Corporate Phishing: How to Spot It in the Age of AI Attacks

9 min read · AstraLoop Studio

For years, anti-phishing training revolved around a simple checklist: grammar mistakes, pixelated logos, implausible email addresses, English (or Italian) that read like a bad machine translation. Teach staff to distrust the badly written email, and half the problem was solved.

That playbook is now obsolete. AI-generated attacks produce flawless emails, tailored to the recipient, in the right tone, with not a single typo. Italy's 2026 Clusit Report shows the country accounting for roughly 10% of global incidents, with a 23% jump in severe attacks in the first quarter and SMBs targeted in 72% of cases. Phishing remains the most common way in, and it has become far harder to recognize.

In this guide we cover how to spot corporate phishing now that AI has erased all the old tells, what the new warning signs look like (voice and video deepfakes included), and why the only defense that truly holds isn't the human eye but a phishing-resistant authentication setup. For the bigger picture, this topic is part of a complete cybersecurity audit for SMBs.

Illustration of a fishing hook disguised as a flawless AI-generated email in front of a laptop

Why the old detection method no longer works

Traditional phishing used to give itself away. The people behind it were often foreign, relied on rough translation tools, and recycled generic templates blasted to millions of addresses. The result was clumsy, and that clumsiness was your defense.

Generative AI has flipped three things.

  • The language is flawless. A language model writes polished business copy, complete with your industry's jargon. The grammar mistake as a warning sign is dead and buried.
  • The message is personalized. By cross-referencing LinkedIn, your company website, and past data breaches, attackers craft emails that mention your name, your role, a real project, a vendor you actually use. It's called spear phishing, and AI makes it cheap at industrial scale.
  • The volume has exploded. What once required a native-speaking copywriter is now churned out by a script in seconds, in a thousand different variants designed to slip past filters.

In other words: you can no longer rely on the gut feeling that "this email looks off." Emails now look perfectly normal. You need a method that doesn't depend on the message's surface polish.

The new warning signs of AI-generated phishing

If AI has cleaned up the form, the content and logic of the attack remain the same. Here's where to shift your attention.

1. The psychological lever: urgency, authority, secrecy

Every scam of this kind is built to make you act before you think. The markers stay the same no matter how well written the message is:

  • Artificial urgency ("by 5pm or we lose the supplier", "the account will be frozen today").
  • Invoked authority (a request that comes "from the CEO", "from admin", "from the bank").
  • Secrecy ("don't mention this to anyone", "it's a confidential deal").
  • A detour from the normal process (a wire transfer requested by email instead of through the accounting system, an IBAN change announced at the last minute).

When these three levers — urgency, authority, and secrecy — show up together, treat the message as suspicious regardless of how convincing it looks. It's the signature of the fake-CEO scam, also known as Business Email Compromise.

2. The channel changed for no reason

A supplier you've always exchanged PDFs with suddenly sends a link to a portal to "confirm your details." Your accountant writes from a domain that looks similar but isn't quite right. A colleague messages you on WhatsApp about something that normally goes through email. An unjustified channel switch is one of the most reliable signals left.

3. The sender is almost right

AI doesn't forge the domain — it exploits inattention. Lookalike domains such as supplier-inc.com instead of supplierinc.com, or .net instead of .com. The display name reads "John Smith – Administration," but the real address behind it is an anonymous Gmail account. Always hover over the actual address before replying.

4. The link and the attachment don't match the text

The text says "log in to the bank's portal," but the link points somewhere else. The attachment is named "invoice.pdf" but is actually an HTML file or a zip archive. No amount of AI polish changes the fact that the malicious payload still has to come from somewhere.

Illustration of a cloned deepfake voice in a scam phone call, with a shield and a key protecting the target

The worst frontier: voice and video deepfakes

This is where things get dramatic. Phishing no longer arrives only in writing. In Italy, audio deepfakes have grown by more than 300% compared to 2023, and the phenomenon has already caused real damage.

A now widely cited case: an SMB in Lombardy transferred €28,000 to a fake CFO whose voice had been cloned by AI from a few seconds of publicly available audio. The employee heard a familiar voice, an authoritative tone, an urgent request. He complied. This attack is called vishing (voice phishing), and the deepfake variant makes it almost impossible to catch "by ear."

Signals to watch for when you get a suspicious call or voice message:

  • A request for money, credentials, or a procedural exception made during the call itself.
  • Reluctance to be called back on a verified number ("no, let's stay on this line").
  • Micro audio anomalies: flat intonation, absent breathing, odd latency, clipped sentences.
  • Pressure not to involve anyone else.

We covered this scenario in depth in our piece on the CEO deepfake scam and how to defend against it. The most effective operational rule is simple and extremely powerful: always verify on a second, independent channel. If someone calls asking for an urgent wire transfer, hang up and call back the number you already have on file. No real emergency survives a thirty-second counter-check.

Why training alone isn't enough (and what replaces it)

Training matters, but it has a structural limit: it asks tired, pressured, distracted people to spot deceptions engineered to be indistinguishable from the real thing. Sooner or later someone gets it wrong. The odds are unforgiving — it only takes one click out of a few thousand emails.

The defense that holds up doesn't try to make the user infallible — it makes their mistake irrelevant. Even if an employee enters their credentials on a fake page, the attacker shouldn't be able to use them. This is where phishing-resistant multi-factor authentication comes in.

Yes to MFA, but not all MFA is equal

Many companies believe they're protected because they use SMS-based MFA or an app OTP code. The problem is that these methods are phishable: a cloned login page can capture the six-digit code too, and real-time adversary-in-the-middle attacks relay it instantly. Classic MFA raises the bar, but it doesn't stop a well-engineered modern attack.

Authentication methodPhishing-resistant?Notes
Password onlyNoShould be abandoned, full stop.
SMS OTPNoInterceptable, SIM swap, real-time phishing.
App code (TOTP)WeaklyBetter than SMS, but the code can still be stolen on a fake page.
Push notification with number matchingPartiallyReduces MFA fatigue, doesn't stop AiTM.
FIDO2 security keys / passkeysYesBound to the real domain: a fake page simply won't work.

The key difference with passkeys and FIDO2 hardware keys is that the authentication factor is cryptographically bound to the legitimate domain. If an employee lands on a cloned page, the passkey simply won't activate, because the domain doesn't match. Human error gets neutralized by the technology. This is the true "phishing-resistant MFA" referenced by national cybersecurity agencies and international guidelines.

Rolling out passkeys on email, back-office systems, and admin access is one of the highest-return moves an SMB can make. It doesn't eliminate phishing, but it makes it far harder to turn one click into a financial loss.

Want to know how exposed you are to AI attacks and phishable MFA? Request a review of your anti-phishing defenses and we'll tell you where to act first.

A five-step action plan for your company

Recognizing phishing is the first step. Reducing its impact takes process and technology together. Here's the priority order we recommend for an SMB.

  1. Two-channel rule on payments. Every wire transfer above a set threshold, every IBAN change, every exception gets confirmed verbally on a verified number. Put the rule in writing.
  2. Phishing-resistant MFA on critical accounts. Passkeys or FIDO2 keys on email, admin, remote access, and admin accounts. These first, everything else after.
  3. Email domain protection. Configure SPF, DKIM, and DMARC correctly to make it harder to spoof your domain and to protect your customers. We cover this in detail in this guide to SPF, DKIM, and DMARC.
  4. Simulation-based training, not slide decks. Regular simulated phishing campaigns, calibrated to the latest AI-driven attacks, are worth more than an annual course forgotten within a week.
  5. Email filters and third-party vetting. Advanced anti-phishing filters and, on the vendor side, attention to supply-chain risk: 30% of breaches involve third parties, and it's an explicit obligation under the NIS2 directive for companies in scope.

Phishing, GDPR, and liability: what's really at stake

A successful phishing attack isn't just about lost money. If it leads to access to customers' or employees' personal data, it becomes a data breach under GDPR, with a notification obligation to the data protection authority within 72 hours in the cases the law covers. And with NIS2 fully in force in 2026, security accountability can no longer be delegated to IT — it falls directly on the CEO and the board.

This changes the economics. The cost of an incident for an SMB usually ranges between €35,000 and €250,000, factoring in downtime, recovery, and legal consequences. Investing in prevention, strong authentication, and a verification process costs a fraction of that, and today it's also a requirement for cyber insurability and regulatory compliance.

If you want to know where you're exposed before an attacker finds out first, a vulnerability assessment and a review of your anti-phishing defenses are the most concrete starting point. The right question isn't "if" you'll receive a well-crafted attack, but "what happens when someone falls for it."

In short

AI has made phishing indistinguishable at a glance: no more mistakes, personalized emails, cloned voices. The new warning signs are behavioral (urgency plus authority plus secrecy, a channel switch, a detour from the normal process), not cosmetic. And the strongest defense isn't an employee's eye — it's an infrastructure that neutralizes their mistake: phishing-resistant MFA with passkeys, a two-channel rule on payments, a protected email domain, and third-party vetting. Less paranoia, more process.

Frequently asked questions

How do you spot a phishing email today if it no longer has grammar mistakes?

Shift your focus from form to the behavior being requested. The reliable signals are artificial urgency, invoked authority (the fake CEO or bank), a request for secrecy, and any detour from the normal process, such as a wire transfer requested by email or a last-minute IBAN change. Always check the real sender address and where links actually point.

What is vishing, and why are voice deepfakes so dangerous?

Vishing is phone-based phishing. With AI, an executive's voice can be cloned from just a few seconds of publicly available audio, making the scam sound convincing. In Italy, audio deepfakes have grown by more than 300% compared to 2023. The defense is to hang up and call back a verified number already on file.

Does SMS-based MFA protect against phishing?

Only partially. An SMS or app OTP can be stolen on a fake login page or relayed in real time by adversary-in-the-middle attacks. It's better than a password alone, but it isn't phishing-resistant. For real protection you need passkeys or FIDO2 hardware keys, cryptographically bound to the legitimate domain.

What does phishing-resistant MFA mean?

It's authentication where the factor is bound to the site's real domain. With passkeys or FIDO2 keys, if an employee lands on a cloned page, authentication simply won't activate because the domain doesn't match. In practice, human error gets neutralized by the technology.

Does a successful phishing attack carry legal obligations?

Yes. If it compromises customers' or employees' personal data, it becomes a data breach under GDPR, potentially requiring notification to the data protection authority within 72 hours. With NIS2 in force in 2026, accountability falls directly on the CEO and board, no longer solely on IT.

How much does a phishing incident typically cost an SMB?

Generally between €35,000 and €250,000, factoring in downtime, system recovery, any transferred funds, and legal consequences. Prevention (strong MFA, a two-channel rule on payments, email domain protection) costs a fraction of that figure.

Talk to us: together we'll assess where your company is vulnerable and how to make a single click harmless, with passkeys, verification processes, and a tailored audit.