Phishing is still the number one way attackers get in
Part of our guide: Phishing, scams & account security
Year after year, the same finding shows up in breach reports: phishing is the most common way attackers gain their first foothold. Not zero-day exploits, not exotic malware — a convincing email and a busy person. Understanding why it works, the forms it now takes, and what actually moves the needle is one of the highest-return things a business can do for its security.
Why phishing keeps working
Phishing works because it targets people, not technology. A well-crafted message creates urgency — a fake invoice, a password-expiry warning, a note that looks like it’s from a manager — and urgency makes people skip the careful checks they would normally make.
Attackers have also raised their game. Modern phishing emails are well written, copy real branding, and increasingly use information scraped from social media to feel personal. AI tooling has made flawless, tailored messages cheap to produce at scale — the era of obvious typos and broken English is largely over. Our piece on AI-powered scams and deepfakes covers where this is heading.
It’s not just email anymore
“Phishing” now spans several channels, and your team should recognize all of them:
- Spear phishing — a targeted message aimed at a specific person, often referencing real colleagues, projects, or vendors to seem legitimate.
- Business email compromise — a request to move money or change banking details from a “trusted” sender. It’s the most expensive form; see our guide to business email compromise.
- Smishing — phishing by SMS, like a fake delivery or bank-fraud text. The same playbook drives bank impersonator scams.
- Vishing — phishing by phone, where a caller poses as IT support or your bank to talk you into credentials or access.
- Quishing — a QR code that leads to a malicious site, slipping past defences that only scan links.
- MFA-fatigue and adversary-in-the-middle — newer tactics that try to defeat multi-factor authentication by spamming approval prompts or proxying a real login page to steal the session.
What it looks like
An employee gets an email that appears to come from Microsoft: their password is expiring, click to keep their account active. The page looks exactly right, so they sign in. Nothing seems to happen — but the attacker now has the password, and on a poorly protected account, a way in. From there they read the inbox, learn how the business talks about money, and set up a quiet inbox rule to hide their tracks while they plan a fraudulent payment. One click, weeks of exposure. This is also how many ransomware attacks begin — see how attackers break into small businesses.
What actually reduces the risk
No single control stops phishing — but layered together, these make a real difference:
- Multi-factor authentication (MFA). If a password is stolen, MFA can stop it from being useful. This is the highest-impact change most businesses can make; our guide on how to roll out MFA walks through it. Favour phishing-resistant methods over simple approval prompts where you can.
- Email filtering. Good filtering catches a large share of malicious messages before anyone sees them.
- Regular, realistic training. Short, frequent training — including simulated phishing — keeps awareness high without overwhelming staff.
- Endpoint detection. When a link does get clicked, detection and response can catch what happens next, before it becomes a breach.
- A clear reporting path. Make it easy for staff to report suspicious emails, and thank them when they do. A reported phish is an early warning — and the response should be blameless, so people speak up fast.
The signs to teach
Train staff to slow down when a message shows the classic tells:
- Urgency or threats — “act now or your account will be closed.”
- A request for credentials, payment, or a banking-detail change.
- A link or QR code that doesn’t match the supposed sender (hover before clicking).
- An unusual sender address hiding behind a familiar display name.
- Anything out of process — a request to skip the normal approvals “just this once.”
When in doubt, don’t use the link or number in the message — go to the site directly or call a known number. If someone has already clicked, our guide on what to do after a phishing click covers the first hour. Suspected scams can also be reported to the Canadian Anti-Fraud Centre.
Assume some will get through
Even with strong controls, some phishing will succeed — so the goal is also to limit the damage when it does. That means monitoring for unusual activity, being able to isolate a compromised account or device quickly, watching for stolen credentials surfacing on the dark web, and having a response plan ready before you need it.
That combination — reducing what gets through and containing what does — is the core of what a managed security service provides.
Want help tightening your defences against phishing? Get in touch — we’re happy to talk it through.