AI-Powered Phishing Is Getting Harder to Spot — Here's What Eugene Businesses Need to Know
Phishing attacks have always been the number-one way cybercriminals get into business networks. But something changed in 2024 and into 2025: the emails are getting remarkably good.
For years, the advice was simple — look for bad grammar, suspicious links, and generic greetings. That advice is now outdated. AI tools let attackers generate perfectly written, personalized emails at scale. They can pull your name, your company, your vendors, and even your clients' names from public sources and craft a message that looks completely legitimate.
What AI-Powered Phishing Looks Like
A dental practice manager in Lane County recently received an email that appeared to be from their dental supply vendor, referencing a real pending order, asking them to update payment information for the upcoming delivery. The email had no typos. The logo looked right. The tone was professional.
It was fake. Fortunately, a staff member called the vendor directly before clicking anything. Not every business is that lucky.
This is business email compromise (BEC) — and AI is making it worse.
Why Traditional Defenses Aren't Enough
Standard spam filters look for known malicious links, suspicious domains, and pattern-matched language. AI-generated phishing emails often:
- Come from newly registered domains that haven't been flagged yet
- Use legitimate link shorteners or redirects
- Reference real details pulled from your company website or LinkedIn
- Pass SPF, DKIM, and DMARC checks if attackers have set up their domain correctly
This doesn't mean email filtering is worthless — it still catches the majority of attacks. But it means you cannot rely on filters alone.
What Actually Works
Multi-factor authentication (MFA) is the single most effective control. Even if an employee's credentials are stolen through a phishing attack, MFA prevents the attacker from using them. This is not optional anymore — it should be enforced for every user, on every system.
Email security training that uses real simulations is more effective than annual video training. Monthly phishing simulations that show employees what they missed — and why — change behavior over time. The goal isn't to trick employees. It's to build the habit of pausing before clicking.
A clear "when in doubt, call" policy costs nothing. Employees should know that calling a vendor or colleague directly to verify a suspicious request is not just allowed — it's encouraged.
Advanced email filtering with AI-aware detection (like Microsoft Defender for Office 365 Plan 2) can catch more sophisticated attacks than basic filters. It's not foolproof, but it raises the bar significantly.
The Lane County Context
Eugene-area businesses are not immune to national threat trends. Ransomware groups and BEC actors don't distinguish between Portland and Eugene. They run automated campaigns that target businesses based on industry and size — and dental practices, law firms, and professional services firms are among the most frequently targeted.
If your staff hasn't had security awareness training in the past year, or if MFA isn't enforced across your Microsoft 365 environment, those are your two highest-priority items.
Next Steps
Call us at 541-359-3111 or book a free security assessment. We'll review your email security configuration, MFA status, and staff training program — and tell you honestly where your gaps are.
Need help protecting your business?
Ask Erik serves small businesses and healthcare practices throughout Lane County.