Why Phishing Scams Are Getting Harder to Spot
If phishing scams are designed to fool people, why do so many still look obvious? For years, the answer was simple: most scams were sent out in bulk. The same email. The same fake login page. Sent to thousands of people in the hope that a few would click.
That approach still exists, but it’s changing.
When generative AI first appeared, there was a lot of discussion around “dynamic websites” - pages that could change depending on who was visiting, where they were located, or what device they were using. For most businesses, that idea never really took off. It was expensive, complicated and usually unnecessary.
Cyber criminals don’t have the same standards. They don’t need perfect systems. They just need something believable enough to work.
Security researchers have already demonstrated how AI could be used to create phishing pages dynamically. It’s still largely experimental, but it offers a glimpse of where scams are heading.
Instead of sending victims to one fixed fake website, attackers can now build pages in real time. Someone clicks a link and lands on what appears to be a harmless webpage. Behind the scenes, the site uses legitimate AI tools to generate content as the page loads. The phishing page is effectively built live in the user’s browser. That means the wording, layout and even the code can be different every time someone visits. There’s no single fake website for security systems to identify and block because the scam doesn’t fully exist until the moment it’s opened. This isn’t widespread yet, but the technology behind it already is.
AI is increasingly being used to write malicious code, malware is becoming more adaptive, and AI-assisted scams are growing more convincing.
For businesses, that changes the conversation around cyber security. Phishing is no longer just about spotting poor spelling or badly designed emails. The next generation of scams will look polished, professional and far more convincing than many people expect.
That’s why modern cyber security isn’t built around the idea that people will never click the wrong thing. Instead, it focuses on reducing the damage if they do. Measures like multi-factor authentication, secure browsing tools and advanced email filtering still make a huge difference, even when a phishing page looks genuine.
The reality is simple: phishing isn’t disappearing. It’s evolving. Businesses need to assume that future scams will look legitimate and make sure their security doesn’t rely on spotting obvious mistakes alone.
Want to understand how exposed your business could be? Get in touch with the team at GSP Solutions.
Written by Ruaridh Anderson, Graduate Cyber Security Apprentice at GSP Digital Solutions