In the fight against phishing, forward-thinking organisations are winning. But there’s a twist. The heightened vigilance that has empowered employees to detect suspicious emails is now creating a new dilemma: legitimate, business-critical messages are being flagged, ignored, or buried in spam folders. And in today’s AI-fuelled cyber landscape, that reaction may be as justified as it is damaging.
Phishing works and it’s reshaping trust
The release of generative AI tools has supercharged phishing attempts. KnowBe4’s Phishing Threat Trend Report 2025 (https://apo-opa.co/4kdUXIx) shows that more than 80% (https://apo-opa.co/3TNjJnN) of the analysed phishing emails were augmented by AI, and they’re far more convincing than before.
“The gut-check we used to rely on has been gamed – and even the large language models now being explored to help detect suspicious emails are also struggling,” says Anna Collard, SVP of Content Strategy & Evangelist at KnowBe4 Africa. “They’re forced to dig deeper, assessing tone, context, and subtler red flags.”
The result? Suspicion is now the default
And it’s not unwarranted. Maturing cybersecurity awareness and phishing simulation programs have helped sharpen employees’ scepticism (https://apo-opa.co/3GpDVcj). But this success has revealed a new problem: overcorrection.
Emails that are real – from HR, IT, legal, or sales – are now increasingly being misjudged. In some cases, they’re wrongly flagged as phishing by either people or systems.
In others, they’re simply ignored. The irony is that some of the most common and legitimate corporate communication traits are now the very ones that raise red flags:
- Urgency: “Sign this by COB today”; or when every email from a colleague is marked “urgent”
- Unexpected senders: e.g. HR tools or SaaS platforms
- Calls to action: “Click here to confirm”
- Stylistic quirks: overly polished copy, too many links or bold phrases
- Tech misalignments: emails from legitimate senders failing DMARC or DKIM checks
“Even just using a third-party sender domain can cause confusion,” says Collard. “If staff don’t expect it – or don’t recognise the platform – the message can get flagged.”
And for good reason: according to KnowBe4’s Phishing Threat Trend Report (https://apo-opa.co/4kdUXIx), the top 5 legitimate platforms used to send out phishing emails include popular business tools such as DocuSign, PayPal, Microsoft, Google Drive and Salesforce.
The cost of false positives
When real emails get sidelined, the impact is more than a missed message. Delayed IT updates, ignored HR deadlines, and lost sales opportunities can create serious ripple effects across operations. Deliverability issues also erode trust. And in high-stakes environments like healthcare, legal services or finance, false positives can become costly very quickly.
So, how do you write emails that get read – not flagged?
To combat this growing challenge, organisations need to stop thinking of phishing risk as purely a recipient problem. Legitimate internal emails need to look legitimate too.
Here’s how every team – from HR to IT to marketing – can write more trustworthy emails:
Write Like a Human, Deliver Like a Pro
- Subject lines should set expectations: Use clear, predictable language. Instead of “IMPORTANT: Read this now!”, try “Reminder: Benefits enrollment closes Friday”.
- Lead with context before asking for action: Start with a reference point: “You recently submitted a travel claim…” or “As part of your onboarding…”.
- Limit urgency to what’s truly urgent: Too many “ASAP”s will breed indifference. Use urgency sparingly – and explain why it matters. Remember:
- Minimise links and avoid vague CTAs: Avoid phrases like “click here” or hyperlinking whole sentences. Provide a fallback path:
- Be cautious with tone and formatting: Avoid shouty subject lines, gimmicky language, or inconsistent formatting that can trigger filters.
- Test before sending: Run your email through spam-filter testing tools to see what might flag it (Mail-Tester.com or GlockApps.com).
Get your digital paperwork in order
Even the best-written email may never reach its recipient if your authentication protocols aren’t properly configured. SPF, DKIM, and DMARC are three essential technical settings that help prove your email really came from your domain.
- SPF tells email providers which servers are allowed to send emails using your domain name – helping stop spammers from pretending to be you.
- DKIM adds a digital signature to your emails to prove they really came from you and weren’t changed along the way.
- DMARC brings SPF and DKIM together by setting rules for what to do with suspicious emails (like send them to spam or block them) and sends reports to your IT team so they can spot abuse.
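As an added example (not from KnowBe4 or this article), the script below reads a constructed DMARC aggregate report of the kind the protocol sends to the IT team and separates a contracted third-party platform that is failing SPF and DKIM alignment (a legitimate sender whose mail is being quarantined) from unknown sources that may be abuse. Every address, count and the known-platform list are made up for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed DMARC aggregate (rua) report in the RFC 7489 XML shape; every
# address and count below is made up, using documentation IP ranges.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>420</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
 </row><identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>203.0.113.25</source_ip><count>37</count>
  <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
 </row><identifiers><header_from>example.com</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>3</count>
  <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
 </row><identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

# Hypothetical: addresses of the third-party platforms (HR tool, e-signature
# service) that the organisation has contracted to send mail as example.com.
KNOWN_PLATFORM_IPS = {"203.0.113.25": "hr-saas-platform (constructed)"}

def parse_report(xml_text):
    """Return one dict per <record>: source, count, aligned DKIM/SPF results, disposition."""
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        row, pe = rec.find("row"), rec.find("row/policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dkim": pe.findtext("dkim"),
            "spf": pe.findtext("spf"),
            "disposition": pe.findtext("disposition"),
        })
    return rows

def triage(rows, known_platforms):
    """Sort unaligned senders into 'fix our own setup' vs 'possible abuse'."""
    fix, suspect = [], []
    for r in rows:
        if r["dkim"] == "pass" or r["spf"] == "pass":
            continue  # at least one aligned mechanism passed, so DMARC passed
        if r["source_ip"] in known_platforms:
            # A tool we actually use is being quarantined: add it to SPF and
            # have it sign with our DKIM key, or staff will never see its mail.
            fix.append((r["source_ip"], known_platforms[r["source_ip"]], r["count"]))
        else:
            suspect.append((r["source_ip"], r["count"]))
    return {"fix": fix, "suspect": suspect}
```

Calling triage(parse_report(SAMPLE_REPORT), KNOWN_PLATFORM_IPS) lists the HR platform under "fix" (37 quarantined messages) and the unknown 198.51.100.7 under "suspect".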
“These protocols are a bit like a digital passport,” Collard explains. “Without them, even a genuine email may not make it through.”
But even technically sound emails can fall flat if they don’t look legitimate to the reader. That’s why it’s just as important to consider how your internal teams craft and send messages.
Internal brand security: don’t just train recipients – train senders too
Cyber awareness is often focused on detection. But to maintain deliverability and trust, sender behaviour matters too. Teach teams to avoid accidental red flags. Share templates and subject line guides. And ensure that employees – especially those sending to large groups – understand the basics of trustworthy communication.
Consistency is key. Make sure communications come from the same official addresses, follow familiar formats, and maintain a recognisable tone. This teaches recipients what to expect – and what to be cautious of – drawing a clearer line between legitimate messages and possible fakes.
“This is part of internal brand hygiene,” says Collard. “When your team consistently communicates clearly and predictably, you build trust over time – with both employees and clients. That trust makes your emails easier to recognise, safer to deliver, and more likely to be opened.”
In a world where AI can impersonate your tone and template with ease (https://apo-opa.co/3TPcb3X), your best defence is to sound like yourself – and help others know what to expect when you speak.
Distributed by APO Group on behalf of KnowBe4.
Contact details:
Anne Dolinschek
KnowBe4
Email: anned@knowbe4.com
TJ Coenraad
Red Ribbon
Email: tj@redribboncommunications.co.za