Oct 27, 2025

Phishing has leveled up significantly since clumsy, typo-filled scam emails first landed in inboxes. AI-written messages can now sound exactly like your boss, your bank, or your favorite retailer. Attackers also go beyond email, sending text messages that pose as shipment notices (smishing) and even making AI-generated voice calls that clone a coworker or family member (vishing) to pressure you into sharing credentials, reading out MFA codes, or moving money.
Blade Technologies' Scott Schaffer sat down with Fox2Now to inform people of what to look out for in identifying phishing. In this guide, you’ll learn the latest red flags to watch for, fast verification steps that stop most scams, and simple controls that protect both individuals and organizations. Whether you manage a team or just want to keep your family safe, this playbook will help you stay a step ahead of AI-powered social engineering.
How Does Phishing Work?
Even in the AI era, phishing is still a social engineering tactic at its core, using psychology to push you into a quick, risky action. Phishing messages are fake emails, texts, or voice messages that appear to be sent by somebody you know, such as an employer, your bank, or another organization. They might have a similar format to messages you're used to seeing and use a similar email address or phone number. Phishing messages often contain a website link asking you to enter private information, purchase something, or provide payment.
When you take a closer look, you might notice that the email address or phone number is different from your contact's, words are misspelled, or the web address is altered from the company's official site. Phishing attempts, whether through email, SMS, or voice calls, call for a simple defense mindset: pause, verify, then proceed. Use a known channel to confirm requests (your saved bank/vendor number or official app) and navigate to accounts via bookmarks or typed URLs instead of email/text links.
New Red Flags: AI-Powered Phishing
AI has supercharged phishing by making messages fluent, on-brand, and tailored at scale. Attackers use generative tools to write flawless emails, mirror a company’s tone, and localize language. AI can scrape compromised CRMs to reference your role, projects, or vendors while deploying brand-perfect templates with convincing logos, look-alike domains, and cloaked links. Modern “phish kits” even adapt after detection, rotating URLs, fingerprinting devices, and tailoring content by geography or IP so the same campaign can look different to every recipient.
The bottom line? Grammar mistakes are no longer a reliable tell.
Defend against AI phishing by first throwing out the assumption that polish means legitimacy. Verify unexpected requests through a known channel, open accounts through bookmarks or direct URLs, and require process checks for money movement and account changes. Paired with user training and technical controls like email authentication, advanced filtering, and phishing-resistant MFA, you can blunt AI’s speed and scale.
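Because polish is no longer a tell, the sender's domain is a better thing to check than the wording. The sketch below is an added example, not part of the original article: it compares a message's From address against an allowlist and flags the look-alike and altered domains described above. The allowlist, the `.example` domains and the confusable-character table are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed allowlist: domains this mailbox really corresponds with (assumption).
TRUSTED = {"northwind-bank.example", "acme-payroll.example"}
# Visual substitutions commonly seen in look-alike domains (not exhaustive).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

def sender_domain(from_header):
    """Domain of the real address; the display name is ignored because it is free text."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")

def skeleton(domain):
    """Collapse confusable characters so 'n0rthwind' and 'northwind' compare equal."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain

def edit_distance(a, b):
    """Levenshtein distance using a single-row table."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def classify(from_header, trusted=TRUSTED):
    """Return (verdict, detail); verdict is 'trusted', 'suspicious' or 'unknown'."""
    domain = sender_domain(from_header)
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return ("trusted", domain)
    if any(label.startswith("xn--") for label in domain.split(".")):
        return ("suspicious", "punycode label; may render as look-alike letters")
    for t in trusted:
        if t in domain:  # trusted name used as a prefix of someone else's domain
            return ("suspicious", f"{t} embedded in unrelated domain")
        # Threshold of 2 suits long names; very short domains need a stricter one.
        if skeleton(domain) == skeleton(t) or edit_distance(domain, t) <= 2:
            return ("suspicious", f"look-alike of {t}")
    return ("unknown", domain)

if __name__ == "__main__":
    for hdr in ('"Northwind Bank" <alerts@n0rthwind-bank.example>',   # constructed samples
                '"alerts@northwind-bank.example" <billing@unrelated-shop.example>'):
        print(hdr, "->", classify(hdr))
```

An "unknown" verdict is not a pass: it only means the domain does not imitate an allowlisted one, so the request still needs confirming through a known channel.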
Types of Phishing (Beyond Email)
Phishing is any message or prompt that tries to trick you into a risky action like clicking on a link, opening a file, sharing credentials/MFA codes, or moving money. While email remains common, attackers now reach you through text messages, phone calls with AI-cloned voices, and QR codes.
Smishing (SMS Phishing)
Smishing uses text messages posing as delivery alerts, bank notices, payroll updates, or MFA prompts, often with shortened links. Because phones encourage quick taps, victims land on convincing spoof sites that steal credentials or install malicious apps. Treat unexpected texts like pop-up ads: don’t tap links, don’t install apps from a text, and verify in the official app or by typing the URL. Enable carrier spam filters and silence unknown senders to reduce noise.
Vishing (AI Voice Spoofing)
Vishing uses phone calls, often with AI-cloned voices, to impersonate executives, banks, or IT providers. The caller manufactures urgency (wire transfers, password resets, OTP approvals) and pressures you to act “before cutoff.” Voice alone is not identity. Hang up and call back using a saved, known number, establish a code phrase for executive approvals, and never read MFA codes aloud. If a call demands secrecy or speed, slow down and verify.
QR Code Phishing
QR code phishing places malicious codes in emails, flyers, parking meters, or packages, sending you to credential-stealing pages or fake “app updates.” Because QR scans bypass the habit of hovering to preview links, it’s easy to miss the destination. Check physical context (does a reputable brand really tape a QR to a meter?), prefer typing known URLs or using official apps, and inspect the link preview on your phone before opening. If in doubt, don’t scan.
What Should I Do If I Clicked on a Phishing Link?
Phishing links can vary from message to message. Some links take you to a website that will ask for private information or to make a payment. Some links could cause malware to be downloaded on your computer or other hacking issues.
If you click on a link, let your IT team know right away so they can back up your data and implement proper security measures. If you entered credentials or an MFA code, change that password immediately from a clean device, sign out of all sessions, revoke app tokens, and reset MFA.
How Do I Report a Phishing Attempt?
If you've received a phishing message, regardless of the method, let your IT department know. Even if you didn't click on a link or engage with the email, it's still important for others to be aware.
If the phishing message you received was not work-related, you can report attempts to the Federal Trade Commission. They also provide great information and more details about fraud and phishing attempts.
How Do I Protect Myself from Phishing?
Knowing the signs of a phishing attempt and being diligent are important steps to take in preventing an attack. Understanding how to spot a phishing attempt can protect both you and your company. Look out for misspelled words, altered email addresses, and word choice that is different than normal. Stay up-to-date on the latest methods of AI phishing and never assume that a polished message means it is legitimate.
If you receive a message from your employees that looks suspicious and asks you to purchase something on a company card or provide sensitive information, always verify with that person. Message the person through another channel or call them to double-check if they sent the email.
Other ways to protect yourself from phishing include:
- Don't click on links that look suspicious.
- Don't provide personal information like social security or credit card numbers over the phone or via email.
- Don't open an attachment from a user that doesn't seem real.
- Use multi-factor authentication to protect your login credentials.
Companies like KnowBe4 offer in-depth security awareness training for companies of all sizes. A yearly, comprehensive IT security training for employees is a great way to make sure everybody is aware of the latest scams and how to prevent them.
Ongoing training is also essential in preventing phishing attempts. For more information about security training and what to do if you think you may have experienced a cyberattack, contact Blade.
Protect Yourself and Your Business from Phishing with Blade
Phishing has adapted, using AI to make scams more convincing across email, SMS, voice, and even QR codes. The good news is your defenses are simple and consistent: slow down, verify through a known channel, use bookmarks instead of links, follow payment/IT reset processes, and adopt phishing-resistant MFA wherever possible. If something slips through, act quickly and report the incident.
If you need help bolstering your defenses, Blade Technologies can train your team on AI threats, run realistic phishing simulations, fine-tune your email security, and provide 24/7 network monitoring and data breach remediation. To get started, contact our experts today.