
How to protect your business from phishing attacks

Phishing is involved in roughly 36% of all breaches (Verizon DBIR). In 2026, the old advice — "watch for typos and bad grammar" — is dead. AI-generated phishing is hyper-personalized, fluent, and pulls real context from LinkedIn and breach dumps. Defending a business now means stacking real controls, not training people to spot mistakes the attacker no longer makes.

How to avoid phishing traps

The defense stack that actually works:

  • MFA on every account. Hardware keys (YubiKey, Google Titan) beat authenticator apps (1Password, Authy, Google Authenticator), which beat SMS — SMS is vulnerable to SIM-swap and should be considered a last resort. For executives and admins: hardware keys, no exceptions.
  • Passkeys (FIDO2/WebAuthn). Passwordless auth is shipping in 2026 across Google, Microsoft, Apple and 1Password. Passkeys are phishing-resistant by design — they cannot be entered on a fake login page.
  • Password manager for everyone. 1Password, Bitwarden or Dashlane. Eliminates password reuse, autofills only on the real domain (a built-in phishing check), surfaces breached credentials.
  • Email auth done right. SPF, DKIM and DMARC properly configured (DMARC at p=reject, not p=none). This stops attackers from spoofing your own domain.
  • Email gateway protection. Microsoft 365 Defender or Google Workspace advanced phishing protection out of the box; Mimecast, Proofpoint or Abnormal Security for enterprise tier.
  • Browser hardening. Chrome Enhanced Safe Browsing on, link-scanning extensions for high-risk teams.
  • Patch and update. OS, browser, plugins. Most exploitable phishing payloads target unpatched software.
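The "Email auth done right" bullet is the one control you can verify mechanically. The following is an added example (not code from the original post) that applies the checks a practitioner would run against a domain's SPF and DMARC TXT records: the `all` qualifier and DNS-lookup count for SPF, and `p=`, `sp=`, `pct=` and `rua=` for DMARC. The records and domain names are constructed for the example; in practice you would feed in the TXT records fetched for `<domain>` and `_dmarc.<domain>`.

```python
"""Offline assessment of SPF and DMARC record contents (example code)."""

# Constructed sample records for made-up domains; replace with the TXT records
# your resolver returns for <domain> and _dmarc.<domain>.
SAMPLE_RECORDS = {
    "example-weak.com": "v=spf1 include:_spf.google.com ~all",
    "_dmarc.example-weak.com": "v=DMARC1; p=none; rua=mailto:dmarc@example-weak.com",
    "example-strong.com": "v=spf1 include:_spf.google.com -all",
    "_dmarc.example-strong.com": (
        "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
        "rua=mailto:dmarc@example-strong.com"
    ),
}

SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: more than 10 lookup terms is a permerror


def _strip_qualifier(term):
    """Drop a leading +, -, ~ or ? from an SPF term."""
    return term[1:] if term[:1] in "+-~?" else term


def _is_lookup_term(term):
    """True for the SPF mechanisms/modifiers that cost a DNS lookup."""
    t = _strip_qualifier(term.lower())
    if t.startswith(("include:", "exists:", "redirect=")):
        return True
    return any(t == m or t.startswith(m + ":") or t.startswith(m + "/") for m in ("a", "mx", "ptr"))


def assess_spf(record):
    """Return a list of weaknesses found in an SPF record (empty list = fine)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings, all_qualifier, lookups = [], None, 0
    for term in terms[1:]:
        t = term.lower()
        if _strip_qualifier(t) == "all":
            all_qualifier = t[0] if t[0] in "+-~?" else "+"
        elif _is_lookup_term(t):
            lookups += 1
    if all_qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("'+all' authorizes every host on the internet to send as this domain")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral: unlisted senders are treated as unknown, not unauthorized")
    elif all_qualifier == "~":
        findings.append("'~all' is a soft fail: receivers typically only mark spam; '-all' is stricter")
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS-lookup terms exceeds the limit of {SPF_LOOKUP_LIMIT}; SPF will permerror")
    return findings


def assess_dmarc(record):
    """Return a list of weaknesses found in a DMARC record (empty list = fine)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("p tag missing: the record is invalid and receivers ignore it")
    elif policy == "none":
        findings.append("p=none: spoofed mail is reported but still delivered; move to p=quarantine, then p=reject")
    elif policy != "reject":
        findings.append(f"p={policy}: not yet at p=reject")
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy != "reject":
        findings.append(f"subdomain policy sp={sub_policy or '(unset)'}: unused subdomains can still be spoofed")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports and will not see spoofing attempts")
    return findings


def audit(domain, records=SAMPLE_RECORDS):
    """Assess both records for a domain using the supplied record store."""
    return {
        "spf": assess_spf(records.get(domain, "")),
        "dmarc": assess_dmarc(records.get("_dmarc." + domain, "")),
    }


if __name__ == "__main__":
    for d in ("example-weak.com", "example-strong.com"):
        print(d, audit(d))
```

Run it as-is to see the weak domain flagged on both `~all` and `p=none`, while the strong configuration comes back clean; swapping `SAMPLE_RECORDS` for a real lookup turns this into a recurring check you can schedule.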

Education matters but it is the last line, not the first. Hire a service like KnowBe4 or Hoxhunt to run quarterly simulated phishing — measure click rates, train repeat clickers individually.

How to spot suspicious messages

In 2026, look at structure, not language quality:

  • Sender domain. Hover the name. support@arnazon-help.com and notifications@rnicrosoft.com (using rn instead of m) are typo-squatted lookalikes.
  • Reply-to mismatch. The visible "From" says your bank; "Reply-To" goes to a Gmail address.
  • Unexpected urgency or authority. "Your CEO needs you to wire $40K in the next hour." Real CEOs do not request wire transfers via email. Always verify out-of-band — call, ping on Slack.
  • Unusual request from a known sender. A vendor suddenly asking you to update payment details to a new bank account. Verify by phone using a number you already have, not the one in the email.
  • Link preview vs landing. Hover the link. The displayed URL and the actual destination should match. On mobile, long-press to preview.
  • Attachments you did not request. Especially .zip, .iso, .htm, .docm. Open in a sandboxed viewer (Google Drive preview, Microsoft 365 Safe Attachments) — never download blindly.
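The structural checks in this list (lookalike sender domain, Reply-To mismatch, displayed link versus real destination, risky attachment types) can be automated for triage. The following is an added example, not code from the original post, that runs those checks over a raw message using only the Python standard library. The sample messages, the domains in them and the list of "protected" brand domains are constructed for the example; the `rn`-for-`m` style confusable table is the same trick the bullet above describes.

```python
"""Structural phishing triage of a raw RFC 822 message (example code)."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the organisation expects mail from (constructed list; add your vendors).
PROTECTED_DOMAINS = ("microsoft.com", "microsoftonline.com", "amazon.com", "google.com", "okta.com")
RISKY_EXTENSIONS = (".zip", ".iso", ".htm", ".html", ".docm")
# Character sequences that render nearly identically in common fonts.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

# Constructed sample phishing message; every domain in it is made up.
SAMPLE_PHISH = """\
From: "Microsoft Account Team" <notifications@rnicrosoft.com>
Reply-To: billing.help2026@gmail.com
To: finance@example.com
Subject: Action required: unusual sign-in
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>We detected an unusual sign-in.</p>
<p><a href="https://login.arnazon-help.com/verify">https://login.microsoftonline.com</a></p>
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed benign message for comparison.
SAMPLE_CLEAN = """\
From: "Accounts Payable" <ap@example.com>
To: finance@example.com
Subject: March statement
Content-Type: text/plain; charset="utf-8"

Statement attached to the portal as usual.
"""


def skeleton(label):
    """Collapse confusable sequences so 'rnicrosoft' and 'microsoft' compare equal."""
    s = label.lower()
    for seq, canon in CONFUSABLES:
        s = s.replace(seq, canon)
    return s


def lookalike_of(host):
    """Return the protected domain that `host` imitates, or None."""
    host = (host or "").lower()
    if any(host == p or host.endswith("." + p) for p in PROTECTED_DOMAINS):
        return None  # the genuine domain
    registrable = ".".join(host.split(".")[-2:])  # crude: ignores multi-part TLDs
    label = skeleton(registrable.split(".")[0])
    for p in PROTECTED_DOMAINS:
        if p.split(".")[0] in label:
            return p
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from HTML anchors."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_in_text(text):
    """If anchor text looks like a URL or hostname, return its host."""
    t = text.strip()
    if " " in t or "." not in t:
        return None
    return urlparse(t if "://" in t else "//" + t).hostname


def triage(raw):
    """Return a list of (code, detail) findings for a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_hdr = msg["From"]
    from_domain = from_hdr.addresses[0].domain.lower() if from_hdr and from_hdr.addresses else ""
    reply_hdr = msg["Reply-To"]
    if reply_hdr and reply_hdr.addresses:
        reply_domain = reply_hdr.addresses[0].domain.lower()
        if reply_domain != from_domain:
            findings.append(("REPLY_TO_MISMATCH", f"From {from_domain} but replies go to {reply_domain}"))
    brand = lookalike_of(from_domain)
    if brand:
        findings.append(("LOOKALIKE_SENDER", f"{from_domain} imitates {brand}"))
    for part in msg.walk():
        if part.is_attachment():
            name = (part.get_filename() or "").lower()
            if name.endswith(RISKY_EXTENSIONS):
                findings.append(("RISKY_ATTACHMENT", name))
        elif part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                href_host, shown = urlparse(href).hostname, host_in_text(text)
                if shown and href_host and shown.lower() != href_host.lower():
                    findings.append(("LINK_TEXT_MISMATCH", f"shows {shown}, goes to {href_host}"))
                brand = lookalike_of(href_host)
                if brand:
                    findings.append(("LOOKALIKE_LINK", f"{href_host} imitates {brand}"))
    return findings


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_PHISH):
        print(code, "-", detail)
```

The sample message trips all five checks; the benign one trips none. The confusable table and the two-label "registrable domain" shortcut are deliberately simple, so expect some false positives on legitimate multi-part TLDs and tune the protected list to the senders your organisation actually deals with.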

How phishing actually works

Phishing is social engineering wearing a technical mask. The attacker impersonates a trusted entity — a bank, vendor, colleague, IT department — to extract credentials, payment, or action.

The mechanics in 2026 typically chain:

  1. Reconnaissance. Scrape LinkedIn for org chart and titles. Pull recent breach data. Identify the target's vendor relationships.
  2. Lure. Generate a fluent, contextual email using an LLM. Reference real names, real projects, real internal tooling.
  3. Landing page. A pixel-perfect clone of Microsoft 365, Google, Okta, the bank login. Hosted on a typo-squatted or recently-registered domain. Sometimes served through a reverse-proxy phishing kit (EvilProxy, Tycoon 2FA) that sits between the victim and the real site, relays the password and MFA step in real time, and captures the resulting session cookie.
  4. Action. Credentials harvested, session token stolen, malicious OAuth app authorized, wire transfer initiated.

The real-time MFA bypass step is why passkeys and hardware keys matter: the browser binds the signed assertion to the origin and RP ID it is actually on, so an assertion produced on the proxy's domain fails verification at the legitimate site. A reverse-proxy phishing kit cannot replay a passkey assertion.
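To make the domain-binding claim concrete, the following added example (not from the original post) implements the relying-party checks from the WebAuthn assertion verification procedure that enforce it: ceremony type, challenge, `origin` in `clientDataJSON`, and the `rpIdHash` that opens `authenticatorData`. The RP ID, origins and challenge are constructed; the final signature check over `authenticatorData || SHA-256(clientDataJSON)` is named but not implemented because it needs an ECDSA library, and the binding checks shown here already run before it.

```python
"""WebAuthn domain-binding checks on the relying-party side (example code)."""
import base64
import hashlib
import json
import secrets

RP_ID = "login.example.com"                    # constructed relying-party ID
ALLOWED_ORIGINS = {"https://login.example.com"}  # constructed legitimate origin


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin, challenge):
    """clientDataJSON as the browser builds it for navigator.credentials.get().
    The browser, not the page, fills in `origin` with the site it is really on."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()


def make_authenticator_data(rp_id, counter=1):
    """authenticatorData: SHA-256(rpId) || flags (UP set) || 4-byte signature counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + counter.to_bytes(4, "big")


def verify_assertion(client_data_json, authenticator_data, expected_challenge):
    """Return (ok, reason). Implements the type/challenge/origin/rpIdHash/UP checks;
    the signature over authenticator_data || SHA-256(client_data_json) would follow."""
    try:
        client = json.loads(client_data_json)
        challenge = b64url_decode(client.get("challenge", ""))
    except (ValueError, TypeError):
        return False, "clientDataJSON is malformed"
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not secrets.compare_digest(challenge, expected_challenge):
        return False, "challenge does not match the one we issued"
    if client.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {client.get('origin')!r} is not the legitimate site"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if not secrets.compare_digest(authenticator_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash does not match our RP ID"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "domain binding checks passed; signature verification would follow"


def legitimate_login(challenge):
    """User is really on the RP's site: origin and rpId both match."""
    return verify_assertion(make_client_data("https://login.example.com", challenge),
                            make_authenticator_data("login.example.com"), challenge)


def proxied_login(challenge):
    """User is on a reverse proxy's lookalike domain (constructed). The browser binds the
    assertion to that domain, and because the signature also covers SHA-256(clientDataJSON),
    the proxy cannot edit the origin field on the way through either."""
    return verify_assertion(make_client_data("https://login.example-com-verify.net", challenge),
                            make_authenticator_data("login.example-com-verify.net"), challenge)


if __name__ == "__main__":
    issued = secrets.token_bytes(32)
    print("legitimate:", legitimate_login(issued))
    print("proxied:   ", proxied_login(issued))
```

Compare this with a TOTP code, which carries no information about where it was typed: the proxy forwards it and the real site accepts it. A passkey assertion names the origin and RP ID inside the signed data, which is exactly what the relying party rejects here.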

Common phishing patterns to know

  • Business Email Compromise (BEC) / CEO fraud. Attacker impersonates an executive and asks finance to wire money or change payroll. Highest-cost category — FBI IC3 reports BEC losses in the billions annually.
  • Vendor email compromise. Attacker takes over a real vendor's mailbox and asks your AP team to update banking details for upcoming invoices. Hardest to spot because the email is genuinely from a real person you trust.
  • Spear phishing. Highly targeted, researched attack on one person — often an admin, exec, or developer with privileged access.
  • Whaling. Spear phishing aimed at C-level. Often legal-themed ("subpoena", "regulatory filing").
  • Smishing and vishing. SMS and voice phishing. Voice cloning of executives is now a viable attack — verify any unusual voice request via a second channel.
  • Quishing. QR codes in emails or printed materials linking to phishing sites. Bypasses email link scanners because the URL is in an image.
  • OAuth consent phishing. Attacker tricks the user into authorizing a malicious third-party app to read mail or files — no password needed, MFA does not help.

Tools that actually move the needle

In rough priority order for a small-to-mid business:

Layer | Pick | Why
--- | --- | ---
MFA | YubiKey 5 series + 1Password / Authy backup | Hardware key is phishing-resistant; app fills in for personal accounts
Passwords | 1Password Business or Bitwarden | Eliminates reuse, surfaces breaches, shared vaults for teams
Email auth | DMARC at p=reject, plus SPF + DKIM | Stops spoofing of your own domain
Email gateway | Microsoft 365 Defender / Google Workspace + Abnormal Security | Catches modern lures the built-in filters miss
Endpoint | Microsoft Defender for Business / CrowdStrike Falcon Go | Blocks the malware payload if a user clicks
Training | KnowBe4 or Hoxhunt | Quarterly simulated phishing, individual coaching for clickers
Browser | Chrome Enhanced Safe Browsing on by policy | Free, blocks known phishing in real time
File sharing | Bitwarden Send / 1Password Send | Replace email attachments with expiring links

Skip the cheap antivirus — modern endpoint protection (Defender for Business, CrowdStrike, SentinelOne) covers AV and more for similar money.


Worried about your business security posture? Get my free security audit — I'll review your email auth, MFA setup and biggest exposures.
