I write about cybersecurity for a living. I have published dozens of articles about phishing attacks, social engineering, and how to spot malicious emails. I thought I was immune. Last month, I received an email that looked exactly like it came from my bank — perfect grammar, correct branding, personalized with my name and the last four digits of my account number. I clicked the link without thinking twice. Here is what happened next.
The Email That Fooled Me
The email arrived at 9:47 AM on a Tuesday — right when I was rushing through my inbox before a meeting. The subject line said Unusual activity detected on your account ending in 4821. The sender appeared to be alerts@mybank.com (it was actually a lookalike domain with a subtle character substitution). The email body was flawless — no spelling errors, no awkward phrasing, correct logo, correct color scheme, and it addressed me by my full name. It even referenced a recent transaction I had actually made, which made it feel completely legitimate.
What Happened When I Clicked
The link took me to a page that looked identical to my bank login page. I entered my username and password before my brain caught up with my fingers. The page then asked for my one-time password, which is when alarm bells finally went off. My bank never asks for OTP on the login page — they send it after you initiate a transaction. I immediately closed the browser, changed my banking password from my phone, and called my bank to report the incident.
How the Attack Was Constructed
After reporting the incident, I investigated the email headers and the phishing page. The email was sent through a compromised legitimate email server, which is why it passed SPF and DKIM checks. The phishing page was hosted on a newly registered domain that was less than 24 hours old. The page used a real-time proxy that forwarded my credentials to the real bank site and captured the session — a technique called adversary-in-the-middle phishing. The attackers likely used AI to generate the personalized email content, pulling my name and transaction details from a previous data breach.
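The point above about SPF and DKIM is worth checking in code: a "pass" result only proves the message came from a server authorised for the domain that signed it, not that the domain is your bank's. The following is an added example, not part of the post; it parses a constructed message in the Python standard library and compares the signing and From domains against the bank domain the reader actually expects. The sample headers, the receiving host mx.example.net and the lookalike domain rnybank.com are all constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample modelled on the message described in the post: SPF and DKIM
# both pass, but the domain they vouch for is a lookalike, not the bank.
SAMPLE_RAW = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=rnybank.com; dkim=pass header.d=rnybank.com
From: "MyBank Alerts" <alerts@rnybank.com>
To: victim@example.net
Subject: Unusual activity detected on your account ending in 4821

Please review the activity at the link below.
"""

# method=result pairs as written by the receiving mail server (RFC 8601 style)
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
# the domain the DKIM signature was verified against
DKIM_DOMAIN_RE = re.compile(r"header\.d=([^\s;]+)")


def domain_of(address):
    """Return the lowercase domain part of an address header, or '' if absent."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def assess_message(raw, expected_domain):
    """Summarise authentication results and whether they align with the
    domain the reader expects the bank to send from."""
    msg = email.message_from_string(raw)
    auth = msg.get("Authentication-Results", "")
    results = {k.lower(): v.lower() for k, v in AUTH_RESULT_RE.findall(auth)}
    match = DKIM_DOMAIN_RE.search(auth)
    dkim_domain = match.group(1).lower() if match else ""
    from_domain = domain_of(msg.get("From"))
    expected = expected_domain.lower()
    return {
        "spf": results.get("spf", "none"),
        "dkim": results.get("dkim", "none"),
        "from_domain": from_domain,
        "dkim_domain": dkim_domain,
        # what the mail server's checks actually established
        "auth_passed": results.get("spf") == "pass" and results.get("dkim") == "pass",
        # DKIM alignment in the DMARC sense: signer matches the visible From domain
        "dkim_aligned_with_from": bool(dkim_domain) and dkim_domain == from_domain,
        # the question that matters to the reader: is this really the bank?
        "from_expected_sender": from_domain == expected,
    }


if __name__ == "__main__":
    verdict = assess_message(SAMPLE_RAW, "mybank.com")
    for key, value in verdict.items():
        print(f"{key:>24}: {value}")
```

Run against the sample, every authentication field reports a pass and the signature is perfectly aligned with the From header, yet `from_expected_sender` is False: the message is well authenticated for the wrong domain, which is exactly the situation the post describes.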
Why AI Makes Phishing Exponentially More Dangerous
Traditional phishing emails were easy to spot — bad grammar, generic greetings, suspicious links. AI-generated phishing eliminates all of these red flags. Large language models can generate perfectly written, contextually relevant emails that are personalized to each target using information scraped from social media, data breaches, and public records. The email I received was indistinguishable from a legitimate bank communication because it was written by an AI that had been trained on thousands of real bank emails.
How to Protect Yourself
After this experience, I have changed my approach to email security completely. First, I never click links in emails — I always navigate to websites directly by typing the URL. Second, I use a hardware security key for two-factor authentication, which cannot be phished even by adversary-in-the-middle attacks. Third, I use a password manager that only auto-fills credentials on the correct domain — it would not have filled my password on the phishing page because the domain was wrong. Fourth, I have enabled login notifications on all my accounts so I am immediately alerted if someone accesses my account from a new device.
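The third control above, a password manager that refuses to fill on the wrong domain, is a small piece of logic worth seeing written out. The following is an added example, not the post's code and not any real password manager's implementation: it decides whether a saved credential may be auto-filled on a given page by comparing registrable domains exactly, and it additionally reports when the page's domain is merely a lookalike of the saved one. It assumes a simplified registrable-domain rule (last two labels, where real managers use the Public Suffix List), a small constructed table of confusable substitutions, the bank domain mybank.com from the post, and a constructed lookalike rnybank.com.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed, deliberately incomplete table of characters that commonly stand in
# for Latin letters in lookalike domains: digits, letter pairs and Cyrillic homoglyphs.
SUBSTITUTIONS = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u043e": "o", "\u0435": "e",  # Cyrillic a, o, e
}


def registrable_domain(host):
    """Simplified registrable domain: the last two labels of the host.
    Assumption for this example; production code consults the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(host):
    """Collapse a hostname so confusable spellings compare equal (a heuristic:
    it can over-match, which is acceptable because it only ever adds a warning)."""
    text = unicodedata.normalize("NFKD", host.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    # longest substitutions first so "rn" is handled before single characters
    for src, dst in sorted(SUBSTITUTIONS.items(), key=lambda kv: -len(kv[0])):
        text = text.replace(src, dst)
    return text


def autofill_decision(saved_url, page_url):
    """Return ("allow"|"deny", reason) for filling the credential saved for
    saved_url into the page at page_url."""
    saved = urlsplit(saved_url)
    page = urlsplit(page_url)
    saved_dom = registrable_domain(saved.hostname or "")
    page_dom = registrable_domain(page.hostname or "")
    if page.scheme != "https":
        return ("deny", "page is not served over HTTPS")
    if page_dom == saved_dom:
        return ("allow", "registrable domain matches the saved entry")
    if skeleton(page_dom) == skeleton(saved_dom):
        return ("deny", f"{page_dom} resembles {saved_dom} but is a different domain")
    return ("deny", "no credential saved for this domain")


if __name__ == "__main__":
    saved = "https://mybank.com/login"
    for page in (
        "https://online.mybank.com/login",      # genuine subdomain
        "https://rnybank.com/login",            # lookalike: 'rn' for 'm'
        "https://myb\u0430nk.com/login",        # lookalike: Cyrillic 'a'
        "https://mybank.com.evil.example/login",  # bank name as a subdomain
        "http://mybank.com/login",              # right domain, no TLS
    ):
        print(f"{page:45} -> {autofill_decision(saved, page)}")
```

The decisive property is that the match is exact: the manager compares the registrable domain, never how the page looks, so a pixel-perfect clone on another domain simply gets no credentials. The lookalike check is an extra that turns a silent refusal into an explanation the user can act on.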
The Uncomfortable Truth
The uncomfortable truth is that no one is immune to phishing in the age of AI. If a cybersecurity professional who writes about these attacks daily can be fooled, anyone can. The solution is not to rely on your ability to spot phishing emails — it is to implement technical controls that protect you even when you make a mistake. Hardware security keys, password managers, and direct URL navigation are your best defenses against modern phishing attacks.
