Phishing doesn’t look like phishing anymore. It looks like your bank. Your boss. Your kid’s school. The Nigerian Princes of 2005 have been replaced by AI-generated CFOs on video calls authorizing $25 million wire transfers. Here’s how to spot the tell.
Phishing is the #1 source of account compromise and financial fraud. No technical defense replaces awareness — because the attack is aimed at you, not your software.
Types of Phishing Attacks
| Type | Method | Target |
|---|---|---|
| Standard Phishing | Mass email impersonating trusted brands (bank, PayPal, Amazon, IRS) | Anyone |
| Spear Phishing | Targeted email using personal details from your social media or data breaches | Specific individual |
| Clone Phishing | Exact copy of a legitimate email you previously received, with a malicious link substituted | Anyone who received the original |
| Smishing | SMS/text message phishing (“Your package is delayed — click here”) | Mobile users |
| Vishing | Voice call phishing (IRS agents, bank fraud departments, tech support scams) | Phone users |
| Whaling | Spear phishing targeting executives or high-value individuals | CEOs, executives |
| Quishing | QR code phishing — malicious QR codes on flyers, parking meters, restaurant menus, or in emails that redirect to credential-harvesting sites | Anyone who scans QR codes |
How to Recognize Phishing
AI-generated phishing is here. Large language models can now produce flawless phishing emails — no typos, no broken grammar, personalized with details scraped from your LinkedIn and social media. The old advice of “look for spelling errors” is dead. Focus on context and behavior instead: did you expect this email? Does the request make sense? Is there urgency pushing you to act before thinking?
Red flags in emails:
- Urgency or threat: “Your account will be closed in 24 hours”
- Mismatched sender address: display name says “PayPal” but address is
paypal-secure@gmail.com - Generic greeting: “Dear Customer” instead of your name
- Suspicious links: hover over links before clicking — the URL doesn’t match the claimed sender
- Unexpected attachments — especially .zip, .exe, .docx files with macros
- Any request for credentials, payment, or personal information via email
Red flags in texts (Smishing):
- Unknown sender with a link
- Fake package delivery notifications with URLs that don’t match the actual carrier (UPS, FedEx, USPS all have consistent URL patterns)
- “Verify your account” messages you didn’t trigger
- Prize notifications for contests you didn’t enter
Prevention
- Never click links in emails or texts — go directly to the website by typing the address manually
- Verify unexpected requests by calling the sender using a number from their official website, not a number provided in the message
- Enable MFA on every account — even if credentials are stolen, MFA blocks the attacker. Use phishing-resistant methods (FIDO2/passkeys) on high-value accounts
- Use a password manager — it won’t autofill on fake sites because the URL won’t match
- Hover over links before clicking to see the real destination URL
- Check the sender’s actual email address, not just the display name
- Keep software updated — many malware attachments exploit known vulnerabilities in unpatched software
- Preview QR codes before opening — use your phone’s built-in camera (iOS and Android both show the URL before opening it). If the URL looks suspicious or doesn’t match the expected destination, don’t tap it
If You Clicked a Phishing Link
- Do NOT enter any information on the page — close the tab immediately
- Change your password for any account the phishing attempt was impersonating
- Enable or verify 2FA on the affected account
- Scan your device with antivirus software
- Contact your bank if the phishing was financial — report as fraud
If you entered credentials:
- Change the compromised password immediately
- Change the same password anywhere else you reused it
- Monitor accounts for unauthorized activity over the next 30 days
Deepfakes
In 2024, a finance employee at a Hong Kong company transferred $25 million USD to attackers after a deepfake video call that appeared to show his company’s CFO and other colleagues authorizing the transfer. Every participant on the call was AI-generated. The employee had no idea until days later.
This isn’t science fiction. The technology is available and cheap.
Deepfake detection tips:
- Unnatural blinking or eye movement — AI still struggles with realistic blinking patterns
- Blurred or inconsistent edges around the face and hair
- Lighting inconsistencies — light direction doesn’t match the environment
- Audio sync issues — slight lag between lip movements and speech
- Unnatural skin texture or overly smooth appearance
- Strange artifacts when the subject turns their head
Protecting against deepfake social engineering:
- Establish a verbal passphrase with family members — a word or phrase that confirms identity in emergencies. If someone calls claiming to be your family member in crisis, ask for the passphrase.
- Never authorize large financial transfers solely based on a video or audio call — verify through a second, independent channel
- Be suspicious of any unexpected urgent request for money, information, or action — even if it appears to come from someone you know and trust
The family passphrase is a low-tech solution to a high-tech problem. Set one up this week.
Reporting Phishing
- Phishing emails: Forward to the Anti-Phishing Working Group: reportphishing@apwg.org
- US: Report to the FTC at reportfraud.ftc.gov
- IRS phishing: Forward to phishing@irs.gov
- SMS phishing: Forward the message to 7726 (SPAM) — works on most US carriers
Set a family passphrase today. Pick something specific, something no one outside your household would guess, and make sure everyone knows it. That’s the one action here that protects against threats no software can catch.