For years, we’ve trained ourselves to spot the classic signs of a phishing email: bad grammar, generic greetings like "Dear Valued Customer," and suspicious links.
Unfortunately, those days are over.
In 2026, cybercriminals are using the same generative AI tools that we use for productivity to create scams that are frighteningly personal, polished, and persuasive. These new AI-powered phishing attacks don't just look legitimate—they can even sound like people you know.
Your old security playbook is outdated. Here's your new one.
What is AI-Powered Phishing?
AI phishing (or "spear-phishing on steroids") uses artificial intelligence to do the heavy lifting for scammers.
Hyper-Personalization: AI can scrape your social media (like LinkedIn or Facebook) to learn your name, your job title, who your boss is, what projects you're working on, and even how you write.
Flawless Content: AI-generated text has perfect grammar and can mimic any tone, from a casual text from a friend to an urgent "all-staff" memo from your IT department.
Deepfakes (Voice & Video): This is the most alarming trend. Scammers can clone a person's voice from just a few seconds of audio (like a public video or even a voicemail). They then use this "voiceprint" to call you, sounding exactly like your boss, a family member, or a bank representative.
5 AI Scams to Watch For in 2025
1. The "Urgent" Deepfake Voice Call (Vishing)
How it works: You get a phone call. The voice is a perfect clone of your manager or a company executive. They say they're "stuck in a meeting" or "traveling" and need you to urgently transfer money to a new vendor or buy gift cards for a client. The sense of urgency is designed to make you panic and skip security protocols.
How to Spot It:
The "Callback" Test: The single best defense. Hang up and call the person back on their official number stored in your phone or the company directory. If the real person is confused, you've spotted the scam.
Unusual Request: Is this a normal part of your job? Would your boss ever really ask you to buy gift cards? Trust your gut.
2. The Hyper-Personalized "Helpful" Email
How it works: You receive an email that looks like it's from your IT department. It might say, "We're migrating our email server this weekend. To ensure you don't lose your files, please log in to the new portal to verify your account." The email uses your name, references a real company-wide event, and the link looks almost identical to your real company portal.
How to Spot It:
Hover, Don't Click: Always hover your mouse over any link before clicking. Look at the actual URL that pops up in the bottom corner of your browser. Is it it-support.ourcompany.com or a weird variation like ourcompany.it-support-portal.net?
Check the Sender: Look at the full email address, not just the display name. Scammers often use "typo-squatting" (e.g., micros0ft.com with a zero).
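The hover-and-compare check above, written out as an added Python example (not code from the original article): it reduces a hovered link to its registrable domain, flags digit-swap lookalikes such as micros0ft.com, and reports when the visible link text names a different domain than the real target. The trusted domain ourcompany.com and the sample links are constructed from the article's own examples.

```python
from urllib.parse import urlsplit

# Constructed example: the organisation's real registrable domain.
TRUSTED_DOMAIN = "ourcompany.com"

# Digit-for-letter swaps commonly seen in typo-squatting (e.g. "micros0ft.com").
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}


def registrable_domain(url: str) -> str:
    """Return the last two labels of the host, e.g. 'it-support-portal.net'.
    hostname() drops scheme, userinfo and port, so only the real host counts.
    Simplification: assumes a one-label public suffix; co.uk-style suffixes
    would need the Public Suffix List."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:])


def undo_digit_swaps(domain: str) -> str:
    """Map look-alike digits back to letters so micros0ft -> microsoft."""
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in domain)


def classify_link(href: str, trusted: str = TRUSTED_DOMAIN) -> str:
    """'trusted' if the link lands on the real domain (any subdomain of it),
    'lookalike' if it differs only by digit swaps, otherwise 'untrusted'.
    Unicode/IDN homoglyphs are out of scope for this simple check."""
    domain = registrable_domain(href)
    if domain == trusted:
        return "trusted"
    if undo_digit_swaps(domain) == undo_digit_swaps(trusted):
        return "lookalike"
    return "untrusted"


def text_href_mismatch(link_text: str, href: str) -> bool:
    """True when the visible link text is itself a domain or URL that names a
    different registrable domain than the real target (the 'hover' catch)."""
    if "." not in link_text or " " in link_text.strip():
        return False  # plain words like "Click here" carry no domain to compare
    return registrable_domain(link_text) != registrable_domain(href)


if __name__ == "__main__":
    for href in ("https://it-support.ourcompany.com/verify",
                 "https://ourcompany.it-support-portal.net/login",
                 "https://ourc0mpany.com/login"):
        print(href, "->", classify_link(href))
```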
3. The QR Code Scam (Quishing)
How it works: You see a QR code in an email, perhaps for "two-factor authentication," "accessing a shared file," or even a "parking ticket" on your car. You scan it with your phone, and it does one of two things:
Takes you to a fake login page to steal your credentials.
Directly initiates a malware download onto your phone.
How to Spot It:
Be Skeptical of All QR Codes: Treat a QR code with the same suspicion as a link. Your phone's camera can't tell if it's malicious.
Preview the Link: Most modern phone cameras will show you a preview of the web URL before opening it. Examine it closely.
4. The AI-Powered Romance/Investment Scam
How it works: This is common on dating apps and social media. A scammer uses an AI-generated profile picture (of a person who doesn't exist) and uses an AI chatbot to maintain multiple, convincing, and emotionally engaging conversations at once. They build trust over weeks before inevitably asking for money for a "family emergency" or a "can't-miss" cryptocurrency investment.
How to Spot It:
Refusal to Meet or Video Chat (Properly): They will always have an excuse. If they do agree to a video call, it may be a "glitchy" call that is actually a pre-recorded deepfake video.
The Conversation Turns to Money: This is the ultimate red flag. Legitimate people you meet online will not ask you for money or investment advice.
5. The "I Took Over the Thread" Scam
How it works: This is a sophisticated attack where a scammer hacks into a legitimate email account. They use AI to read the entire email history, then "inject" themselves into a real, ongoing conversation. For example, in an email chain with a vendor about an invoice, the AI-powered scammer will reply from the real account (or one that looks identical) and say, "Hi all, please note we have updated our banking details. Please use this new account for all future payments."
How to Spot It:
Verify Changes "Out-of-Band": Any change in payment information, phone numbers, or addresses must be verified through a separate, trusted channel. Call your vendor at the number you have on file (not one from the email) to confirm the change.
Your 3-Step Action Plan to Stay Safe
PAUSE: The #1 weapon scammers use is urgency. Force yourself to stop for 30 seconds.
VERIFY: Trust no one. Verify every unusual request through a separate channel. Hang up and call back. Send a new message on Teams/Slack.
PROTECT: Use Multi-Factor Authentication (MFA) everywhere. Even if scammers steal your password, MFA is the lock that stops them from getting in.