Teaching Machines to Spot Liars: How NLP is Reshaping Phishing Detection


Posted on by Kumrashan Indranil Iyer

“Click here to verify your account.”

One click and that’s all it takes. A single email, cleverly disguised, perfectly timed, and an entire system can be compromised.

Phishing has evolved. What used to be easily dismissible scams full of typos and bad grammar are now polished, convincing messages crafted to trick even the most security-conscious employee. Some of these aren’t even written by humans anymore.

With generative AI tools in the mix, attackers can now spin up personalized phishing emails at scale. They’re fast, they’re targeted, and they’re increasingly difficult to distinguish from legitimate communication. The old rulebooks (blacklists, signature-based detection) weren’t built for this new game. So, how do we fight back? One answer: teach our machines to read between the lines.

When Emails Speak Deception

Phishing works because it plays on emotions like urgency, curiosity, fear, even empathy. Attackers know this. And traditional detection systems, which largely rely on rigid patterns and known indicators, often miss the subtleties of language that signal something’s off.

This is where Natural Language Processing (NLP) steps in. NLP gives machines the ability to understand text contextually, not just scan for keywords. Instead of asking “Is this word suspicious?”, an NLP-based system asks, “What is this message really trying to say?”

It’s less about looking for red flags and more about listening for whispers.

The Research That Sparked This

In the paper, Natural Language Processing for Phishing Detection: Leveraging AI to Spot Deceptive Content in Real Time, researchers (full disclosure, I am one of the researchers), explored how NLP could help spot phishing attempts in real time, not just based on sender info or links, but on “how” the message is written and “why” it might have been sent.

Researchers used transformer models like BERT to analyze email content, capturing both syntax and semantics. The system could detect subtle signs of manipulation, like urgency without justification, or tone that didn’t match a known sender’s usual style.

One core piece was building intent classifiers - models trained to detect signals like impersonation, coercion, or deceitful tone. We didn’t just want to know “what” the email said rather we wanted to know “what it was trying to do”.

The system also evolved with input. It could integrate new phishing patterns, expand its vocabulary dynamically, and adapt to different organizational communication styles. The goal was not just detection, but resilience.

A Scenario We All Dread

Picture this: It’s mid-April, and employees are neck-deep in tax season. An email lands in the inbox:

“Hi, John. Please review your W2 form here. HR needs confirmation by 3PM today to avoid payroll issues.”

Looks legit. But behind the scenes, an NLP model catches inconsistencies. The email tone doesn’t match past HR emails. The sender’s domain is close but slightly off. The language uses urgency and authority in a way that's typical of phishing attempts. It’s not just the words, it’s the intent. And that’s enough to flag it before John clicks.

What Makes This Hard

Attackers are getting better at evading NLP systems, using wordplay, misspellings, and even adversarial language tricks. Models also struggle with explainability i.e., when a message gets flagged. We need to be able to show “why” in a way a human analyst can trust.

And then there’s a multilingual challenge. Phishing isn’t an English-only sport. We need models that work across languages, cultures, and writing styles.

Why This Matters More Than Ever

The line between human and machine-generated content is blurring fast. Just as defenders began catching up with old-school phishing, attackers pivoted to AI-written deception. We can't rely solely on blacklists or static detection rules anymore.

With NLP, we’re entering a new phase, one where machines understand language deeply enough to sense when something feels “off,” even if it looks clean on the surface.

This isn’t about replacing human judgment. It’s about empowering our defenses with the kind of linguistic intuition that cybercriminals are already exploiting.

Phishing thrives on trust. NLP helps us challenge that trust, inspect it, and when needed withdraw it. By teaching machines not just to read but to understand, we stand a better chance of keeping pace with attackers who’ve already begun teaching theirs to deceive.

Contributors
Kumrashan Indranil Iyer

Independent Researcher,

View More Blogs

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC™ Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs