If you only harden one thing this year, make it your inbox. Industry reporting consistently puts email at the start of the overwhelming majority of cyberattacks—around 91% begin with a phishing message. For a small business or non-profit, a single wrong click can mean a drained bank account, a hijacked email account, or stolen donor data.

The good news: you don't need to be technical to defend yourself. You need a handful of habits and a healthy dose of suspicion. Let's start with the fundamentals that have always worked—then look at what AI has changed.

The fundamentals that still work

These checks take seconds, they cost nothing, and they catch the vast majority of phishing—AI-written or not.

  1. Read the real sender address, not the display name. The name shown in your inbox ("PayPal Service Team") is free to fake. Click or tap to expand the actual address. If the part after the @ is anything other than a real paypal.com, you're done.
  2. Hover before you click. On a computer, rest your cursor over any link and read the true destination in the bottom corner of the window. On a phone, press and hold. If the text says paypal.com but the link points somewhere else, don't click.
  3. Distrust manufactured urgency. "Act within 24 hours." "Your account will be suspended." "Immediate action required." Pressure is designed to stop you from thinking. Real organizations give you time and a way to verify.
  4. Be wary of generic greetings. "Dear Customer" or "Dear User" from a company you actually do business with is a quiet warning. (AI is changing this one—more below.)
  5. Never hand over credentials, payments, or gift cards by email. No legitimate bank, vendor, or boss asks you to log in through an emailed link or buy gift cards. Treat any such request as a scam until proven otherwise.
  6. Inspect the domain character by character. Look-alikes swap or add letters: rnicrosoft.com (r + n looks like m), paypa1.com (the number one), your-bank-secure-login.com.
  7. Treat unexpected attachments as guilty until proven innocent. Surprise invoices, "voicemails," and shipping labels—especially .zip or .html files, or anything that asks you to "enable macros."
  8. Ask: does this even make sense? An invoice for something you didn't buy, a reset you didn't request, a delivery you're not expecting. Context is your best filter.

Read one up close

Here's a phishing email dressed up to look like it came from PayPal, shown the way it would land in Gmail. Each numbered flag is something you can check in under ten seconds.

[Image: an annotated mock PayPal phishing email, shown as it would land in Gmail, with six numbered red flags: a look-alike sender address, a generic greeting, a 24-hour deadline threat, a link that really points to an unrelated domain, a request for password and card number, and flawless professional grammar.]

  Subject: Your PayPal account access has been limited
  From: PayPal Service Team <…@paypa1-account-verify.com>   [1]
  To: you

  Dear Valued Customer,   [2]

  We have detected unusual sign-in activity on your account. To protect you, your access will be permanently suspended within 24 hours unless you verify your identity immediately.   [3]

  Verify My Account →   (link really goes to: paypal.secure-login-update.ru)   [4]

  To restore full access, please confirm your password and the card number linked to your account.   [5]

  PayPal Inc. · 2211 North First Street, San Jose, CA 95131
  Please do not reply to this automated message.

  [6] The whole message: clean spelling and professional formatting throughout.
A made-up example for training. The six markers map to the list below.
  1. Look-alike sender address. "PayPal Service Team" looks fine, but the real address is paypa1-account-verify.com—not paypal.com. The display name is theater; the address is the truth.
  2. Generic greeting. "Dear Valued Customer." The company you bank with knows your name.
  3. A ticking clock. "Permanently suspended within 24 hours." The deadline exists to rush you past your own judgment.
  4. The link doesn't go where it says. The button reads "Verify My Account," but hovering reveals it points to paypal.secure-login-update.ru—a domain that has nothing to do with PayPal.
  5. It asks for secrets. Your password and full card number. No real provider needs you to email those or type them into a link.
  6. It reads perfectly. Clean spelling, professional formatting, a real-looking footer. That used to be reassuring. It isn't anymore—see below.
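The checks in the fundamentals list and in the six flags above are exactly what a mail filter or a careful reader does mechanically: compare the display name with the real sender domain, undo look-alike character swaps, compare where a link says it goes with where it actually goes, and scan for pressure and credential requests. The script below is an added example, not code from the article; it runs those checks over a constructed copy of the mock PayPal email (the sender's local part "service", the recipient addresses, and the genuine-looking counterpart message are all assumptions, since the article shows none of them). Flag 6, flawless prose, is deliberately absent: as the next section explains, it cannot be detected.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the mock PayPal email above. The article never
# shows the sender's local part, so "service" is an assumption.
SAMPLE_EMAIL = """\
From: PayPal Service Team <service@paypa1-account-verify.com>
To: you@example.org
Subject: Your PayPal account access has been limited
Content-Type: text/html; charset=utf-8

<p>Dear Valued Customer,</p>
<p>We have detected unusual sign-in activity on your account. To protect you,
your access will be permanently suspended within 24 hours unless you verify
your identity immediately.</p>
<p><a href="https://paypal.secure-login-update.ru/verify">Verify My Account</a></p>
<p>To restore full access, please confirm your password and the card number
linked to your account.</p>
"""

# Constructed genuine-looking counterpart, to show the checks stay quiet on it.
LEGIT_EMAIL = """\
From: PayPal <service@paypal.com>
To: sarah@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<p>Hi Sarah,</p>
<p>Your statement for last month is available in your account.</p>
<p><a href="https://www.paypal.com/statements">View statement</a></p>
"""

# Brands we expect mail from, with the genuine registrable domain of each.
KNOWN_BRANDS = {"paypal": "paypal.com", "microsoft": "microsoft.com"}
# Swaps used in look-alike domains: rnicrosoft -> microsoft, paypa1 -> paypal.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]

URGENCY = re.compile(r"\b(within \d+ hours?|immediately|suspended|act now)\b", re.I)
SECRETS = re.compile(r"\b(password|card number|pin|social security)\b", re.I)
GREETING = re.compile(r"\bdear (valued )?(customer|user)\b", re.I)


def registrable_domain(host: str) -> str:
    """'paypal.secure-login-update.ru' -> 'secure-login-update.ru'. Good enough for
    .com/.ru style suffixes; a real filter would consult the public suffix list."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def claimed_brand(text: str):
    """Brand a display name, link text or hostname appears to be, after undoing swaps."""
    t = text.lower()
    for fake, real in CONFUSABLES:
        t = t.replace(fake, real)
    return next((b for b in KNOWN_BRANDS if b in t), None)


class LinkCollector(HTMLParser):
    """Collect the visible text and every (anchor text, href) pair from the HTML body."""

    def __init__(self):
        super().__init__()
        self.text_parts, self.links, self._href, self._anchor = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._anchor).strip(), self._href))
            self._href = None


def check_email(raw: str) -> list:
    """Return the red-flag codes (article flags 1-5) found in one raw message."""
    msg = message_from_string(raw)
    flags = []
    display_name, address = parseaddr(msg["From"])
    sender_domain = registrable_domain(address.rsplit("@", 1)[-1])
    brand = claimed_brand(display_name) or claimed_brand(sender_domain)
    if brand and sender_domain != KNOWN_BRANDS[brand]:
        flags.append("lookalike-sender")          # flag 1: display name vs real domain
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    body = "".join(parser.text_parts)
    if GREETING.search(body):
        flags.append("generic-greeting")          # flag 2
    if URGENCY.search(body):
        flags.append("urgency")                   # flag 3
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        # What the link claims: a domain written in its visible text, else the brand
        # named in the hostname (paypal.secure-login-update.ru), else the sender's.
        shown = re.search(r"[\w-]+\.[a-z]{2,}", text.lower())
        expected = (registrable_domain(shown.group()) if shown
                    else KNOWN_BRANDS.get(claimed_brand(host) or brand))
        if expected and registrable_domain(host) != expected:
            flags.append("link-mismatch")         # flag 4: text/hostname vs real target
            break
    if SECRETS.search(body):
        flags.append("asks-for-secrets")          # flag 5
    return flags
```

Running check_email on the constructed phishing sample returns all five detectable flags; on the genuine-looking counterpart it returns an empty list. The registrable-domain helper is the weak point of any such filter: it only strips one label, so a real deployment would use the public suffix list rather than the two-label shortcut used here.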

What AI changed (and what it didn't)

The mechanics of phishing are the same. What's changed is how convincing the bait can be, and how cheaply it scales.

"Spot the typo" is dead

For years, the easiest tell was bad English—awkward grammar, misspellings, strange phrasing. Generative AI writes in fluent, on-brand, error-free prose. The absence of mistakes now tells you nothing. Flag #6 above is the new normal, not a green light.

Personalization at scale

Spear phishing—a message tailored to you—used to take real effort, so attackers saved it for high-value targets. AI removes that cost. Feed a model your name, role, employer, a recent LinkedIn post, and the name of your actual manager or a vendor you use, and it produces a personalized lure in seconds. "Dear Customer" is being replaced with "Hi Sarah—quick follow-up on the Quanta invoice from last week."

It's not just email anymore

The same tools clone voices and faces. A polished email can now be backed up by a deepfaked voicemail "from the CEO," or a video call that looks real enough to approve a transfer. Treat an urgent voice or video request for money or access with the same suspicion you'd give a strange email.

New habits for the AI era

  • Verify out of band. This is the single most powerful habit. For anything involving money, credentials, or access, confirm through a channel you already trust—call the person on a number you already have, not the one in the message.
  • Be most suspicious when it's polished and urgent. AI removes the typos but not the pressure. Flawless writing plus a deadline is the signature of a modern scam, not proof it's legitimate.
  • Watch for "right facts, wrong ask." The message knows your project or your boss's name but pushes you to do something unusual—change banking details, buy gift cards, log in "to confirm."
  • Let the technology help. Email authentication (SPF, DKIM, and DMARC) helps your mail system flag spoofed senders, and multi-factor authentication means a stolen password isn't game over. These are worth setting up once.
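SPF and DMARC are published as DNS TXT records on your own domain, and the difference between "set up" and "actually protecting you" comes down to a few characters in those records: an SPF record ending in ~all only asks receivers to mark spoofs, where -all asks them to fail; a DMARC policy of p=none only monitors, where p=reject tells receivers to refuse mail that fails. The script below is an added example, not code from the article: it takes a weak pair of records and a hardened pair for the hypothetical domain example.org (constructed values, no DNS lookups are made) and reports what each one leaves open. DKIM is left out because its public key lives under a per-selector name that you must already know to look up.

```python
# Constructed DNS TXT records for the hypothetical domain example.org: a typical
# weak setup and the hardened version of the same two records.
RECORDS_BEFORE = {
    "example.org": "v=spf1 include:_spf.google.com ~all",
    "_dmarc.example.org": "v=DMARC1; p=none",
}
RECORDS_AFTER = {
    "example.org": "v=spf1 include:_spf.google.com -all",
    "_dmarc.example.org": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org; adkim=s; aspf=s",
}


def parse_tags(txt: str) -> dict:
    """'v=DMARC1; p=none; rua=...' -> {'v': 'DMARC1', 'p': 'none', 'rua': '...'}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(txt) -> list:
    """Weaknesses in an SPF record. The closing 'all' term decides what happens to
    a message sent from a server the record does not list."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return ["spf-missing"]
    terms = txt.split()[1:]
    all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None or all_term.startswith("?"):
        return ["spf-neutral"]         # unlisted servers neither pass nor fail
    if all_term.lower() in ("all", "+all"):
        return ["spf-permissive"]      # every server on the internet passes
    if all_term.startswith("~"):
        return ["spf-softfail"]        # spoofs are only marked, not rejected
    return []                          # '-all': unlisted servers fail


def assess_dmarc(txt) -> list:
    """Weaknesses in a DMARC record. DMARC ties SPF/DKIM to the From: address the
    reader actually sees and tells receivers what to do when the check fails."""
    if not txt or not txt.upper().startswith("V=DMARC1"):
        return ["dmarc-missing"]
    tags = parse_tags(txt)
    findings = []
    if tags.get("p", "none").lower() == "none":      # 'p' is required; treat absence as none
        findings.append("dmarc-policy-none")         # monitor only: spoofs still delivered
    if int(tags.get("pct", "100")) < 100:
        findings.append("dmarc-partial")             # policy applied to only part of the mail
    if "rua" not in tags:
        findings.append("dmarc-no-reports")          # no aggregate reports on who spoofs you
    return findings


def assess_domain(records: dict, domain: str) -> list:
    """Combine SPF and DMARC findings for one domain, given its TXT records by name."""
    return assess_spf(records.get(domain)) + assess_dmarc(records.get("_dmarc." + domain))


if __name__ == "__main__":
    for label, records in (("before", RECORDS_BEFORE), ("after", RECORDS_AFTER)):
        print(label, assess_domain(records, "example.org") or "no findings")
```

The usual path is to publish p=none with a rua address first, read the aggregate reports for a few weeks to find every legitimate sender you forgot to list, then move to p=quarantine and finally p=reject; the "after" records above are the end state, and assess_domain returns no findings for them.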

It really happens: the $100 million invoice

Between 2013 and 2015, a man named Evaldas Rimasauskas ran a phishing scheme against two of the most sophisticated companies on earth—Google and Facebook—and walked away with roughly $100 million. He didn't break any code. He registered a company using the same name as Quanta Computer, a real hardware supplier both firms used, then emailed convincing fake invoices. Employees in accounts payable paid them. According to the U.S. Department of Justice, he pleaded guilty in 2019; most of the money was ultimately recovered—but the lesson stands.

The defense was never a better firewall. It was a phone call to confirm the invoice.

And it's not just the giants

In 2015, the networking company Ubiquiti disclosed it lost $46.7 million to a "CEO fraud" scheme—spoofed emails impersonating executives that instructed the finance team to wire money to attacker-controlled accounts. In 2020, attackers phoned Twitter employees, talked their way into internal tools, and hijacked high-profile accounts—a reminder that phishing isn't only an email problem. If it can happen to them, the fix isn't being a bigger company. It's building the habit of verifying.

Your 30-second gut check

  • Do I recognize the sender's real address—not just the name?
  • Was I actually expecting this?
  • Is it pushing me to act right now?
  • Does every link go where it claims to?
  • Is it asking for money, a login, or access?
  • If anything feels off: stop, and verify through a channel you already trust.