Email Safety in an Era of AI

The days of crude, easily spotted phishing may be behind us: now that almost anyone can have an AI produce a fluently written email and a convincing, fully translated landing page, it’s time to change how we read and respond to email.

Phishing

In the olden days, phishing was as simple as sending an email with a big attachment that said ‘click me!’, because the average email user often didn’t know that anything could be done to their computer through email at all. They’d get a message from someone they definitely didn’t know saying something like “please see the atachthed” [sic], not know what an .exe file was, open it, and then watch their machine start doing funny things.

Then, after people started warning each other that this could happen (and after enough people had email addresses of their own, even on computers they didn’t own), phishing had to get a little trickier. The key word in that sentence is “little”, because scammers started calling themselves things like “BestBy @ Yahoo . com”, “BeastBuy”, “B3stBuy”, or any number of other clumsy combinations that suggest a name brand, and that lend some credibility to anyone who doesn’t know that a company’s own email addresses usually (not always, but usually) carry the brand name in the domain after the @ sign, not in the name before it.

After people got wise to that, phishing scams diverged. Some deliberately became easier to detect, so that only the most credulous recipients would respond and the scammer’s follow-up effort wouldn’t be wasted; others got even sneakier.

AI

It’s no secret: AI can write perfectly passable, if sometimes inaccurate, business emails, and it can do so for free. That’s mildly annoying when you’re trying to collaborate with someone who is clearly having an AI summarize your email instead of reading it, because they’ll gloss over parts, hallucinate others, fail to notice attachments, and so on; but writing email is exactly what AI is advertised for.

Writing a scam email is as simple as asking the AI to do the writing and then attaching a malicious file where the invoice should be. AI can condense the best-practices pages of every online business-writing guide into a perfectly plausible cold email, with the malicious link disguised as a link to a PDF that supposedly can only be viewed after signing in to Google or Microsoft.

Worse, the scammer can do all this after already gaining access to someone’s account and scraping their business contacts. Once a real person’s account is under the scammer’s control, every message sent from it carries that person’s authority and is far harder to spot as a scam before it does damage. Why wouldn’t you trust a brief email asking you to review a floor plan or a billing proposal, even if you’re not in a sector where that makes sense? It’s from someone you know, and the writing sounds fine. So how do we navigate a world where phishing emails are so good that they may be indistinguishable from the real people whose accounts were stolen?

Navigating It

It’s tough to know when someone else’s email has been hacked, because in a matter of minutes an AI can be fed someone’s sent mail and prompted to write in their voice, if the hacker is really invested in the scam. It used to be that scammers wrote differently from the people or businesses they were impersonating, and taking a second to think “wait a minute, Janet from Accounting doesn’t use exclamation points like this” could be enough to realize a phishing attempt was in motion.

In the same vein, if your coworker or business contact was already using AI to write, it may be harder to tell that their email has been compromised when something suspicious arrives, because the default voice of Gemini or Copilot is inoffensive and easy to replicate. AI is also not prone to typos, and because the mail is sent from the real account, any signature Outlook applies will be present and correct, two things that a human scammer working from an outside address cannot guarantee even when trying. In this case, practicing basic internet safety can save you where recognizing an imposter by tone alone may be impossible: before you sign in after clicking a link someone sent you, make sure the address bar actually shows Microsoft’s sign-in page, and before you open an attachment, make sure it isn’t secretly an .exe (an “invoice.pdf.exe”, for example).
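The two checks in the paragraph above (is this really the sign-in host, and is this attachment really what its name says) can be done mechanically. The following is an added example, not code from the original post. The allow-list of sign-in hosts, the brand tokens and the attachment rules are assumptions to adapt locally; the sample links and file headers at the bottom are constructed, not taken from real messages.

```python
"""Mechanical checks behind the two pieces of advice above.

Added example; this is not code from the original post. The allow-list of
sign-in hosts and the attachment rules are assumptions to adapt locally.
"""
import os
from urllib.parse import urlparse

# Assumption: hosts that legitimately serve the sign-in pages you expect.
# Matching is exact, so "login.microsoftonline.com.evil.example" is rejected.
TRUSTED_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "accounts.google.com",
}
# Brand words that turn up in lookalike domains ("secure-microsoft-login.example").
BRAND_TOKENS = ("microsoft", "office365", "outlook", "sharepoint", "onedrive", "google")


def link_verdict(url: str) -> str:
    """Judge a link by the host it actually goes to, not by its link text."""
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        return "reject: not https"
    if parsed.username is not None:
        # https://login.microsoftonline.com@evil.example/ really goes to evil.example
        return "reject: user@ prefix hides the real host"
    if host in TRUSTED_LOGIN_HOSTS:
        return "ok: known sign-in host"
    if any(label.startswith("xn--") for label in host.split(".")):
        # Internationalised label: what the user sees may be a homoglyph of a brand.
        return "reject: punycode host"
    if any(token in host for token in BRAND_TOKENS):
        return "reject: lookalike host"
    return "caution: host not on the sign-in allow-list"


# File types attackers rename to look harmless; all of them run code when opened.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                         "vbs", "vbe", "wsf", "hta", "lnk", "ps1", "msi", "iso", "img"}
# First bytes of common formats, used to check that the content matches the name.
MAGIC = (
    (b"MZ", "a Windows executable"),
    (b"%PDF", "a PDF"),
    (b"PK\x03\x04", "a ZIP container"),
)
# What a file with this extension should look like on the inside.
EXPECTED_CONTENT = {"pdf": "a PDF", "zip": "a ZIP container", "docx": "a ZIP container",
                    "xlsx": "a ZIP container", "pptx": "a ZIP container"}


def sniff(data: bytes) -> str:
    """Identify content by its leading bytes; 'unrecognised' if none match."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unrecognised"


def attachment_verdict(filename: str, data: bytes) -> str:
    """Catch double extensions, renamed executables and display-name tricks."""
    if "\u202e" in filename:
        # Right-to-left override makes "notes\u202efdp.exe" display as "notesexe.pdf".
        return "reject: right-to-left override in filename"
    ext = os.path.splitext(filename.lower())[1].lstrip(".")
    if not ext:
        return "caution: no extension"
    if ext in EXECUTABLE_EXTENSIONS:          # catches "invoice.pdf.exe"
        return f"reject: executable extension .{ext}"
    content = sniff(data)
    if content == "a Windows executable":      # catches an .exe renamed to .pdf
        return f"reject: .{ext} name but content is a Windows executable"
    expected = EXPECTED_CONTENT.get(ext)
    if expected is None:
        return f"caution: .{ext} not checked"
    if content != expected:
        return f"reject: .{ext} name but content is {content}"
    return f"ok: .{ext} matches content"


if __name__ == "__main__":
    # Constructed samples, not real messages.
    for url in ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
                "https://login.microsoftonline.com.evil.example/",
                "https://login.microsoftonline.com@evil.example/"):
        print(url, "->", link_verdict(url))
    for name, head in (("invoice.pdf.exe", b"MZ\x90\x00"),
                       ("invoice.pdf", b"MZ\x90\x00"),
                       ("invoice.pdf", b"%PDF-1.7\n")):
        print(name, "->", attachment_verdict(name, head))
```

The host check is deliberately strict: anything that is not an exact allow-listed host, including a genuine subdomain of one, comes back as a rejection or a caution, because the person reading the email is not in a position to tell a legitimate subdomain from a lookalike. The attachment check reads only the first few bytes, so it is cheap enough to run on every attachment before it is opened.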

Sending the victim to a second location (a sign-in page that looks like Microsoft’s but is actually a purpose-built fake that captures whatever is typed into it) also lends these scams an air of credibility. Unfortunately, many AI tools can whip up a passable fake sign-in page that steals input, and most of them have no guardrails telling them not to, even though the primary use case is fraud. This used to be much harder to pull off. A convincing fake login page used to be the sign of a truly advanced scam, a hint that the business receiving it was being specifically targeted; now everyone gets them. Partly because everyone uses Microsoft, but still!

If you realize at any point that your email has been compromised, get in touch with your IT department right away; they should be able to lock the account and prevent further harm. Microsoft does limit how many recipients an account can mail per day (and how fast it can send), so a bulk spam run from one account may eventually throttle itself, but a targeted phishing run sends far fewer messages than that and won’t. If the limit doesn’t stop it, locking the account and then sending a follow-up alert to contacts who may have received a fraudulent email from your account without your knowledge gives them warning not to click the link, or to change their password (and tell their own IT) if they already did.

Considering the impacts of a breach (confidential emails forwarded out of the mailbox; inbox rules quietly left behind that keep forwarding mail even after you’ve regained control of the account, which is something IT should check for during cleanup; or the simple loss of trust that comes from a compromised account running around trying to compromise other accounts), a bit of caution, up to and including phoning the sender to confirm they really asked you to do something out of the ordinary, can save tons of time and headache!
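The “hidden rules” left behind after a compromise are worth looking for explicitly, because they survive a password reset. The following is an added example, not code from the original post: an audit that scans a mailbox’s inbox rules for the patterns attackers rely on (forwarding or redirecting to an outside address, deleting or hiding matching mail, near-empty rule names, and triggers on words like “password” or “invoice”). The rule records are constructed here in the shape of Microsoft Graph’s messageRule objects (displayName / conditions / actions); the mailbox-level forwardingSmtpAddress field is an assumed, simplified stand-in for the Exchange setting of the same name, and the internal domain and sample mailbox are assumptions.

```python
"""Inbox-rule audit for the 'hidden forwarding' pattern.

Added example; not code from the original post. Rule records are modelled
on Microsoft Graph messageRule objects; obtaining real ones from Graph or
from Exchange Online is left to the reader.
"""
from typing import Dict, List

INTERNAL_DOMAIN = "corp.example"   # assumption: your own mail domain

# Folders attackers use so the victim never sees the intercepted mail.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email",
                  "archive", "conversation history"}
# Subject/body triggers that usually mean "intercept the alarm or the money".
SENSITIVE_TERMS = ("password", "hack", "phish", "compromis", "suspicious",
                   "invoice", "payment", "wire", "bank")
FORWARDING_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
TEXT_CONDITIONS = ("subjectContains", "bodyContains", "bodyOrSubjectContains")


def is_external(address: str, internal_domain: str = INTERNAL_DOMAIN) -> bool:
    """True when the address is outside the organisation's own domain."""
    return not address.lower().endswith("@" + internal_domain)


def audit_rule(rule: dict, internal_domain: str = INTERNAL_DOMAIN) -> List[str]:
    """Return human-readable findings for one rule; empty list means nothing odd."""
    findings: List[str] = []
    name = rule.get("displayName", "").strip()
    if len(name) <= 2 and not name.isalnum():     # ".", "..", "" are classic attacker names
        findings.append("near-empty rule name")
    actions = rule.get("actions", {})
    for key in FORWARDING_ACTIONS:
        external = [r["emailAddress"]["address"] for r in actions.get(key, [])
                    if is_external(r["emailAddress"]["address"], internal_domain)]
        if external:
            findings.append(f"{key} external: {', '.join(external)}")
    if actions.get("delete") or actions.get("permanentDelete"):
        findings.append("deletes matching mail")
    folder = actions.get("moveToFolder", "")
    if folder.lower() in HIDING_FOLDERS:
        findings.append(f"hides mail in '{folder}'")
    conditions = rule.get("conditions", {})
    words = [w.lower() for key in TEXT_CONDITIONS for w in conditions.get(key, [])]
    hits = sorted({term for term in SENSITIVE_TERMS for w in words if term in w})
    if hits:
        findings.append("triggers on sensitive terms: " + ", ".join(hits))
    return findings


def audit_mailbox(mailbox: dict, internal_domain: str = INTERNAL_DOMAIN) -> Dict[str, List[str]]:
    """Map each suspicious rule name (plus mailbox-level forwarding) to its findings."""
    report: Dict[str, List[str]] = {}
    forward = mailbox.get("forwardingSmtpAddress")   # assumed field name (see lead-in)
    if forward and is_external(forward, internal_domain):
        report["<mailbox forwarding>"] = [f"mailbox-level forwarding to external {forward}"]
    for rule in mailbox.get("rules", []):
        findings = audit_rule(rule, internal_domain)
        if findings:
            report[rule.get("displayName", "")] = findings
    return report


# Constructed sample mailbox: one legitimate rule and two left behind by an attacker.
SAMPLE_MAILBOX = {
    "forwardingSmtpAddress": "drop@mail.example.net",
    "rules": [
        {"displayName": "Newsletters", "isEnabled": True,
         "conditions": {"senderContains": ["marketing"]},
         "actions": {"moveToFolder": "Newsletters", "markAsRead": True}},
        {"displayName": ".", "isEnabled": True,
         "conditions": {"bodyOrSubjectContains": ["password", "hacked", "invoice"]},
         "actions": {"forwardTo": [{"emailAddress": {"address": "outsider@mail.example.net"}}],
                     "moveToFolder": "RSS Feeds", "markAsRead": True}},
        {"displayName": "..", "isEnabled": True,
         "conditions": {"senderContains": ["security"]},
         "actions": {"redirectTo": [{"emailAddress": {"address": "outsider@mail.example.net"}}],
                     "delete": True}},
    ],
}

if __name__ == "__main__":
    for rule_name, findings in audit_mailbox(SAMPLE_MAILBOX).items():
        print(f"{rule_name!r}: " + "; ".join(findings))
```

The findings are hints for a human reviewer, not a verdict: an accounting team may legitimately forward invoice mail to a shared mailbox, which is why the internal/external split matters more than any single keyword. Run the audit again after the password reset and session revocation, since that is exactly when a leftover rule becomes the attacker's only remaining foothold.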