For years, the standard advice for spotting phishing was to look for bad spelling, clumsy grammar, and generic greetings. That advice is now dangerous, because it trains you to look for signals that no longer exist. The misspelled foreign prince is extinct. What replaced him writes fluent English, addresses you by name, and mentions the bank you actually use.

Why the scams got personal

Two things changed. First, AI writing tools erased the language tell. A scammer with no English at all can now produce a message indistinguishable in tone from your bank's real correspondence, and generate a hundred variants of it in a minute.

Second, and less discussed: breach data made personalization cheap. The same stolen datasets we cover elsewhere on this site tell an attacker your name, which services you hold accounts with, sometimes what you have bought and where you live. When a message references your real mobile carrier or a real purchase, it is not because someone researched you personally. Your row in a spreadsheet was simply merged into a template, along with fifty thousand other rows.

The result: the old filter, "does this look professional and does it know me," now passes the scams and fails some genuine emails. You need better tells.

The three tells that survive

Manufactured urgency. Real institutions almost never need you to act within the hour. Phishing almost always does, because urgency is not a stylistic choice, it is the mechanism. The message must make you act before you think, since thinking is fatal to it. Suspended accounts, packages returning to sender, unauthorized charges pending confirmation: the costume changes, the countdown never does. A useful rule: if the message created the urgency, the urgency is the tell.

The channel switch. The message arrives in one channel and pushes you into another: click this link, call this number, scan this QR code, "chat with our agent." Legitimate alerts point you to the place you already know: log into your account and check. Anything that insists on its own door instead of the front door is choosing terrain it controls.

The ask itself. Strip away the story and look at the request. It is always one of a short list: a password, a verification code, a payment, remote access to your device, or gift cards. No genuine institution asks for any of those out of the blue, and codes deserve special paranoia: as we covered in the two-factor guide, a code someone asked you for is a code being stolen in real time.

The one habit that beats all of it

Never enter through a door a message opened for you. If "your bank" emails, texts, or calls: hang up or close it, then reach the bank yourself, through the app on your phone or the address you type by hand. If the alert was real, it will be waiting in your account. This single habit defeats fluent phishing, personalized phishing, and phishing that has not been invented yet, because it removes the one thing every variant needs: you, arriving via their link.

If you already clicked

It happens to careful people, and shame is the attacker's best friend, so skip it and move. If you entered a password: change it now on the real site, along with anywhere it was reused. If you entered a code or approved a login prompt: change the password and check the account's active sessions and recovery settings, since the attacker may already be inside. If you entered card details, call the bank. And if the message knew things about you that felt uncomfortably specific, it is worth finding out exactly which breaches that data came from.

Curious why the scams know so much about you?

Our free scan shows which known breaches contain your email and exactly what data was exposed alongside it.

Run the Free Breach Scan →
Keep reading

Breach data is only half of what scammers know about you. The other half was collected legally, and is for sale right now:

What Data Brokers Know About You

People-search sites publish your address, relatives, and history without any breach at all. How the trade works and what removal actually involves.

← Back to all guides