AI MADE PHISHING EMAILS PERFECT. HERE'S HOW TO PROTECT YOURSELF.

In February 2024, a finance worker at Arup (the engineering firm behind the Sydney Opera House) wired $25 million to criminals.

He wasn't careless. He was on a video call with his CFO and senior leadership.

Every face was real. Every voice matched perfectly. And every single person on that call was an AI-generated deepfake.

This is the new reality.

AI-generated phishing emails now achieve a 54% click-through rate compared to just 12% for traditional phishing. Over 82% of phishing emails use AI in some form. The old red flags—bad grammar, weird formatting, obvious typos—are gone.

So what do you do when "looks legit" means nothing?

The 3-second hover rule

Before you click any link in any email, hover your cursor over it for three seconds. Look at the actual URL that appears. If the domain doesn't match exactly who it claims to be from (think "micros0ft.com" instead of "microsoft.com"), don't click.

Three seconds. That's it.

This won't catch everything. Deepfakes still require verification calls on known numbers. But most attacks still come through email links, and this simple habit stops most of them cold.

Your one action today

Pick three emails in your inbox right now and practice the hover. Build the muscle memory before you need it.

The criminals have AI. Your best defense is still attention.