// Employee Phishing Awareness Guide

Phishing is smarter now. So is your protection.

Attackers now use AI to write perfect phishing emails. ESA fights back with the same AI technology — analysing every email automatically as you open it, explaining exactly what is suspicious before you click anything.

94% of breaches start with phishing
£35k average BEC fraud cost
2s ESA analysis time
// The problem

Why employees keep getting caught

Emails look legitimate
Modern phishing emails pass Microsoft Defender, use correct branding, real names, and reference actual invoices. Even experienced staff cannot tell the difference at a glance.
74% of phishing emails pass technical filters
Urgency forces fast decisions
Phishing emails create artificial pressure — expiring passwords, missed payments, CEO requests. Employees under time pressure skip verification and click before thinking.
67% of clicks happen within 1 hour of receipt
AI makes phishing perfect
Attackers now use generative AI to write flawless phishing emails — perfect grammar, correct tone, personalised context. No spelling mistakes to spot. No obvious tells.
AI-generated phishing up 1,265% since 2022
// AI versus AI

Attackers use AI. ESA fights back with AI.

When AI writes the attack, only AI can reliably detect it. Traditional keyword filters and grammar checkers are useless against perfectly written phishing emails. ESA uses the same generation technology to understand intent — not just words.

How attackers use AI
The threat landscape in 2026
Generate personalised emails using publicly available LinkedIn and company data — your name, role, manager, recent projects
Write in perfect English with correct tone, matching the style of your organisation's internal communications
Craft convincing narratives — fake invoice disputes, CEO travel requests, IT alerts — that read as completely routine
Scale attacks to thousands of targets simultaneously with personalised content — what used to take weeks now takes minutes
Bypass awareness training by eliminating the obvious signals employees are trained to spot
Same attack — human vs AI written — both detected by ESA
Human written
"Dear Customer, ur password expireing today click here to reset thankyou IT Support"
85 HIGH — obvious tells
AI generated
"Hi Sarah, as discussed with your IT team, your Microsoft 365 credentials require renewal before end of business today to maintain uninterrupted access."
82 HIGH — infrastructure signals
ESA catches both — not by reading the text for errors, but by analysing the sending domain, authentication headers, and the social engineering narrative pattern. AI-generated text cannot fake a legitimate domain or pass DMARC checks for a domain the attacker does not control.
How ESA fights back
AI that understands intent
Analyses sending infrastructure — domain age, registration history, authentication records. AI can write perfect text but cannot create a legitimate domain instantly
Reads the narrative intent of the email — not just keywords, but the combination of authority, urgency, secrecy, and financial request that defines social engineering
Detects display name spoofing — when the visible sender name claims one organisation but the actual email domain is different
Explains signals in plain English — not a black-box verdict, but a specific explanation your employee can act on
Patent pending architecture — 27 claims covering event-triggered AI analysis across email, collaboration, and ERP platforms
Why ESA catches AI-generated phishing
AI-generated phishing emails are linguistically perfect but infrastructurally flawed. They still come from newly registered domains. They still fail DMARC authentication when they spoof a domain they do not control. They still use urgency and authority patterns. ESA analyses all three layers simultaneously — text, infrastructure, and behavioural patterns — making AI-written emails no harder to detect than human-written ones.
Patent Pending GB2610008.1 · Filed 29 April 2026
// How ESA works

Pin once. Protect always.

Pin the ESA taskpane once in Outlook and it analyses every email automatically as you open it — no button click needed. Covered by Patent Pending GB2610008.1.

1. Pin the taskpane once
Pin the ESA taskpane in Outlook once and it analyses every email automatically as you open it. Or click Check Safety at any time for an instant on-demand assessment. No technical knowledge required.
Pin once — automatic forever
2. AI analyses the signals
Azure OpenAI checks the sender domain age, DMARC/SPF/DKIM authentication, urgency language, social engineering narrative patterns, and link destinations — simultaneously.
Azure OpenAI · Under 2 seconds
3. Risk score and explanation
A score from 0 to 100 is generated. The threshold engine decides how to present the result — silent for safe emails, full warning panel for high-risk emails with plain-English signal explanations.
Patent Pending GB2610008.1
4. One-click action
Report to SOC, delete safely, or dismiss — all with one click. One-click reporting sends a complete AI-generated incident report to your security team automatically.
Actionable in seconds
ESA // Analysing email...
From: support@helpdesk-uk.com
Subject: Urgent: Your Microsoft 365 password expires today
Authentication: DMARC: FAIL · SPF: FAIL · DKIM: NONE
Score: 85 (High Risk)
HIGH: Domain helpdesk-uk.com not associated with Microsoft. Registered 3 days ago.
HIGH: Sender domain (yahoo.com) does not match purported organisation (Microsoft).
MED: Artificial urgency — "expires today" pressure language detected.
Report to SOC
// Your role

What you need to do

ESA does the technical analysis. Your job is simple — follow these steps every time you receive a suspicious email.

01. Pause before you click
The moment you feel urgency — a password expiring, an invoice overdue, a CEO request — stop. Urgency is the attacker's primary weapon. A 10-second pause can prevent a £40,000 fraud.
🚨 Urgency = phishing signal. Always pause.
02. Pin the ESA taskpane
Pin the Email Safety Advisor taskpane once in Outlook. From that moment, every email you open is analysed automatically — no button click needed, no extra steps.
🛡️ Pin once. Automatic protection forever.
03. Read the signals
A score of 85 means HIGH risk — but read the signals too. They tell you which specific parts of the email are suspicious. Understanding why builds your instinct over time.
📖 Signals educate you while they protect you.
04. Take the recommended action
For HIGH risk — click Report to SOC. One click sends a complete incident report to your security team automatically. You never have to write anything or make a phone call.
📤 Report to SOC = one click, job done.
// Signal glossary

What ESA looks for

HIGH: Sender domain mismatch
The display name claims one organisation but the actual sending email address uses a different domain. Classic impersonation technique.
From: "Microsoft Support" <support@helpdesk-uk.com>
HIGH: New or suspicious domain
The sending domain was registered recently — days before the attack. Legitimate organisations use established domains, not freshly created ones.
helpdesk-uk.com — registered 3 days ago
HIGH: Authentication failure
The email failed DMARC, SPF, or DKIM checks — technical standards that verify the sender is who they claim. Failure means the email is likely spoofed.
DMARC: FAIL · SPF: FAIL · DKIM: NONE
MED: Urgency language
The email uses time pressure — "expires today", "act now", "within 24 hours". Legitimate organisations rarely demand immediate action via email.
"Your account will be suspended in 24 hours"
MED: Suspicious link
The link leads to a domain that does not match the claimed organisation, uses URL shorteners, or includes redirect chains to hide the final destination.
password-reset-portal.helpdesk-uk.com
LOW: Generic salutation
Addressed as "Hello" or "Dear Customer" rather than by name. Legitimate organisations that hold your data typically personalise communications.
"Hello," instead of "Dear [Your Name],"
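To make the glossary concrete, here is an added Python example (illustrative heuristics written for this guide, not ESA's product code or its Azure OpenAI analysis) that checks a constructed message for the signals listed above and applies the score-then-threshold flow from the How ESA works steps. The domain-registration table, brand list, severity weights and threshold cut-offs are assumptions for the demonstration.

```python
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr

DOMAIN_REGISTERED = {"helpdesk-uk.com": date(2026, 4, 26)}  # constructed stand-in for a WHOIS/RDAP lookup
BRAND_DOMAINS = {"microsoft": {"microsoft.com"}}  # assumed brand -> legitimate sending domains
URGENCY = re.compile(r"expires? today|act now|within 24 hours|suspended", re.I)
WEIGHTS = {"HIGH": 40, "MED": 15, "LOW": 5}  # assumed severity weights; total capped at 100

def score_email(raw, today=date(2026, 4, 29)):
    """Return (verdict, score 0-100, [(severity, plain-English signal), ...]) for one raw message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    signals = []
    # HIGH: display name claims a brand, but the actual sending domain is not one of that brand's domains
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and domain not in domains:
            signals.append(("HIGH", f"Display name claims {brand.title()} but sender domain is {domain}"))
    # HIGH: sending domain registered only days before the message arrived
    reg = DOMAIN_REGISTERED.get(domain)
    if reg and (today - reg).days < 30:
        signals.append(("HIGH", f"Domain {domain} registered {(today - reg).days} days ago"))
    # HIGH: the receiving server's Authentication-Results header shows DMARC did not pass
    hdr = msg.get("Authentication-Results", "")
    found = {k.lower(): v.upper() for k, v in re.findall(r"(dmarc|spf|dkim)=(\w+)", hdr, re.I)}
    auth = {m: found.get(m, "NONE") for m in ("dmarc", "spf", "dkim")}
    if auth["dmarc"] != "PASS":
        signals.append(("HIGH", " · ".join(f"{m.upper()}: {v}" for m, v in auth.items())))
    # MED: time-pressure language in the subject or body
    hit = URGENCY.search(msg.get("Subject", "") + " " + body)
    if hit:
        signals.append(("MED", f'Artificial urgency: "{hit.group(0)}"'))
    # LOW: generic salutation rather than the recipient's name
    if re.match(r"\s*(Hello|Dear Customer)\s*,", body, re.I):
        signals.append(("LOW", "Generic salutation instead of your name"))
    score = min(100, sum(WEIGHTS[s] for s, _ in signals))
    # Threshold engine (assumed cut-offs): silent for safe mail, full warning panel for high risk
    verdict = "HIGH" if score >= 70 else "MEDIUM" if score >= 40 else "SAFE"
    return verdict, score, signals

# Constructed sample (not a real message) mirroring the spoof shown in the taskpane above.
PHISH = """From: "Microsoft Support" <support@helpdesk-uk.com>
Subject: Urgent: Your Microsoft 365 password expires today
Authentication-Results: mx.example.net; dmarc=fail; spf=fail; dkim=none

Dear Customer, your credentials require renewal before end of business today.
"""
```

Calling `score_email(PHISH)` returns a HIGH verdict with all five signal types listed in plain English, while a DMARC-passing message from the brand's own domain with a personalised greeting scores 0 and stays silent.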
// Your three actions

When ESA flags an email

Report to SOC
One click sends a complete AI-generated incident report to your security team. Risk score, all signals, and email metadata included automatically. No forms, no email chains.
When: Score is HIGH or CRITICAL
Delete Safely
Move the email to deleted items without opening any links or attachments. ESA logs the deletion alongside the risk assessment for your organisation's audit trail.
When: Score is MEDIUM — confirmed phishing
Mark as Safe
If you know the sender and the email is legitimate despite a medium score, mark it as safe. This helps ESA learn your trusted contacts over time.
When: You know the sender — false positive

Your role in keeping us safe

ESA gives you the information. You make the decision. Together we create a layer of protection that no technical filter can provide — an informed, aware team that phishers and their AI cannot fool.

I will pause before clicking links in emails that create urgency or ask for sensitive actions
I will pin the ESA taskpane so it analyses every email automatically as I open it
I will read the signals — not just the score — to understand why an email is suspicious
I will report HIGH risk emails to my security team with one click, every time
Get ESA on Microsoft AppSource →