What Changed

For decades, security training taught people to spot phishing by looking for specific tells. Grammatical errors. Generic salutations like "Dear Customer." Requests that didn't match how legitimate organizations actually communicate. Poor design, suspicious links, obvious pretexts.

These tells worked because phishing relied on speed and volume. Attackers couldn't afford to personalize thousands of messages, so they made trade-offs: they sacrificed credibility for scale. Mass phishing had obvious red flags because they had to.

AI has eliminated these trade-offs. AI can write grammatically perfect messages. It can research a specific person and draft a message that references real details about them — a real colleague's name, a real recent project, a real corporate event. It can customize that message for thousands of targets at near-zero cost per target. The tells that trained a generation of users to spot phishing are largely gone, replaced by something that sounds like it's actually from someone who knows you.