Spotting Phishing & Scams with AI
Phishing is the attack you are most likely to face this week. A convincing fake message lands in your inbox or texts, you click in a hurry, and your password or money is gone. The good news: AI is an outstanding phishing-detection partner. In this lesson you will build a repeatable habit for analyzing any suspicious message in under a minute.
What You'll Learn
- The universal warning signs of phishing and scams
- A step-by-step AI workflow for analyzing suspicious messages
- How to safely investigate links and senders without clicking
- Why AI-written phishing is harder to spot — and how to adapt
The Universal Warning Signs
Most phishing shares the same DNA. Train your eye for these red flags:
- Urgency and fear. "Your account will be closed in 24 hours!" Pressure stops you from thinking.
- A request to click a link or open an attachment you did not expect.
- A mismatched or odd sender address. The display name says "Apple" but the address is support@apple-verify-account.ru.
- Requests for credentials, codes, or payment. Real companies do not ask for your password by email.
- Generic greetings. "Dear Customer" instead of your name (though AI is making personalization easier).
- Look-alike domains. paypa1.com (with a number 1), microsft-support.com, or extra words like -secure-login.
- Too good to be true. You won a prize in a contest you never entered.
Any one of these is a yellow flag. Two or more is a red flag. The safe default for anything suspicious is: do not click, do not reply, verify independently.
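To show how the warning signs above combine into a risk rating, here is an added Python triage helper (example code written for this lesson, not from the original). It checks the four signs that can be tested mechanically (sender mismatch, urgency, a credential or payment request, a generic greeting, a pushed link) and applies the rule that one flag is yellow and two or more are red. The brand table, keyword lists, and the sample message are constructed for the demo and deliberately small.

```python
import re

# Constructed brand table for the demo (assumption, not from the lesson).
BRANDS = {"apple": "apple.com", "paypal": "paypal.com", "microsoft": "microsoft.com"}
# Red-flag vocabularies, one per warning sign in the lesson (constructed, deliberately small).
URGENCY = re.compile(r"\b(?:within|in)\s+\d+\s+hours?\b|\b(?:immediately|suspended|closed|final notice|act now)\b", re.I)
CREDENTIALS = re.compile(r"\b(?:password|verification code|one[- ]time code|pay now|payment|gift card)\b", re.I)
GENERIC_GREETING = re.compile(r"^\s*(?:dear|hello|hi)\s+(?:customer|user|member|client)\b", re.I | re.M)
LINK_PUSH = re.compile(r"https?://\S+|\bclick\b|\bopen the attachment\b", re.I)

def sender_mismatch(display_name, address):
    """Return a note when the display name claims a brand the sender's domain does not belong to."""
    domain = address.rsplit("@", 1)[-1].lower()
    for brand, official in BRANDS.items():
        if brand in display_name.lower() and domain != official and not domain.endswith("." + official):
            return f"display name says {display_name!r} but the address domain is {domain}"
    return None

def triage(display_name, address, body):
    """Return (risk, flags). The lesson's rule: one flag is yellow, two or more is red."""
    flags = []
    mismatch = sender_mismatch(display_name, address)
    if mismatch:
        flags.append("mismatched sender: " + mismatch)
    if URGENCY.search(body):
        flags.append("urgency and fear")
    if CREDENTIALS.search(body):
        flags.append("asks for credentials, codes, or payment")
    if GENERIC_GREETING.search(body):
        flags.append("generic greeting")
    if LINK_PUSH.search(body):
        flags.append("pushes a link or attachment")
    risk = "High" if len(flags) >= 2 else "Medium" if flags else "Low"
    return risk, flags

# Constructed sample message modelled on the lesson's Apple example.
SAMPLE = dict(
    display_name="Apple Support",
    address="support@apple-verify-account.ru",
    body="Dear Customer,\nYour account will be closed in 24 hours. "
         "Click http://apple.com.verify-account.ru/login and confirm your password.",
)

if __name__ == "__main__":
    print(triage(**SAMPLE))
```

The keyword lists are a teaching aid, not a filter: a message that trips none of them can still be phishing, which is why the lesson's verify-independently default applies regardless of the rating.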
The AI Phishing-Check Workflow
Here is the exact routine to run whenever something feels off. Open ChatGPT or Claude and use this prompt, pasting the message text (with your personal details removed):
Act as a phishing-detection expert. Analyze this message for signs of phishing or a scam. List each red flag you find, rate the overall risk as Low, Medium, or High, and tell me the single safest action to take. Do not assume it is safe just because it looks polished. Here is the message: [paste here]
The AI will return a structured breakdown — far more thorough than a quick glance. For example, paste a fake message and it will flag the look-alike domain, the artificial urgency, and the credential request, then recommend going to the official site directly.
For checking whether a sender domain or website is legitimate, switch to Perplexity so you get sourced answers:
Is "secure-paypal-billing.com" an official PayPal domain? What is PayPal's real domain, and how can a beginner verify a website's legitimacy?
Investigating Links Without Clicking
Never click a suspicious link to "see where it goes" — that is exactly what attackers want. Instead, investigate safely:
- Hover, do not click. On a computer, hover your mouse over a link to preview the real URL at the bottom of the screen. On mobile, press and hold to preview without opening.
- Read the domain right to left. The site that actually receives the click is the right-hand end of the host, the part just before the first single slash. In apple.com.verify-account.ru/login, the real domain is verify-account.ru, not Apple.
- Ask AI to decode it. Paste the visible link text and ask: "Break down this URL and tell me the actual domain a beginner should worry about."
- Use the official app or type the address yourself instead of trusting any link.
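The right-to-left rule and the look-alike tricks from this lesson, as an added Python link decoder (example code written for this lesson, not from the original). It never fetches the link; it only parses the text, names the domain that would actually receive the click, and reports the three imitation patterns the lesson lists: a brand name placed before the real domain, a digit swapped for a letter, and a brand with a dropped letter or extra hyphenated words. The brand table and digit map are constructed assumptions, and the two-label rule is a simplification that ignores multi-part suffixes such as co.uk.

```python
from urllib.parse import urlsplit

# Constructed brand table for the demo; a real check would use a far larger list (assumption).
BRAND_DOMAINS = {"apple": "apple.com", "paypal": "paypal.com", "microsoft": "microsoft.com"}
# Digits attackers swap in for look-alike letters (paypa1.com); mapped back before comparing.
DIGIT_SWAPS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

def registered_domain(url):
    """Split a URL into its host and the part that decides where the click really goes.
    Lesson rule: read right to left; the real site is the last two labels before the path.
    Simplification: multi-part public suffixes such as co.uk are not handled here."""
    if "://" not in url:
        url = "http://" + url          # urlsplit needs a scheme to locate the host
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return host, ".".join(labels[-2:])

def looks_like(name, brand):
    """True if 'name' (the label left of the TLD) imitates 'brand' by one of the lesson's tricks."""
    if name == brand:
        return False                   # the genuine name is not an imitation
    for part in name.split("-"):       # extra hyphenated words: secure-paypal-billing
        if part == brand:
            return True
        if part.translate(DIGIT_SWAPS) == brand:
            return True                # digit swap: paypa1 -> paypal
        if any(brand[:i] + brand[i + 1:] == part for i in range(len(brand))):
            return True                # dropped letter: microsft -> microsoft
    return False

def decode_url(url):
    """Return (real_domain, findings) for a link, without ever opening it."""
    host, domain = registered_domain(url)
    name = domain.split(".")[0]
    findings = []
    for brand, official in BRAND_DOMAINS.items():
        if domain == official:
            continue                   # genuinely the brand's domain or one of its subdomains
        if brand in host.replace(domain, ""):
            findings.append(f"'{brand}' appears before the real domain {domain}")
        if looks_like(name, brand):
            findings.append(f"{domain} imitates {official}")
    return domain, findings

if __name__ == "__main__":
    for link in ("apple.com.verify-account.ru/login", "https://www.paypa1.com/signin",
                 "microsft-support.com", "secure-paypal-billing.com", "https://email.apple.com/receipt"):
        print(link, "->", decode_url(link))
```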
The New Challenge: AI-Written Phishing
Here is the uncomfortable truth: attackers now use AI too. The classic advice "look for bad spelling and grammar" is obsolete, because AI writes flawless, professional, perfectly localized messages. Modern phishing can even reference real details scraped from your social media.
So adapt your defenses. Stop relying on how a message is written and focus on what it asks you to do:
- Does it create urgency? Does it ask for credentials, codes, or money? Does it push you to an unexpected link?
- Verify through a separate, trusted channel. If "your bank" emails you, call the number on the back of your card — not the number in the email.
- Slow down. Almost every successful phishing attack relies on the victim acting fast. The pause is your superpower.
A Quick Hands-On Exercise
Find a promotional or "verify your account" email in your own inbox (a real but harmless one is fine). Remove any personal details, then run the phishing-check prompt above in both ChatGPT and Claude. Compare their risk ratings and red flags. Even on a legitimate email, you will learn to read messages the way an analyst does. This is a habit you can run for the rest of your life in under sixty seconds.
Your Homework for This Lesson
Save the phishing-check prompt into your "My AI Security Prompts" note. The next time you receive any unexpected message asking you to click, log in, or pay, run it through the prompt before doing anything else. Build the pause-and-check reflex now, before it counts.
Key Takeaways
- Phishing shares universal red flags: urgency, unexpected links, mismatched senders, credential requests, and look-alike domains.
- Use an AI "phishing-detection expert" prompt to get a structured red-flag analysis and risk rating in seconds.
- Investigate links by hovering, reading the domain right to left, and asking AI to decode the URL — never click to "check."
- AI-written phishing is grammatically perfect, so judge a message by what it asks you to do, not how it is written.
- Verify urgent requests through a separate trusted channel, and always slow down — the pause is your best defense.