender

Search your inbox for the sender's email address. If you have never received legitimate mail from them and they claim an ongoing relationship ("as discussed yesterday"), the relationship is fabricated. This is especially important for BEC: the real CEO has thread history with the CFO; a CEO impersonation usually arrives as the first message ever from that address.

Tell #7: Attachment with minimal body

An email that says little more than "see attached" with a DOCX, XLSX, HTML, or PDF file is a structural red flag. Real business communication explains itself in the body. A near-empty body means the attacker is relying on the file to do the work - usually a phishing form, a malicious macro, or a malware payload. HTML attachments are especially dangerous because the credential-harvesting page renders from your own disk: the address bar shows a file:// path rather than a domain that could look suspicious, while the form inside still posts whatever you type to the attacker's server.

The 5-step verification flow that still works post-AI

None of the seven tells above require you to evaluate writing quality. The new verification flow is structural, not stylistic.

  1. Read the sender address, not the display name. Confirm the domain matches the brand's known sending domain.
  2. Do not click links in the email. Open a new tab and type the official URL directly. Sign in there.
  3. Check for thread history. First-ever contact plus an urgent request equals phishing-likely.
  4. Sanity-check the ask. Gift card, crypto, wire to a new account, password or 2FA code entry, document download to "verify" identity. All hostile by default.
  5. Verify out-of-band for anything financial. Call the institution at the number on the back of your card or on their official site. Never the number in the email.
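The flow above as a triage script, added here as an example rather than code from the page or from SafeBrowz. It covers the parts a script can do (step 3, step 4, and tells #3, #6 and #7): first contact combined with urgency or a claimed prior conversation, a payment rail named in the text, an attachment with a near-empty body, and an HTML attachment carrying a password form. The two messages, the sender-history set and the keyword lists are constructed assumptions; a real tool would query the mailbox for history and tune the keywords to the organization. Steps 2 and 5 are human actions that no script replaces.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed message for illustration (not a real sample): a first-ever sender
# on an executive-lookalike domain, urgency, a claimed prior conversation, a wire
# request, a near-empty body, and an HTML attachment carrying a password form.
SAMPLE_EML = """\
From: "Dana Cole, CEO" <dana.cole@acme-corp-exec.com>
To: cfo@acme.example
Subject: Urgent - as discussed yesterday
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

See attached. Wire the amount today, within 24 hours.

--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="invoice.html"

<html><body><form action="https://acme-secure-docs.xyz/login" method="post">
<input name="email"><input type="password" name="pw"></form></body></html>
--b1--
"""

# Constructed control case: a known sender, an ordinary body, no attachment.
SAMPLE_LEGIT = """\
From: "Payroll" <payroll@acme.example>
To: cfo@acme.example
Subject: February payroll calendar
Content-Type: text/plain; charset="utf-8"

Hi, here is the February payroll processing calendar. The cutoff for timesheet
approvals is the 20th and payments land on the 27th as usual. Let me know if you
want the PDF version. Thanks.
"""

# Assumed stand-in for "search your inbox for this sender": addresses that have
# sent legitimate mail before. A real tool would query the mailbox instead.
KNOWN_SENDERS = {"dana.cole@acme.example", "payroll@acme.example"}

# Assumed keyword lists; tune them to the organization's own vocabulary.
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours|today|asap)\b", re.I)
PAYMENT_RAIL = re.compile(r"\b(gift card|bitcoin|crypto\w*|wire transfer|wire|western union|zelle)\b", re.I)
RELATIONSHIP = re.compile(r"\b(as discussed|per our (?:call|conversation)|as agreed)\b", re.I)
MIN_BODY_CHARS = 80  # below this, a "see attached" style body counts as minimal


def triage(raw, known_senders=KNOWN_SENDERS):
    """Run the structural checks over one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]

    body_parts, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            attachments.append(part)
        elif part.get_content_type() in ("text/plain", "text/html"):
            body_parts.append(part.get_content())
    body = " ".join(" ".join(body_parts).split())
    text = f"{msg.get('Subject', '')} {body}"

    findings = []
    # Tell #6 / step 3: no history with this address, nor with its domain.
    first_contact = addr not in known_senders and not any(
        k.endswith("@" + domain) for k in known_senders)
    if first_contact and URGENCY.search(text):
        findings.append("new sender + urgency")  # tell #3
    if first_contact and RELATIONSHIP.search(text):
        findings.append("claims prior contact with no thread history")
    rail = PAYMENT_RAIL.search(text)
    if rail:
        findings.append(f"steers toward a payment rail: {rail.group(0).lower()}")  # step 4
    if attachments and len(body) < MIN_BODY_CHARS:
        findings.append(f"attachment with minimal body ({len(attachments)} file(s))")  # tell #7
    for part in attachments:
        if part.get_content_type() == "text/html" and re.search(
                r"""type\s*=\s*["']?password""", part.get_content(), re.I):
            findings.append(f"HTML attachment {part.get_filename()} contains a password form")
    return {"sender": addr, "first_contact": first_contact, "findings": findings}


if __name__ == "__main__":
    for sample in (SAMPLE_EML, SAMPLE_LEGIT):
        print(triage(sample))
```

None of these checks reads writing quality, which is the point: the constructed lure would pass any grammar test and still trips five structural tells, while the ordinary payroll note trips none.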

If you already clicked or replied

Most phishing damage happens after the click. Closing the page or stopping the conversation early often prevents the worst outcomes.

  1. Clicked a link but typed nothing. Close the tab. Run an antivirus scan. Risk is low.
  2. Entered a password. Change it from a clean browser tab. Turn on or rotate 2FA. Sign out of all sessions.
  3. Entered a 2FA code. Treat as a real compromise: the attacker may already be signed in. Reset MFA, revoke active sessions, and check inbox forwarding rules and any newly authorized third-party apps - this is how attackers maintain silent access for weeks.
  4. Sent money. Call your bank to recall the transfer. Same-day calls have a much higher recovery rate. File a report at ic3.gov.
  5. Replied to a conversational thread. Stop - they have an AI in the loop and you do not. Forward to reportphishing@apwg.org.

How browser-layer defense catches AI-written phishing

The email is hard to block at the inbox layer because the writing matches legitimate mail. The defensive surface that still works is the destination URL. The credential-harvesting page has properties AI cannot fake at the domain layer: it sits on a domain that is not the real brand, it loads brand logos and login forms for a brand it does not own, and it often went live in the last 24 hours.

SafeBrowz is a free Chrome, Firefox, and Edge extension that scans every URL before render. It checks the domain against 550+ brands, analyzes content for impersonation signals, and uses AI content analysis in 100+ languages. Whether the email was written by a human or GPT, the page-layer defense fires the same way.

Install SafeBrowz free

Add the browser extension that runs every check in this article automatically, on every page, before it renders. Free forever.


Frequently asked questions

Is AI phishing actually growing or is this overhyped?

It is growing. AI has become a default tool inside an already-large attack volume. Microsoft Threat Intelligence has publicly documented LLM use by state-aligned and financially motivated groups since 2024. Mandiant M-Trends and CrowdStrike's Global Threat Report describe the same expansion. Proofpoint's State of the Phish 2024 reported that 71 percent of working adults took a risky action in the prior year. The FBI IC3 continues to log BEC among its highest-dollar-loss categories. AI removed the grammar bottleneck and made personalization cheap.

Will AI defenses fix this on the email side?

Partially, not completely. Gmail, Microsoft Defender for Office 365, Proofpoint, and Mimecast all use ML to score inbound mail and catch a large share of obvious campaigns. The cat-and-mouse problem is that defender and attacker models train on similar data. Filters catch most volume; the surviving fraction looks very convincing. That fraction is what the structural checks in this guide are for.

How do I know if an email was actually written by AI?

You usually cannot. Public AI detector tools are unreliable on short emails and have high false-positive rates on legitimate human writing. Stop trying to identify the author. Identify the request instead: who sent it, what are they asking for, does it fit prior context.

If the grammar tell is dead, what should I teach my employees?

Three things in order. Verify the sender domain at the address level, not the display name. Never act on email links - go to the institution directly in a fresh tab. Financial and credential requests require out-of-band phone verification. Drop the "look for typos" line entirely - it teaches a false sense of security.

Are AI-generated phishing pages also harder to spot than the old ones?

Yes. Code-capable LLMs clone a brand's login HTML and CSS in seconds. The reliable signal moved from "does the page look right" to "is the domain right." A pixel-perfect Microsoft login page on a domain that is not login.microsoftonline.com or login.live.com is still a phishing page.

Should I worry more about voice (vishing) and SMS (smishing) too?

Yes. Voice cloning models reproduce a known voice from seconds of audio, which has fed BEC variants where the "CEO" calls the CFO to confirm a wire. SMS phishing benefits from the same translation and personalization advances. The defensive principle is identical: verify out-of-band through a channel the attacker did not give you.

Bottom line: AI-generated phishing emails are common and grammatically perfect. The old writing-quality tells no longer work. The new tells are structural: sender domain, payment rail, request type, thread history, hover-vs-anchor, body-vs-attachment, and new-sender-plus-urgency. Pair them with a browser-layer scanner like SafeBrowz so the destination page never loads even if the email slips past your filter.