A few months ago an office manager forwarded me an email she had been about to act on. It was addressed to her by name, it referenced the actual software rollout her team was in the middle of, and it asked her to confirm her login on a page that looked exactly like the company portal. The writing was clean and friendly and on-brand. There was no typo, no broken logo, no awkward phrasing. She paused only because the request arrived a day before the real rollout was due, not because anything in the message looked wrong. There was nothing to spot.
For about twenty years the standard advice was: watch for bad spelling and clumsy grammar, and you will catch the phishing. I want to be blunt with you. That advice is dead, and the thing that killed it is the same generative AI your own team is probably already using to write emails.
Why the old tell stopped working
The typos were never the point. They were a symptom. A lot of phishing used to be written by people working in a second or third language, churning out volume, not proofreading. The broken English was an accident of how the scam was produced, and we taught a generation of employees to treat it as the giveaway.
That accident is gone. A generative AI tool will write a lure in flawless English, or flawless Spanish, or flawless anything, in seconds. It will match your industry’s vocabulary. It will sound like a busy executive who is slightly annoyed and wants the transfer done before a meeting. Feed it a few public details about your company, the kind anyone can pull off your website and LinkedIn, and it will personalize the message to a specific person and a specific deal. The result is on-brand, correctly localized, and personal. None of the signals we trained people to look for are present, because the thing that used to produce those signals is no longer in the loop.
It is not only email. The same kind of tool can clone a voice from a short clip and put it on a phone call. A finance person can get a call that sounds like the owner, asking for an urgent payment, with the right speech patterns and the right name for the client. Video is heading the same way. The point is not to scare you with the technology. The point is that the cues we leaned on for two decades were always shallow, and now they are nearly worthless.
The trap of “spot the phish” training
Here is where a lot of small businesses go wrong, and it is an understandable mistake. They respond to phishing by trying harder at the old game. They buy a training course that drills people on warning signs, they run a simulated phishing test, they post a list of red flags by the printer, and they treat a human being as the last line of defense. In effect they are asking each employee to be a spam filter made of meat, scanning every message for a mistake the attacker is no longer making.
This fails for a simple reason. You are asking people to win a perception contest against a machine that is specifically built to look legitimate, and you are asking them to win it every single time, on a busy Tuesday, while doing their actual job. They will lose sometimes. When they do, the usual reaction is to blame the person who clicked, which teaches everyone else to go quiet the next time they are unsure. That is the worst possible outcome, because the message you most want to hear about is the one someone is not certain about.
People are not the weak link here. Untested process is. A team with no agreed way to verify a request will get fooled by a good fake no matter how much “awareness” they have absorbed. A team with a habit of verifying does not need to win the perception contest, because they are not relying on perception at all.
What actually works
The defense moves from spotting mistakes to a verification habit and a culture where reporting is easy, backed by technical controls that do not depend on anyone’s attention. None of this is complicated, and most of it is free or close to it.
- Verify any money, credential, or access request out of band. If a message asks you to move money, change bank details, hand over a password, or grant access, confirm it through a known channel before acting. Call the number you already have on file, not the one in the email. Never verify by replying to the same message, because if it is fake, you are just asking the impersonator to confirm they are who they claim to be.
- Make reporting a suspicious message the easy, rewarded thing to do. Give people one obvious way to flag something and thank them when they use it, even when it turns out to be nothing. A near miss that gets reported is a win, not a nuisance.
- Never punish the misclick. The person who clicks and immediately says “I think I just clicked something I should not have” is doing exactly what you need. Punishment buys you silence and delay, and delay is what turns a contained mistake into a real loss. Reward the speaking up.
- Turn on multi-factor authentication, especially on email. A convincing message that harvests a password gets the attacker much less far if the login also needs a second factor. MFA is the single highest-value control most small businesses skip, usually because of friction you can design around.
- Set up DMARC and let your filters do the boring work. DMARC, along with SPF and DKIM, makes it much harder for someone to send mail that looks like it came from your own domain. Pair it with link and attachment filtering so the obvious junk never reaches a human in the first place. The goal is to shrink how many decisions a person has to make at all.
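As an added example (not code from the original post or from Resolute Security's own scan), here is a small Python script that reads SPF and DMARC TXT record strings and flags the settings that leave a domain easy to spoof: a DMARC policy of p=none that only reports, a partial pct, a weaker subdomain policy, and an SPF record that ends in +all or ~all or blows past the DNS lookup limit. The record strings are constructed samples with placeholder domains; a real check would fetch the TXT records for the domain and its _dmarc subdomain and pass them to the same functions.

```python
"""Flag weak SPF and DMARC settings in TXT record strings.

The four records below are constructed samples with placeholder domains,
not real DNS answers. To check a real domain, fetch the TXT record for
example.com (SPF) and _dmarc.example.com (DMARC) and pass the strings in.
"""

WEAK_SPF = "v=spf1 include:_spf.mailhost.example ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
HARDENED_SPF = "v=spf1 include:_spf.mailhost.example -all"
HARDENED_DMARC = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                  "pct=100; rua=mailto:dmarc@example.com")

ENFORCING = ("quarantine", "reject")
# SPF mechanisms/modifiers that cost a DNS query (RFC 7208 caps these at 10).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record):
    """Split 'k=v; k=v' into a dict; keys lowercased, values kept as written."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of weaknesses; an empty list means the record enforces."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        findings.append(f"p={policy or 'missing'}: failing mail is still delivered, only reported")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applies to only part of failing mail")
    sub = tags.get("sp", policy).lower()
    if policy in ENFORCING and sub not in ENFORCING:
        findings.append(f"sp={sub}: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua: you receive no aggregate reports")
    return findings


def assess_spf(record):
    """Return a list of weaknesses in an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    # The terminal 'all' mechanism decides what happens to senders not listed.
    last = terms[-1].lower()
    if last in ("all", "+all"):
        findings.append("+all: every sender passes SPF")
    elif last == "?all":
        findings.append("?all: unlisted senders get a neutral result")
    elif last == "~all":
        findings.append("~all: unlisted senders only soft-fail; enforcement depends on DMARC")
    elif last != "-all":
        findings.append("no terminal 'all' mechanism; unlisted senders default to neutral")
    # Count DNS-querying terms; more than 10 makes receivers return permerror.
    lookups = 0
    for term in terms[1:]:
        name = term.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0].lower()
        if name in LOOKUP_MECHANISMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        print(f"{label}: SPF {assess_spf(spf) or 'ok'}; DMARC {assess_dmarc(dmarc) or 'ok'}")
```

Run it as-is to compare the two sample sets: the weak pair reports p=none and ~all, the hardened pair reports nothing. Note that ~all on its own is not fatal once DMARC is at p=reject, because DMARC treats an SPF softfail as a failure; the finding is there so you know the SPF record is not doing the rejecting by itself.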
If you want to see why the typo advice is finished, look at real examples. Our phishing gallery shows actual lures, and the modern ones are clean. And if you want to know how easy your own domain is to spoof right now, the free email scan will tell you what your business looks like to an attacker, including whether your DMARC is doing anything.
This is the same problem you already have, twice
If this sounds familiar, it should. The out-of-band verification habit is exactly the control that stops wire fraud and business email compromise, which is where the mechanics of the scam play out once the fake request lands. AI did not invent that attack. It made the bait better, which means the only durable defense was always the part that does not depend on the bait looking wrong. And the tool doing the writing is, in many cases, the same kind of tool your own employees are already using, which is worth thinking about from both directions.
A team that verifies and reports beats a team that hunts for typos. It is calmer, it is faster, and it makes you a business other businesses trust to handle their money and their data. That is the part worth selling internally: you are not adding paranoia, you are adding a habit that protects payroll, keeps a deal from blowing up over a redirected payment, and means a mistake gets caught in minutes instead of discovered in a bank statement. Stop training your people to be spam filters. Give them a phone number to call and permission to use it.
Further reading
- From Resolute Security: The $48,000 Email: How Wire Fraud Actually Happens
- From Resolute Security: Why Your Team Fights MFA
- From Resolute Security: Your Employees Are Already Using AI
- Resolute tools: Phishing Gallery (real examples) and the free Email Scan
- CISA Secure Our World: recognize and report phishing
- FTC Small Business Cybersecurity
- Not sure where you stand? Take the free 10-minute cyber readiness assessment.