If phishing scams are supposed to trick people, why do so many of them still feel clumsy?
For years, the answer was simple: Most scams were mass-produced.
The same email, the same fake website, sent to thousands of people and hoping a few would fall for it.
That approach is still around, but it’s starting to evolve.
When generative AI first appeared, there was a lot of talk about “dynamic websites.”
Instead of one fixed site for everyone, pages would be generated on the spot, shaped by who you are, where you are, and what device you’re using.
That future never really arrived for everyday businesses. It was complex and rarely worth the effort.
Cybercriminals, however, don’t need perfect systems.
They need something convincing.
Security researchers have shown how this idea could be used for phishing. While it’s still largely experimental, it gives a clear picture of the next generation of scams.
A victim clicks a link and lands on a webpage that looks harmless. There’s no obvious malicious code sitting on the page.
Once it loads, the page asks a legitimate AI service to help generate content.
That content is then assembled and run directly in the person’s browser.
The result is a phishing page that’s created especially for that visitor.
The wording, layout, and code can all be different every time. There’s no single fake website for security systems to spot and block – because the scam doesn’t fully exist until someone opens it.
Before you panic, this method isn’t widespread yet. But the building blocks are in use.
AI is being used to write malicious code, malware is increasingly assembled as it runs, and AI-assisted scams are becoming more common.
For you, this changes the rules slightly.
Phishing is no longer just about spotting bad spelling or sloppy design.
Future scams may look even more polished, personalized, and completely legitimate. Some will appear to come from legitimate senders.
That’s why modern protection focuses less on “don’t ever click the wrong thing” and more on limiting the damage if someone does.
Tools like multi-factor authentication, secure browsers, and email filtering still work, even when a fake page looks convincing.
Remember this: phishing isn’t going away.
To stay protected now, you must assume the next scam will look professional and make sure your defenses don’t rely on people spotting obvious mistakes.