Email Phishing in 2026: The Attacks That Are Actually Fooling People

Forget everything you think you know about phishing. The Nigerian prince retired years ago. What replaced him is far more dangerous, and honestly? A lot more impressive from a technical standpoint.

I spent the last month reviewing phishing reports from businesses across Europe, and the sophistication of current attacks is genuinely unsettling. Let me walk you through what's actually landing in inboxes right now.

The Thread Hijack

This is the one that keeps me up at night. Attackers compromise one email account, then reply to existing conversation threads with malicious links. The recipient sees a reply from someone they've been talking to, in a conversation they recognise, and clicks without thinking.

One accounting firm lost £140,000 this way. The attacker jumped into a thread about an actual invoice, swapped the bank details, and the payment went out before anyone noticed.

AI-Generated Impersonation

The writing quality of phishing emails has gone through the roof. Attackers are using AI to mimic writing styles, match the tone of previous messages, and even reference real events. A phishing email from "your CEO" now sounds exactly like your CEO, right down to their habit of starting emails with "Quick one - ".

Grammar mistakes used to be the giveaway. That's gone. You can't rely on spotting bad English anymore.

The Fake Security Alert

These arrive disguised as legitimate warnings: "Unusual login detected," "Your password expires in 24 hours," "Action required: verify your identity." They're pixel-perfect copies of real notifications from Microsoft, Google, or your email provider.

The difference? The link goes to a credential harvesting page that looks identical to the real login screen. You type your password, the attacker captures it, and you get redirected to the real site so you never suspect anything happened.

What Actually Protects You

Training is important, but it's not enough when the attacks look this good. You need technical layers working for you:

SPF, DKIM, and DMARC - These three protocols verify that emails claiming to come from your domain actually come from your domain. Without them, anyone can send emails that appear to be from your address. With them, forged emails get rejected before they reach anyone.

Spam filtering at the server level - Good email hosting includes aggressive spam and phishing filters that analyse links, attachments, and sending patterns before messages reach your inbox.

Two-factor authentication - Even if an attacker captures your password, they can't get in without the second factor. This single feature prevents the vast majority of account compromises.

Email encryption - TLS encryption in transit means your messages can't be intercepted and read between servers.
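
An added example, not part of the original article: a check of whether a domain's published SPF and DMARC records actually instruct receivers to act on forged mail, since a record that exists but says `p=none` only monitors. The `.example` domains and records are constructed, the function names are my own, and nothing here queries DNS.

```python
# Added example: audits constructed TXT records; it performs no DNS lookups.

def parse_tags(record):
    """Split a DMARC 'tag=value; tag=value' record into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_dmarc(txt_records):
    """Return (verdict, findings) for the TXT records at _dmarc.<domain>."""
    found = [t for t in map(parse_tags, txt_records) if t.get("v") == "DMARC1"]
    if len(found) != 1:
        # RFC 7489: zero or multiple records means no DMARC policy is applied.
        return "unprotected", [f"{len(found)} DMARC records, need exactly 1"]
    tags = found[0]
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return "monitor-only", [f"p={policy or 'missing'}: failing mail is still delivered"]
    findings = []
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy covers only part of failing mail")
    if tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains can still be spoofed")
    return ("partial" if findings else "enforced"), findings

def audit_spf(txt_records):
    """Classify what the SPF record says about senders it does not list."""
    found = [r.lower().split() for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(found) != 1:
        return "invalid"      # none, or several (a permerror under RFC 7208)
    for term in found[0][1:]:
        if term.lstrip("+-~?") == "all":
            return {"-": "hardfail", "~": "softfail", "?": "neutral"}.get(term[0], "pass-all")
    return "neutral"          # no 'all' mechanism (redirect= is not followed here)

# Constructed sample records (placeholder domains, not real lookups).
SAMPLES = {
    "strict.example":  (["v=spf1 include:_spf.mail.example -all"],
                        ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"]),
    "monitor.example": (["v=spf1 mx ~all"], ["v=DMARC1; p=none"]),
    "rollout.example": (["v=spf1 mx -all"], ["v=DMARC1; p=quarantine; pct=25; sp=none"]),
    "bare.example":    ([], []),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLES.items():
        verdict, findings = audit_dmarc(dmarc)
        print(f"{domain}: SPF={audit_spf(spf)} DMARC={verdict} {findings}")
```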

The Human Element

Look, no system is perfect. But the gap between businesses with proper email infrastructure and those winging it with basic free email is enormous. It's the difference between having a security system and leaving your front door open with a "please don't rob me" sign.

The attacks will keep evolving. The question is whether your email setup evolves with them.