9 June 2026
AI Just Made Phishing Personal. Here's How to Stay Ahead in 2026
For years the advice for spotting a phishing email was simple: look for bad spelling, broken grammar, a sense of panic and a dodgy link. If it looked off, it probably was.
That advice is now worthless.
Generative AI has handed criminals fluent, native-quality English, the ability to copy a specific person's writing style, and the means to do it at scale. The clumsy "Dear Customer" message is being replaced by an email that reads exactly like it came from your finance director, because, in effect, it was written to sound like them.
Why 2026 is different
Three things have changed at once:
- The writing is flawless. No typos, no odd phrasing. The tells we spent years training staff to spot are gone.
- It's personalised. Attackers scrape LinkedIn, your website and breached data to reference real colleagues, real suppliers and real invoices.
- It's multi-channel. A convincing email is now backed up by a follow-up text, or even a voice note cloned from a few seconds of someone's audio.
The result is business email compromise that doesn't feel like a scam. It feels like a normal Tuesday.
The attack that's actually catching people
The pattern we see most often: an email, apparently from a senior person, asking someone in finance to change the bank details on an invoice or push through an urgent payment. It references a genuine supplier. The tone is right. The timing, end of month or just before a holiday, is deliberate.
By the time anyone phones to check, the money has gone.
What actually defends against this
Training alone can't defend against emails that look perfect. The fix is layered, and most of it isn't glamorous:
- MFA everywhere. Still blocks more than 99% of account takeovers, and account takeover is how attackers get inside your mailbox to study you in the first place.
- A payment-change rule that can't be skipped. Any change to bank details is verified by a phone call to a known number. No exceptions, no "but the email said it was urgent".
- Email authentication (SPF, DKIM, DMARC) configured properly, so your domain can't be trivially spoofed.
- Microsoft 365 Defender or equivalent, to catch impersonation and malicious links before they reach the inbox.
- Training that has caught up. Teach people to verify, not just to "spot the typo", because the typo is gone.
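To make "configured properly" concrete for the SPF and DMARC part of that list, here is a small checker, added for this article and not a tool the author offers, that scores a domain's records the way an assessment would: the "assumed" configuration beside the enforcing one. The two domains and their TXT records are constructed samples, not real lookups, and DKIM is left out because checking it needs the selector name.

```python
# Constructed sample DNS TXT records for two invented domains: "assumed" vs enforcing.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.example.net ?all",
        "dmarc": "v=DMARC1; p=none",
    },
    "strong.example": {
        "spf": "v=spf1 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example",
    },
}

def parse_tags(record):
    # Split a DMARC "tag=value; tag=value" record into a dict of lowercase tags.
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_spf(spf):
    """Flag SPF records whose terminal 'all' qualifier lets spoofed mail pass."""
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: missing or malformed record"]
    qualifier = None
    for term in terms[1:]:
        if term.lstrip("+-~?").lower() == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
    if qualifier is None:
        return ["SPF: no terminal 'all' mechanism, so unlisted senders are neutral"]
    if qualifier in "+?":
        return [f"SPF: '{qualifier}all' is permissive; spoofed mail passes"]
    return []

def assess_dmarc(dmarc):
    """Flag DMARC records that only monitor rather than enforce."""
    tags = parse_tags(dmarc)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: missing or malformed record"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"DMARC: p={policy} does not reject spoofed mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports arrive")
    return findings

def assess_domain(records):
    # An empty list means both records are in an enforcing state.
    return assess_spf(records.get("spf", "")) + assess_dmarc(records.get("dmarc", ""))
```

Running `assess_domain` on the weak sample returns three findings; on the strong one it returns none, which is the state the assessment in this article is asking you to confirm rather than assume.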
The mindset shift
Stop telling people to look for mistakes. Start telling them to slow down on anything involving money, credentials or urgency, and to confirm it through a second channel. The question is no longer "does this look fake?" It's "have I actually confirmed this is real?"
Where to start
If you're not sure how exposed you are, that is the thing to fix first. Our free cyber security assessment takes about four minutes and gives you a prioritised action plan, including whether your email authentication and Microsoft 365 protections are genuinely configured or just assumed to be.
The criminals have upgraded their tools. The reassuring part is that the defences that work haven't changed much; you just have to actually have them switched on.
