Let me set the scene. It was a Tuesday morning, I had three Slack threads open, two unread PRs, and somewhere between my second coffee and my third I clicked a link in an email from what I was completely convinced was my bank.

It wasn't.

I caught it within about four seconds — the URL was wrong, and by then I'd already mentally flagged something off about the page styling. I closed the tab, changed my password, reported it, and spent the next hour picking apart the email I'd received. What I found is what prompted this post.

What Made This Phishing Email Different

I've seen hundreds of phishing emails over the years. You know the type: mismatched fonts, obvious grammatical errors, generic "Dear Customer" salutations, urgent warnings about accounts being "temporariliy suspended." This was nothing like that.

This email:

  • Addressed me by my first name (not surprising — data breaches are everywhere)
  • Referenced my actual bank's current UI design and branding accurately
  • Had perfect grammar and a completely natural, calm tone (no urgent threats)
  • Referenced a plausible recent change ("following our updated security policy from March 15th")
  • Came from a sender domain one character off from my bank's domain — not an obvious fake

The tone is what got me. Security professionals have been saying for years that urgent, scary language is a red flag. This email had none of that. It was politely informational. "We've updated our authentication process and your next login may require an additional step." That's it. Completely calm, completely believable.

How This Was Almost Certainly Built

After some research into current phishing kits (a genuinely unsettling rabbit hole), here's what these operations are doing now. They scrape current bank marketing pages to match design language and terminology. They use LLMs to generate variations of the email body — dozens of different tones, different pretexts, tested for open rates. They A/B test subject lines the same way legitimate marketing teams do. The whole operation has become professionalized and AI-assisted at scale.

The specific technique that almost got me — the calm informational tone with a plausible policy-change pretext — is apparently one of the highest-performing formats in recent phishing research. The urgency-based approach trained us to look for urgency. Remove the urgency and a lot of us stop looking.

What Actually Saved Me

The URL. I had a split-second gut feeling that the link text in the email and the destination URL didn't match perfectly. I hover over links as muscle memory at this point — I don't even consciously decide to do it. That habit, developed over years of being security-paranoid, is what made the difference.

What You Should Actually Change

Stop looking for urgency and fear as your primary phishing signals. Those signals are increasingly being removed from high-quality attacks. Instead:

  • Check every URL before clicking, especially in banking, HR, and payment emails
  • If an email references any account change, navigate to the site directly in a new tab rather than using any link in the email
  • Set up a hardware security key or passkey for your critical accounts — phishing can steal passwords and TOTP codes, but passkeys are domain-bound and can't be stolen via a fake site
  • Enable login notifications on everything important so you know immediately if someone uses your credentials
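The two signals that carried this post, the link text not matching the real destination and a sender or link domain one character off the real one, are mechanical enough to check automatically. This is an added example, not code from the original post; the bank domain and the email body are constructed stand-ins, and the domain and distance rules are simplifications of what a mail gateway would do.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample body (not the email from the post): the visible link text
# shows the bank's real domain, the href points at a one-character-off host.
SAMPLE_EMAIL_HTML = ('<p>Hi Alex, following our updated security policy from '
    'March 15th, your next login may require an additional step. Review it at '
    '<a href="https://login.examp1ebank.com/auth">https://login.examplebank.com/auth</a>.</p>')
TRUSTED_DOMAINS = {"examplebank.com"}  # hypothetical bank domain (assumption)
class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
def registrable_domain(host):
    # Last two labels only; production code would consult the public suffix list.
    return ".".join(host.lower().split(".")[-2:])
def edit_distance(a, b):
    # Levenshtein distance: catches hosts that are "one character off" a trusted one.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]
def audit_links(html, trusted=TRUSTED_DOMAINS):
    """Flag links whose displayed URL and real destination disagree, plus any destination within edit distance 2 of a trusted domain."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        dest = registrable_domain(urlparse(href).hostname or "")
        # Only compare when the visible text itself looks like a URL or hostname.
        shown = re.fullmatch(r"(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?", text, re.I)
        if shown and registrable_domain(shown.group(1)) != dest:
            findings.append(("text/href mismatch", text, href))
        findings += [("lookalike of " + t, dest, href)
                     for t in trusted if 0 < edit_distance(dest, t) <= 2]
    return findings
```

Running `audit_links(SAMPLE_EMAIL_HTML)` reports both the mismatch and the lookalike; a link whose text is plain words is only checked against the trusted-domain list.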

The AI-powered phishing wave is real and it's significantly better than anything we've trained ourselves to spot. Update your mental model for what a dangerous email looks like.