These days, phishing isn’t always loud and obvious; it’s often quiet, targeted, and designed to slip right through the cracks. And phishing emails are no longer just about stealing passwords; they’re designed to compromise inboxes, hijack conversations, and redirect money through highly convincing social engineering.
These are the emails that lead to Business Email Compromise (BEC), and they’re getting smarter every month.
AI-crafted phishing emails are making detection much harder. They sound natural, reference real people, and can mimic your tone of voice.
Attackers lurk before acting. Once inbox access is gained, they monitor real threads before stepping in, often posing as senior staff or suppliers.
These emails rarely contain links. Instead, they rely on trust and urgency, making them harder for traditional filters to catch.
A Manchester-based legal firm’s finance assistant received a reply to a real email thread with a supplier. The sender (actually a criminal using a lookalike domain) asked to “update payment details.” The language was polite, natural, and not rushed.
The email:
Referenced recent work completed
Used an exact signature, with the right contact photo
Contained no links — just a new invoice PDF and a request for payment
The £42,000 payment went through before anyone spotted the fraud.
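A link-free message like this one can still be held for call-back verification on two signals from the case above: a sender domain that is a near miss of a known supplier's domain, and a request to change payment details. The sketch below is an added example, not tooling described in this post; the supplier domain, allow-list, wording pattern and sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: domains of suppliers the firm already pays.
KNOWN_DOMAINS = {"northgate-supplies.example"}

# Assumed wording pattern for a payment-details change request.
PAYMENT_CHANGE = re.compile(
    r"\b(update[ds]?|new|change[ds]?)\b.{0,40}\b(bank|payment|account)\s+details\b",
    re.IGNORECASE | re.DOTALL,
)

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(raw, known=KNOWN_DOMAINS, max_distance=2):
    """Return reasons to hold a message for call-back verification."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reasons = []
    if domain not in known:
        # Unknown domain within a couple of edits of a known one: lookalike.
        near = [k for k in sorted(known) if edit_distance(domain, k) <= max_distance]
        reasons += [f"lookalike-domain:{domain}~{k}" for k in near]
    body = "".join(p.get_payload() for p in msg.walk()
                   if p.get_content_type() == "text/plain")
    if PAYMENT_CHANGE.search(body):
        reasons.append("payment-details-change")
    return reasons

# Constructed sample modelled on the case above: a thread reply with no links.
SAMPLE = (
    "From: Accounts <accounts@northgate-suplies.example>\n"
    "Subject: Re: Invoice for March work\n"
    "In-Reply-To: <constructed-id@northgate-supplies.example>\n"
    "\n"
    "Thanks for confirming the March work. Could you please update payment details\n"
    "for the attached invoice before the next payment run?\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A payment-details request from the genuine domain is still returned as a reason, since an attacker with inbox access can send from the real account.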
If you’d like us to run a phishing simulation for your team or review a suspicious message you’ve received, just let us know.
👉 Email [email protected] or reach out to your account manager.