The "Nigerian prince" is dead. What's replacing it is much, much harder to spot — because it's being written by the same AI tools your team uses to draft customer emails.
What changed
Until about two years ago, phishing emails gave themselves away: bad grammar, obvious typos, broken formatting, a faintly weird tone. The filter most people relied on to spot them was simply "this email reads wrong".
Large language models broke that filter. Today's phishing emails are grammatically perfect, contextually relevant, and tonally on-brand for whatever industry they're pretending to be in.
What still gives them away
Three things still work. Sender domain: always hover over it and read the part after the @, not the name in front of it. The display name may say "Microsoft 365 Support" while the address is support-microsoft365-team@notmicrosoft.xyz, a domain that merely contains the brand name. Urgency: anything that needs you to act right now is suspicious. Unexpected requests: your CEO doesn't actually need you to buy gift cards.
What to do about it
Three layers, in order of impact. Turn on MFA on every account so a stolen password isn't enough. Run quarterly phishing simulations so your team gets used to spotting them. Use a modern email security service (we deploy Microsoft Defender or ESET Mail Security) that catches most of these before they hit an inbox.
Why the old warning signs no longer work
For years, staff were taught to spot phishing by its mistakes: clumsy grammar, odd phrasing, obvious spelling errors. Generative AI has erased those tells. Today’s phishing emails are fluent, correctly formatted, on-brand and often personalised using information scraped from your website or LinkedIn. The result is that the single most relied-upon filter, that an email simply reads wrong, no longer catches the dangerous messages.
The signals that still hold up
Three checks remain reliable. First, the sender domain: hover over the address and confirm that the part after the @ genuinely matches the organisation's real domain rather than a lookalike with an extra word, a swapped letter or a different ending; a convincing display name proves nothing on its own. Second, urgency: any message demanding immediate action, payment or credential entry deserves a pause. Third, unexpected requests: a sudden change of bank details or an out-of-character instruction from a senior staff member should always be verified through a second channel, such as a phone call to a number you already have. Teaching staff to slow down and verify beats teaching them to spot typos.
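The sender-domain check described above (and in the shorter list earlier on this page) can be automated for a mail gateway or for triaging reported messages. The following is an added example, not code from the original article or from any product it mentions: it parses a raw message, compares the display name against the real From domain, flags lookalike domains by brand-name inclusion or edit distance, compares the envelope sender with the header From, and reads the DMARC verdict recorded by the receiving server. The brand list, the edit-distance threshold and every address and host in the three sample messages are assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Brands staff routinely receive mail from, mapped to the registrable domains
# those brands genuinely send from. Assumed list for this example only.
TRUSTED_BRANDS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "google": {"google.com"},
}


def registrable_domain(address: str) -> str:
    """Lower-cased last two labels of the address's domain. Adequate for .com/.xyz
    endings; production code should use the Public Suffix List (example.co.uk)."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch swapped or substituted letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Brand the domain imitates ('notmicrosoft.xyz', 'rnicrosoft.com' -> 'microsoft'),
    or None if it is genuine or unrelated. Distance 2 suits long brand names only."""
    label = domain.split(".")[0]
    for brand, genuine in TRUSTED_BRANDS.items():
        if domain in genuine:
            return None
        if brand in label or edit_distance(label, brand) <= 2:
            return brand
    return None


def check_sender(raw_message: str) -> list[str]:
    """Apply the 'check who really sent it' test to a raw RFC 5322 message and
    return human-readable findings (empty list: headers consistent with the claim)."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = registrable_domain(addr)
    findings = []
    # 1. Display name drops a brand the address does not belong to: the
    #    "Microsoft 365 Support" from notmicrosoft.xyz case.
    for brand, genuine in TRUSTED_BRANDS.items():
        if brand in display.lower() and from_domain not in genuine:
            findings.append(f"display name claims {brand!r} but address is @{from_domain}")
    # 2. The domain itself imitates a known brand.
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"{from_domain} looks like a {imitated} lookalike domain")
    # 3. Envelope sender (Return-Path) on a different domain from the header From.
    #    Legitimate bulk mailers do this too, so on its own it is a weak signal.
    rp_domain = registrable_domain(parseaddr(msg.get("Return-Path", ""))[1])
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")
    # 4. DMARC verdict recorded by the receiving server. A pass only proves the mail
    #    really came from the From domain; a phisher who owns notmicrosoft.xyz
    #    passes DMARC too, which is why checks 1 and 2 matter.
    verdict = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    if not verdict:
        findings.append("no DMARC verdict recorded")
    elif verdict.group(1).lower() != "pass":
        findings.append(f"DMARC {verdict.group(1)} for {from_domain}")
    return findings


# Constructed sample headers for this example; every address and host is invented.
PHISH = """\
From: "Microsoft 365 Support" <support-microsoft365-team@notmicrosoft.xyz>
Return-Path: <bounce@mail-sender.example>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mail-sender.example; dkim=pass header.d=notmicrosoft.xyz; dmarc=pass header.from=notmicrosoft.xyz
Subject: Action required: your mailbox will be suspended in 24 hours
"""
SPOOFED = """\
From: "Microsoft" <security@microsoft.com>
Return-Path: <bounce@attacker.example>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=attacker.example; dkim=none; dmarc=fail (p=reject) header.from=microsoft.com
Subject: Verify your account
"""
GENUINE = """\
From: Microsoft account team <security-noreply@microsoft.com>
Return-Path: <security-noreply@microsoft.com>
Authentication-Results: mx.example.org; spf=pass; dkim=pass header.d=microsoft.com; dmarc=pass header.from=microsoft.com
Subject: Security info was added
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("SPOOFED", SPOOFED), ("GENUINE", GENUINE)):
        print(name, check_sender(sample) or ["no findings"])
```

The three samples show why the checks have to be combined. The lookalike-domain phish passes SPF, DKIM and DMARC because the attacker controls notmicrosoft.xyz, so only the display-name and lookalike checks catch it; the exact-domain spoof fails DMARC and has a foreign Return-Path; the genuine message trips nothing. A DMARC pass therefore answers "did this really come from that domain", never "is that domain the one it pretends to be".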
A layered defence is the only reliable answer
Because no single person catches every message, the protection has to be layered. Modern email filtering removes most threats before they reach an inbox. Multi-factor authentication means a stolen password alone is not enough to cause harm. Regular awareness training keeps the team alert to current tactics. Together these controls mean that one missed email, one stolen password or one distracted click is no longer enough on its own, which is exactly what a small business needs when the attacker only has to get lucky once.
What to do the moment something looks wrong
Speed matters once a suspicious message arrives. Staff should know not to click, not to reply, and to report it through a single agreed channel so it can be checked quickly. If credentials may have been entered, the password should be changed immediately and every active session and sign-in token revoked, otherwise a password change alone may leave the attacker logged in; this is far easier when multi-factor authentication and central identity management are already in place. It is also worth checking the account for the changes an attacker commonly makes to keep access, such as newly registered MFA methods or mailbox forwarding rules. We set up that reporting button, monitor for compromised accounts, and respond fast when something gets through. The aim is not to make every staff member a security expert, but to make the safe response the obvious and easy one.
Training that reflects how attacks really work
Generic security training ages quickly. The most effective approach uses short, regular refreshers tied to the tactics actually circulating, rather than a single annual session that everyone forgets by lunchtime. Realistic simulations, run with care and never to catch people out, help staff recognise the pressure and urgency that real attacks rely on. We run that programme for clients so the team stays current, and so security awareness becomes part of normal working life instead of a once-a-year tick-box exercise that changes nothing.