AI-Generated Phishing: Why Scam Emails No Longer Have Typos

Remember the old advice? "You can spot a scam email by the bad spelling and grammar." Well, that advice has officially expired. Welcome to the era of AI-generated phishing — where the emails are flawlessly written, culturally appropriate, and eerily convincing.

What's changed?

Tools like ChatGPT and other large language models have made it trivially easy for anyone — including non-English-speaking criminals in other countries — to generate perfectly written, grammatically flawless emails in Australian English.

That "Nigerian prince" email with the randomly capitalised WORDS and bizarre punctuation? Completely obsolete. Today's AI-generated phishing emails read like they came from your actual bank, your actual supplier, or your actual colleague.

What does AI-powered phishing look like in 2026?

  • Hyper-personalised emails that reference real details about your company, your role, or your recent activities (scraped from your LinkedIn, your website, or your social media).
  • Perfect tone matching — if the attacker has studied a few of your real emails, AI can help them replicate your writing style and send emails from a spoofed address that sounds exactly like you.
  • Context-aware follow-ups — AI agents can now hold multi-email conversations that slowly build trust before asking for something.
  • Deepfake voice and video — combined with phishing, AI can generate audio or video of executives that seems completely real.

The $25 million Hong Kong case

In 2024, a finance worker in Hong Kong transferred $25 million after attending a video call with what he believed were several of his company's executives — including the CFO. Every person on the call was a deepfake. He only discovered the fraud when he checked with head office afterwards.

If that can happen at a large corporation, it can happen to any Australian business with less sophisticated verification processes.

So how do you spot AI-generated phishing?

Honestly? You can't rely on language quality anymore. Instead, focus on:

  1. Unexpected requests. Regardless of how well-written the email is, ask: is this request normal? Would this person normally email me about this?
  2. Sender verification. AI can write the email; it can't change where it actually came from. Check the actual email domain carefully.
  3. Out-of-band verification. For anything involving money, access, or sensitive data — verify through a separate channel. Text them. Call them. Walk to their desk.
  4. Trust processes, not personality. Don't make exceptions to your verification process just because "it really sounds like Sarah." That's the point.
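
A sketch of the sender check in step 2, added here as an example and not code from the original post: it reads the receiving server's DMARC verdict, flags a Reply-To on a different domain, and flags near-miss lookalike domains. The trusted-domain list, function names and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains this organisation really deals with (constructed values).
TRUSTED = {"bank.example", "supplier.example"}

def domain(header):
    """Lower-cased domain of an address header such as From, or ''."""
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_findings(raw):
    """Reasons to distrust the sender of a raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_dom = domain(msg["From"])
    findings = []
    # The receiving server records its DMARC verdict in Authentication-Results.
    # Only trust copies of this header added by your own mail gateway.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    dmarc = re.search(r"\bdmarc=(\w+)", auth)
    if not dmarc or dmarc.group(1) != "pass":
        findings.append("dmarc-not-pass")
    # Replies would go to a different domain than the visible sender.
    reply_dom = domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")
    # Sender domain is close to, but not the same as, a trusted one.
    if from_dom not in TRUSTED and any(edit_distance(from_dom, t) <= 2 for t in TRUSTED):
        findings.append("lookalike-domain")
    return findings

# Constructed sample messages, not real mail.
SPOOFED = ("Authentication-Results: mx.corp.example; spf=fail; dmarc=fail\n"
           'From: "Example Bank" <alerts@bank.example>\n'
           "Reply-To: alerts@bank-helpdesk.example\n\nConfirm the payment today.\n")
LOOKALIKE = ("Authentication-Results: mx.corp.example; spf=pass; dmarc=pass\n"
             'From: "Example Bank" <alerts@bannk.example>\n\nConfirm the payment today.\n')
```

The lookalike sample passes DMARC because the sender controls that domain, so an authentication pass confirms only which domain sent the mail, not that it is the one you expect.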

Build habits that AI can't beat

The good news: AI might make phishing emails harder to detect linguistically, but it can't hack your verification processes. A team that always verifies unusual requests through a second channel is bulletproof against even the most sophisticated AI phishing.
