Jul 6 / Aneta Klosek

When Every Phishing Email Is Personal: The New Shape of Fraud

Fraud & Financial Crime

AI-Generated Phishing at Personalised Scale: What It Means for Fraud Typologies and Transaction Monitoring

Large language models can now draft thousands of individually tailored social engineering messages an hour. That shift is changing what fraud looks like upstream of the transaction — and what monitoring teams need to watch for.

For years, phishing detection leaned on a simple assumption: mass-produced scam messages would eventually give themselves away. Poor grammar, generic greetings, mismatched logos. Generative AI has quietly removed that assumption. Large language models can now produce fluent, context-aware messages referencing a real employer, a real project, or a real recent event, generated in seconds and at volumes no human fraud crew could match. Industry analysis from security vendors KnowBe4, SlashNext, and Hoxhunt indicates AI-generated content now appears in the large majority of phishing emails observed, with a meaningful share of business email compromise (BEC) messages assessed as primarily AI-written.

This is not a marginal improvement to an old technique. It is a change in unit economics. When the cost of producing one convincing, personalised lure approaches the cost of producing one thousand, fraud shifts from a volume-versus-quality tradeoff into something closer to industrial production — and that has direct consequences for how fraud typologies are evolving and how transaction monitoring programmes need to respond.

$16.6B Cybercrime losses recorded by FBI IC3 in 2024, up 33% year-over-year
$2.77B Losses tied to BEC incidents reported to FBI IC3 in 2024, across 21,442 incidents
Nov 2024 FinCEN issues its first alert dedicated to GenAI-enabled deepfake fraud, FIN-2024-Alert004

How the Fraud Typology Is Shifting

Personalised, AI-generated phishing rarely stays a standalone email problem. It is increasingly the entry point into fraud typologies that transaction monitoring teams already track — but it changes how those typologies present at the account level.

Account takeover, faster and less detectable

Credential-harvesting phishing feeding account takeover is a well-established pattern. What has changed is speed and believability at the lure stage. Once credentials are captured, the well-known post-access pattern still applies: rapid movement of funds via ACH or wire to mule accounts, frequently within minutes of login. What differs now is that more victims are being fooled in the first place, because the message referencing their actual bank, actual recent transaction, or actual colleague is no longer something a spam filter or a wary employee can dismiss on style alone.

Synthetic identity onboarding

FinCEN's November 2024 alert on generative AI fraud describes a related but distinct pattern: criminals using GenAI to fabricate or alter identity documents, photos, and videos to open new accounts and pass verification checks. The accounts are then used to funnel money tied to check fraud, credit card fraud, authorized push payment fraud, loan fraud, or unemployment fraud schemes.

Business email compromise, multimodal

AI is also extending BEC beyond email. Convincing written impersonation of an executive's tone is now regularly paired with voice cloning or deepfake video on a call, used to authorise wire transfers that would previously have required a live human impersonator with matching vocal and visual cues.

1

AI drafts personalised lure at scale

2

Credential theft or fraudulent onboarding

3

Account takeover or new account funded

4

Rapid transfer to mule or risky payee

What This Means for Transaction Monitoring

The practical implication is that content-based defences — the spam filter, the "look for the typo" training module — are losing relevance as a first line of defence. FinCEN's alert and related law-enforcement guidance point monitoring teams toward behavioural and account-level signals instead, including deepfake-detection flags on submitted photos or video, geographic or device data that is inconsistent with the identity documents on file, and newly opened accounts that show rapid transaction activity or high payment volumes to higher-risk payees such as gambling sites or digital asset exchanges.

Two design implications follow for monitoring programmes:

  • Move detection downstream of the message, onto the account. If the lure itself can no longer reliably be flagged, monitoring logic needs to weight what happens after contact — new-account velocity, device and geolocation inconsistency, and payee risk — more heavily than message-level indicators alone.
  • Treat onboarding and payments monitoring as one continuum. FinCEN's alert explicitly ties GenAI-enabled identity fraud at onboarding to downstream payment fraud typologies. Institutions that monitor these as separate stages risk missing the pattern that connects a synthetic identity to the transactions it later generates.
Regulatory reference point

FinCEN Alert FIN-2024-Alert004 (November 13, 2024) asks institutions filing a related Suspicious Activity Report to include the key term "FIN-2024-DEEPFAKEFRAUD" in the SAR narrative, to help the agency track how these schemes evolve across the sector.

The Compliance Takeaway

None of this means transaction monitoring needs to be rebuilt from zero. It means the weighting of existing controls should shift. Identity verification at onboarding, out-of-band verification for payment instruction changes, and dual-approval controls for high-value transfers all become more valuable precisely because they do not depend on a human correctly judging whether a message "feels" genuine. As FBI and FinCEN guidance both indicate, the lure is no longer the reliable tell it once was — the account behaviour that follows it still is.

Sources referenced:

FinCEN, Alert FIN-2024-Alert004, "Fraud Schemes Involving Deepfake Media Targeting Financial Institutions" (November 13, 2024), fincen.gov

Federal Bureau of Investigation, Internet Crime Complaint Center (IC3), 2024 Internet Crime Report

Disclaimer & Copyright

This article is published by AITHEA GmbH for informational and educational purposes only. It is intended to provide general insights into compliance, technology, and related topics, and does not constitute legal, regulatory, or professional advice. Readers should seek appropriate professional guidance before making decisions based on the content provided.

The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the official position of AITHEA GmbH, its partners, or affiliated organisations.

Artificial intelligence (AI) tools are actively used in the creation of this content. AI may support the drafting of text and the improvement of structure, clarity, and readability. However, all content is based on human-defined topics, reviewed against relevant sources, and critically validated by the author(s). AI is not used as a source of truth, but as a supporting tool to enhance communication.

All content is the intellectual property of AITHEA GmbH unless otherwise stated. Reproduction, distribution, or translation for non-commercial purposes is permitted, provided that appropriate credit is given and the source is clearly acknowledged. For any commercial use, prior written permission is required. © Aithea, 2026.
Created with