AI and Phishing – Smarter Scams, Bigger Risks

Published | July 1, 2025

Author: Braden Hamilton
ITS Communications Intern
Summer 2025

AI’s presence is rapidly increasing, and while there are many benefits to AI, there has been a rise in AI’s use in phishing scams. As a W&L student, faculty, or staff member, it’s important to recognize that a compromised account can impact not only you, but all of campus.

What can Phishing Look Like?

According to Washington and Lee Chief Information Security Officer, Dean Tallman, the most prevalent kind of phishing scam the university has encountered in the past year is AI-powered polymorphic attacks. These attacks use AI technology to randomize and shift different components of an email, such as the subject line, content, sender’s display name, and introductions, making it significantly harder to tell if an email is a phishing email.

A recurring phishing email recently seen across campus is the fake invoice scam. While these messages can vary in appearance, they typically share three common traits:

The message says, “Thank you for your purchase – your card has been charged $$$” or something similar.
There is no receipt or order confirmation link provided.
The message encourages you to call the provided phone number if you have any questions.

Falling for this scam and calling the number can put your email, phone number, and even your debit or credit card details at risk.

Chart of compromised accounts, 13 in 2023, 1 in 2024, 3 thus far in 2025 — Since the start of increased security awareness efforts in 2023, we’ve seen a decrease in compromised accounts among both employees and students.

How Can I Prevent This?

Unfortunately, there’s no way to completely prevent phishing attacks. However, the best defense is education combined with proactive security measures, such as using multi-factor authentication apps (like Duo) and keeping your software up to date. Find out more about safe computing by visiting the ITS website.