There was a time when phishing emails were easy to spot. Bad grammar. Weird formatting. A sense of urgency that bordered on comedy. "DEAR VALUED CUSTOMER YOUR ACCOUNT HAS BEEN COMPROMISED PLEASE CLICK HERE IMMEDIATELY."
Those days are over. And if your organization is still relying on built-in Microsoft 365 or Google Workspace filtering to protect against phishing, you're bringing a butter knife to a gunfight.
What Modern Phishing Actually Looks Like
Here's a real scenario we've seen play out multiple times with Utah businesses: an employee gets an email from what appears to be their CEO, sent from the correct-looking email address, referencing a real project they're working on. The email asks them to approve a wire transfer or share login credentials for a vendor portal. It's well-written. The tone matches how their CEO actually communicates. There are no suspicious links — just a request.
That's Business Email Compromise (BEC). It's not malware. It's not a link to a fake login page. It's social engineering — and it's responsible for more financial losses than any other type of cybercrime, including ransomware.
According to the FBI's Internet Crime Report, BEC losses in 2023 exceeded $2.9 billion. In the United States. In one year.
Why Traditional Filters Miss This
Legacy email filtering — and this includes Microsoft Defender for Office 365's built-in protection — works primarily on signatures and rules. It looks for known malicious links, known bad sender domains, known attachment types. It's good at what it does. The problem is what it doesn't do:
- It doesn't analyze the intent and context of an email's text
- It doesn't detect impersonation that uses legitimate-looking domains (like m1crosoft.com or your-company-invoices.com)
- It doesn't catch emails that have no links or attachments but are asking for something dangerous
- It doesn't adapt to the specific communication patterns of your organization
AI-generated phishing exploits all four of these gaps simultaneously. An attacker can use publicly available tools to scrape LinkedIn, learn who your executives are, understand your business context, and craft a completely personalized email — in seconds — that passes every signature-based filter with flying colors.
The Rise of AI-Assisted Phishing
We're not speculating about a future threat. This is happening right now, and the barrier to entry has collapsed. Tools that were once exclusive to sophisticated nation-state actors are available to anyone with a credit card and a grudge. The grammar and spelling errors that used to be the tell? Gone. The awkward phrasing? Gone. What remains is a clean, convincing, contextually appropriate email that sounds exactly like it came from someone you trust.
One of our clients — a 35-person professional services firm in Salt Lake County — nearly wired $85,000 to a fraudulent account after receiving a BEC email that perfectly mimicked their CFO's writing style, referenced an ongoing project by name, and was sent on a Friday afternoon when the CFO was traveling. The only reason it didn't work was that the employee had been trained to call and verify any wire request over a certain amount. Training helped. An AI-aware email security tool would have caught it before it ever landed in the inbox.
What AI-Powered Email Security Does Differently
We use Inky for our clients because it approaches email security the way a human would — by reading and understanding the content, not just scanning for known-bad signatures. Here's what that looks like in practice:
| Threat Type | Traditional Filter | Inky (AI-Powered) |
|---|---|---|
| Known phishing links | ✓ Catches it | ✓ Catches it |
| Malicious attachments | ✓ Catches it | ✓ Catches it |
| Brand impersonation (fake Microsoft login page) | Sometimes | ✓ Catches it |
| CEO fraud / BEC with no links | ✗ Misses it | ✓ Catches it |
| Vendor impersonation | ✗ Misses it | ✓ Catches it |
| AI-generated spear phishing | ✗ Misses it | ✓ Catches it |
When Inky catches a suspicious email, it doesn't just quarantine it — it places a visible warning banner inside the email itself, explaining why the email was flagged. This is genuinely useful because it turns every flagged email into a micro-training moment for your employees. They see the reasoning. They learn what to look for. Over time, your team gets better at recognizing suspicious emails even without the tool.
Training Still Matters — But It's Not Enough Alone
We're big advocates for security awareness training. Employees who know what to look for make better decisions. But training has limits. No matter how well-trained your team is, someone will eventually have a bad day, be distracted, and click something they shouldn't. Or they'll encounter an AI-generated email so convincing that no amount of training would have flagged it.
The combination that actually works: trained employees plus AI-powered email filtering. Defense in depth. Neither one alone is sufficient. Together, they close the gap substantially.
If you want to know what's actually making it through your current email filter right now, we can show you. It's usually more than people expect.