April 3, 2026
Phishing is the single most common way businesses get breached. Not zero-days. Not sophisticated nation-state attacks. Just a regular person clicking a regular-looking link on a regular Tuesday morning.
The reason phishing works is simple: attackers got much better, and the old training advice hasn’t kept up. “Watch for bad grammar and spelling” was reasonable in 2014. Today’s phishing emails are written by AI, personalised from LinkedIn data, and sent from compromised real email accounts at companies you already do business with.
The classic. An email says your Office 365 password is expiring, your DocuSign is pending, your shared Dropbox file is ready. The link leads to a near-perfect clone of the real login page. You type your password. The attacker now owns your account.
What to watch for: the URL, always. login.microsoftonlin3.com, office.o365-login.net, docusign-secure-portal.app. The page will look identical — the only tell is the address bar.
An email comes from your CEO or CFO: “Can you process a wire transfer to this supplier today? It’s urgent. Don’t discuss on Teams, I’m in meetings.” The signature looks right. The writing style matches.
BEC works because attackers study your org chart on LinkedIn, watch your email for weeks after compromising an account, then strike during a travel day when face-to-face confirmation isn’t possible. BEC losses in Canada alone exceed $200M annually — dwarfing all other cyber fraud categories combined.
An email appears to come from a real vendor you pay regularly: “We’ve changed our banking details — please update remittance for future invoices.” The attacker has often actually compromised the vendor’s email first, so it really does come from them.
New and terrifying. Your “CEO” calls your finance lead’s mobile. The voice is a perfect clone, trained on 30 seconds of LinkedIn video. They ask for a wire. Several Canadian businesses have lost six figures this way in the past year.
sarah.finance@webmail123.ru. Hover or tap to reveal.microsoft.com but hovering shows it points elsewhere.Any request to move money, change banking details, buy gift cards, or transfer credentials gets a 30-second phone or in-person verification through a channel the person already trusts — not the number in the email signature, the number already in their phone contacts.
Install a Phish Report button in Outlook and Gmail. Make it easier to report than to delete. Your security team or MSP can then triage, pull other copies, and warn everyone else.
Password managers auto-fill only on legitimate domains. On a phishing clone, the manager won’t fill — and that absence is a giant tell. “Why isn’t this filling?” has saved thousands of credentials.
Everyone clicks eventually. The goal is that a click doesn’t become a breach — which means MFA, EDR, and a reporting culture, not just vigilance.
Instead of annual one-hour courses nobody remembers, run quarterly simulations — send your own fake phishing emails and measure click rates — paired with 3-5 minute monthly videos on specific threats. Short, frequent, and real beats long and theoretical.
None of this is expensive — most is already included in your Microsoft 365 or Google Workspace plan and just needs configuring. If you’re not sure where you stand, get in touch for a free review.