AI Makes Phishing Better

  • Feb 23
  • 3 min read

The Verification Flow You Add Before Clicking Anything

Phishing emails used to be easy to spot: broken grammar, weird formatting, and obvious urgency.

Now attackers can use AI to write clean, professional messages that look like they came from a real coworker, vendor, or executive. The email “sounds right,” and that’s the danger.

You don’t need paranoia. You need a repeatable verification habit your team can follow in under a minute.

This post gives you a Click Verification Flow you can adopt before anyone clicks a link, opens a file, or changes payment details.


Why It Matters

Phishing works when people are rushed. AI makes it easier to exploit that rush by:

  • Matching your company’s tone

  • Mimicking vendor language

  • Producing believable “invoice,” “DocuSign,” or “account update” messages

  • Tailoring urgency without sounding sloppy

The goal isn’t to teach everyone email forensics. It’s to prevent one expensive mistake.

TEC Tip: The best anti-phishing training isn’t awareness. It’s a workflow.

A Quick Real-World Scenario

A finance team member receives an email that looks like it came from a vendor contact. It’s polite, well-written, and references a real project. The message asks for a “quick update” to ACH details and includes a PDF.

It feels normal, until you notice the reply-to address is slightly different and the request bypasses the usual approval process.

Using the flow below, the employee pauses, verifies via a known channel, and routes it to IT. No click. No payout. No cleanup.

Same inbox. Different outcome.


The Click Verification Flow (Copy/Paste)

Use this flow before you:

  • Click a link

  • Open an attachment

  • Scan a QR code

  • Share credentials or MFA codes

  • Change payment details or vendor banking info

  • Approve access, invoices, gift cards, or payroll changes


Step 1: Identify The Ask (What Are They Trying To Make You Do?)

  • Click a link

  • Open a file

  • Log in

  • Pay / wire / change banking

  • Share information

  • Approve access

  • Act fast “today” or “within the hour”

If the ask involves money, access, or credentials, treat it as high-risk.

TEC Tip: Urgency is the oldest trick in the book. AI just makes it sound more polite.

Step 2: Verify The Sender (Don’t Trust The Display Name)

Check:

  • The full email address (not just the name)

  • The reply-to address (if different)

  • The domain spelling (one extra letter, swapped characters)

  • Whether the tone matches past messages from that person

If anything is off, do not continue.


Step 3: Verify The Link Or Attachment (Before You Touch It)

For links:

  • Hover to preview the destination

  • Confirm the domain is exactly the real one

  • Watch for lookalike domains and odd subdomains

For attachments:

  • Treat unexpected PDFs, ZIPs, and “secured documents” as suspicious

  • Be cautious with “invoice” and “payment” attachments, even if the email looks real

If you weren’t expecting it, you verify first.
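The sender and link checks in Steps 2 and 3 (and the high-risk terms from Step 1) are easy to describe and easy to skip under pressure, so here they are as a small script that runs them over one raw message. This is an added example, not TEC's code or tooling; the vendor domain list, the high-risk word list, and the sample e-mail (every name, address and URL in it) are constructed for the demonstration. The lookalike test is a plain edit-distance heuristic, and the registrable-domain logic uses "last two labels" rather than the public suffix list, so a production version would tighten both.

```python
"""Worked example (added; not TEC's code): Steps 1-3 of the flow as checks
over one raw e-mail, so the manual habit has a repeatable, scriptable form."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organisation keeps a list of vendor domains it actually
# does business with (the "known" side of every comparison below).
KNOWN_DOMAINS = {"acme-supplies.com", "example-bank.com"}

# Terms from Step 1 that make a request high-risk (money, access, urgency).
HIGH_RISK_TERMS = ("ach", "wire", "banking", "password", "mfa", "urgent", "today")

# Constructed sample message; every name, address and URL is invented.
SAMPLE_EMAIL = """\
From: "Dana Ortiz (Acme Supplies)" <dana.ortiz@acme-supplies.com>
Reply-To: dana.ortiz@acme-suppIies.com
Subject: Quick update to ACH details
Content-Type: text/plain

Hi, please update our banking details before today's run.
Portal: https://acme-supplies.com.billing-update.net/login
Invoice: https://acme-supplies.com/invoices/1042
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def edit_distance(a, b):
    """Levenshtein distance. A small, non-zero distance between two domains is
    the "one extra letter, swapped characters" case from Step 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, known=KNOWN_DOMAINS):
    """Return 'known', 'odd-subdomain', 'lookalike' or 'unknown' for a host."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    # Step 3 says the domain must be *exactly* the real one, so compare the
    # registrable part (last two labels; use the public suffix list in production).
    registrable = ".".join(labels[-2:])
    if registrable in known:
        return "known"
    # A real domain name used as a *subdomain* of something else, e.g.
    # acme-supplies.com.billing-update.net, is the "odd subdomain" trick.
    if any(host.startswith(k + ".") or f".{k}." in host for k in known):
        return "odd-subdomain"
    # Within two edits of a real domain (extra letter, I-for-l, swapped chars).
    # Threshold tuned for domains this long; short domains need a smaller one.
    if any(edit_distance(registrable, k) <= 2 for k in known):
        return "lookalike"
    return "unknown"


def high_risk_terms(text):
    """Step 1: which money/access/urgency words appear in the message."""
    words = set(re.findall(r"[a-z]+", text.lower()))
    return sorted(t for t in HIGH_RISK_TERMS if t in words)


def check_message(raw, known=KNOWN_DOMAINS):
    """Run the Step 2 and Step 3 checks over one raw message and return the
    findings. An empty list means nothing tripped, not that the mail is safe."""
    msg = message_from_string(raw)
    findings = []
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    from_dom = from_addr.rpartition("@")[2]
    reply_dom = reply_to.rpartition("@")[2]

    # Step 2: judge the full address, never the display name.
    kind = classify_host(from_dom, known)
    if kind != "known":
        findings.append(f"From domain {from_dom!r} is {kind}")
    # Step 2: a Reply-To that differs from From redirects the conversation.
    if reply_to and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From "
                        f"({classify_host(reply_dom, known)})")

    # Step 3: judge each link by its destination host, not its anchor text.
    body = ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        kind = classify_host(host, known)
        if kind != "known":
            findings.append(f"Link {url} goes to {host!r} ({kind})")
    return findings


if __name__ == "__main__":
    print("High-risk terms:", high_risk_terms(SAMPLE_EMAIL))
    for finding in check_message(SAMPLE_EMAIL):
        print("FINDING:", finding)
```

On the constructed sample the From address passes, but the Reply-To lands on a one-character lookalike (a capital I standing in for the l in "supplies") and the "portal" link puts the real vendor domain in front of an unrelated one; the genuine invoice link produces no finding. That is the scenario from the post: the sender looks right until the reply-to and the link destination are actually read. Any non-empty result means stop and go to Step 4, the known-channel check.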


Step 4: Use The “Known Channel” Rule (The Only Rule That Matters)

If the email involves money movement, access changes, or credentials:

Verify outside email using a known channel:

  • Call the number you already have on file (not the one in the email)

  • Message the person in Teams/Slack using their known account

  • Use your vendor portal contact method

  • Ask a manager to confirm through an established approval path

If they push back on verification, that’s your answer.

TEC Tip: Verification isn’t rude. It’s standard operating procedure.

Step 5: Apply The “Two-Person Rule” For High-Risk Actions

For:

  • Wire/ACH changes

  • Gift card requests

  • New vendor setup

  • Password resets and MFA changes

  • “CEO urgent request” scenarios

Require a second approver or a documented process step.

One person can be fooled. Two people slow attackers down.


Step 6: Report It The Right Way (So You Don’t Fight Alone)

If your gut says it’s wrong:

  • Don’t click

  • Don’t reply

  • Forward/report it to IT/security (whatever your process is)

  • If you already clicked, report immediately (fast reporting reduces damage)


A “Suspicious Email” Response Script (So Staff Don’t Improvise)

If someone needs a polite, professional reply, use this:

“Thanks for the note. Before we proceed, we need to verify this request through our standard process. Please confirm by contacting us through our normal channel (phone/portal/Teams). Once verified, we’ll take the next step.”

Short. Neutral. No accusations. No engagement.


Where This Fails (And How To Fix It)

Phishing defense breaks when:

  • People are rewarded for speed over correctness

  • Approval steps live only in someone’s head

  • Vendor changes don’t require verification

  • Staff are afraid to “bother” leadership

Fix it by making verification normal:

  • A posted workflow

  • A known-channel contact list for key vendors

  • A two-person rule for money and access changes

TEC Tip: If your process depends on “someone noticing,” it will eventually fail.

How TEC Can Help

  • Build a simple phishing verification workflow tailored to your team

  • Implement approval steps for vendor payment changes and access requests

  • Align email security tools with training so alerts match real behavior

  • Run practical tabletop scenarios so staff can practice without panic

280 Shuman Blvd. #230

Naperville, Illinois 60563

(630)305-7486

© 2021 TEC Services Consulting Inc. All rights reserved.