WhiteMail
Back to blog
·WhiteMail Security Team#weekly-report#ai-phishing

Weekly Security Report #3 — the end of catching phishing by typos

For a generation, the most reliable phishing tell was bad writing. Odd grammar, misspellings, stilted phrasing — train people to spot the awkwardness and you caught a large share of attacks.

That signal is gone. This week made it plain again.

This week

The credential-phishing and impersonation samples we looked at were, almost without exception, fluent. Clean grammar. Correct tone. Localized properly into the recipient's language, including Korean that read like a native colleague wrote it. Several even matched the house style of the brand they imitated.

Generative AI did this. Producing a flawless, personalized lure in any language is now trivial and free. The "look for typos" advice we taught users for twenty years has quietly expired.

Technique in focus: when the surface is perfect

If grammar, tone, and formatting are no longer evidence, what is left?

The intent is left. An attacker can polish the wording infinitely, but they cannot change what the message needs you to do — and that goal is inherently suspicious:

  • get a credential entered on a page they control,
  • get money moved to an account they own,
  • get a security step (MFA, verification) bypassed or "re-confirmed,"
  • get you to act now, before you check with anyone.

Fluency hides the seams. It does not change the ask. A perfectly written email that still needs you to urgently re-enter your password on a link is exactly as dangerous as a clumsy one — arguably more, because it no longer trips your instinct.

What you can do

  • Stop grading emails on how they are written. Polish is no longer signal. Judge what is being requested and whether the request makes sense for the relationship.
  • Re-anchor user training on intent and action, not surface quality. "Does this email want a credential, a payment, or a security step bypassed?" travels much further than "does it look professional?"
  • Verify the action through a trusted channel, regardless of how legitimate the wording feels.

This is why SA-04 (Intent) reasons about what a message is trying to achieve rather than how it is phrased. When the surface stops being evidence, intent is what is left to read — and WhiteHat reads it on every email.


Curious whether polish is fooling you? Paste a clean-looking message into the Analyze console and see what SA-04 makes of its intent.