Email, Phishing, and Social Engineering

The Human Vulnerability

The most sophisticated security system in the world fails when a human clicks a bad link. Social engineering — manipulating people into giving up information or access — is responsible for the vast majority of successful attacks. And AI has made these attacks dramatically more convincing.

How Phishing Works

A phishing attack impersonates a trusted entity — your bank, your employer, Amazon, the IRS, a colleague — to trick you into revealing credentials, clicking a malicious link, or downloading malware.

Classic Phishing Red Flags

Urgency: "Your account will be suspended in 24 hours!" "Immediate action required!" Legitimate companies rarely create artificial emergencies via email.

Generic greetings: "Dear Customer" instead of your name, though AI-powered phishing increasingly uses your real name.

Suspicious sender address: The display name says "Bank of America" but the actual email address is bankofamerica-security@gmail.com. Always check the actual address, not just the display name.

Unusual requests: Your bank will never ask for your password via email. The IRS will never demand payment via gift cards. Your CEO probably isn't emailing you personally to buy $500 in gift cards.

Bad links: Hover over links before clicking. The text might say "www.amazon.com" but the actual link goes to "www.amaz0n-security.com." On mobile, long-press links to preview the URL.
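One way to turn the two checks above (the actual address behind a display name, and the real destination behind link text) into code, as an added example that is not part of this guide. The sample message, addresses and hostnames in it are constructed for illustration:

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real phishing message): the display name claims one
# organisation, the address is a free webmail account, and the visible link
# text names a different host than the one the href actually points to.
RAW_EMAIL = """\
From: "Bank of America" <bankofamerica-security@gmail.com>
Subject: Immediate action required
Content-Type: text/html; charset=utf-8

<p>Your account will be suspended in 24 hours.</p>
<p><a href="http://www.amaz0n-security.com/login">www.bankofamerica.com</a></p>
"""

# Good enough for simple HTML mail bodies; a production tool would use an HTML parser.
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")

def host_of(s):
    """Hostname of a URL or bare domain; '' when the text is not URL-like."""
    h = urlparse(s if "://" in s else "http://" + s).hostname or ""
    return h if "." in h and " " not in h else ""

def sender_mismatch(raw):
    """(display name, address) when the name claims an organisation that the address
    domain does not belong to; None otherwise. Heuristic: display names are free text."""
    name, addr = parseaddr(email.message_from_string(raw, policy=policy.default)["From"])
    domain, claimed = addr.rsplit("@", 1)[-1].lower(), name.lower().replace(" ", "")
    return None if not claimed or claimed in domain else (name, addr)

def deceptive_links(raw):
    """(visible text, href) for links whose text looks like a host but whose
    href actually points at a different host."""
    body = email.message_from_string(raw, policy=policy.default).get_body(
        preferencelist=("html",)).get_content()
    found = []
    for href, inner in LINK_RE.findall(body):
        text = TAG_RE.sub("", inner).strip()
        if host_of(text) and host_of(text) != host_of(href):
            found.append((text, href))
    return found

if __name__ == "__main__":
    print("sender:", sender_mismatch(RAW_EMAIL))
    print("links:", deceptive_links(RAW_EMAIL))
```

Both checks are heuristics that mirror what you do by eye: the sender check flags a free-mail domain behind a corporate display name, and the link check flags anchor text that looks like a domain but leads elsewhere.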

AI-Powered Phishing: The New Threat

Traditional phishing emails were often riddled with spelling errors and awkward phrasing — easy to spot. AI has eliminated these tells. Modern phishing emails are grammatically perfect, contextually relevant, and personalized using information scraped from your social media and data breaches.

AI can also generate convincing voice calls (vishing) and video calls (deepfake-enabled). If something feels off — even a call that sounds exactly like your CEO — verify through a separate channel before acting.

Using AI to Detect Threats

AI Prompt: Email Verification

I received a suspicious email. Help me determine if it's legitimate or a scam.

From (display name): [name shown]
From (actual email address): [full email address]
Subject: [subject line]
Content summary: [what the email says]
Any links in the email: [list URLs without clicking them]
Any attachments: [describe]
What they want me to do: [action requested]
Context: [am I actually a customer of this company? Is this expected?]

Please analyze:
1. Red flags that suggest phishing
2. Green flags that suggest legitimacy
3. How to verify this email through official channels
4. What to do if it's a scam
5. What to do if I've already clicked a link or provided information

AI Prompt: Scam Identification

Is this a scam? Help me evaluate.

Situation: [describe — text message, phone call, social media message, online listing, etc.]
What they're offering or requesting: [describe]
How they contacted me: [method]
What feels off: [your instinct]
Personal information they already seem to have: [if any]

Please:
1. Assess the likelihood this is a scam
2. Identify which type of scam this matches
3. Tell me what a legitimate version of this interaction would look like
4. Advise on next steps
5. Where to report this if it is a scam

Common Scam Patterns

Business Email Compromise (BEC): An attacker impersonates a company executive or vendor and requests a wire transfer or payment change. Often well-researched and targeted. Always verify payment requests through a separate communication channel.

Romance scams: Someone develops an online relationship and eventually asks for money. AI-generated profiles and conversations make these increasingly convincing.

Tech support scams: A pop-up or phone call claims your computer is infected. Legitimate companies never cold-call about computer problems.

Investment and cryptocurrency scams: Guaranteed returns, exclusive opportunities, pressure to act fast. If it sounds too good to be true, it is.

Package delivery scams: Texts claiming a package can't be delivered with a link to "update your address." These harvest payment information.

Protecting Yourself

Verify independently. If an email from your bank concerns you, don't click links in the email. Open a new browser tab and navigate to your bank's website directly. Call the number on the back of your card.

Slow down. Urgency is the attacker's primary weapon. Legitimate requests can wait for verification. Scams can't.

Enable email filtering. Gmail, Outlook, and most email providers have built-in spam and phishing filters. They catch most threats automatically.

Use email aliases. Services like Apple Hide My Email, SimpleLogin, or Firefox Relay let you create disposable email addresses for signups, keeping your real address private.

Report phishing. Forward phishing emails to reportphishing@apwg.org and to the impersonated company. Report to the FTC at ReportFraud.ftc.gov.

Next: the invisible surveillance in your daily browsing.