FL – 003 | AI Augmented Phish

LOG ID: FL-003
CLASSIFICATION: Recent Attack Vectors
SECURITY STATUS: Active / Tactical Analysis
SUBJECT UNDER AUDIT: LLM Generative Text / Social Engineering Lures
PRIMARY AUDITOR: Paul Mindra (AI Integrity Auditor)

Purpose

Verify whether an email or message is a likely AI‑augmented phishing attempt and collect defensible artifacts.

Quick risk indicators

  • Unexpected request for money, credentials, or urgent action.
  • Hyper‑personalized content referencing obscure personal details.
  • New or odd sender domain or short‑lived landing pages.
  • Multiple channels repeating the same request.

Immediate actions

  1. Do not click links or open attachments.
  2. Preserve the message by saving the raw source (EML or “view source”) and taking screenshots.
  3. Isolate the account if credentials or access were exposed.

Step‑by‑step checks

  1. Save artifacts — raw email source, attachments, screenshots, timestamps.
  2. Header analysis — extract Received lines, originating IPs, SPF/DKIM/DMARC results.
  3. Resolve links safely — use a sandbox or URL resolver; record final host, IP, and TLS certificate.
  4. WHOIS and domain age — check registration date and registrar for sender and landing domains.
  5. Search for clones — paste unique phrases into search engines to find near‑identical messages.
  6. Compare language — match tone and phrasing against known legitimate communications from the purported sender.
  7. Check for automation signals — many similar messages, rapid timestamps, or templated variations across recipients.
  8. Trace infrastructure — map redirects, hosting providers, and payment endpoints to identify common infrastructure.
  9. Hash and timestamp artifacts — compute file hashes and note collection times for chain of custody.
  10. Write a one‑paragraph verdict with risk level and recommended next steps.
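The header, link and hashing steps above as an added triage script (not part of the field log): it parses a raw EML with Python's standard library, records SPF/DKIM/DMARC results, originating IPs from Received lines, body URLs and a SHA-256 with a collection timestamp, and rates risk using the interpretation guide's thresholds. The sample message, regexes and urgency word list are constructed assumptions.

```python
import email
import hashlib
import re
from datetime import datetime, timezone
from email import policy

# Constructed sample (not a real message): failing authentication, an originating
# IP in the Received chain, urgency in the subject and a lookalike link domain.
SAMPLE_EML = b"""Received: from mail.payroll-update.test (mail.payroll-update.test [198.51.100.7])
 by mx.example-corp.test with ESMTP; Mon, 3 Mar 2025 09:14:02 +0000
Authentication-Results: mx.example-corp.test; spf=fail smtp.mailfrom=payroll-update.test;
 dkim=none; dmarc=fail header.from=example-corp.test
From: "HR Payroll" <hr@example-corp.test>
To: staff@example-corp.test
Subject: Urgent: confirm your bank details today
Content-Type: text/plain

Please confirm your details at http://example-corp-payroll.test/verify before noon.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")          # bracketed IPs in Received lines
URL_RE = re.compile(r'''https?://[^\s<>"']+''')
URGENCY = ("urgent", "immediately", "today", "suspended")       # assumed lure vocabulary
BAD_AUTH = ("fail", "softfail", "none", "permerror")

def analyze_eml(raw: bytes) -> dict:
    """Extract header, authentication and link artifacts, hash the raw source, and rate risk."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    received = [str(h) for h in msg.get_all("Received", [])]
    ips = [ip for line in received for ip in IP_RE.findall(line)]
    auth = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in AUTH_RE.findall(str(hdr)):
            auth[mech.lower()] = result.lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    urls = sorted(set(URL_RE.findall(body.get_content() if body else "")))
    from_domain = str(msg.get("From", "")).rsplit("@", 1)[-1].rstrip(">").lower()
    link_hosts = {u.split("//", 1)[1].split("/", 1)[0].lower() for u in urls}
    # Each red flag mirrors a checklist item; two or more flags is "high" per the guide.
    flags = [f"{m} {auth[m]}" for m in ("spf", "dkim", "dmarc") if auth.get(m) in BAD_AUTH]
    if any(h != from_domain and not h.endswith("." + from_domain) for h in link_hosts):
        flags.append("link host does not match From domain")
    if any(w in str(msg.get("Subject", "")).lower() for w in URGENCY):
        flags.append("urgency language in subject")
    risk = "high" if len(flags) >= 2 else "medium" if flags else "low"
    return {"sha256": hashlib.sha256(raw).hexdigest(),   # chain-of-custody hash of raw source
            "collected_at": datetime.now(timezone.utc).isoformat(), "originating_ips": ips,
            "auth": auth, "urls": urls, "from_domain": from_domain, "flags": flags, "risk": risk}
```

Run `analyze_eml(open("suspect.eml", "rb").read())` on a saved raw message; the hash and timestamp go into the chain-of-custody note, and the flags list feeds the one-paragraph verdict.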

Evidence to collect

  • Raw message source; full headers; attachments; URLs and resolved IPs; WHOIS records; screenshots; search results showing clones.

High‑confidence red flags

  • Spoofed headers or Received chains that don’t match claimed origin.
  • Domain age under 30 days for sender or landing site.
  • Identical message text appearing across multiple domains.
  • Payment instructions pointing to unregulated processors or crypto wallets used by multiple domains.

Interpretation guide

  • High risk: multiple red flags present. Quarantine, notify security, preserve artifacts.
  • Medium risk: some indicators present. Monitor, increase vigilance, request independent verification.
  • Low risk: headers, domain history, and corroboration are clean. Document and close.

Escalation and reporting

  • Report to IT or security with collected artifacts.
  • Notify hosting and payment providers for takedown if fraud is confirmed.
  • If funds were transferred, contact banks and law enforcement immediately.

One‑line script to verify on the phone

“Please hold while I confirm this through a separate channel; I’ll call you back on a number I already have.”



© 2026 The AI Integrity Auditor.
Verified Sovereignty through Forensic Truth.