AI Phishing and Impersonation: The New Era of Business Email Compromise

Even the most security-savvy employee can be caught off guard by a convincing email.

Even the most security-aware employee can be caught off guard by a convincing email. The rise of AI phishing has changed the rules of social engineering. Attackers no longer rely on poorly written messages or obvious scams, they’re now creating personalised, fluent, and timely communications that feel real.

Staff now need to understand and recognise a whole new generation of threats where authenticity can be faked, and trust can be weaponised.

From Copy-Paste Scams to AI-Powered Precision

In the early days of phishing, spotting an attack wasn’t too difficult. Dodgy email addresses, awkward grammar, and unrealistic promises were the giveaway signs. But all that has changed.

Today’s attackers are using AI phishing techniques to write in natural language, mimic internal tone, and even adapt to an organisation’s brand voice. With just a few publicly available details, such as a LinkedIn profile, a company press release, or an email signature, they can generate messages that look and sound like they’ve come straight from inside your organisation.

If you haven’t seen it yet, Cyber Police is our award-winning eLearning series that turns real cyber threats into gripping stories. Using drama and realism, it shows how everyday actions can lead to major security breaches, helping employees recognise risks, change behaviour, and build lasting awareness. In the case that inspired Season 4, Episode  1, a spear-phishing campaign targeted senior executives at a hotel group. The emails appeared to come from a finance team member, directing recipients to a fake login portal. Credentials were harvested, funds were transferred overseas, and the entire operation was executed with unnerving accuracy.

AI made it possible for the attackers to:

• Imitate tone and style: By analysing real messages, they produced emails that matched how internal teams actually write.
• Personalise at scale: AI can quickly create hundreds of variations of the same scam, making each one feel uniquely relevant.
• React in real time: Chatbots and automation tools allow criminals to respond to replies instantly, sustaining the illusion of legitimacy.

This resulted in an attack that feels human, but isn’t.

While the scenarios in Cyber Police are fictional, they’re inspired by real incidents; the same types of attacks that have already impacted organisations around the world and continue to do so every day.

Why Modern and AI Phishing Work So Well

If you think your people wouldn’t fall for a fake email, think again. The most successful phishing campaigns don’t rely on technical tricks; they exploit human behaviour.

Three factors make these modern scams so effective:

1. Trust. We’re wired to trust communication that looks familiar. If a message comes from a known name, uses the right tone, and references current projects, our natural response is to act quickly rather than question it.
2. Authority. Cybercriminals understand hierarchy. Messages that appear to come from a manager, director, or client trigger an automatic desire to comply, especially when deadlines or consequences are mentioned.
3. Speed. Urgency is the social engineer’s best friend. “Please authorise this payment immediately.” “Can you log in to approve this update?” These phrases push people into action before they’ve had a chance to think critically

Combine these psychological levers with the precision of AI, and you’ve got a threat that feels almost impossible to detect without proper awareness and controls.

It’s not that employees aren’t being cautious, it’s just that the messages are too good.

Building Better Defences Against AI-Driven Phishing

Technology alone won’t solve this problem. Firewalls, filters, and secure email gateways are essential, but they can’t catch everything, especially when the threat comes disguised as a trusted colleague.

Organisations need a layered defence that combines process, technology, and people.

1. Verification Processes
   Encourage employees to verify any unexpected or high-value requests through a secondary channel, such as a phone call, Teams message, or face-to-face check. Clear procedures should make it easy (and expected) to double-check before acting.
2. Multi-Factor Authentication (MFA)
   Even if credentials are stolen, MFA adds an extra barrier. However, attackers are learning to bypass MFA using AI-powered voice phishing and deepfake prompts, so awareness of these tactics is just as important as the technology itself.
3. Continuous Awareness Education
   Doing some awareness education with your team once just isn’t enough. Simulated phishing campaigns, bite-sized learning, and scenario-based exercises help keep awareness front of mind. It’s important that employees feel confident identifying and reporting suspicious activity.
4. Email Security Tools
   Modern email security solutions use machine learning to detect unusual patterns, like logins from unexpected locations or changes in communication style. Combined with human vigilance, these tools provide strong defence against evolving threats.

Turning Awareness into Behaviour Change

Knowledge is only half the battle. Real resilience comes when people understand why they’re being targeted, and how their actions can stop an attack in its tracks.

That’s where storytelling comes in. Traditional training often struggles to make an impact because it talks about risk rather than showing it. But when employees see the consequences of a single click brought to life through real-world drama, like in the Cyber Police series, awareness becomes memorable.

By combining practical learning with emotional impact, organisations can transform cyber awareness from a box-ticking exercise into genuine behaviour change.

Working with MetaCompliance

Phishing isn’t going away, it’s evolving. As AI tools make impersonation faster, smarter, and more convincing, every organisation needs to strengthen its human layer of defence. That’s why we created the Cyber Police series, part of our wider suite of Human Risk Management awareness tools.

Cyber Police is a live-action series that turns real cyber threats into unforgettable stories, helping organisations change behaviour and strengthen their human defences.

Each season tackles the attacks employees are most likely to face – from phishing and ransomware to deepfakes – reimagining them as gripping, realistic episodes that stay with viewers long after they’ve finished watching.

By seeing threats through the eyes of those affected, employees develop stronger awareness, sharper instincts, and the confidence to respond effectively when it matters most.

Find out more about how Cyber Police turns real cyber threats into unforgettable stories.