Phishing doesn’t look like “Prince from a faraway land” anymore.
The sloppy spelling, weird phrasing, and obvious scams your team learned to ignore? Those still exist, but they’re not the main threat. Attackers are now using generative AI to write convincing emails with clean grammar, local details, and realistic branding.
And it’s working.
Recent reports show phishing and social engineering are involved in the majority of incidents worldwide, often in the 70–77% range depending on the study and sector. In other words: most attacks don’t start with “hacking the firewall.” They start with someone clicking a link or trusting the wrong email.
If your last phishing training was “before AI,” it’s out of date.
How AI Has Changed Phishing
AI hasn’t invented phishing, but it’s made it:
- Faster: Attackers can generate hundreds of tailored messages in minutes.
- Cleaner: No more broken English and weird formatting by default.
- More targeted: AI tools can ingest public information (LinkedIn, websites, press releases) and produce spear-phishing that sounds like your world.
That leads to emails that:
- Use the right tone for your industry
- Reference real vendors, tools, or local locations
- Look like routine work: invoices, DocuSign, bank updates, HR forms
To a busy human, those look like “just another task,” not an obvious red flag.
What AI-Phishing Looks Like Around Milwaukee
We see patterns repeat across manufacturers, clinics, law firms, and other SMBs in the Milwaukee area.
Common examples:
1. Fake invoices from “known” vendors
An email that looks like it’s from a vendor you actually use:
- Correct logo and color scheme
- A real contact name scraped from LinkedIn
- A believable “updated invoice attached” message
The goal: get Accounts Payable to pay a fake bill or change routing details.
2. Spoofed exec / owner emails
An email that appears to be from:
- The owner asking for a quick payment
- A director requesting gift cards for “staff appreciation”
- A CFO asking to “rush a wire before close of business”
The wording is much better than it used to be. Fewer typos. More “corporate.”
3. “Update this payment info” messages
These show up as:
- “We’ve changed banks; please use this account moving forward.”
- “Due to an audit, our billing address and ACH details are updated.”
Attackers know most businesses don’t have a formal process to verify these changes. They rely on speed and routine: “just update the vendor and move on.”
Why Legacy Phishing Training Falls Short
Traditional phishing training assumes:
- Bad grammar and spelling
- Random, generic messages
- Obvious scare tactics (“Your account will be deleted in 1 hour!”)
In the AI era, those assumptions are dangerous.
What’s changed:
- Red flags are more subtle
  It’s less about “Is the grammar bad?” and more about:
  - Does this request match our normal process?
  - Does the sender usually ask me for this type of thing?
  - Is there another channel I can use to confirm?
- Attackers know your tech stack
  Fake emails now reference:
  - DocuSign / Adobe Sign
  - Microsoft 365 / Teams
  - Salesforce, QuickBooks, etc.
  The branding and language feel familiar, so people click faster.
- Volume is up
  AI makes it cheap to try thousands of variants. It only takes one person on one busy day to slip.
If your training is based on old examples, users learn to spot attacks that are already extinct and miss the ones that matter now.
The New Skills Your Team Actually Needs
Modern phishing defense is less about spotting typos and more about building habits.
Here’s what we focus on with Milwaukee teams:
1. “Money and urgency” reflex
Any email that mixes money and urgency should trigger a pause:
- “We need this payment updated today.”
- “Can you buy gift cards before the end of the day?”
- “We need to switch bank accounts right away.”
Teach staff: this is where you slow down, not speed up.
2. Out-of-band verification
Build a simple rule:
No changes to payment details, payroll, or banking based on email alone.
Confirm via:
- A known phone number
- A verified portal
- An internal Teams/Slack message to the real person
3. Role-based awareness
Front desk, AP, HR, clinicians, attorneys, leadership: they all see different attacks. Training should reflect:
- The types of requests they get
- The systems they log into
- The consequences they care about (time, patient data, client trust, etc.)
4. Safe reporting, not shaming
People won’t report near-misses if they get mocked for clicking the wrong thing. We push a culture of:
- “Thank you for reporting it”
- Quick triage, not blame
- Learning from close calls
What Our “AI-Era Phishing Drills” Look Like
At Stamm Tech, we’ve updated our approach to match this new reality.
For Milwaukee and SE Wisconsin clients, our phishing program includes:
- AI-shaped simulations
  Campaigns that mimic:
  - Vendor invoice changes
  - Exec gift card requests
  - SaaS login prompts (M365, Google, Salesforce, etc.)
- Short, role-specific refreshers
  10–15 minute sessions that focus on:
  - Real examples from their role
  - Quick “do this, not that” guidance
  - One or two habits to practice, not a 60-minute lecture
- Metrics that actually matter
  Not just “who failed,” but:
  - How quickly people reported suspicious emails
  - Which roles or departments need different examples
  - How behavior changes over time
The goal isn’t perfection. It’s steady improvement, and a team that feels confident saying, “Something about this email feels off.”
Where to Start (Even If You’re Not a Client Yet)
If your last phishing training was pre-AI, here are three practical steps:
- Update your examples
  Swap out the old “Nigerian prince” slides for:
  - Fake invoices
  - Gift card scams
  - SaaS login pages your team actually uses
- Write down your money rules
  Clarify:
  - How you verify payment changes
  - Who can approve wires or ACH changes
  - What to do if someone clicks something suspicious
- Schedule a modern phishing drill
  Whether you use us or another partner, ask specifically for:
  - AI-style templates
  - Role-based reporting
  - A constructive debrief
If you want to see what our AI-era phishing drills look like in practice, or you’d like a quick review of your current training, we’re happy to talk.
Milwaukee teams don’t need more fear.
They need clear, modern examples and a simple playbook.