For years, phishing advice has leaned heavily on the idea that dangerous emails look dangerous.
Watch for spelling mistakes.
Hover over the link.
Look for odd grammar.
Be suspicious of greetings like “Dear Most Esteemed Account Holder”.
And to be fair, that advice had its moment. Plenty of phishing emails used to look like they had been written during a fire drill by someone with only partial access to a keyboard.
But that era is ending.
Not because every attacker has become brilliant. That would almost be flattering. The bigger issue is that attackers no longer need to be brilliant. AI and automation now help criminals write cleaner messages, imitate tone, produce believable fake login journeys, translate naturally, tailor lures, and scale campaigns quickly.
The National Cyber Security Centre has warned that AI is likely to increase the volume and impact of cyber attacks, especially by improving social engineering. Microsoft’s 2025 Digital Defense Report describes attackers using AI and automation across phishing, impersonation, and multi-stage attacks. Verizon’s DBIR also shows a wider shift: attackers are not only tricking people, they are exploiting weaknesses in systems, identities, and processes.
So the old question, “Will someone spot the phishing email?” is becoming less useful.
The better question is:
What happens when the phishing email is good?
Phishing Is No Longer Just an Email Problem
The email is often only the opening move.
A convincing message might lead to a fake Microsoft 365 login page. That might lead to stolen session tokens. That might lead to mailbox access. That might lead to invoice fraud, internal impersonation, client data exposure, or further attacks against suppliers.
In other cases, the message may not look like a traditional phishing email at all. It could be a QR code. A Teams message. A shared document. A phone call. A fake MFA prompt. A device-code login trick, where the target is talked into entering a short code on a genuine sign-in page and the attacker’s device ends up holding the session. A request to “quickly approve” something that feels routine because, on a busy Tuesday afternoon, almost everything feels routine.
That is the point.
Modern phishing works because it blends into normal business behaviour. The attacker does not need the target to do something wildly unusual. They need them to do something ordinary in the wrong context.
Sign in here.
Approve this.
Open that.
Call this number.
Confirm these bank details.
Grant this app permission.
None of those actions are inherently suspicious. They happen every day inside functioning organisations. Which means the real defence is not just teaching people to spot bad emails. It is designing business processes that make risky actions harder to complete by accident.
The Problem With Making Employees the Security Filter
There is a subtle problem with a lot of security awareness advice: it quietly asks every employee to become a part-time fraud analyst.
Finance staff are expected to detect payment scams while closing month-end. HR teams are expected to identify malicious documents while handling sensitive people issues. Directors are expected to inspect login prompts between meetings. Everyone is expected to notice the one strange thing in a sea of normal work.
This is not a serious operating model.
It is a bit like running a restaurant where the food safety process is “everyone sniff the chicken and hope for the best”. Useful instinct? Occasionally. Reliable control? Absolutely not.
People matter enormously in cybersecurity, but they should not be the only control between a convincing scam and a serious incident.
A stronger model assumes that people will sometimes be busy, distracted, helpful, tired, trusting, or under pressure. In other words, human.
Good security design accounts for that.
The Expertise Is in the Workflow
The organisations that handle phishing well tend to have one thing in common: they treat it as a workflow problem.
They ask where trust is created, changed, and abused.
Who can approve a payment?
How are supplier bank details changed?
Who can grant access to sensitive files?
What happens when someone receives an unexpected MFA prompt?
How are password resets verified?
Which accounts have administrator rights?
What alerts would trigger if an attacker signed in successfully?
How quickly could access be revoked?
These are not just technical questions. They are operational questions.
A phishing attack succeeds when it finds a soft spot in the way work happens. Sometimes that soft spot is a person clicking a link. Sometimes it is an over-permissioned account. Sometimes it is a missing approval step. Sometimes it is a mailbox rule nobody notices, quietly forwarding, hiding, or deleting invoice-related mail. Sometimes it is a backup that exists in theory but has never been restored.
The expert move is not to shout “be careful” more loudly.
The expert move is to reduce the number of moments where a single mistaken click can become a business incident.
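The “mailbox rule nobody notices” is one of the few soft spots above that a machine can watch for. The following is an added example, not code from the original article or from Microsoft: it reads constructed mailbox audit records shaped like the Exchange Online entries in the Microsoft 365 unified audit log (an Operation, a UserId, and Parameters as Name/Value pairs) and flags rules that forward outside the organisation, delete or hide messages, or filter on invoice and payment words. The internal domain list, the “hiding” folder names, the lure words, and the two-reasons threshold are all assumptions you would tune for your own tenant.

```python
"""Flag suspicious inbox rules in mailbox audit records.

Editor-added example; not code from the original article or from Microsoft.
Records follow the general shape of Exchange Online entries in the unified
audit log (Operation, UserId, Parameters as Name/Value pairs), but every
record below is constructed, and the domain list, folder list, lure words
and threshold are assumptions to tune for your own tenant.
"""
from __future__ import annotations
import json
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example.co.uk"}  # assumption: the organisation's own mail domains
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDE_FOLDERS = {"RSS Subscriptions", "RSS Feeds", "Conversation History", "Archive", "Junk Email"}
LURE_WORDS = {"invoice", "payment", "remittance", "bank", "password", "mfa", "security"}


@dataclass
class Finding:
    user: str
    rule: str
    reasons: list[str] = field(default_factory=list)


def _params(record: dict) -> dict[str, str]:
    """Collapse the Name/Value parameter list into a plain dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def _external_addresses(value: str) -> list[str]:
    """Pull external addresses out of values like 'Collector [SMTP:x@y.example]'."""
    out = []
    for token in value.replace("[", " ").replace("]", " ").split():
        addr = token.split(":", 1)[-1].rstrip(";")  # drop an 'SMTP:' prefix if present
        if "@" in addr and addr.split("@", 1)[1].lower() not in INTERNAL_DOMAINS:
            out.append(addr)
    return out


def analyse_rule_record(record: dict) -> Finding | None:
    """Return a Finding when a rule-creation/change record looks like post-compromise tradecraft."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    p = _params(record)
    reasons: list[str] = []
    name = p.get("Name", "")
    if len(name.strip()) <= 2:  # heuristic: names like '.' or ',' hide in the rule list
        reasons.append(f"near-empty rule name {name!r}")
    forwards_out = False
    for key in FORWARD_PARAMS:
        ext = _external_addresses(p[key]) if key in p else []
        if ext:
            forwards_out = True
            reasons.append(f"{key} to external {', '.join(ext)}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes messages")
    if p.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks as read")
    if p.get("MoveToFolder") in HIDE_FOLDERS:
        reasons.append(f"moves to {p['MoveToFolder']}")
    for key in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"):
        words = {w.strip().lower() for w in p.get(key, "").split(";") if w.strip()}
        hits = words & LURE_WORDS
        if hits:
            reasons.append(f"{key} matches {sorted(hits)}")
    # External forwarding is enough on its own; anything else needs two signals
    # so that ordinary housekeeping rules do not page anyone.
    if not forwards_out and len(reasons) < 2:
        return None
    return Finding(record.get("UserId", "?"), name or "(unnamed)", reasons)


def scan(lines: list[str]) -> list[Finding]:
    """Run the check over JSON audit records, one per line."""
    findings = []
    for line in lines:
        f = analyse_rule_record(json.loads(line))
        if f:
            findings.append(f)
    return findings


SAMPLE_LINES = [  # constructed records; not real audit data
    # rule an attacker creates after taking over a finance mailbox
    '{"Operation":"New-InboxRule","UserId":"finance@example.co.uk","Parameters":['
    '{"Name":"Name","Value":"."},'
    '{"Name":"SubjectOrBodyContainsWords","Value":"invoice;payment;remittance"},'
    '{"Name":"ForwardAsAttachmentTo","Value":"Collector [SMTP:collector@mail-drop.example]"},'
    '{"Name":"MoveToFolder","Value":"RSS Subscriptions"},'
    '{"Name":"MarkAsRead","Value":"True"},'
    '{"Name":"DeleteMessage","Value":"True"}]}',
    # ordinary housekeeping rule: no signals
    '{"Operation":"New-InboxRule","UserId":"hr@example.co.uk","Parameters":['
    '{"Name":"Name","Value":"Vendor newsletters"},'
    '{"Name":"FromAddressContainsWords","Value":"news@vendor.example"},'
    '{"Name":"MoveToFolder","Value":"Newsletters"}]}',
    # archiving rule: one weak signal only, stays below the threshold
    '{"Operation":"Set-InboxRule","UserId":"ops@example.co.uk","Parameters":['
    '{"Name":"Name","Value":"Team updates"},'
    '{"Name":"MoveToFolder","Value":"Archive"}]}',
    # unrelated operation, ignored
    '{"Operation":"MailItemsAccessed","UserId":"finance@example.co.uk","Parameters":[]}',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f.user, repr(f.rule), "->", "; ".join(f.reasons))
```

Run against an export of the audit log on a schedule and only the finance record above is reported. The check is a safety net, not the control: the control is a tenant-level block on automatic external forwarding plus an alert on every inbox-rule creation for the accounts that matter most.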
Verification Needs to Be Designed, Not Improvised
One of the most practical ways to reduce phishing risk is to make verification boringly consistent.
Boring is good here. Boring is underrated. Boring is the cardigan of cybersecurity: not glamorous, but often exactly what the situation needed.
Payment detail changes should be verified through a trusted channel, not by replying to the same email thread.
Unexpected MFA prompts should be treated as suspicious unless the user has just initiated a login, and reported rather than simply dismissed: a prompt the user did not trigger usually means someone else already has their password.
Requests for sensitive data should follow a known process, even when they appear to come from someone senior.
New app permissions should be reviewed before being granted.
Admin accounts should not be used for day-to-day work.
Access should be removed promptly when people leave or change roles.
These controls do not need to make work painful. In fact, the best controls make decisions easier. They remove the awkwardness from saying, “I need to verify this first.”
That matters because attackers often rely on social pressure. Urgency. Authority. Helpfulness. Politeness. The tiny discomfort of challenging someone.
A good process gives people permission to pause.
Identity Is Now the Main Battleground
Many phishing attacks are not really about the email. They are about identity.
The attacker wants access: to an inbox, a cloud account, a finance platform, a document library, an admin portal, a payroll system, or a supplier relationship.
This is why identity controls have become so important.
MFA is essential, but it is not the finish line. MFA that is not phishing-resistant can still be worked around through prompt bombing, token theft, adversary-in-the-middle techniques, or social engineering, even when it is configured exactly as the vendor intended. That does not make MFA useless. Far from it. It means MFA needs to sit inside a wider identity strategy, and that the accounts which matter most should move to phishing-resistant methods such as passkeys or hardware security keys.
That includes conditional access, device trust, least privilege, admin account protection, risky sign-in detection, app consent controls, strong recovery processes, and regular access reviews.
It also includes something very simple: knowing which accounts matter most.
Not all accounts carry the same risk. A compromised test account with no access is inconvenient. A compromised finance mailbox, director account, HR account, or global admin account is a very different animal. Not literally, thankfully. Cybersecurity has enough problems without adding wildlife.
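Prompt bombing, mentioned above, leaves a distinctive shape in sign-in logs: a run of rejected or ignored push notifications for one account, then an approval. The following is an added example, not code from the original article or from any identity vendor. It runs over constructed sign-in events of the form timestamp, user, source IP, result; that shape is a simplified stand-in for what Entra ID, Okta and similar products actually record, so mapping real fields onto it is an assumption, as are the ten-minute window and the threshold of three rejected pushes.

```python
"""Detect MFA push fatigue (prompt bombing) in sign-in events.

Editor-added example; not code from the original article or from any vendor.
Each event is a constructed line of the form
    <ISO timestamp> <user> <source IP> <result>
which is a simplified stand-in for a real sign-in log record. Mapping real
fields onto it, and the window and threshold values, are assumptions to tune.
"""
from __future__ import annotations
from collections import defaultdict, deque
from datetime import datetime, timedelta

REJECTED = {"mfa_denied", "mfa_timeout"}  # the user declined or ignored the push
WINDOW = timedelta(minutes=10)             # assumption
THRESHOLD = 3                              # assumption: rejected pushes within WINDOW before an approval


def parse_event(line: str) -> tuple[datetime, str, str, str]:
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result


def detect_prompt_bombing(lines: list[str]) -> list[dict]:
    """Alert when a user approves a push after THRESHOLD rejected pushes within WINDOW.

    Whoever is sending the pushes already has the password, so every alert
    means 'this credential is compromised' regardless of whether the final
    approval came from the same source IP as the rejected attempts.
    """
    recent: dict[str, deque] = defaultdict(deque)  # user -> (time, ip) of recent rejections
    alerts: list[dict] = []
    for ts, user, ip, result in sorted(parse_event(line) for line in lines):
        q = recent[user]
        while q and ts - q[0][0] > WINDOW:  # age out rejections older than WINDOW
            q.popleft()
        if result in REJECTED:
            q.append((ts, ip))
        elif result == "success" and len(q) >= THRESHOLD:
            push_sources = {src for _, src in q}
            alerts.append({
                "user": user,
                "approved_at": ts.isoformat(),
                "approved_from": ip,
                "rejected_pushes": len(q),
                "push_sources": sorted(push_sources),
                "approval_from_same_source": ip in push_sources,
            })
            q.clear()
        # other results (password_failed and so on) do not feed this signal
    return alerts


SAMPLE_EVENTS = [  # constructed; not real log data
    "2025-03-04T01:30:00 pat@example.co.uk 203.0.113.7 mfa_denied",       # too old to count
    "2025-03-04T02:10:40 pat@example.co.uk 203.0.113.7 password_failed",
    "2025-03-04T02:11:05 pat@example.co.uk 203.0.113.7 mfa_denied",
    "2025-03-04T02:12:30 pat@example.co.uk 203.0.113.7 mfa_denied",
    "2025-03-04T02:14:02 pat@example.co.uk 203.0.113.7 mfa_timeout",
    "2025-03-04T02:15:11 pat@example.co.uk 203.0.113.7 mfa_denied",
    "2025-03-04T02:16:48 pat@example.co.uk 203.0.113.7 success",          # the tired approval
    "2025-03-04T09:00:12 alex@example.co.uk 198.51.100.20 mfa_timeout",   # one missed push, normal
    "2025-03-04T09:02:05 alex@example.co.uk 198.51.100.20 success",
]

if __name__ == "__main__":
    for alert in detect_prompt_bombing(SAMPLE_EVENTS):
        print(alert)
```

Only pat’s account is reported; alex’s single missed push is ordinary behaviour. The useful response to such an alert is mechanical rather than clever: revoke the account’s sessions, reset the password, and check the mailbox for new rules. Number matching or a phishing-resistant method removes the blind-approve path that this pattern depends on.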
Awareness Training Still Matters, But It Has to Mature
None of this means awareness training is dead. It means awareness training has to grow up.
Annual training that tells people “don’t click suspicious links” is not enough. People need practical, contextual guidance tied to the way they actually work.
What does a suspicious payment request look like?
What should someone do if they approve an MFA prompt by mistake?
How should a Teams impersonation attempt be reported?
What does a fake file-sharing notification look like?
Who should verify a bank detail change?
What happens after someone reports a suspicious email?
Training should also avoid turning mistakes into shame. If people think they will be blamed, they report slowly or not at all. That delay is often more damaging than the original click.
A useful security culture treats reporting as a positive action. Fast reporting can be the difference between a contained incident and a long afternoon involving lawyers, insurers, clients, and the sort of spreadsheet nobody wants to maintain.
The Practical Checklist for Leaders
If you want to understand whether your organisation is ready for modern phishing, ask these questions:
Do we protect our most important accounts differently from normal accounts?
Do we have MFA everywhere important, and is it configured properly?
Can we detect suspicious sign-ins, unusual locations, risky devices, or abnormal mailbox activity?
Do we restrict app permissions and third-party access?
Do we have a clear process for payment changes and sensitive data requests?
Can employees report suspicious messages quickly?
Do we test whether people know what to do after a mistake?
Are leavers removed from systems promptly?
Do we review access regularly?
Have we tested whether backups can actually be restored?
Do we know what we would do in the first hour of an account compromise?
This is where mature cybersecurity becomes visible. Not in a dramatic wall of dashboards. Not in a 97-page policy nobody has read since it was created. But in whether the organisation can answer basic questions about access, verification, detection, and recovery.
The Real Shift
AI has not made phishing unbeatable. It has made weak process easier to exploit.
That distinction matters.
The answer is not to assume every employee can outwit every scam. The answer is to build an environment where one convincing message does not have a clear path to money, data, systems, or reputation.
That means layered controls. Sensible identity management. Clear verification rules. Better reporting habits. Tested recovery. Practical training. Regular review.
The future of phishing defence is not about spotting every fake email.
It is about designing organisations where fake emails have fewer places to go.
Sources used:
NCSC: https://www.ncsc.gov.uk/report/impact-of-ai-on-cyber-threat
Microsoft Digital Defense Report 2025: https://www.microsoft.com/en-us/corporate-responsibility/cybersecurity/microsoft-digital-defense-report-2025/
Verizon DBIR: https://www.verizon.com/business/resources/reports/dbir/