
Phishing in 2026: The New Tactics Targeting Small Businesses

By Tobava Security Team  ·  May 1, 2026  ·  8 min read

The advice to "look for spelling mistakes" in phishing emails is outdated. AI-generated phishing messages are now grammatically flawless, contextually personalised, and in many cases indistinguishable from legitimate communication. Small businesses — which lack enterprise security budgets but often hold valuable client data and financial access — are the primary target.

This article describes the most effective phishing techniques being used against small businesses in 2026 and what you can do to defend against them.

Why Small Businesses Are the Target

Large enterprises have security operations centres, phishing simulation training, and email gateways that catch most attacks before they reach employees. Small businesses typically have none of these. They often use personal email accounts mixed with business ones, have no enforced password policies, and lack multi-factor authentication on critical systems.

At the same time, small businesses often have access to the things attackers want: business bank accounts, client payment details, supplier relationships that can be exploited for invoice fraud, and credentials to cloud services like accounting software and payroll systems.

Tactic 1: AI-Personalised Spear Phishing

Generic phishing — the "Dear Customer, your account has been compromised" email — is largely filtered out by modern spam detection. Attackers have moved to spear phishing: targeted messages crafted specifically for you, using information scraped from your LinkedIn profile, your company website, your publicly listed team members, and your recent social media posts.

In 2025 and 2026, AI tools have made this scalable. An attacker can feed your company's public information into a language model and generate hundreds of personalised emails. The email might reference a real client by name, mention a specific project you recently completed, or arrive from an email address that closely resembles one of your suppliers.

Real example: A small accounting firm received an email appearing to come from one of their regular clients, referencing an invoice number that matched their actual billing system. The email asked them to update the bank account details for future payments. The email address differed from the real client's by one letter. The firm changed the details and lost $34,000 before discovering the fraud.

Tactic 2: Adversary-in-the-Middle (AiTM) Proxy Attacks

Traditional phishing creates a fake login page that harvests your credentials. Adversary-in-the-middle (AiTM) attacks go further — they proxy your real login to the actual website in real time, capturing not just your password but your authenticated session token after you successfully log in.

This means these attacks bypass multi-factor authentication. You receive a real MFA code on your phone, enter it on what appears to be the real login page, and the attacker simultaneously uses that code to authenticate as you on the real site. They now have your session token — a valid login — that they can use from their own device.

Microsoft 365 and Google Workspace accounts are the primary targets, because access to these accounts unlocks email, file storage, and often billing and HR systems.
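Why a proxy that relays a one-time code succeeds while one that relays a security-key login fails comes down to what the second factor actually signs. The Python below is an added illustration written for this article, not code from Tobava or from any WebAuthn library: the signature is a stand-in (an HMAC secret shared with the server instead of the real key pair), the origins are constructed, and the relying-party checks are reduced to the ones that matter here. The relayed one-time code is accepted because nothing in it says where the user typed it; the relayed WebAuthn assertion is rejected because the browser wrote the proxy's origin into the signed clientData.

```python
import hashlib
import hmac
import json
import secrets

# Constructed origins for this illustration; neither is a real site.
REAL_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login.example-com.net"   # attacker's lookalike proxy


class Authenticator:
    """Stand-in for a hardware security key.

    Real keys sign with a private key; here an HMAC secret shared with the
    relying party plays that role (a labelled simplification). What matters
    is that the key signs the clientData the browser hands it, and the browser
    always writes the origin it is actually on into that clientData.
    """

    def __init__(self):
        self.cred_id = secrets.token_hex(8)
        self.secret = secrets.token_bytes(32)

    def sign(self, browser_origin, challenge):
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
            sort_keys=True,
        )
        digest = hashlib.sha256(client_data.encode()).digest()
        sig = hmac.new(self.secret, digest, hashlib.sha256).hexdigest()
        return client_data, sig


class RelyingParty:
    """The real login server: issues challenges, checks OTPs and assertions."""

    def __init__(self, origin):
        self.origin = origin
        self.registered = {}              # cred_id -> verification secret
        self.otp_seed = secrets.token_bytes(20)
        self.pending = set()              # challenges issued but not yet used

    def register(self, auth):
        self.registered[auth.cred_id] = auth.secret

    def challenge(self):
        c = secrets.token_hex(16)
        self.pending.add(c)
        return c

    def otp_for(self, step):
        """TOTP stand-in: phone and server share otp_seed, so both compute
        the same six digits for a given time step."""
        mac = hmac.new(self.otp_seed, step.to_bytes(8, "big"), hashlib.sha1).digest()
        return f"{int.from_bytes(mac[-4:], 'big') % 1_000_000:06d}"

    def verify_otp(self, code, step):
        # Nothing in the code says where the user typed it, so a relayed
        # code is indistinguishable from one typed on the real page.
        return hmac.compare_digest(code, self.otp_for(step))

    def verify_assertion(self, cred_id, client_data, sig):
        data = json.loads(client_data)
        if data.get("type") != "webauthn.get":
            return False
        if data.get("challenge") not in self.pending:
            return False
        if data.get("origin") != self.origin:
            # Origin binding: the signed clientData names the proxy, not us.
            return False
        secret = self.registered.get(cred_id)
        if secret is None:
            return False
        digest = hashlib.sha256(client_data.encode()).digest()
        expected = hmac.new(secret, digest, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False
        self.pending.discard(data["challenge"])
        return True


def otp_relay_attack():
    """User on the proxy page types the code from their phone; the proxy
    forwards it to the real server within the same time step."""
    rp = RelyingParty(REAL_ORIGIN)
    code_typed_on_proxy = rp.otp_for(step=42)      # what the phone displays
    return rp.verify_otp(code_typed_on_proxy, step=42)


def webauthn_relay_attack():
    """Same proxy, but the user taps a security key. The proxy fetches a
    genuine challenge and relays the signed assertion unchanged."""
    rp = RelyingParty(REAL_ORIGIN)
    key = Authenticator()
    rp.register(key)
    chal = rp.challenge()
    client_data, sig = key.sign(PROXY_ORIGIN, chal)  # browser is on the proxy
    return rp.verify_assertion(key.cred_id, client_data, sig)


def webauthn_legit_login():
    """Same key, same server, browser on the real origin."""
    rp = RelyingParty(REAL_ORIGIN)
    key = Authenticator()
    rp.register(key)
    chal = rp.challenge()
    client_data, sig = key.sign(REAL_ORIGIN, chal)
    return rp.verify_assertion(key.cred_id, client_data, sig)


if __name__ == "__main__":
    print("OTP relayed through proxy accepted:", otp_relay_attack())
    print("WebAuthn relayed through proxy accepted:", webauthn_relay_attack())
    print("WebAuthn on the real origin accepted:", webauthn_legit_login())
```

The origin check is the whole story: a proxy can forward bytes, but it cannot make the victim's browser claim to be on a domain it is not on, and it cannot re-sign the clientData without the key.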

Tactic 3: QR Code Phishing ("Quishing")

Email security scanners check URLs in email bodies. They cannot easily check the content of QR codes. Attackers have exploited this by embedding phishing URLs inside QR codes in emails, bypassing URL scanning entirely.

The email typically claims to be a security alert, a document share notification, or a package delivery confirmation — something that makes it plausible to scan a QR code. The code directs to a phishing page optimised for mobile, where people are more likely to miss visual security cues.

Tactic 4: Business Email Compromise (BEC) via Account Takeover

Business Email Compromise is not phishing in the traditional sense — no malicious link is involved. Instead, the attacker gains access to a legitimate email account (through credential stuffing, password reuse, or earlier phishing) and monitors the inbox silently for weeks or months.

When they see an email thread involving a payment, a property settlement, or a large invoice, they insert themselves into the conversation from the compromised account and redirect the payment. The victim is emailing what appears to be their real contact. The contact's email is real. The bank details are not.

Australian small businesses lose tens of millions of dollars annually to BEC fraud. The Australian Competition and Consumer Commission (ACCC) reported over $80 million in BEC losses in 2024 alone, with the real figure likely higher due to underreporting.

Tactic 5: Callback Phishing

Callback phishing emails do not contain links or attachments — just a phone number. The email claims to be a renewal notice, a subscription charge, or a support alert. It tells you to call a phone number if you want to cancel or dispute the charge.

When you call, you reach a fake "support agent" who guides you through installing remote access software, "verifying your identity" by sharing your screen, or providing banking credentials to "process the refund." Because the original email contained no malicious link or attachment, it passes most spam filters untouched.

What Actually Works Against These Attacks

Traditional advice — hover over links, check the sender address, look for spelling mistakes — is insufficient against modern phishing. Here is what actually provides protection:

  1. Phishing-resistant MFA. Hardware security keys (FIDO2/WebAuthn), such as a YubiKey or Google Titan Key, are resistant to AiTM attacks because the authentication is cryptographically bound to the legitimate website's domain. A phishing proxy cannot replay this authentication. SMS-based MFA and TOTP codes (like Google Authenticator) are not phishing-resistant.
  2. Verify payment instruction changes out-of-band. If you receive any email requesting a change to bank account details — no matter how legitimate it looks — call the person using a phone number you already have, not one in the email. This single habit prevents most BEC fraud.
  3. Separate email for financial communications. Use a dedicated email address for banking, accounting software, and payroll. This address is not on your website, not in email signatures, and not used for general correspondence. It gives attackers fewer opportunities to intercept financial threads.
  4. Email authentication (SPF, DKIM, DMARC). Properly configured SPF, DKIM and DMARC records stop attackers from sending mail that appears to come from your domain, and when the companies you work with publish them too, your mail system can reject messages that impersonate their domains. See our SPF, DKIM, and DMARC guide for setup instructions.
  5. Passkeys where available. Major platforms including Google, Microsoft, Apple, and many banks now support passkeys — a phishing-resistant alternative to passwords that cannot be intercepted by a proxy attack.
  6. Treat QR codes in unexpected emails as hostile. Legitimate services rarely require you to scan a QR code from an email. If you receive one unexpectedly, navigate to the service directly rather than scanning.
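To make point 4 concrete, the following Python audits the kind of SPF and DMARC TXT records a small business would publish and flags the settings that still leave spoofing possible. It is an added example, not code from the article or from Tobava: the records are constructed for an example domain, the mail-provider include is a placeholder, and the checks cover only the most common weak settings (SPF softfail, DMARC p=none, partial pct, no aggregate reports, too many DNS lookups).

```python
# Constructed DNS TXT records for an example domain; these are not real
# lookups and the mail-provider include is a placeholder.
WEAK = {
    "example.com": "v=spf1 include:_spf.mail-provider.example ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
HARDENED = {
    "example.com": "v=spf1 include:_spf.mail-provider.example -all",
    "_dmarc.example.com": (
        "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
        "rua=mailto:dmarc@example.com"
    ),
}

# Terms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Split an SPF record into its mechanisms and the qualifier on 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"                       # SPF's default qualifier
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append(qualifier + term)
    return {"mechanisms": mechanisms, "all": all_qualifier}


def spf_lookup_count(spf):
    """Count the terms that trigger DNS lookups during evaluation."""
    count = 0
    for term in spf["mechanisms"]:
        body = term.lstrip("+-~?").lower()
        name = body.split(":")[0].split("/")[0].split("=")[0]
        if name in LOOKUP_TERMS:
            count += 1
    return count


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def audit(records, domain):
    """Return a list of findings; an empty list means no weak setting found."""
    findings = []
    spf = parse_spf(records[domain])
    dmarc = parse_dmarc(records[f"_dmarc.{domain}"])

    if spf["all"] != "-":
        shown = f"{spf['all']}all" if spf["all"] else "no 'all' term"
        findings.append(
            f"SPF ends with {shown} rather than -all: mail from unlisted "
            "senders is softfailed or permitted instead of rejected"
        )
    if spf_lookup_count(spf) > 10:
        findings.append("SPF exceeds the 10-lookup limit; receivers return permerror")

    policy = dmarc.get("p", "none")
    if policy != "reject":
        findings.append(
            f"DMARC p={policy}: messages that fail authentication are still "
            "delivered (none) or only quarantined"
        )
    if dmarc.get("pct", "100") != "100":
        findings.append(f"DMARC pct={dmarc['pct']}: policy applies to only part of the mail")
    if "rua" not in dmarc:
        findings.append("DMARC has no rua= address: no aggregate reports, so spoofing goes unseen")
    return findings


if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}:")
        for finding in audit(records, "example.com") or ["no findings"]:
            print("  -", finding)
```

A p=none record is the common starting point because it only asks for reports; the protection described in point 4 arrives when the policy is moved to reject once the reports show all legitimate senders are aligned. DKIM key validity and alignment checks need live DNS and a signed message, so they are outside this offline example.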

If You Think You've Been Compromised

Speed matters. If you suspect your email account has been accessed or a fraudulent payment has been made:

Tobava Mail includes built-in phishing detection, link scanning, and encrypted storage. Learn about Tobava Mail →