Phishing 2.0: AI’s New Trick for Fooling the Best of Us

Artificial Intelligence (AI) continues to be a hot topic in information technology. In the last decade, it has skyrocketed in power and popularity, becoming a valuable and time-saving tool. From automating repetitive tasks, to powering up customer service with AI chatbots, and even serving up tailored recommendations on platforms like Netflix and Google—AI is making life smoother for users. 

In the cybersecurity world, AI can serve as the watchdog in detecting threats. However, it can also be the villain.

Phishing got a serious upgrade, and we’ve got AI to thank for that. Gone are the days of laughably bad grammar and sketchy emails from mysterious foreign royalty. AI provides a tool for writing phishing emails that are polished, precise, and scarily believable. These messages are so sophisticated they’ll have you questioning if your boss really didn’t just ask for a wire transfer at 3 AM. A study published earlier this year showed that 60% of people fell for AI-powered phishing scams. 

But don’t panic there are ways to spot these AI-crafted traps. Stopping and verifying the legitimacy of a request is your best defense against this evolving threat. Here are some tips on what to consider with any email request.

• Unexpected Communication: Even if the email seems legitimate, ask yourself if it makes sense. Were you expecting this email? Is the tone, urgency, or topic consistent with previous communication from this person or organization?
• Too Formal or Too Friendly: AI might overcorrect by being too formal or casual for certain relationships. Compare the tone with what you would normally expect from the sender.
• Urgent Requests for Sensitive Information: Requests for passwords, social security numbers, or bank details should be ALWAYS treated with suspicion, especially if the message pressures you to act quickly.
• Unusual Requests: If someone you know (like a boss or colleague) asks you to do something unusual, such as making a wire transfer, providing sensitive information, or clicking on a strange link, verify the request by contacting them through a different channel (e.g., phone or in person). Be especially suspicious of links leading to a “form” to complete where you enter your credentials. This has become a common technique in credential harvesting. 
• Look for inconsistencies between the display name and the actual email address.
• If you receive a suspicious email, check the ISO website phishing alerts page. If the email is not listed there, forward it to phish@arizona.edu. It is better to delay than to regret your response. 

AI-powered phishing scams are rising, but the Information Security Office (ISO) has resources to keep you sharp and ready to tackle cyber threats head-on. This mini-course will take you deep into the trenches of how AI is supercharging cybercrime and, more importantly, arm you with the tools and knowledge you need to fight back. So, buckle up—after this, you’ll be ready to outsmart even the trickiest AI-powered attacks.