
Phishing Attacks Are Getting Harder to Spot — What Small Businesses Need to Know

Phishing remains the single most common way attackers gain initial access to an organisation's systems. It has been the top entry vector in cybersecurity breach reports for years — not because it's unsophisticated, but because it works reliably, it's cheap to execute at scale, and it's getting better at defeating the defences most small businesses have in place.

This guide explains how modern phishing actually works, why the advice to "just look for typos" is dangerously inadequate, and what a proportionate response looks like for a small organisation.

What Phishing Is — and Isn't

Phishing, in its broadest form, is any attempt to deceive a person into taking an action that benefits the attacker — clicking a link, opening an attachment, entering credentials, approving a payment, or divulging information. The term comes from the idea of casting a wide net: sending deceptive emails to large numbers of people in the hope that a small percentage will take the bait.

Spear phishing is a targeted variant: emails crafted specifically for the individual recipient, using personal information gathered from public sources — LinkedIn profiles, company websites, social media — to make the deception more convincing. Business email compromise (BEC) is a further refinement: the attacker impersonates a known individual — a supplier, a senior colleague, a solicitor — to authorise a fraudulent payment or action.

Why Phishing Is Getting Harder to Spot

The "look for bad grammar and spelling mistakes" advice that has been given to staff for twenty years is now almost useless. Here's why:

AI-Generated Content

Generative AI tools have made it trivially easy to produce grammatically perfect, contextually appropriate phishing emails in any language. The traditional indicators of a phishing attempt — awkward phrasing, inconsistent formatting, implausible scenarios — are no longer reliable signals. A phishing email can now read like it was written by a native English speaker with sector-specific knowledge, because in many cases it was generated by a tool trained on exactly that kind of content.

Brand Impersonation at Scale

Attackers create convincing replicas of legitimate websites — banks, delivery companies, government services, software providers — that are visually indistinguishable from the real thing. The only reliable indicator is the domain name, and domains are increasingly obscured by URL shorteners, legitimate redirectors, and look-alike domains that differ from the real one by a single character.
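A defender-side check for the single-character and look-alike domains described above, added here as an example and not code from the original article: it compares the host part of a URL against a constructed allowlist of trusted domains (the `KNOWN_DOMAINS` values and the homoglyph table are assumptions for illustration), flagging hosts within one edit of a trusted name, hosts that only match after look-alike characters such as `rn` for `m` are normalised, and trusted names buried inside an unrelated host. Shortened URLs cannot be judged without following the redirect, so they come back as `unknown`.

```python
from urllib.parse import urlparse

# Constructed allowlist of domains this organisation trusts (placeholder values).
KNOWN_DOMAINS = ("example-bank.co.uk", "example-courier.com", "microsoft.com")

# Character groups that look alike on screen; the fake form maps to the real one.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Lower-cased host name of a URL, ignoring scheme, port and path."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def normalise(host: str) -> str:
    """Replace look-alike character groups with the letters they imitate."""
    for fake, real in HOMOGLYPHS.items():
        host = host.replace(fake, real)
    return host


def classify_url(url: str) -> str:
    """'known', 'lookalike of <domain>' or 'unknown' (shorteners stay unknown)."""
    host = host_of(url)
    if host in KNOWN_DOMAINS:
        return "known"
    for known in KNOWN_DOMAINS:
        if host.endswith("." + known):
            return "known"  # genuine subdomain of a trusted domain
        # Within one edit of a trusted domain, before or after homoglyph fix-up.
        if any(levenshtein(c, known) <= 1 for c in (host, normalise(host))):
            return f"lookalike of {known}"
        # Trusted name buried inside an unrelated host: example-bank.co.uk.evil.test
        if known in host:
            return f"lookalike of {known}"
    return "unknown"
```
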

Legitimate Service Abuse

One of the most effective current phishing techniques involves using legitimate services to deliver the attack: a malicious file shared via OneDrive or Google Drive, a credential harvesting page hosted on a legitimate cloud platform, a phishing link embedded in a DocuSign notification. Email security filters that check for malicious links cannot reliably flag links pointing to trusted platforms like Microsoft and Google.

Caller ID Spoofing and Vishing

Voice phishing (vishing) — phone calls from attackers impersonating IT support, banks, or HMRC — has grown significantly. Caller ID can be spoofed to display any number, including your bank's official contact number. AI voice cloning means that some attacks now use a convincing replica of a known colleague's voice.

What Awareness Training Does and Doesn't Achieve

Security awareness training is valuable and we recommend it. But its limitations need to be understood. Simulated phishing campaigns consistently show that even well-trained staff click on realistic phishing emails. Training reduces the rate; it does not eliminate it. In an organisation of 20 people, if your training programme gets the click rate down to 5%, you still have a 65% chance that someone clicks on a targeted phishing campaign.

Training addresses the human layer. It should be combined with technical controls and — critically — with the ability to detect what happens after someone clicks.

Technical Controls That Reduce Phishing Risk

Several technical measures reduce the probability of a phishing email reaching a staff member and the probability of it succeeding if it does:

Why Detection After the Click Matters Most

No combination of training and technical controls achieves 100% prevention. The organisations that contain phishing incidents with minimal damage are those that detect the attacker's activity after the initial compromise — the malware execution, the credential theft, the lateral movement — quickly enough to intervene before significant damage is done.

This is where continuous monitoring becomes critical. A named analyst watching your network 24/7 will see the indicators of a post-phishing compromise — unusual process execution on an endpoint, credential use from an unexpected location, unusual outbound connections — and act on them. The damage from a phishing incident is determined less by whether someone clicks, and more by how quickly the click is detected and contained.
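Two of the post-click indicators named above, an Office application spawning a script host and PowerShell started hidden or with an encoded command, expressed as detection logic over process-creation events. This is an added example, not the article's or any product's code; the JSON event lines are constructed sample telemetry, the field names (`host`, `user`, `parent`, `image`, `cmdline`) are an assumed schema, and the `-enc` value is a labelled placeholder.

```python
import json
from dataclasses import dataclass

# Constructed endpoint process-creation events (JSON lines), not real telemetry.
SAMPLE_EVENTS = """
{"host": "laptop-07", "user": "j.smith", "parent": "outlook.exe", "image": "winword.exe", "cmdline": "winword.exe /n invoice.docm"}
{"host": "laptop-07", "user": "j.smith", "parent": "winword.exe", "image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc <base64-placeholder>"}
{"host": "laptop-07", "user": "j.smith", "parent": "explorer.exe", "image": "teams.exe", "cmdline": "teams.exe"}
{"host": "desk-03", "user": "a.jones", "parent": "excel.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c wscript.exe update.vbs"}
{"host": "desk-03", "user": "a.jones", "parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell.exe Get-Date"}
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# PowerShell switches that routine admin use rarely combines with opening a document.
SUSPICIOUS_SWITCHES = ("-enc", "-w hidden", "-nop")


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    rule: str
    detail: str


def detect(events_text: str) -> list[Alert]:
    """Run both rules over every event; one event can raise more than one alert."""
    alerts = []
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        parent, image = ev["parent"].lower(), ev["image"].lower()
        cmd = ev["cmdline"].lower()
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            alerts.append(Alert(ev["host"], ev["user"], "office-app-spawns-script-host", f"{parent} -> {image}"))
        if image == "powershell.exe" and any(s in cmd for s in SUSPICIOUS_SWITCHES):
            alerts.append(Alert(ev["host"], ev["user"], "hidden-or-encoded-powershell", cmd))
    return alerts


def hosts_to_isolate(alerts: list[Alert]) -> list[str]:
    """Endpoints an analyst would contain first, one entry per host."""
    return sorted({a.host for a in alerts})
```

The plain `explorer.exe -> powershell.exe Get-Date` event raises nothing, which is the point: the parent process and the switches, not PowerShell itself, carry the signal.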

When Someone Clicks, Your Analyst Sees It

SOC in a Box includes endpoint detection that identifies the attacker's activity after a phishing email is opened — before they can encrypt your files, steal your data, or move through your network. Five working days from order to 24/7 monitoring.
