Most business owners feel reasonably confident they could spot a phishing attempt.
We have all seen the obvious ones. Poor spelling. Strange email addresses. Messages claiming to be from a courier about a parcel you never ordered. For a long time, phishing relied on volume rather than quality. Attackers cast the net wide and hoped someone would click.
Phishing itself isn’t new, but the tactics used against small and mid-sized businesses today are far more convincing: personalised, targeted at specific roles and processes, and often impossible to dismiss at a glance.
From obvious scams to believable deception
Traditional phishing emails were relatively easy to identify. They often included:
- Fake banking alerts asking you to “verify” details
- Suspicious invoice links
- Password reset requests you did not initiate
- Generic messages addressed to “Dear Customer”
Fortunately, awareness training and better email security tools mean most teams now spot those red flags. The challenge is that attackers adapt their skills and toolsets just as quickly.
Today’s phishing attempts are often well-written and relevant to your business. They may reference real suppliers, genuine projects or ongoing conversations. In some cases, they originate from accounts that have already been compromised within a trusted partner organisation. Spotting a scam is now less about catching obvious errors and more about noticing subtle inconsistencies in an otherwise normal-looking message.
The rise of AI-written phishing
One of the biggest shifts we are seeing is the use of AI to craft phishing emails. An email that once looked suspicious can now read almost exactly like a colleague or supplier, with the same tone and urgency.
For busy directors, finance teams and office managers juggling multiple responsibilities, the line between legitimate and malicious is increasingly blurred, and a convincing message is far more likely to be acted on before anyone questions it.
Vendor impersonation and supply chain risk
Another evolving tactic is vendor impersonation. Rather than pretending to be your bank, attackers increasingly impersonate organisations you already trust. That might be your accountant, HR system supplier, or even a member of your own finance team.
In some cases, the attacker compromises one business and then uses that legitimate email account to target its clients. The message looks real because, technically, it is coming from a real address: it is sent through the supplier’s own mail system, so the email authentication checks your filters rely on (SPF, DKIM and DMARC) all pass, and nothing about the sender looks wrong.
This is where third party risk becomes very real for SMEs.
You might think you have strong security internally. You might have multi-factor authentication in place. You might run regular updates. But if a supplier in your chain is breached and used as a gateway, you are still exposed.
Many business owners believe, understandably, that their company is too small to be targeted. In reality, smaller businesses are often seen as accessible entry points into larger networks. It’s not always about the most recognisable name, but more about the easiest route.
Business email compromise
One of the most concerning developments in phishing is Business Email Compromise (BEC).
In these cases, attackers gain access to a genuine email account, often through an earlier phishing attempt. Instead of acting immediately, they monitor conversations and learn how your business operates. They see who approves payments, how invoices are handled and how suppliers communicate.
At the right moment, they step in. They reply to an existing email thread, perhaps asking for updated bank details or an urgent payment, with no suspicious link and no obvious error. From the outside, it looks like normal business activity.
For growing organisations without dedicated security oversight, this can be extremely difficult to detect. And because it often targets finance processes directly, the impact can be immediate. This goes beyond clicking the wrong link; it comes down to exploited trust and routine.
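Because a hijacked reply passes email authentication and contains no link or malware, filters that look for those signals will not stop it. The practical control is to treat any request that changes where money goes as an event that needs review, regardless of who it appears to come from, and then confirm it with the supplier through a phone number you already hold, not one given in the email. The script below is an added illustration of that triage logic, written for this article rather than taken from it or from any vendor product. The message records, the keyword lists and the `auth_pass` field (standing in for a parsed Authentication-Results header) are all constructed assumptions. It covers both the compromised-supplier case above and the in-thread BEC request: note that the most dangerous message is the one that passes every technical check.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Phrases that indicate a change to where money is sent. These lists are an
# assumption for this example; tune them to your own finance vocabulary.
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated?|changed?|amended?)\b[^.]{0,60}?\b(bank|account|sort code|iban|payment details)\b",
    re.IGNORECASE,
)
URGENCY = re.compile(r"\b(urgent(ly)?|today|asap|immediately|by close of business)\b", re.IGNORECASE)


@dataclass
class Mail:
    """Simplified message metadata (constructed; not a real mail API object)."""
    msg_id: str
    sender: str
    subject: str
    body: str
    in_reply_to: Optional[str] = None
    # True when the Authentication-Results header reported SPF, DKIM and DMARC as pass.
    auth_pass: bool = True


def review_reasons(mail: Mail, seen_ids: set) -> list:
    """Return the reasons a message should be held for human review (empty if none)."""
    reasons = []
    in_thread = mail.in_reply_to in seen_ids
    if PAYMENT_CHANGE.search(mail.body):
        reasons.append("requests a change of payment details")
        if in_thread:
            reasons.append("arrived as a reply inside an established thread")
        if URGENCY.search(mail.body):
            reasons.append("applies time pressure")
        if mail.auth_pass:
            # Authentication passing is not reassuring here: a genuine but
            # compromised supplier mailbox passes every check.
            reasons.append("passed email authentication, so the sending account itself may be compromised")
    if not mail.auth_pass:
        reasons.append("failed SPF/DKIM/DMARC")
    return reasons


def triage(mails: list) -> dict:
    """Walk messages in arrival order and map flagged message IDs to their reasons."""
    seen = set()
    flagged = {}
    for m in mails:
        reasons = review_reasons(m, seen)
        if reasons:
            flagged[m.msg_id] = reasons
        seen.add(m.msg_id)
    return flagged


# Constructed sample thread: a normal invoice exchange, then a hijacked reply
# from the supplier's real (compromised) mailbox, then a crude lookalike-domain attempt.
SAMPLE = [
    Mail("m1", "accounts@supplier.example", "Invoice 4471",
         "Please find attached invoice 4471, due in 30 days."),
    Mail("m2", "finance@ourfirm.example", "RE: Invoice 4471",
         "Thanks, approved for payment on the usual terms.", in_reply_to="m1"),
    Mail("m3", "accounts@supplier.example", "RE: Invoice 4471",
         "Quick one - we have updated our bank details following an audit. "
         "Please use the new account below and pay today if possible.", in_reply_to="m2"),
    Mail("m4", "accounts@supp1ier.example", "Invoice 4471",
         "Please pay to our new bank account.", auth_pass=False),
]

if __name__ == "__main__":
    for msg_id, reasons in triage(SAMPLE).items():
        print(msg_id, "->", "; ".join(reasons))
```

Running it flags m3 (the in-thread BEC request) and m4 (the lookalike domain), and leaves the two routine messages alone. The point of the output is the order of concern: m4 fails authentication and is the kind of message existing filters already catch, while m3 passes everything and can only be stopped by the review-and-call-back step this logic feeds into.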
The real impact on your business
It is easy to think of phishing as just an email problem. In reality, the consequences can be far wider.
A successful phishing attack can lead to fraudulent payments, unauthorised access to sensitive data, or ransomware being introduced into your systems. That can result in downtime, disruption to client service and a significant drain on internal resources while the issue is investigated and resolved.
There’s also the reputational impact. Clients need your capability, but they also need to know their information is safe with you. In sectors such as professional services, finance and consultancy, trust is fundamental. A breach can undermine that confidence overnight.
And then there is the human impact. When an incident occurs, directors question processes. Teams feel embarrassed or anxious. Internal trust can take a hit.
Most cyber incidents are not caused by incompetence. They are caused by increasingly sophisticated tactics that are designed to catch good people out.
Outsourcing the complexity and the stress
This is where having the right IT partner matters.
Cybersecurity can’t just be bolted on. It should be a fundamental part of your business foundations, with configuration, monitoring, testing and improvements continually optimised. It requires understanding how email systems, identity management, user permissions and supplier access all interact.
For many growing businesses, that level of oversight is simply not realistic to manage internally alongside day-to-day operations.
Working with a trusted managed service provider means outsourcing not just the technology, but the complexity and stress that comes with it.
At Confidence IT, our approach is proactive rather than reactive. That includes properly configuring Microsoft 365 security settings, implementing sensible MFA policies, monitoring for unusual behaviour and supporting teams with practical, jargon-free awareness training. It also means taking ownership when something does not look right, so you are not left navigating an incident alone.
We deliberately manage fewer endpoints so we can provide a higher level of service and attention. That focus allows us to understand how each client operates, who their key suppliers are and where potential risks may sit.
Most importantly, it is about partnership.
Phishing is evolving. So should your protection.
Phishing will continue to change with new convincing tactics and technology. That’s a given. The good news is that with the right layers of protection in place, the risk can be significantly reduced without you needing to become a cybersecurity expert yourself. But you do need to ensure someone is taking responsibility for it.
If you would like an honest, straightforward conversation about how well protected your business really is, our team is here to help. We’ll take the headache out of managing your IT systems, we won’t bombard you with jargon or scare tactics, and we’ll let you get back to what you know best – running your business.