Phishing Emails Are Getting Smarter—Here’s How to Spot Them
- Encompass IT

- Aug 1

Phishing scams aren’t what they used to be. The days of poorly written emails from fake princes are long gone. Today’s attacks are slick, convincing, and often nearly identical to legitimate communications—making them harder for busy employees to spot.
For small and medium-sized businesses, phishing remains one of the biggest cyber threats. In fact, over 90% of breaches begin with a phishing email.
Here’s how modern phishing scams work, real examples of what we’re seeing locally, and practical tips to protect your business.
Recent Phishing Tactics We’re Seeing in Small Businesses
1. CEO Impersonation (Business Email Compromise)
A recent example we caught: An email appeared to come from a company’s CEO requesting a wire transfer to a vendor.
The email address was off by just one letter.
The tone matched the CEO’s typical writing style.
It was marked “urgent” to pressure the recipient into acting fast.
How to spot it: Always verify payment requests in person or via a known phone number—never just by email.
2. Microsoft 365 Login Page Spoof
We’ve seen phishing emails disguised as “unusual login activity” alerts from Microsoft. Clicking the link takes the user to a fake login page that looks identical to the real thing.
These pages steal your username and password in seconds.
How to spot it: Check the URL. Microsoft login pages always start with https://login.microsoftonline.com. Anything else is fake.
3. Fake Invoices from Known Vendors
Attackers are spoofing vendors that companies regularly work with.
The invoice looks legitimate, but the payment details have been changed to the attacker’s account.
How to spot it: Compare invoice details to past records and confirm payment details directly with the vendor before processing.
4. Direct Deposit Change Scam (Employee Impersonation)
We recently saw a case where attackers impersonated an employee and emailed the HR department requesting a direct deposit change.
The email used the employee’s full name, job title, and even copied their signature line.
If HR had processed the change without verifying, the next paycheck would have been routed to the attacker’s account.
How to spot it: Always verify payroll changes in person or over a verified phone number—never rely solely on email requests.
5. Package Delivery Notifications
Attackers send fake alerts from UPS, FedEx, or USPS claiming a package can’t be delivered without action.
The link directs the recipient to a malicious website or downloads malware.
How to spot it: Check tracking numbers directly on the carrier’s website—don’t click links in unsolicited emails.
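The address check from tactic 1 and the URL check from tactic 2 can also be automated; the Python below is an added example, not Encompass IT's own tooling. It flags a sender address that is one character away from a known one, and accepts a sign-in link only when its parsed hostname is exactly login.microsoftonline.com, because a lookalike host can begin with those same characters. The sender address and the sample URLs are constructed placeholders.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample values (assumptions, not taken from the article's cases).
KNOWN_SENDERS = {"pat.lee@example-corp.com"}   # addresses staff expect mail from
LOGIN_HOST = "login.microsoftonline.com"       # sign-in host named in the article


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_verdict(from_header: str, known=KNOWN_SENDERS, max_edits: int = 1) -> str:
    """Return 'known', 'lookalike' (near miss of a known address) or 'unknown'."""
    # parseaddr drops the display name, which the sender controls freely.
    address = parseaddr(from_header)[1].lower()
    if address in known:
        return "known"
    if address and any(edit_distance(address, k) <= max_edits for k in known):
        return "lookalike"
    return "unknown"


def is_expected_login_url(url: str, login_host: str = LOGIN_HOST) -> bool:
    """True only for an https URL whose parsed hostname is exactly login_host."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return False
    return parts.scheme == "https" and host == login_host


if __name__ == "__main__":
    for hdr in ('"Pat Lee" <pat.lee@example-corp.com>',
                '"Pat Lee" <pat.lee@examp1e-corp.com>'):
        print(sender_verdict(hdr), hdr)
    for url in ("https://login.microsoftonline.com/common/oauth2/authorize",
                "https://login.microsoftonline.com.signin-check.example/common"):
        print(is_expected_login_url(url), url)
```

A "lookalike" verdict is a prompt to verify by phone or in person, as described above, not proof of fraud on its own.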
How to Protect Your Business
Even the smartest employees can fall for a well-crafted phishing email. Protecting your business requires layers of defense:
Employee Training – Regular phishing simulations and awareness training.
Multi-Factor Authentication (MFA) – Even if passwords are stolen, MFA adds a security barrier.
Email Filtering & Security Tools – Block many phishing emails before they reach inboxes.
Incident Response Plan – Make sure your team knows what to do if someone clicks a suspicious link.
Bottom Line
Phishing isn’t going away—it’s evolving. The good news? With the right awareness and security measures, your business can dramatically reduce the risk.
If you’d like to test your team’s phishing awareness or strengthen your email security, Encompass IT can help. Book a discovery call today.





