The Scams That Broke the Old Rules

For a long time, the best way to spot a scam was to look for a mistake.

You looked for the misspelled word in the subject line, the blurry logo, or the "Dear Customer" greeting that felt a little too generic. It was a game of spot the difference. If the email looked sloppy, you knew it was a fake.

That strategy worked because scammers were limited by their own reach. They were casting wide nets, hoping to catch the few people who wouldn't notice a typo.

In 2026, the typos are gone.

AI doesn't misspell words. It doesn't get your name wrong. It has likely scanned your social media profile and knows where you went to school and which conference you attended last Tuesday. The spot-the-difference era is over.

The question has to change. Instead of asking whether a message looks real, we have to start asking what it is trying to get us to do.

We run IT for Alberta businesses, and attacks like the ones below land in client inboxes every week.

Imagine an email lands in your inbox on a Tuesday morning. It is from a lawyer you don't know, but the firm is real and the signature block is clean. The subject line reads, "Quick question on the Edmonton office lease." The email congratulates you on the expansion, mentions the LinkedIn post you wrote last week, and explains that their legal team flagged a conflict in standard lease language that usually costs tenants money at signing. There is a redline attached. They would like your thoughts before your Thursday meeting.

Every detail checks out. The expansion is real. The Thursday meeting is on your calendar. The LinkedIn post is three days old. You might not even remember writing it.

The message is an AI-generated fake, assembled from public information in about five minutes. The attacker has never met you, has never been to your city, and knows nothing about lease law. What they have is a scraper, a language model, and your name.

The only part of the email worth trusting or doubting is the request at the end: open this attachment. The flattery, the specificity, the perfect grammar, none of it is evidence of legitimacy. It is decoration around an ask.

The same pattern shows up on websites. You are trying to open a document a supplier sent you. The page flickers, a window slides in over the document, and a message tells you something went wrong: the file failed to load, or your browser needs an update, or you need to verify you are human. The branding is correct. The design is clean. But instead of a download button, the page gives you a line of code and asks you to copy it, open your computer's command terminal, and paste it in.

This is called ClickFix, and it is the fastest-growing attack of the last two years. It works because the scammer knows that if they send you a virus, your security software will probably catch it. If they can get you to run the command yourself, you are opening the door and inviting them in. Security software cannot protect you from you.

A page you did not go looking for should never ask you to paste a command into a terminal. That is not how legitimate software fixes itself. Any page that does is the problem, not the fix.

Text is one thing. Voice is another.

AI can now clone a recognizable version of a human voice from less than five seconds of audio. A podcast clip, a video on social media, or a voicemail greeting. Any of those is enough. If your voice has ever been online, a usable copy of it is available to anyone who wants one.

Your phone rings on a Saturday afternoon. The caller is your daughter. She is crying. There has been a car accident, she has been taken in by police, and she needs bail money sent right now. She sounds exactly like herself. She asks you not to tell her mother yet, because she is ashamed.

The sophistication is not really the point. The emotional shortcut is. When you are scared for someone you love, you do not pause to look for red flags. You act.

The pattern to watch for is three things together: urgency, secrecy, and an untraceable payment method. Any one of them on its own is just life. All three at once is a machine talking to you. A real relative in a real emergency will accept, "I am going to call you back on the regular number I have saved." A scammer will not.

It is 11:43 on a Tuesday night. Your phone buzzes on the nightstand. It is a login approval prompt, the kind most important accounts now send when someone tries to sign in. You tap deny and roll over. It buzzes again. Deny. Again. And again. By the tenth one you are half-awake and irritated, and you approve just to make the buzzing stop. Then you fall asleep.

The login you just approved was real. Somebody had your password. The prompt on your phone was the last thing standing between them and your account, and you waved it through. That second step, the one you bypassed, is called multi-factor authentication, and it is the single strongest defense most people have. MFA fatigue is an attack on the person holding the phone.

Every MFA prompt is asking a question: did you just try to sign in? If the answer is no, the only correct answer is deny, no matter how many times it buzzes. Noise you did not cause is not a reason to approve something. It is a reason to change your password.