I Asked a Security Expert to Review My Inbox — Here Is What She Found

By Alex Chen · 5 min read

Last month, I asked a friend — a senior security analyst at a Fortune 500 company — to look at my inbox and tell me which emails were phishing attempts.

She found three I'd missed. One was disguised as a Notion sharing notification. Another looked exactly like a Google Drive alert. The third was a fake invoice from a vendor I actually use.

I've been writing about cybersecurity for years, and I still almost fell for them.

That conversation turned into a longer discussion about how phishing has evolved, why traditional advice no longer works, and what regular people can actually do to protect themselves. Here's what she told me — with her permission, under the condition I don't use her real name. We'll call her Sarah.

Q: Phishing used to be obvious — bad grammar, Nigerian prince stuff. What changed?

Sarah: Everything. The old phishing playbook died around 2023-2024 when attackers started using AI to write their emails. You can't spot phishing by grammar anymore because the grammar is perfect. The formatting is perfect. The sender addresses are close enough that you won't notice unless you're specifically looking.

What we're seeing now is hyper-targeted phishing — what we call spear phishing — at consumer scale. Attackers scrape your LinkedIn, your social media, your company website. They know your boss's name, your recent projects, the tools you use. So the email says "Hey, here's the updated Q1 report from David" and David is your actual manager and Q1 is the actual quarter you're in.

The sophistication gap between state-sponsored attacks and regular cybercrime has basically collapsed. A teenager with ChatGPT and a $20 phishing kit can produce emails that would have required a professional team five years ago.

Q: So what should people actually look for now?

Sarah: Stop looking at the content and start looking at the context. I tell everyone the same three things:

First, check the action, not the message. Every phishing email wants you to do something โ€” click a link, download a file, enter credentials, transfer money. If an email creates urgency around an action ("Your account will be suspended in 24 hours!"), that's a red flag regardless of how legitimate it looks.

Second, verify through a different channel. If your "boss" emails you asking to buy gift cards, don't reply to the email. Walk over to their desk, call them, or send a separate Slack message. If a "vendor" sends an invoice with new payment details, call the vendor directly using the number on their website — not the number in the email.

Third, hover before you click. This is still the single most effective habit. On desktop, hover over any link and look at where it actually goes. On mobile, long-press. If a link says it goes to google.com but the URL shows g00gle-security.sketchy-domain.com, you know what's up.
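The "hover before you click" check can be automated for a whole message. The script below is an added example written for this article, not code from Sarah or from any product she mentioned. It parses the anchors out of an HTML email body, compares the domain the visible link text claims against the host the href actually points to, and flags hosts that imitate a brand with digit-for-letter substitutions (the g00gle pattern above). The email body, the brand list, and the registrable-domain shortcut are constructed assumptions for the demo.

```python
"""Flag email links whose visible text or host does not match where the href really goes.

Added example for the hover-before-you-click habit. The sample email, the
brand list and the two-label "registrable domain" shortcut are assumptions
made for this demo (real code would use the Public Suffix List).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: brand names an attacker is likely to imitate (first DNS label only).
BRAND_NAMES = {"google", "notion"}

# Digit-for-letter substitutions commonly used in lookalike hostnames.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Visible anchor text that itself looks like a URL or bare domain.
_URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL or bare domain ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Last two labels of a host. Simplification: wrong for suffixes like co.uk."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def lookalike_of(host):
    """Return the brand a host imitates via digit substitutions, or None."""
    for label in host.split("."):
        for piece in label.split("-"):  # 'g00gle-security' -> 'g00gle', 'security'
            normalized = piece.translate(_HOMOGLYPHS)
            if normalized in BRAND_NAMES and piece != normalized:
                return normalized
    return None


def audit_links(html):
    """Return one finding per anchor: href, text, suspicious flag and reasons."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        actual = host_of(href)
        claimed = host_of(text) if _URL_LIKE.fullmatch(text) else None
        reasons = []
        if claimed and registrable(claimed) != registrable(actual):
            reasons.append(f"text claims {claimed} but link goes to {actual}")
        brand = lookalike_of(actual)
        if brand:
            reasons.append(f"host {actual} imitates {brand}")
        findings.append({"href": href, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


# Constructed sample: a fake "shared document" notification with three links.
SAMPLE_EMAIL_HTML = """
<p>Alex shared a document with you.</p>
<a href="https://drive.google.com/file/d/abc123">Open in Google Drive</a>
<a href="https://g00gle-security.sketchy-domain.com/login">google.com</a>
<a href="https://notion.so/share/xyz">https://notion.so/share/xyz</a>
"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL_HTML):
        status = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{status:10} {f['href']}  ({'; '.join(f['reasons']) or 'no issues'})")
```

Only the second link trips both checks: its text claims google.com while the href lands on sketchy-domain.com, and the host label g00gle is a digit-substituted google. The first link is clean even though its text is prose rather than a URL, which is why the script only compares domains when the visible text itself looks like one.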

Q: What about AI-generated voice calls? I keep hearing about those.

Sarah: Voice cloning is real and it's terrifying. We've had cases where attackers cloned a CEO's voice from a quarterly earnings call — there's 45 minutes of clean audio right there on YouTube — and used it to call the CFO requesting an emergency wire transfer.

The defense is the same: verify through a different channel. If someone calls you with an urgent financial request, hang up and call them back on their known number. Establish a verbal password or code phrase with family members for emergency situations. It sounds paranoid until you realize a three-second voice sample is enough to create a convincing clone.

For businesses, we're starting to recommend that any financial transaction above a certain threshold requires multi-person authorization AND out-of-band verification. No single phone call should be able to move money.

Q: Are regular people actually at risk, or is this mostly a corporate problem?

Sarah: Regular people are the primary target now. Corporations have gotten better at security โ€” they have email filters, security teams, training programs. Regular people have Gmail and hope.

The attacks targeting individuals are different but just as dangerous. Fake package delivery notifications that install malware. Romance scams that use AI-generated photos and conversations. Fake tech support calls. Fraudulent investment schemes promoted through social media.

Last year, the FBI's Internet Crime Complaint Center reported over $12.5 billion in losses from cyber fraud. That's not corporations โ€” that's regular people losing their savings, their identity, their peace of mind.

Q: What's the minimum security setup you'd recommend for a regular person?

Sarah: Five things. Takes about an hour total:

1. Password manager. I don't care which one — Bitwarden, 1Password, whatever. Just stop reusing passwords. This single change eliminates about 60% of your risk.

2. Two-factor authentication on email and banking. Use an authenticator app, not SMS. If someone compromises your email, they can reset every other password you have. Protect it accordingly.

3. Software updates on automatic. I know the popups are annoying. I don't care. Most attacks exploit known vulnerabilities that were patched months ago. Update your stuff.

4. Freeze your credit. All three bureaus. It's free, it takes ten minutes, and it prevents anyone from opening accounts in your name. Unfreeze temporarily when you need to apply for credit.

5. Be skeptical by default. This is the hardest one because it's a mindset shift. Assume every unexpected email, call, or message might be an attack until proven otherwise. It's not paranoia — it's pattern recognition based on current threat data.

Q: Any final advice?

Sarah: The biggest mistake people make is thinking they're not important enough to be targeted. Attackers don't care who you are. They care what you have access to โ€” your bank account, your email contacts, your employer's network. Everyone is a target. The only question is whether you're a hard target or an easy one.

Make yourself slightly harder to attack than the average person, and attackers will move on to someone else. That's the reality of it. You don't have to be perfect. You just have to not be the easiest victim in the room.
