Skip to content
HomeBlogThreat Watch

AI-Written Phishing: Why the Typos Are Gone and Clicks Are Up

Quill pen of red light writing a glowing email envelope under a blue shield lens

The tell-tale typos are gone. Generative AI now writes phishing emails in clean, natural English — personalized to your company, your vendors, and your org chart — and click rates have risen accordingly. The fix is to retrain your team on behavioral tells and to layer in controls that work even when the writing is flawless.

Phishing got a ghostwriter

Since large language models went mainstream in late 2022, the cost of writing a convincing email in perfect English has dropped to zero. Criminal forums sell purpose-built tools for it, and mainstream chatbots can be talked into “drafting a note from the CFO about an urgent invoice” with little effort.

Security vendors analyzing phishing traffic now attribute a large and fast-growing share of it to AI-generated text, and controlled studies published last year found AI-written spear phishing performed about as well as messages crafted by human social-engineering experts. Volume is up as well: filters that once caught campaigns by their reused templates now face thousands of unique variants in a single blast.

Phishing emails showing AI-generated content (% of analyzed phish)
025507510016220212022202320242025ChatGPT launches

Industry estimates; illustrative.

View data table
AI-generated share (% of analyzed phish)
20211
20223
202314
202438
202562

Why the old phishing training fails now

For twenty years we taught people to spot bad grammar, odd phrasing, and generic greetings. AI erases all three. Worse, it personalizes at scale: a scraper pulls your team page and LinkedIn, and the model writes a different, plausible email to every employee — referencing real names, real vendors, real projects.

The economics matter as much as the prose. What once took a skilled attacker an afternoon now takes anyone thirty seconds, so mid-sized businesses that were never worth a custom lure are now getting them daily. And it isn’t limited to email: a finance employee in Hong Kong wired roughly $25 million last year after a video call with deepfaked company executives.

The new tells: behavior, not spelling

Train your team to react to what a message asks for, not how it reads:

  • Urgency plus money or credentials. Wire changes, gift cards, payroll updates, a “quick login to review a document.”
  • A channel switch. An email that pushes you to text or WhatsApp is moving you off monitored ground.
  • First-time senders who know things. Familiar details no longer prove legitimacy.
  • Requests to skip process. Anyone asking you to bypass an approval step is the reason that step exists.
  • Any link that lands on a login page. Navigate to the site yourself instead.

The golden rule: verify out of band. A thirty-second call to a number you already have on file defeats the best-written phish on earth.

Two more channels deserve a mention in your next training session: QR codes on posters and invoices that route phones straight to credential pages, and voice calls that sound exactly like a colleague asking for a payment change. The same discipline applies to both — verify through a channel you chose, not the one the message handed you.

Email security controls that hold up when the writing is perfect

Awareness helps, but you need layers that don’t depend on human judgment in the moment. Phishing-resistant MFA — hardware keys or passkeys — stops a stolen password from mattering. Enforced DMARC, SPF and DKIM make your own domain far harder to spoof. Modern email filtering evaluates sender behavior and intent, not just spelling.

And assume some clicks will still happen. Endpoint detection with someone actually watching it is what catches the one that slips through — our engineers monitor client environments 24/7 for exactly that moment. Finally, make reporting easy and blame-free: the person who says “I think I just clicked something” within five minutes is your best security control.

Key takeaways

  • AI has removed typos and bad grammar as reliable phishing signals.
  • Train on behavior: urgency, money, credential requests, channel switches.
  • Verify unusual requests out of band, every time.
  • Deploy phishing-resistant MFA and enforce DMARC on your domain.
  • Assume clicks will happen — detection and fast reporting limit the damage.

Curious how your team and your filters would hold up against a 2025-grade phish? Start with our cybersecurity assessment.

Reading is free. So is knowing where you stand.

Turn insight into action.

Take a free cybersecurity or AI readiness assessment, or book a call with a NetSys engineer — no obligation, no runaround.