Scammers use AI to create convincing phishing emails, clone voices, realistic videos

Dubai: For years, consumers were told to look for poor spelling, awkward grammar and strange-looking emails to identify scams. That advice is rapidly becoming outdated.
As artificial intelligence becomes more powerful and accessible, cybersecurity experts say scammers are using the same technology to create convincing phishing emails, clone voices, generate realistic videos and even develop malware that adapts to evade detection.
The result is a new generation of cyber threats that can fool even experienced internet users, making digital awareness just as important as antivirus software.
Get updated faster and for FREE: Download the Gulf News app now - simply click here.
"Gone are the days when the tell-tale signs of a scam exist. AI has enabled scammers to perfect their grammar but also create compelling and targeted content," said Imran Sheikh, Senior Director, Strategic Partnerships at TrendLife.
"Some clues that consumers should watch for are time-based pressure to act immediately or any other tactics that create a heightened sense of urgency. Scammers want you to be in a heightened state of anxiety to increase the likelihood you may make a decision against your own best interest."
Subhajeet Singha, Threat Intelligence Researcher at Acronis Threat Research Unit, said the biggest change is not simply that scams look better—they are becoming more effective.
"The clues have shifted from content to context. First, stop trusting how the message looks and start questioning what it asks you to do," he said. "No legitimate bank, government agency or service provider should ask you to urgently click a link and enter your password, OTP or payment details. Urgency is now the red flag, not grammar."
The growing concern comes as AI is increasingly being deployed on both sides of cybersecurity.
Technology companies are using advanced AI models to uncover software vulnerabilities that could otherwise remain hidden for years. Those discoveries eventually protect billions of users once software developers release security updates.
"When security researchers identify a deep vulnerability in a widely used app, developers of the app are notified and typically patch the vulnerability as soon as they can," Sheikh said. "Security researchers using AI can accelerate these discoveries and notify app developers at a much faster pace. But real protection happens when the app developer acts upon the information, issues the patch and consumers initiate the update of the app on their own devices."
Singha said the impact reaches far beyond large technology companies. "Your banking app on your phone does not exist in isolation," he said.
"It runs on top of iOS or Android, it connects through cloud infrastructure and uses open-source cryptographic libraries to keep your transactions safe. If there is a vulnerability hiding deep inside any of those layers, an attacker does not care whether you are a Fortune 500 company or a regular person checking your balance in Dubai."
Researchers say cybercriminals are also using AI to automate attacks and customise them for individual victims.
"AI-generated malware, scams and fraud already exist," Sheikh said. "Cybercriminals have found ways to leverage AI to automate a lot of what they do... AI lowers the cost of creating polymorphic malware—code that changes its own signature to evade detection—and enables highly personalised phishing at scale."
Singha said the industry is already seeing malware that uses AI while it is running.
"The biggest change is not just more malware; it is more adaptive malware," he said. "AI helps attackers personalize phishing, automate reconnaissance, adjust malicious behavior to the device environment, and make scams look more legitimate."
He urged consumers to keep operating systems updated, avoid unofficial app stores and review application permissions carefully.
The rapid adoption of free AI assistants is also creating fresh privacy concerns.
Residents are increasingly using chatbots to summarise medical reports, analyse contracts, draft emails and organise household finances.
"It depends on the provider," Sheikh said. "Free AI tools typically use the conversations or information we submit to them to improve their models unless users explicitly opt out of this. However, not all free AI tools offer the option to opt out."
His advice is straightforward. "Don't submit anything to such tools that you wouldn't post publicly such as bank statements, passport details, medical records, or work contracts."
Singha echoed the warning, saying many users underestimate how much personal information they reveal.
"Would you read your bank statement, medical report or passport details out loud in a crowded café?" he said. "If not, do not paste them into a free AI tool you do not fully trust."
Many of the latest smartphones now perform AI tasks directly on the device instead of sending information to cloud servers. Sheikh said local processing reduces some security risks because personal data remains on the phone rather than travelling across the internet.
"But on-device AI models become a new attack surface in their own right," he said, warning that future attackers may attempt to manipulate AI models directly. "Keeping your mobile device updated and running a reputable mobile security product remains the most effective way to stay protected."
Singha described on-device AI as "a net positive" overall but said consumers should not assume local processing makes devices immune to attacks. "People still need to be careful about what apps they install, keep their OS updated, and not assume that just because processing happens locally, everything is automatically safe."
Both experts also pointed to the rapid rise of AI-generated voice and video impersonation. "Deepfake-enabled fraud is rising sharply not just in the Gulf but around the world," Sheikh said. "Voice cloning has been used to imitate company executives as well as individual family members in crisis."
He recommends families agree on a private safe word to verify identities before sending money during emergencies. Singha said deepfakes are becoming increasingly difficult to detect visually, making independent verification more important than ever.
"If someone asks for money, OTPs, credentials, identity documents or urgent action, do not trust the video or voice alone," he said. "End the interaction and verify through a separate trusted channel."
Despite AI becoming more sophisticated, both experts believe the most effective defence remains remarkably simple. "As AI becomes engrained in our lives, it's critical that Gulf residents learn good digital and AI literacy skills," Sheikh said. "One of those is the power to pause."
Singha offered similar advice. "When any message, call, email, or notification creates a feeling of 'I need to do this right now,' that feeling itself is your warning signal," he said. "The attackers have AI now. The content they produce is going to be near-perfect. But they cannot take away your ability to pause and verify."