In short: Phishing used to be easy to spot — broken grammar, generic greetings, obvious urgency. Generative AI has erased those tells. Modern scam messages are fluent, personalised with details scraped from breaches and social media, and increasingly delivered by cloned voices. Defence has shifted from "spot the typo" to "verify the channel and protect the second factor".
What changed
Attackers now generate thousands of unique, well-written messages that reference your real employer, a recent purchase, or a service you actually use. Voice cloning needs only seconds of audio to imitate a colleague or family member on a call. The message quality is no longer a signal, because the quality is now perfect.
The signals that still hold
The channel. Real institutions do not ask for passwords, codes or payments over unexpected messages. If a request arrives out of the blue, the medium itself is the red flag, not the wording.
Urgency plus secrecy. "Act now, and don't tell anyone" is a manipulation pattern, whether written by a human or a model.
The destination. Check where a link goes before you follow it: hover over it on a desktop, or long-press it on a phone. A polished email can still only send you to a domain the attacker controls — and the domain rarely matches the real one exactly.
Build defences that don't depend on your judgement
Because the message can now be flawless, the durable protections are the ones that work even when you are fooled for a moment:
Use a password manager. It autofills only on the genuine domain, so a look-alike site gets nothing — the manager silently refusing to fill is itself a warning. Prefer app-based or hardware two-factor over SMS, which is more easily intercepted and phished. And verify any high-stakes request through a second, known channel: call the person back on a number you already have.
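The exact-domain matching that makes autofill fail on a look-alike site can be sketched as follows. This is an added example, not code from any particular password manager; the strict policy (subdomains are refused), the reason labels and all .example hosts are assumptions constructed for illustration.

```javascript
// Added example: the exact-origin check behind password-manager autofill.
// Assumptions: strict policy (no subdomain fill); hosts are constructed .example samples.
const SAVED = [{ origin: "https://bank.example", user: "alice" }];

// Levenshtein edit distance, used only to explain why a refused host looked familiar.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const row = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(prev[j] + 1, row[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = row;
  }
  return prev[b.length];
}

// Fill only on an exact scheme + host + port match; otherwise report the likely trick.
function checkAutofill(link, saved = SAVED) {
  let url;
  try { url = new URL(link); } catch { return { fill: false, reason: "unparseable" }; }
  const hit = saved.find((s) => new URL(s.origin).origin === url.origin);
  if (hit) return { fill: true, reason: "exact-origin-match", user: hit.user };

  const host = url.hostname; // what the browser will really connect to
  for (const s of saved) {
    const real = new URL(s.origin).hostname;
    if (host === real) return { fill: false, reason: "scheme-or-port-mismatch" };
    if (host.endsWith("." + real)) return { fill: false, reason: "subdomain-of-saved-site" };
    if (url.username.includes(real)) return { fill: false, reason: "real-name-in-userinfo" };
    if (host.includes(real)) return { fill: false, reason: "real-name-embedded-in-other-host" };
    if (host.split(".").some((l) => l.startsWith("xn--"))) return { fill: false, reason: "idn-host-not-saved" };
    if (editDistance(host, real) <= 2) return { fill: false, reason: "near-miss-spelling" };
  }
  return { fill: false, reason: "unknown-site" };
}
```

Every refusal path returns `fill: false` regardless of how convincing the page content is, which is why this control keeps working when the reader's own judgement is fooled.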
Where a VPN fits
A VPN is not an anti-phishing tool — it will not stop you from typing a password into a convincing fake. But it protects the layer phishing sometimes rides on: on untrusted networks it prevents an attacker from redirecting your traffic or injecting fake login pages, and it stops the harvesting of the browsing metadata that makes the next tailored lure so convincing. Think of it as reducing the raw material attackers use to personalise the attack. For the account side, our security guides walk through 2FA and password managers step by step.
