In the fight against phishing, forward-thinking organisations are winning. But there's a twist. The heightened vigilance that has empowered employees to detect suspicious emails is now creating a new dilemma: legitimate, business-critical messages are being flagged, ignored, or buried in spam folders. And in today's AI-fuelled cyber landscape, that reaction may be as justified as it is damaging.

Phishing works and it's reshaping trust

The release of generative AI tools has supercharged phishing attempts. KnowBe4's Phishing Threat Trend Report 2025 shows that more than 80% of the analysed phishing emails were augmented by AI, and they're far more convincing than before.

“The gut-check we used to rely on has been gamed – and even the large language models now being explored to help detect suspicious emails are also struggling,” says Anna Collard, SVP of Content Strategy & Evangelist at KnowBe4 Africa. “They're forced to dig deeper, assessing tone, context, and subtler red flags.”

The result? Suspicion is now the default

And it's not unwarranted. Maturing cybersecurity awareness and phishing simulation programs have helped sharpen employees' scepticism. But this success has revealed a new problem: overcorrection.

Emails that are real – from HR, IT, legal, or sales – are now increasingly being misjudged. In some cases, they're wrongly flagged as phishing by either people or systems.

In others, they're simply ignored. The irony is that some of the most common and legitimate corporate communication traits are now the very ones that raise red flags:

- Urgency: “Sign this by COB today”, or when every email from a colleague is marked “urgent”
- Unexpected senders: e.g. HR tools or SaaS platforms
- Calls to action: “Click here to confirm”
- Stylistic quirks: overly polished copy, too many links or bold phrases
- Tech misalignments: emails from legitimate senders failing DMARC or DKIM checks
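A pre-send lint that checks an internal draft against the traits listed above is one practical way to catch them before recipients or filters do. This is an added example, not KnowBe4's code or tooling; the word lists, the link threshold, the trusted domain and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Heuristics mirroring the traits above; word lists, threshold and trusted domains are assumptions.
URGENCY = re.compile(r"\b(urgent|asap|by cob|today|immediately|final notice)\b", re.I)
CALL_TO_ACTION = re.compile(r"\b(click here|confirm your|verify your|act now)\b", re.I)
LINK = re.compile(r"https?://\S+", re.I)
MAX_LINKS = 3                       # more links than this reads like a lure
TRUSTED_DOMAINS = {"example.com"}   # constructed: the organisation's own domains


def authentication_failures(msg):
    """Mechanisms in Authentication-Results that did not pass, e.g. ['dkim', 'dmarc']."""
    failed = []
    for header in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            if result.lower() != "pass":
                failed.append(mech.lower())
    return failed


def red_flags(raw_message):
    """Return the traits in a draft that staff or mail filters may treat as phishing."""
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    subject = msg.get("Subject", "")
    flags = []
    if URGENCY.search(subject) or URGENCY.search(body):
        flags.append("urgency wording")
    if CALL_TO_ACTION.search(body):
        flags.append("generic call to action")
    if len(LINK.findall(body)) > MAX_LINKS:
        flags.append("too many links")
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain not in TRUSTED_DOMAINS:
        flags.append(f"unexpected sender domain: {domain}")
    failed = authentication_failures(msg)
    if failed:
        flags.append("authentication failure: " + ", ".join(failed))
    return flags


# Constructed sample: a genuine HR notice sent through a third-party platform.
SAMPLE = """\
From: HR Portal <no-reply@hr-saas-vendor.example>
Subject: URGENT: Sign this by COB today
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=hr-saas-vendor.example; dkim=fail header.d=example.com; dmarc=fail header.from=hr-saas-vendor.example

Click here to confirm your benefits enrolment: https://hr-saas-vendor.example/enrol
Also review https://a.example/1 https://b.example/2 https://c.example/3
"""
```

Running `red_flags(SAMPLE)` reports every trait in the list above for that one message, which is exactly why a real notice like it gets ignored or flagged.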

“Even just using a third-party sender domain can cause confusion,” says Collard. “If staff don't expect it – or don't recognise the platform – the message can get flagged.”

For good reason too: according to KnowBe4's Phishing Threat Trend Report, the top 5 legitimate platforms used to send out phishing emails include popular business tools such as DocuSign, PayPal, Microsoft, Google Drive, and Salesforce.

The cost of false positives

When real emails get sidelined, the impact is more than a missed message. Delayed IT updates, ignored HR deadlines, and lost sales opportunities can create serious ripple effects across operations. Deliverability issues also erode trust. And in high-stakes environments like healthcare, legal services or finance, false positives can become costly very quickly.

So, how do you write emails that get read – not flagged?

To combat this growing challenge, organisations need to stop thinking of phishing risk as purely a recipient problem. Legitimate internal emails need to look legitimate too.

Here's how every team – from HR to IT to marketing – can write more trustworthy emails:

Write Like a Human, Deliver Like a Pro