What AI-Powered Phishing Actually Looks Like

Hyper-personalized spear phishing at scale

Traditional spear phishing required an attacker to manually research a target, craft a custom message, and send it individually. This limited volume. AI changes that entirely. Attackers now use AI to scrape LinkedIn, company websites, press releases, and social media to generate personalized, contextually accurate phishing emails at machine speed.

Your accounts payable manager gets an email that references your CFO by name, mentions a specific vendor you actually use, references a real invoice number scraped from a public procurement filing, and requests an urgent payment change before an end-of-quarter deadline. Every detail is accurate. The only thing wrong is the sender.

Deepfake voice and video fraud

The FBI has specifically warned about AI-generated voice and video being used in business fraud. In a documented attack pattern, employees receive what appears to be a video call with their CEO or CFO asking them to execute an urgent wire transfer. The face is AI-generated from public video footage. The voice is cloned from earnings calls or YouTube interviews.

In Arizona’s high-growth business market — where employees frequently interact with executives they’ve never met in person and organizations regularly onboard remote staff — this attack vector is particularly effective.

AI-generated impersonation of IT and vendors

Attackers are using AI to impersonate IT providers, software vendors, and security companies. The emails are technically literate, use correct terminology, and often arrive at exactly the right moment — because the attackers have researched the target’s vendor relationships from public sources.

For Phoenix businesses that rely on MSPs, cloud vendors, and SaaS tools, an AI-generated email claiming to be from their IT provider asking to “verify credentials for a system upgrade” is nearly indistinguishable from a legitimate communication.

What the Data Shows

The FBI’s IC3 has documented a significant increase in AI-assisted Business Email Compromise and fraud schemes. Key findings from recent reporting:

•       BEC incidents leveraging AI-generated content have increased substantially year over year.

•       Deepfake fraud losses have been documented in the millions of dollars per incident at the enterprise level; SMB incidents are underreported.

•       AI-generated phishing now achieves open rates and click rates significantly higher than traditional bulk phishing.

•       Arizona’s status as a high-BEC state means Phoenix businesses are in an elevated risk zone for these attack types.

Why Traditional Defenses Are No Longer Sufficient

The training that worked before — look for bad grammar, be suspicious of urgency, hover over links — is still valuable but no longer sufficient as a primary defense. AI-generated phishing routinely bypasses all of these heuristics.

Email security filters that rely on known-bad signatures are also struggling. AI-generated content doesn’t match known patterns. It’s new every time.

This doesn’t mean training and filters are worthless. It means they need to be supplemented with controls that don’t depend on humans detecting deception.

The Defense Framework for AI-Era Phishing

Layer 1: Technical controls that don’t require human detection

MFA on every account is the most important control against AI phishing. Even if an employee is deceived into providing credentials, MFA prevents the attacker from using them. This is why every cyber insurance carrier now requires it.

•       Multi-factor authentication: eliminates credential theft as a useful attack outcome.

•       Email authentication (SPF, DKIM, DMARC in enforcement mode): prevents domain spoofing.

•       AI-powered email security: modern email security tools use AI to detect AI-generated phishing — fighting fire with fire.

•       Zero-trust network architecture: even if a credential is compromised, lateral movement is restricted.

Layer 2: Process controls that verify identity outside email

Any request involving money movement, credential changes, or access provisioning should be verified through a second channel — a phone call to a known number, not a number provided in the email. This single process control defeats BEC and most deepfake fraud scenarios.

•       Call-back verification for all payment instruction changes.

•       Out-of-band confirmation for any executive request received via email only.

•       Dual authorization for wire transfers above a defined threshold.

Layer 3: Updated awareness training

Training should be updated to reflect the AI threat specifically. The new red flags aren’t grammar errors — they’re requests that create urgency and bypass normal process. Employees should be trained to recognize process circumvention, not just grammatical tells.

The Phoenix Context

Phoenix’s rapid business growth, high remote workforce density, and concentration of high-transaction industries make it a prime market for AI-powered phishing. New employee relationships, frequent vendor changes, and executive teams distributed across locations all create the conditions these attacks exploit.

The businesses we work with that have been victimized in the last 18 months share one characteristic: they relied on human vigilance as their primary defense. The businesses that avoided incidents had technical controls that didn’t depend on anyone catching anything.

AEGITz’s security stack includes AI-powered email protection and BEC-specific controls. If you want to know how your current defenses would perform against AI-generated phishing, ask us about a security assessment.