Phishing in 2026: The 5 Emails That Fool Small Businesses
The scams that catch small offices aren't full of typos anymore. Here are the five that work, and the simple habit that stops all of them.
The classic phishing email—broken English, a foreign prince, an obvious junk address—is mostly gone. Today’s scams are clean, well-written, and often reference real details about your business. They work because they look exactly like the emails you get every day.
Small offices are a favourite target precisely because they rarely have a dedicated IT person watching. Here are the five that succeed most often, and what gives each one away.
1. The Fake Invoice
An email arrives with a PDF or a link: “Invoice #4471 – Payment Overdue.” It looks like a supplier you actually use. The goal is either to get you to pay a fraudulent account or to open an attachment that installs malware.
The tell: The bank details or “remit to” address changed from last time. Any supplier suddenly asking you to pay a new account deserves a phone call to a number you already have—never the one in the email.
2. The CEO / Owner Request
A message that appears to come from the business owner lands in an employee’s inbox: “Are you at your desk? I need you to grab some gift cards / send a wire—handle it quietly, I’m in a meeting.” It plays on authority and urgency.
The tell: Real urgency plus a request for secrecy plus an unusual payment method. No legitimate manager buys gift cards over email. When in doubt, walk over and ask, or call.
3. The Microsoft 365 “Password Expiring”
A polished email warns that your Microsoft password expires today and links to a login page that looks identical to the real one. Enter your password and the attacker now has your mailbox—and everything connected to it.
The tell: Hover over the link before clicking. The real Microsoft login lives on login.microsoftonline.com, never on some lookalike domain. Better still, never log in from an email link—open your browser and go directly.
4. The Shared Document
“John shared a document with you” via what looks like SharePoint, Google Drive, or DocuSign. The branding is perfect. The link leads to a fake login that harvests your credentials.
The tell: You weren’t expecting a document, or you don’t recognise the sender’s real address. Legitimate sharing shows up inside the actual app too—check there instead of clicking.
5. The MFA Fatigue Attack
This one is newer and nasty. An attacker who already has your password triggers a flood of multi-factor approval prompts to your phone, betting that you’ll tap “Approve” just to make them stop.
If you get an MFA prompt you didn’t ask for, that is not a glitch. It means someone already has your password and is standing at the door. Deny it, and change that password immediately.
The One Habit That Stops All Five
Every one of these attacks depends on you acting fast without checking. The single most effective defence isn’t a product—it’s a pause:
- Slow down on anything involving money, passwords, or urgency.
- Verify through a second channel—a phone call, a walk to someone’s desk—whenever a request feels off.
- Never log in from a link in an email. Type the address yourself.
Pair that habit with two technical safety nets—multi-factor authentication on every account, and a bit of staff awareness training—and the vast majority of phishing simply stops working.
If you’d like a straightforward review of how exposed your team’s email is, or a short training session your staff will actually remember, get in touch. We’ll keep it practical and jargon-free.