The thing that used to make scam emails obvious was the spelling. “Dear Valued Costumer, we have detected suspicous activty on you’re account.” You could almost laugh at it.

That tell is gone.

AI can now write a phishing email that’s grammatically flawless, sounds exactly like your bank, references real recent news, and is personalized with your name, your employer, and details scraped from your LinkedIn and social media profiles. The Nigerian prince got a software upgrade — and he’s a lot harder to spot now.

Voice cloning is part of this story too — and it’s one of the scariest parts. But I’ve covered that separately in The “Hi Mom” Scam Is Getting Scary Good, including the one simple thing every family should do about it. Read that one if you haven’t.

What I want to cover here is the broader AI scam toolkit that goes beyond the phone call.

The Grammar Tell Is Gone

For years, bad spelling and awkward phrasing were reliable signals that an email wasn’t legitimate. Real banks and government agencies have editors. Scammers operating out of internet cafes, not so much.

AI killed that signal.

Modern AI tools can generate perfectly written emails in any style — your bank’s tone, your HR department’s tone, your insurance company’s tone. They can be localized for any language or cultural context. They can reference the name of your actual bank, your real account type, a recent transaction that somehow got scraped from your data.

When you can no longer rely on “well, it looks professional enough,” you have to look harder at what’s being asked of you.

Deepfakes: When Seeing Isn’t Believing

Video used to be the gold standard of proof. If you saw it, it was real.

Not anymore.

AI can generate convincing video of real people saying things they never said. A video “from your CEO” asking employees to wire funds for an urgent acquisition. A clip of a “financial advisor” you trust recommending a suspicious investment. A fake news segment that looks real enough to share.

This technology isn’t perfect yet — there are still tells if you know what to look for (unnatural blinking, weird lip sync, lighting inconsistencies). But it’s improving fast, and the bar to create one is dropping.

If a video is asking you to do something unusual — send money, share credentials, keep something quiet — treat it with the same skepticism you’d give a cold call.

Hyper-Personalized Phishing

Old-school phishing was a numbers game. Send a million generic emails, hope a few people click. Easy to spot because it wasn’t about you — it was addressed to “Dear Customer” and could have been sent to anyone.

The newer version is different. AI tools can scrape your social media, your LinkedIn, your company website, news mentions, and public records — and build a profile of you in minutes. The result is a phishing email that knows your boss’s name, references your recent project, mentions the conference you just attended, and comes from what looks like a colleague’s email address.

When an email seems to know a lot about you, that’s not a reason to trust it. It may be exactly the opposite.

What You Can Do

Ignore the polish. A well-written, professional-looking email or message is no longer evidence that it’s legitimate. Judge by what’s being asked, not how it looks. (For the classic phishing red flags that still apply, see How to Spot a Phishing Attack.)

Check the actual email address — not just the display name. Your email client shows a friendly name like “Chase Bank” or “Your IT Department,” but the real sending address is right behind it. Scammers can’t easily spoof a legitimate domain like chase.com — email authentication protections make that very hard. What they can do is register something like chase-secure-alerts.com or supportchase.net, set it up properly, and send you a technically “legitimate” email from a fake domain. The content looks real. The address doesn’t — if you actually look at it.

Watch out for Business Email Compromise. This is where it gets really convincing. If a scammer manages to break into a real email account — a vendor, a colleague, even someone at your company — they’re now sending from a genuine, authenticated domain. Combine that with AI writing in the compromised person’s voice and style, and the result is nearly indistinguishable from the real thing. If you get an unusual request from a known contact — wire a payment, share credentials, approve something urgent — call them directly before acting.

Slow down when there’s urgency. “Act now.” “Don’t tell anyone.” “This expires in 24 hours.” Scammers — AI-powered or not — depend on you not taking a breath. That pressure is the tell.

Verify through a channel you control. If your bank emails you about suspicious activity, don’t click the link in the email. Go directly to your bank’s website or call the number on the back of your card. If your “boss” emails you asking for something unusual, pick up the phone and call them.

Be stingy with what you post publicly. Voice samples, video, personal details, your employer, your travel schedule — all of it is raw material. The less there is to scrape, the less there is to weaponize.

Talk to your older relatives. Seniors are disproportionately targeted by all of these tactics. Make sure they know the playbook before a scammer tries it on them.

Bottom line: AI hasn’t invented new scams — it’s just made the old ones a lot harder to detect. The defense hasn’t changed much: slow down, verify through channels you trust, and be suspicious of anything that’s trying to rush you.