Phishing year in review.
What phishing tactics worked this year, what got old, and what to train your team on for next year. A quick annual review.
Phishing evolves every year. The attacks that worked three years ago fail today. The attacks that'll work next year are already being tested. Here's what the trailing twelve months taught us about phishing against small and mid-sized businesses, and what to train on next.
What landed hardest this year
- AI-generated phishing — grammatically perfect, locally-aware, personalized. The old 'spot the typos' advice stopped working.
- MFA fatigue — attackers with leaked passwords spamming approve prompts until users tapped yes.
- QR-based phishing (quishing) — bypassing every email filter by embedding a phish as an image.
- Vendor email compromise — real vendor inboxes sending real-looking invoices with changed banking.
- Deepfake audio — still rare but growing fast, particularly against finance teams.
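The MFA-fatigue item above is the one on this list that leaves a clean trail in identity-provider logs: a legitimate sign-in needs one push prompt, while an attacker replaying a leaked password generates a burst of prompts that the user denies or ignores until one gets approved. The detection below is an added example written for this post, not code from the original article; the event names (push_sent, push_denied, push_timeout, push_approved) and the sample log lines are constructed and assumed, so map them to whatever your provider actually emits.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of push-MFA events from an identity provider (not real
# logs). One event per line: timestamp, user, event type, source IP.
# "alice" is hammered with prompts at 2 a.m. and finally approves one;
# "bob" gets a single prompt during a normal morning sign-in.
SAMPLE_EVENTS = """\
2024-03-04T02:11:05Z alice push_sent 203.0.113.7
2024-03-04T02:11:09Z alice push_denied 203.0.113.7
2024-03-04T02:12:10Z alice push_sent 203.0.113.7
2024-03-04T02:12:40Z alice push_timeout 203.0.113.7
2024-03-04T02:13:20Z alice push_sent 203.0.113.7
2024-03-04T02:13:24Z alice push_denied 203.0.113.7
2024-03-04T02:14:30Z alice push_sent 203.0.113.7
2024-03-04T02:15:00Z alice push_timeout 203.0.113.7
2024-03-04T02:15:45Z alice push_sent 203.0.113.7
2024-03-04T02:16:15Z alice push_timeout 203.0.113.7
2024-03-04T02:17:00Z alice push_sent 203.0.113.7
2024-03-04T02:19:02Z alice push_approved 203.0.113.7
2024-03-04T09:00:01Z bob push_sent 198.51.100.4
2024-03-04T09:00:05Z bob push_approved 198.51.100.4
"""


def parse_events(text):
    """Parse the whitespace-separated event lines into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "event": event,
            "ip": ip,
        })
    return events


def detect_push_fatigue(events, window_minutes=10, threshold=5):
    """Flag users who received `threshold` or more push prompts inside a
    sliding window, and record whether an approval followed that burst.

    A legitimate user needs one prompt per sign-in; a burst of prompts for
    the same account means someone holding the password is retrying until
    the user gives up. An approval after the burst is the case to page on.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # user -> timestamps of push_sent in window
    alerts = {}                   # user -> alert record

    for ev in sorted(events, key=lambda e: e["ts"]):
        user, q = ev["user"], recent[ev["user"]]
        if ev["event"] == "push_sent":
            q.append(ev["ts"])
            # Drop prompts that have aged out of the window.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(user, {
                    "user": user,
                    "burst_start": q[0],
                    "prompts": 0,
                    "approved_after_burst": False,
                    "source_ips": set(),
                })
                alert["prompts"] = max(alert["prompts"], len(q))
                alert["source_ips"].add(ev["ip"])
        elif ev["event"] == "push_approved" and user in alerts:
            # Approval within the window of the last prompt of a flagged burst:
            # treat the session as compromised until the user confirms otherwise.
            if q and ev["ts"] - q[-1] <= window:
                alerts[user]["approved_after_burst"] = True

    return sorted(alerts.values(), key=lambda a: a["user"])


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_events(SAMPLE_EVENTS)):
        status = "APPROVED after burst" if alert["approved_after_burst"] else "no approval"
        print(f"{alert['user']}: {alert['prompts']} prompts from "
              f"{sorted(alert['source_ips'])} starting {alert['burst_start']} - {status}")
```

On the constructed sample this flags alice (six prompts in under ten minutes, then an approval) and stays silent on bob. The threshold and window are the two knobs to tune against your own baseline; the response to a flagged approval is the same one the training list below recommends: treat the unsolicited prompts as a sign the password is already compromised, reset it, and revoke the session.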
What fell off
Obvious misspellings, 'Nigerian prince' style scams, and clumsy domain spoofing are basically gone — filters catch them and so do humans. Generic mass phishing with misspelled domains has dropped to a trickle. Attackers moved up the food chain.
Two year-defining incidents
“A CFO at a small services firm approved a wire based on a voicemail that sounded exactly like the CEO.”
Red flag: Voice was cloned from a podcast interview. The policy of 'voice is not authorization' wasn't in place. $180K gone.
“An ops manager clicked a QR code in an email claiming to be a Microsoft MFA reset.”
Red flag: Landed on a credential harvester on her personal phone — no EDR, no URL filtering. Credentials and MFA token captured.
Training priorities for the coming year
- Assume every phishing email looks legitimate — no more 'spot the typo' training.
- Code words for financial authorizations — voice is no longer verification.
- QR code skepticism — preview URLs, never scan for logins.
- MFA fatigue awareness — unsolicited prompts = compromise.
- Verbal callback for banking changes, always.
Refresh training yearly.
An annual 30-minute team session on what's new keeps your team's instincts current. We run these for clients.
1. Update phishing training content — retire the 'spot the typos' slide.
2. Roll out code words for financial authorizations.
3. Train teams on AI-generated phishing, quishing, and MFA fatigue.
4. Review your phishing simulation provider — are their templates current?
5. Schedule the annual refresh for the same time every year.
Want help securing your business?
Schedule a quick security review with our team. 15 minutes, no sales pressure — walk away knowing exactly where your gaps are.