The next generation of phishing attacks
If phishing scams are designed to fool people, why do so many still feel poorly executed?
For a long time, the answer was straightforward: most phishing attacks were mass‑produced.
Criminals would reuse the same emails and fake websites, sending them to thousands of people and relying on a small percentage to fall for the trick.
This technique hasn’t disappeared, but it is changing.
When generative AI first made headlines, there was a lot of discussion around “dynamic websites”. The idea was that instead of one fixed website for everyone, pages would be created in real time — shaped by who you are, where you’re located and the device you’re using.
For most legitimate businesses, this vision never really became reality. It was complicated, costly and often unnecessary.
Cyber criminals, however, don’t need perfect systems. They just need something realistic enough to convince you.
Security researchers have already demonstrated how these ideas could be applied to phishing. While this approach is still largely experimental, it offers a glimpse into the future of online scams.
Here’s how it works:
- A victim clicks on a link and lands on a webpage that appears harmless
- There’s no obvious malicious code baked into the site
- Once loaded, the page asks a legitimate AI service to generate content
- That content is built and executed directly in the visitor’s browser
The end result is a phishing page created specifically for that individual.
- The wording can change
- The layout can look different
- The underlying code can vary each time
There’s no single fake website for security tools to detect and block because the scam doesn’t fully exist until someone opens it.
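Even when the page changes on every load, the browser's request to the AI service stays visible on the network. The following is an added example, not part of the original article: a proxy-log check that flags browser requests to generative-AI API hosts made by pages outside an allow-list. The log format, host list, allow-list and sample records are all assumptions constructed for illustration, and seeing the Origin header assumes a TLS-inspecting proxy.

```python
import json

# Assumption: illustrative list of generative-AI API hosts; maintain your own.
AI_API_HOSTS = {"api.openai.com", "api.anthropic.com", "generativelanguage.googleapis.com"}
# Assumption: origins of web apps the organisation has approved to call those APIs.
SANCTIONED_ORIGINS = {"https://chat.intranet.example"}

# Constructed sample records (not real traffic), one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2025-01-10T09:00:01Z", "client": "10.0.0.21", "host": "api.openai.com", "origin": "https://chat.intranet.example"}
{"ts": "2025-01-10T09:02:13Z", "client": "10.0.0.34", "host": "api.openai.com", "origin": "https://invoice-portal.example.net"}
{"ts": "2025-01-10T09:02:40Z", "client": "10.0.0.34", "host": "cdn.example.org", "origin": "https://invoice-portal.example.net"}
{"ts": "2025-01-10T09:05:55Z", "client": "10.0.0.50", "host": "api.anthropic.com", "origin": null}
not-json garbage line
"""

def find_unsanctioned_ai_calls(log_text):
    """Return records where a web page outside the allow-list called an AI API."""
    findings = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the run
        if not isinstance(rec, dict):
            continue
        host = str(rec.get("host", "")).lower().rstrip(".")
        if host not in AI_API_HOSTS:
            continue
        origin = rec.get("origin")
        # No Origin header: likely a non-browser client, out of scope for this check.
        if not isinstance(origin, str) or not origin:
            continue
        if origin.rstrip("/").lower() not in SANCTIONED_ORIGINS:
            findings.append(rec)
    return findings

if __name__ == "__main__":
    for hit in find_unsanctioned_ai_calls(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["client"]} page {hit["origin"]} -> {hit["host"]}')
```

A hit is a lead for triage, not a verdict: legitimate sites that embed AI features will also appear until their origins are reviewed and added to the allow-list.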
Before panic sets in, it’s important to note that this technique isn’t widespread yet. However, all the building blocks are already in use:
- AI is being used to help write malicious code
- Malware is increasingly assembled while it runs
- AI‑assisted scams are becoming more common and more convincing
What does this mean for your business?
Phishing is no longer just about spotting bad spelling or clumsy design. Tomorrow’s scams are likely to be polished, personalised and very believable.
That’s why modern cyber security focuses less on never clicking the wrong thing and more on reducing the impact when someone inevitably does.
Effective protections still include:
- Multi‑factor authentication
- Secure, hardened browsers
- Advanced email filtering and threat detection
Phishing isn’t going away — it’s simply getting smarter.
To stay protected, businesses need to assume the next scam will look professional and ensure their defences don’t rely on staff spotting obvious mistakes.
Want to understand how exposed your organisation might be? Contact GZD for tailored advice on improving your business’s IT security.