The Anatomy of a Modern Phishing Attack: How to Teach Your Team to Spot Them

April 3, 2026

Phishing is the single most common way businesses get breached. Not zero-days. Not sophisticated nation-state attacks. Just a regular person clicking a regular-looking link on a regular Tuesday morning.

The reason phishing works is simple: attackers got much better, and the old training advice hasn’t kept up. “Watch for bad grammar and spelling” was reasonable in 2014. Today’s phishing emails are written by AI, personalised from LinkedIn data, and sent from compromised real email accounts at companies you already do business with.

The Four Phishing Variants Every Business Will See

1. Credential Harvesting

The classic. An email says your Office 365 password is expiring, your DocuSign is pending, your shared Dropbox file is ready. The link leads to a near-perfect clone of the real login page. You type your password. The attacker now owns your account.

What to watch for: the URL, always. login.microsoftonlin3.com, office.o365-login.net, docusign-secure-portal.app. The page will look identical — the only tell is the address bar.

2. Business Email Compromise (BEC)

An email comes from your CEO or CFO: “Can you process a wire transfer to this supplier today? It’s urgent. Don’t discuss on Teams, I’m in meetings.” The signature looks right. The writing style matches.

BEC works because attackers study your org chart on LinkedIn, watch your email for weeks after compromising an account, then strike during a travel day when face-to-face confirmation isn’t possible. BEC losses in Canada alone exceed $200M annually — dwarfing all other cyber fraud categories combined.

3. Vendor Impersonation

An email appears to come from a real vendor you pay regularly: “We’ve changed our banking details — please update remittance for future invoices.” The attacker has often actually compromised the vendor’s email first, so it really does come from them.

4. AI Voice Cloning (vishing)

New and terrifying. Your “CEO” calls your finance lead’s mobile. The voice is a perfect clone, trained on 30 seconds of LinkedIn video. They ask for a wire. Several Canadian businesses have lost six figures this way in the past year.

The Red Flags That Still Work

What to Train Your Team to DO, Not Just Spot

The 30-Second Rule for Financial Requests

Any request to move money, change banking details, buy gift cards, or transfer credentials gets a 30-second phone or in-person verification through a channel the person already trusts — not the number in the email signature, the number already in their phone contacts.

The Report Button

Install a Phish Report button in Outlook and Gmail. Make it easier to report than to delete. Your security team or MSP can then triage, pull other copies, and warn everyone else.

Password Manager, Always

Password managers auto-fill only on legitimate domains. On a phishing clone, the manager won’t fill — and that absence is a giant tell. “Why isn’t this filling?” has saved thousands of credentials.

Assume Compromise, Not Purity

Everyone clicks eventually. The goal is that a click doesn’t become a breach — which means MFA, EDR, and a reporting culture, not just vigilance.

A Training Format That Works

Instead of annual one-hour courses nobody remembers, run quarterly simulations — send your own fake phishing emails and measure click rates — paired with 3-5 minute monthly videos on specific threats. Short, frequent, and real beats long and theoretical.

The Quick-Win Checklist

  1. Enforce MFA on every account — no exceptions for executives
  2. Turn on your email platform’s built-in phishing filters
  3. Add external-email warning banners
  4. Set up SPF, DKIM, and DMARC so attackers can’t spoof your domain
  5. Roll out a phish-report button and train everyone to use it
  6. Write a one-page financial-request verification process
  7. Run one simulated phishing campaign per quarter

None of this is expensive — most is already included in your Microsoft 365 or Google Workspace plan and just needs configuring. If you’re not sure where you stand, get in touch for a free review.