The advice your bank gave you ten years ago about spotting scams is largely obsolete. Watch for typos, generic greetings, and clumsy English. Be suspicious of unsolicited contact. Trust your instincts. These cues worked because scammers operated at scale and could not afford to customize. Two things have broken that assumption: the cheap availability of large language models and the cumulative leakage of personal data over the last decade. Together they have produced a new generation of scams that look right because they actually are tailored.
This is not an argument for paranoia. It is an argument for updating the heuristics, since the old ones are now actively misleading.
What changed in the last three years
A scammer used to need a list of phone numbers and a script. Now the same scammer can buy a database that includes your name, employer, address history, family members, recent purchases, and the last four digits of cards used at breached retailers. They can run that data through a language model that produces a personalized message in seconds, in any language, with no telltale errors. The cost per attempted contact has collapsed while the apparent legitimacy of each contact has soared.
The result is messages that name your kid’s school, reference a real flight you have booked, or impersonate a coworker who actually exists, complete with a plausible reason they might be reaching out. Voice cloning has made phone calls similarly suspect; thirty seconds of someone’s voice from a video call or voicemail is enough to generate convincing audio of them asking for help.
The cues that still work
The new environment makes message-level cues less useful. The cues that still work are structural. Urgency is one. Almost every scam tries to compress your decision time, because thinking is the enemy. A real bank, employer, or government agency rarely needs an answer in the next five minutes. If a message creates pressure to act quickly, that pressure itself is the signal.
Channel switching is another. Scammers want to move you off your normal communication path, often to text, WhatsApp, or a phone call. The reason is that they cannot replicate a verified email thread or an authenticated portal as cleanly. Authentic requests usually live where they normally live. If your boss texts you with a strange request, calling the number you already have for them, on a different channel, is the right response.
What to do with this
Two practices help. First, treat any urgent financial or sensitive request as suspect by default, no matter how convincing the surface details, and verify through an independent channel before acting. Second, use the technical defenses that still work: a password manager that will not autofill on the wrong domain, two-factor authentication on important accounts, and a moment of friction before money moves anywhere new.
Talk about scams with older relatives. The scams aimed at them are usually the most personalized and the highest-stakes, and the cultural reluctance to discuss them lets the scammers operate longer.
The takeaway
The professional, polished scam is the new normal. The cues you grew up with were designed for amateurs and no longer apply. Update the heuristics: structural skepticism, independent verification, and friction before consequential action.
Leave a Reply