Republished on December 21 with a new cybersecurity report into predicted AI threats for 2025, echoing recent FBI warnings.
‘Tis the season to be worried—at least when it comes to the alarming rise in attacks targeting Gmail, Outlook, Apple Mail and other email users. So, little surprise that the FBI has launched a new campaign warning email users how to stay safe. The only trickster you should see this holiday season, the bureau says, is the Naughty Elf.
“Scammers,” the FBI warns, “often offer too-good-to-be-true deals via phishing emails or ads. Such schemes may offer brand-name merchandise at extremely low prices, offer gift cards as an incentive, or offer products at a great price, but the product you receive is different than ordered.”
Their advice drills down to three key things to check for with every unsolicited email that arrives in your inbox before you click your way into trouble: Check the sender’s email address; check any URL before you click or certainly before you engage; and check the spelling and grammar of the email itself, as well as the URL.
We have seen a surge in phishing and fraudulent web domains this holiday season, with all threats on the rise. Aided by AI, it’s now easier for attackers to create compelling emails and websites, mimicking logos and other product imagery, even polishing their copy to make it more convincing and compelling with less mistakes.
The best advice remains to ignore marketing emails—especially when holiday season research suggests most of these are now either scams, fraud or worse. If you see an offer you like, navigate through to it by accessing the website directly or using a search engine. Albeit you also need to watch for SEO poisoning. It has become a more dangerous online world than ever, and you really do need to be careful.
All that said, the FBI’s phishing attack advice hasn’t changed:
- “Remember that companies generally don’t contact you to ask for your username or password.
- Don’t click on anything in an unsolicited email or text message. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing), and call the company to ask if the request is legitimate.
- Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
- Be careful what you download. Never open an email attachment from someone you don’t know and be wary of email attachments forwarded to you.
- Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
- Be careful with what information you share online or on social media. By openly sharing things like pet names, schools you attended, family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.”
Google’s Gmail team has just issued its own advice, warning that “since mid-November, we’ve seen a massive surge in email traffic compared to previous months, making protecting inboxes an even greater challenge than normal.” The team says it “blocks more than 99.9% of spam, phishing and malware in Gmail” for the platform’s more than 2.5 billion users. While security has improved, the company has issued its own advice for users:
- “Slow it down. Scams are often designed to create a sense of urgency, and often use terms like “urgent, immediate, deactivate, unauthorized, etc.” Take time to ask questions and think it through.
- Spot check. Do your research to double-check the details of an email. Does what it’s saying make sense? Can you validate the email address of the sender?
- Stop! Don’t send. No reputable person or agency will ever demand payment or your personal information on the spot.
- Report it. If you see something suspicious, mark it as spam. You’ll be making your Inbox cleaner and helping billions of others too.”
With perfect timing, one such email attack made headlines of its own yesterday, with the Daily Dot reporting that “a tech expert is warning his followers to be on the lookout for the latest Apple email scam.” Initially posted on TikTok, Scott Polderman warns other users that “the reason this is working so good for hackers is because they catch you unexpectedly. And, unfortunately, it’s really working well with those who are less tech-savvy.” That last point is critical—while those reading this article might be savvy to such attacks, in reality most users are not and remain vulnerable.
In his TikTok video, Polderman shows an email purporting to come from Apple with instructions as to how to keep your account. safe and secure. The format of the email closely resembles an Apple original, and it seems the kind of email users might receive to check their settings. The email even includes details as to how you might set up a legacy contact after death, such that someone will then be given access to your account. Polderman notes that even the fine print at the foot of the email “is basically verbatim what you would see on the Apple website.”
But just as the FBI advises, checking the actual email sender quickly outs the scam. “This shows me it is not from Apple.com.” This is always the first thing to check. Click on the name that is likely all you’ll see in your email app and which is easy to mimic. But the underlying full email address is the tell.
Scammers are clever and will come up with a form of words that could be an email address from a genuine business, but it will be complex and will not come from the genuine domain. While it’s possible to mimic even this, it’s usually not done. Most of the mass of phishing attacks can be detected with this simple check. Never treat any email as genuine until you’ve done at least that.
But beware—while this is an easy phishing tell, more sophisticated attacks find ways around this. That even includes hijacking real email addresses, such that emails are sent from actual addresses making the scam much harder to detect. But if the email purports to come from a global brand like Apple or Microsoft or Meta, then their basic email domain will not have been hijacked.
I did a spot check of the last 25 phishing emails I had received, and all fell foul of this test, albeit the copy and imagery are now very difficult to detect per the FBI’s AI warning. Scammers are getting better at tricking email users, that much is as clear as the Apple logo and typography in Polderman’s video. And AI is critical to making everything look and feel more real. You can’t take any single test for sure. And so the advice not to click links or open attachments in any of your emails remains.
But while telltale signs still exist, all indications for 2025 warn threats will become more sophisticated as AI tools are continually improved. In its newly published 2025 cybersecurity predictions, McAfee focuses on this risk, highlighting the “emerging threats consumers may encounter as cybercriminals exploit advanced AI technology. From hyper-realistic deepfakes and live video scams to AI-driven phishing, smishing, and malware attacks, these predictions reveal how cybercrooks are using AI-powered tools to craft increasingly sophisticated and personalized cyber scams.”
The security firm lists its predictions with AI stitched throughout. “As AI continues to mature and become increasingly accessible,” Abhishek Karnik, the company’s Head of Threat Research warns, “cybercriminals are using it to create scams that are more convincing, personalized, and harder to detect. From deepfakes that blur the line between real and fake to AI-driven text message, email, social, and live video scams, the risks to trust and safety online have never been greater.”
Some of the report’s AI highlights are detailed below—but the entire report is worth a read. Having these threats in mind can only be helpful as we enter 2025.
- The use of AI to develop “highly realistic fake videos or audio recordings that pretend to be authentic content from real people,” echoing the FBI’s same warning. “As deepfake technology becomes more accessible and affordable,” McAfee says, “ even people with no prior experience can produce convincing content. With easy-to-use AI tools and accessible tutorials, scammers are finding it easier than ever to manipulate trust and deceive people.”
- Again, echoing the FBI’s own warnings, McAfee also points to AI “giving cybercriminals the ability to easily create more personalized and convincing emails and messages that look like they’re from trusted sources, such as banks, employers, or even family members. They can craft these scams quickly and with precision, making them more difficult to detect and increasing their success rate. As AI tools become more accessible, these types of attacks are expected to grow in sophistication and frequency.”
- And beyond visual tricks, AI is also now driving the malware threat, with bad actors “using AI-powered tools to create smarter, more adaptive malware that can increase its effectiveness. For example, advanced tools like OCR (Optical Character Recognition) technology – which scans images or documents and turns the text in them into editable and searchable digital text – can now extract sensitive information, such as cryptocurrency wallet keys, directly from screenshots or documents. As AI capabilities grow, so does the sophistication of these threats, making them more effective and dangerous.”
The good news is that AI can also be used by the good guys as well, and we have now seen development releases from Microsoft and Google showing that AI is being deployed in Edge and Chrome to use their own tools to detect threats that people are unlikely to find on their own, unaided.
An example would be checking a website against the brand it purports to represent, or looking for signals that suggest a threat, such as asking for certain kinds of financial or personally sensitive information.
What’s still missing is the same kind of detection being fully and properly applied to on-device email. While billions of emails are detected and blocked by platforms, too many still get through. It’s a constant source of surprise how obvious phishing emails with obvious telltales make it into an inbox whole some legitimate emails still get caught out mistakenly. AI will fix all this—and that’s can’t happen soon enough. New advances in on-device AI mean this can be done while preserving user privacy.
All that said, the FBI’s simplest message is still its best: ”If it looks like it’s too good to be true, that’s because it is.”
