One of the easiest ways for a hacker to steal your account is to trick you into giving them your password through phishing. Artificial intelligence tools have changed the phishing landscape and it’s important for everyone at Cornell to learn how to spot ever-more-sophisticated attacks on your NetIDs. 

Better Writing 

You could once spot a phish because of obvious spelling errors, bad grammar, and weird formatting. Just as Copilot can polish your latest email draft, AI can draft cleaner and more convincing messages. With enough context (public talks and memos for example), they can even mimic the style of an executive or university leader. 

Targeted Personalization 

It takes little for a hacker to use AI to scrape public social media accounts for personal details they can then use to tailor a message to you (and your closest 4,000 friends). This means your custom-created phish looks different from your neighbor’s custom-created phish, making it harder to spot. This kind of phishing is three times more likely to fool the recipient. 

Is it Real or is it Deepfake? 

AI powered voice cloning and video deepfakes have already cost companies millions of dollars. It can take as little as three seconds of audio for AI to re-create a voice and use it in a phishing attack. 

Speaking of Voice… 

Phishing isn’t just for email anymore! AI can coordinate attacks across media – for example sending an email, followed by a phone call, text, or even videoconferencing where deepfake image or voice take over. 

Yes, But Cornell Has Phish Filters! 

Yes, and AI helps phishing adapt in real time, to help bypass the tools used by security software. 

What Hasn’t Changed 

Despite all the technology, phishing still relies on three important levers of our emotions: 

• urgency (“act now!”) 
• authority (“your boss needs this”) 
• fear or curiosity ("what did I do?" or "what's this about?")

AI just makes these triggers more believable and better targeted. 

Report Suspicious Phishing 

Phishing is a $20 billion industry in the US alone, so don’t expect it to go away any time soon. Stay on guard - if you receive a suspicious email, use the email’s built-in tools to report the message to the IT Security Office. If your account is hacked or compromised, contact the ITSO right away.