Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

C2 provides technology services and consultation to businesses and individuals.

T (818) 584 6021
Email: [email protected]

C2 Technology Partners, Inc.
26500 Agoura Rd, Ste 102-576, Calabasas, CA 91302


Why Your Team Clicked That Phishing Email (And What It Really Means)

Christopher Woo
Monday, 02 February 2026 / Published in data privacy

I need to tell you something that might make you uncomfortable: your employees aren’t stupid for clicking that phishing email. They’re human.

I’ve been doing this for 35 years, and I’ve watched the conversation around cybersecurity training evolve from “teach people to be more careful” to something far more honest. The problem isn’t your people. The problem is that the internet changed, and most business leaders don’t realize how much.

The Internet Used to Be Smaller

When I started in technology, the bad actors on the internet were relatively unsophisticated. You could spot a phishing email because it had terrible grammar, pixelated logos, and came from an email address like “[email protected].” Your team could learn to recognize red flags because they were obvious.

That world doesn’t exist anymore.

It’s Not Personal Anymore. It’s Like Radiation.

Cybersecurity threats used to be like someone specifically targeting you. Now, they’re more like radiation or pollution. You’re swimming in it constantly, and it’s affecting everyone simultaneously.

According to the FBI’s Internet Crime Report, Americans lost over $12.5 billion to cybercrime in 2023, a 22% increase from the previous year. What that number doesn’t capture: the sophistication of phishing attacks has increased even faster than the financial losses.

AI-powered phishing attacks now analyze your writing style from your social media posts. They know which vendors you work with because that information is publicly available. They can create emails that look exactly like internal communications because they’ve studied how your company writes.

Your employees are facing cybersecurity threats that would have fooled security professionals five years ago.

What Does This Mean for You?

If you’re a managing partner at a law firm or an accounting practice, you need to stop thinking about security awareness training as “teaching people not to click bad links.” That approach assumes the problem is user error. The actual problem is environmental.

Think about it this way: if someone gets sick from polluted water, you don’t just tell them to “be more careful about what they drink.” You acknowledge that the water supply has a problem, and you implement systems to address it.

The same logic applies to cybersecurity for professional services firms.

The Real Solution Isn’t Just Training

Don’t get me wrong. Employee cybersecurity training matters. Your team should know what modern phishing looks like. They should understand that requests for urgent wire transfers need verification. They should recognize that real IT support never asks for passwords via email.

But training alone won’t solve this, because phishing prevention challenges evolve faster than training programs can keep up.

According to Verizon’s Data Breach Investigations Report, 60% of breaches involved the human element, but that statistic is misleading. It makes it sound like humans are the weak link. The reality is that humans are the target because attackers know that sophisticated social engineering is more effective than trying to hack into security systems.

What Actually Works for Small Business Ransomware Protection

After three decades of watching this problem evolve, this is what I tell professional services firms:

Layer your defenses with multi-factor authentication. MFA isn’t fun. It’s annoying. Your team will complain about endpoint security solutions. Implement it anyway. Multi-factor authentication stops most attacks, even if someone clicks a phishing link, because the attacker still can’t get into your systems without that second factor.

Make reporting easy. The worst thing you can do is create an environment where people are afraid to admit they clicked something suspicious. I’ve seen security incidents that could have been contained in minutes turn into disasters because someone was too embarrassed to report what happened.

Accept that failures will happen. Technology fails. People make mistakes. If you expect perfection, you’re setting yourself up for catastrophe. Plan for the reality that someone will eventually click something they shouldn’t.

Use email filtering that actually works. Most professional services firms are using whatever spam filter came with their email service. That’s not enough anymore. Invest in advanced threat protection that can catch sophisticated phishing attempts before they reach your team’s inboxes.

The internet changed. Your security policy development needs to change with it. Not because your people aren’t smart enough, but because the phishing prevention challenges are designed by professionals whose full-time job is defeating security measures.

What does this mean for you? It means stop blaming your team and start building better endpoint security solutions. That’s how professional services firms actually stay secure in 2026.

Quick and Easy

AI-powered phishing attacks are too sophisticated for training alone to stop, so professional services firms need multi-factor authentication, advanced email filtering, and systems that assume someone will eventually click something suspicious. According to the FBI, cybercrime losses exceeded $12.5 billion in 2023, and your employees face threats from social engineers whose full-time job is to target them.

Tags: cybersecurity, phishing

AI Generated Phishing: Why Your Security Training Is Already Outdated

Christopher Woo
Tuesday, 27 January 2026 / Published in Woo on Tech

Remember when you could spot a phishing email because it had terrible grammar or came from a weird email address?

Those days are over.

Research from Hoxhunt showed that by March 2025, AI-generated phishing attacks had become more effective than those created by elite human security experts. The AI didn’t just catch up; it surpassed the best humans at social engineering.

Let that sink in. The people whose entire job is creating realistic phishing simulations to test your employees? AI is better at it than they are.

The Scale of the AI Phishing Problem

According to the World Economic Forum, phishing and social engineering attacks increased 42% in 2024. That was before AI really hit its stride.

The attacks aren’t just better written anymore. They’re contextual and arrive at the exact right time. They reference real projects, real people in your organization, and real deadlines.

Google’s 2026 forecast warns that attackers are using AI to create emails that are essentially indistinguishable from legitimate communication.

This is what that looks like in practice:

You receive an email from your CFO requesting an urgent invoice payment. It uses her exact writing style. It references the specific vendor you’ve been working with. It arrives right when you’d expect such a request. The email address looks right. The signature looks right. Everything looks right.

Except it’s not from your CFO. It’s from an AI that studied 50 of her previous emails and generated a perfect forgery.

Voice Cloning: The New Frontier

Email isn’t even the scariest part anymore.

A tech journalist recently demonstrated that she could clone her own voice using cheap AI tools and fool her bank’s phone system – both the automated system and a live agent – in a five-minute call.

Think about what that means for your business. Your CFO gets a call that sounds exactly like your CEO: voice, cadence, the way they clear their throat, everything. It’s asking for an urgent wire transfer for a time-sensitive deal.

How do you defend against that?

Why Traditional Phishing Training Fails Against AI

Your annual security training tells employees to look for:

  • Spelling and grammar errors (AI doesn’t make these mistakes)
  • Generic greetings (AI personalizes everything)
  • Suspicious sender addresses (AI uses compromised legitimate accounts)
  • Urgent requests (legitimate urgent requests also sound urgent)
  • Links that don’t match the display text (AI uses legitimate-looking domains)

Every single indicator you’ve trained people to watch for? AI bypasses them.

What Actually Works Against AI Generated Phishing

The old training about “look for spelling errors” is dead. Your employees need to understand that verification matters more than urgency.

Use this to protect you and your team:

Slow down when things feel urgent. Urgency is the weapon. If someone’s asking for sensitive information or money transfers, that urgency should trigger caution, not immediate compliance.

Verify through a different channel. Email says it’s from your CEO? Call them on a known number. Text message from your bank? Call the number on your card, not the one in the message. Voice call asking for a transfer? Hang up and call back.

Trust your judgment about whether requests make sense. Does your CEO normally ask for wire transfers via text? Does your IT department usually request password resets through email? If the method doesn’t match the request, verify.

Create a culture where questioning is safe. Your employees need to know they won’t get fired for double-checking whether the CEO really sent that request. These attacks exploit hierarchy and time pressure.

The Reality for Professional Services Firms

The accounting firms, law offices, and property management companies we work with are particularly vulnerable to these attacks because:

  • They handle sensitive financial information
  • They regularly process wire transfers
  • They work with clients who expect fast responses
  • They have hierarchical structures that discourage questioning authority

One immigration law firm we work with almost lost $180,000 to an AI-generated email that perfectly mimicked its managing partner’s communication style, requesting an urgent retainer transfer. The only thing that saved them was an associate who thought the request was weird enough to verify in person.

That associate didn’t stop the attack because they spotted technical indicators. They stopped it because something felt off, and they were empowered to question it.

What This Means for Your Business

You need to update your security training immediately. Not next quarter. Not when the budget allows. Now.

The training needs to focus on:

  • Verification procedures that work regardless of how legitimate something appears
  • Creating psychological safety for employees to question urgent requests
  • Understanding that AI can fake anything visual or auditory
  • Practicing what to do when something seems both urgent and suspicious

You need to practice these procedures regularly. Not once a year during security awareness month. Monthly at minimum.

Because the attacks are getting better every single day. Criminals using them no longer need your employees to click a suspicious link. They need your employees to trust their eyes and ears when they shouldn’t.

The Quick and Easy: AI-generated phishing attacks now outperform human security experts, with attacks increasing 42% in 2024. AI generates emails and phone calls that are indistinguishable from legitimate communication, bypassing traditional phishing indicators such as spelling errors, generic greetings, and suspicious links. Voice cloning technology can fool both automated systems and live humans. Traditional training focusing on spotting errors no longer works. Instead, businesses need verification procedures that work regardless of appearance, cultures where questioning authority is safe, and regular practice with realistic scenarios. Professional services firms are particularly vulnerable due to their hierarchical structures and regular financial transactions. The key defense is slowing down when things feel urgent and verifying through different channels.

Tags: ai, cybersecurity, phishing, security

If my password wasn’t stolen, what does it matter?

Christopher Woo
Tuesday, 16 October 2018 / Published in Woo on Tech

I’ll dispense with the editorializing about Facebook and other internet giants playing fast and loose with our information and get down to the nitty-gritty of what you should know about the latest Facebook breach, which I initially wrote about (only) two weeks ago:

  • Go to this Facebook link (while you are logged in to Facebook) to determine if you were one of the 30M that was affected by the breach: https://www.facebook.com/help/securitynotice
  • Initial estimate of compromised accounts revised down from 50-90M to “just” 30M (OK, you got me, I can’t help myself).
  • Approximately half (15M) of the compromised accounts had an extensive amount of information leaked, including data that most people would consider private, such as religion, relationship status, recent searches and geographical location.
  • The other half (14M less the small percentage in the next line) had names and email addresses or phone numbers, or both, accessed.
  • Three percent (about 1M) did not have any information exposed, though their access tokens were stolen.
  • Nobody’s Facebook password was stolen as part of this breach.
  • Facebook cannot divulge motive or identities as it is working with the FBI, but based upon analysis of the attack, the hackers were organized and well-equipped to pull off the data heist. Translation: likely nation-state or organized crime-backed.

What this means for you

If you happened to fall into the bucket where a large amount of private information was exposed by Facebook, be extremely wary of targeted phishing attempts, usually sent by email. Because your information is now readily available to be cross-indexed with any number of other items exposed in previous breaches, it’s trivial for cybercriminals to create very realistic emails that appear legitimate based upon the use of this stolen data, whether it be fake password reset notifications from widely used services like Office 365, Facebook, Gmail, SnapChat, or strangely familiar emails using that private data to trick you into revealing additional info or access to strangers pretending to be co-workers, friends or even family. Just to add insult to injury, if some of the leaked data is info you might use as an answer to the “Forgot your password?” questions many services use, hackers can now use that info to try and guess your answers to reset your password for their own nefarious purposes.

Just because your password wasn’t stolen in this breach doesn’t mean that it wasn’t exposed in any of the myriad breaches over the past several years. Visit this site – https://www.haveibeenpwned.com/password – to determine if it might be exposed, and if so, continued use of it will likely result in any account secured by the exposed password being compromised very soon.
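A check of this kind can be done without sending the password anywhere, using the Pwned Passwords range API that Have I Been Pwned publishes: only the first five hex characters of the password's SHA-1 hash leave the machine. This is an added example, not part of the original post; the function names and the offline stand-in for the API response are constructed for illustration.

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password):
    """Upper-case SHA-1 hex digest, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def pwned_count(password, fetch_range):
    """Number of breach appearances for `password`, or 0 if none is listed.

    `fetch_range` takes the 5-character hash prefix and returns the API
    body: one "SUFFIX:COUNT" line per hash that shares the prefix. The
    comparison against the remaining 35 characters happens locally.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range_live(prefix):
    """Real network call; Add-Padding hides the true response size."""
    request = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode("ascii")


def make_offline_fetcher(breached, seen):
    """Constructed stand-in for the API so the example runs offline.

    `breached` maps sample passwords to made-up counts; every prefix that
    would have been sent to the server is appended to `seen`.
    """
    def fetch(prefix):
        seen.append(prefix)
        lines = ["0" * 35 + ":0"]  # padding-style entry, count 0
        for sample, count in breached.items():
            digest = sha1_hex(sample)
            if digest.startswith(prefix):
                lines.append(f"{digest[5:]}:{count}")
        return "\r\n".join(lines)
    return fetch


if __name__ == "__main__":
    sent = []
    offline = make_offline_fetcher({"password": 42}, sent)  # constructed data
    for candidate in ("password", "a long unique passphrase 9173"):
        print(candidate, "->", pwned_count(candidate, offline))
    print("prefixes that left the machine:", sent)
```

Swap `offline` for `fetch_range_live` to query the real service; any non-zero count means the password should be retired everywhere it is used.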

Tags: breach, facebook, password, phishing

Fake emails hit businesses in the wallet

admin
Wednesday, 30 March 2016 / Published in Woo on Tech

In a disturbing trend that bodes ill for everyone, multiple US healthcare institutions have been victimized this past month by highly effective ransomware attacks. In each instance, the malware infection has significantly disrupted operations and, in some cases, forced administrators to actually pay out thousands of dollars in ransoms to regain control of their data and IT systems. In the case of the Hollywood Presbyterian attack, the hackers initially demanded $3.6 million in bitcoin to release the data and systems their malware had encrypted, but settled for $17k. More hospitals in California, Kentucky and Maryland have also been hit and crippled by ransomware attacks, in some cases paying the ransom to regain control of their IT systems, and in other cases recovering systems and data through established data backup platforms and security protocols. And just to keep things interesting, toy-maker Mattel was also defrauded out of $3 million after falling victim to a carefully-planned and well-executed email scheme.

What this means for you:

Though some of the hospital attacks mentioned above are thought to have come from a documented server exploit known to exist in healthcare software platforms, analysts are reporting a surge in emails carrying viral payloads including new, highly-effective variants of ransomware, probably because of the highly-publicized ransom payment made by Hollywood Presbyterian. The harsh reality of this worrying trend is this: it costs criminals virtually nothing to start malware campaigns that are resulting in hundreds of millions in damages to organizations around the world, and it’s netting those same criminals an equivalent amount of money paid by desperate victims. Despite spending millions on security, businesses and individuals around the world still fall victim to this ploy because of the humble email.

Previously I had written about ways to spot fake emails (and you can still spot them if you look hard enough), but given how many emails we receive, and how clever attackers are becoming, it’s only a matter of time before any of us get duped and it’s already too late after that second mouse-click.

Or is it? Though the ransomware attacks managed to disrupt operations at the hospitals mentioned above, several of them were able to get back to work once the infections were cleaned out and data restored from backups. The temporary disruptions caused by the compromised systems were kept to a minimum, as was the damage to the wallet, by a tested (and now proven) disaster response and recovery/backup plan. How long could your business afford to be disrupted by a ransomware attack? Could your business survive the loss of critical data? What about the reputation damage resulting from disclosing the attack to customers? If you thought a backup platform was expensive, consider the alternative. In the case of Hollywood Presbyterian, $17k was just the down payment on a huge hit to the wallet.

Image courtesy of  David Castillo Dominici at FreeDigitalPhotos.net

Tags: email, exploit, hospitals, malware, mattel, phishing, ransomware, security

Zombified Computers get 2 week reprieve

admin
Wednesday, 04 June 2014 / Published in Woo on Tech

Coming hard on the heels of the international sting two weeks ago that resulted in the arrest of nearly 100 “RATters”, law enforcement agencies in several countries again acted together to take down two very large botnets that together number well over 1.2 million compromised Windows computers, arresting a Russian hacker who allegedly managed the powerful zombie networks. Botnets are essentially large collections of “zombified” computers that can be controlled remotely and are a favored tool of cybercriminals and hackers that can execute a variety of activities including widespread phishing campaigns to steal sensitive personal data and focused DOS attacks used to cripple websites and servers.

What this means for you:

The UK Crime Agency believes that though they have control over the botnets for the moment, that control won’t last long – maybe 2 weeks – before the zombified computers are drafted into another botnet. In those 2 weeks, the various involved law enforcement agencies are hoping to take advantage of the temporary reprieve to notify the owners of the infected machines that they need to clean up their computers ASAP. If you receive a conspicuously official looking notice from some form of local law enforcement, it might be legitimate and not just another scareware scam. Some obvious signs that your computer might be infected (and possibly part of one of the 2 busted botnets) include:

  1. Websites loading in your browser that are clearly not where you intended to go, or what the search results said they would be
  2. Computer performing unusually slowly or erratically, unexpected crashing or other unusual behavior
  3. Files suddenly becoming corrupt or unusable

The last one is of special concern – it could mean your computer is infected with Cryptolocker, a nasty bit of malware that locks your files up and holds them for ransom. This might also mean that even if you were inclined to pay the ransom to get your data back, you may not be able to, as the take down of the botnet may also result in no one, criminal or lawful, being able to unlock your files. Sadly, if you hit this point and don’t have a recent backup of your data, it is gone forever.

Image courtesy of Stuart Miles / FreeDigitalPhotos.net

Tags: botnet, cryptolocker, cyberattacks, gameover zeus, phishing, ratting, security, zombie

More Websites Hacked and Pillaged

admin
Wednesday, 19 February 2014 / Published in Woo on Tech

It’s getting so that it might be easier to publish a list of companies that haven’t been hacked. Sadly, this week it’s dot-com darling Kickstarter and Wall Street stalwart Forbes.com, both of whom were hacked and user data exposed. Where Forbes almost immediately acknowledged that it had been hacked (unavoidable as the infamous Syrian Electronic Army announced that it was behind the attack), Kickstarter got on the wrong side of some folks for delaying its own announcement that it had been breached earlier in the week. Waiting almost 5 days before sending out an email to its users was viewed by many pundits as everything from lackadaisical to outright criminal. In both cases, user names, email addresses and passwords were stolen, though both companies state that the passwords were encrypted, which would make it difficult, but not impossible, for hackers to crack weaker passwords in the stolen data.

What this means for you:

If you had accounts on either of these websites using passwords that you use elsewhere, you need to go out and change that password everywhere else it was used – preferably with a unique one for each website. I had accounts on both of these websites, but I’m less worried as both were unique to the websites and will never be used again. Until the technology industry can come up with a better way than passwords to secure our safety, your next best bet is to generate unique passwords every time one is needed. Utilities like LastPass, Passpack and 1Password are invaluable for this sort of practice and are worth their weight in gold.

It’s also worth noting that in the case of the Forbes hack, their security was compromised by a targeted phishing attack. By responding to fake emails, duped employees revealed passwords that gave the attackers access to the WordPress engine that powers the Forbes.com website. Kickstarter has yet to reveal the nature of their security breach, but I wouldn’t be surprised if a similar phishing attack cracked their security. Phishing emails are becoming increasingly harder to spot as cybercriminals pour more effort and money into crafting effective attacks. The only protection is to be suspicious of everything, and to never click links in emails before independently verifying where they actually lead.

Tags: forbes, hacked, kickstarter, passwords, phishing, security

Microsoft Employees get Hooked in Phishing Scam

admin
Tuesday, 28 January 2014 / Published in Woo on Tech

In case you are feeling like the only one under constant cyber attack, Microsoft has recently admitted that the Syrian Electronic Army has successfully hacked some of its employee email accounts, apparently in pursuit of documents pertaining to ongoing law enforcement surveillance requests. As is typical with these types of breaches, Microsoft has yet to determine if any customer data was exposed, and so far is saying very little in that regard. This comes on the heels of the Microsoft Office blog being defaced only days prior, as well as successful attacks on high-profile Twitter accounts and blogs used by other Microsoft divisions.

What this means for you:

The Microsoft employees who were hacked were compromised through nothing more sophisticated than the ole “phishing” tactic. In case you still don’t know what that is, I’ll describe it in brief:

  1. You receive a legitimate-looking email, warning that your account at a popular service has been compromised, or your password has been reset, or that some other urgent action is required. Other popular phishing tactics include packages (or money) awaiting delivery, important faxes being held, etc.
  2. The email directs the recipient to a website that may be designed to look legitimate, but is not. The hacker owns that website, and any data typed into it.
  3. In all cases, the hacker is trying to get the recipient to volunteer specific information about themselves, usually things like user IDs, passwords, Social Security numbers, addresses, anything that could be used to compromise and possibly steal your ID.
  4. On top of tricking you into entering your important data, the website will often attempt to install other malware on your computer, resulting in severe infections and further data theft if it’s not caught quickly. This can even happen if you don’t enter any information on the website. Visiting that first page is often all it takes to get a bad malware infection.

If you haven’t figured out why it’s called “phishing”, the hackers are the fishermen, the email is the bait (and hook), and you are the fish. “Spear phishing” is when specific groups of recipients are targeted (as was probably the case with the Microsoft incident above), and “whaling” is when high-profile executives or critical employees are specifically targeted with carefully crafted emails tailored for the individual coupled with other social engineering tactics to lend legitimacy to the attack. And don’t think that you are immune to whaling attacks just because you aren’t a high-powered executive. Analysts are even now investigating possible AI-generated whaling attacks that are being generated based upon information gathered on the internet from sites like Facebook and LinkedIn, making it harder and harder to spot the fakes in your email.

Tags: blog, email, Hacking, microsoft, phishing, scam, security, syrian electronic army, Twitter

Phishing Emails Target AMEX Users

admin
Tuesday, 29 October 2013 / Published in Woo on Tech

Knowing full well that American Express is the credit card of choice for many professionals, cyber criminals are targeting AMEX customers in a wave of convincing phishing emails. The emails appear to be from AMEX, state that fraudulent activity has been detected on the recipient’s card, and provide a link for the user to update their information. The link actually leads through a series of redirection scripts on compromised websites and eventually lands the user on a website that has the outward appearance of a legitimate AMEX website. This site’s sole purpose is to collect critical personal data such as your Account ID, Social Security Number and Mother’s Maiden Name, which will shortly be used to perpetrate some actual account and identity theft.

What this means for you:

By now you should naturally be suspicious of any emails that show up in your inbox asking you to reset your credentials, especially if you did not explicitly perform a password or credential reset. Rolling over the links in the emails will show you the destination URL, and if the link isn’t one you recognize, stop right there and trash the email. Even if the URL looks legitimate, don’t use the link in the email. Go to your credit card website by manually typing in a URL that you know is good. Not sure what the URL is? Look for one printed on the back of your credit card, or failing that, just call the customer service number via phone. As a rule, credit card companies and banks will notify you via phone of suspected fraudulent activity, so emails like this should always be viewed with a healthy amount of skepticism.

Tags: american express, amex, cybercrime, fake emails, hackers, phishing, scam alert, security

Fake Dropbox Email Leads to Malware Infection

admin
Monday, 21 October 2013 / Published in Woo on Tech

Malicious agents continue to use increasingly sophisticated email templates to fool victims into installing malware on their computers. Most recently, people have been falling prey to an email that appears to be from Dropbox.com, a very widely used cloud storage website. The email uses Dropbox artwork and is kept short and to the point: it warns the user that they need to change their password and provides a link (which, of course, leads to a hijacked website). Adding to this email’s apparent credibility is the fact that Dropbox has engaged in this very same practice to legitimately warn users about password changes. Couple this with the fact that it’s highly likely you have a Dropbox account, and the hook is set before you know it.

What this means for you:

Whenever you receive a warning like this, the safest way to take action is to manually type the URL of the service in question in your browser and never click links in the email, unless you are confident they don’t lead to a hijacked website. Most email clients, including web-based ones like Gmail and Yahoo Mail, allow you to roll over the links in any email and see the actual linked destination (it may take a second or two, be patient while hovering), as it’s trivial to fake the visible destination while sending you down a dark road to infection. For more tips on spotting fake emails like this one, read my previous post, “Fake Emails are Getting Harder to Spot”.

Tags: dropbox, fake emails, hackers, malicious, malware, phishing, security, spam

Fake Emails are getting harder to spot

admin
Tuesday, 26 February 2013 / Published in Woo on Tech

Just this past week I received 2 emails that looked very legitimate, but were in actuality very cleverly designed phishing emails meant to trick unwary individuals into making some bad decisions. And when I say “cleverly designed” I mean that even to my experienced eye, the emails looked very real, with properly implemented graphics, clever use of recognizable branding and even using text from actual legitimate emails to camouflage the hook.

How did I know they were not the real deal? Well, first off, Gmail’s spam filters flagged them right away (score one for Google!) but there were a couple of other things that immediately marked them as fishy, and a little more investigation revealed the true colors of these sophisticated phishing attempts. These types of emails will happen more frequently once the cybercriminals realize how much more effective they are, so I think it’s time I showed you some techniques for spotting counterfeits before they trick you.

Apply Common Sense

Are you a customer of the company, service or brand that sent you an email asking you to do something? Is what they are asking you to do something that makes sense for that particular company/service/brand? In the example here, I received an email that looks like it was from ATT notifying me that my monthly account was ready for review. OK, this would have passed the “smell test” for me a couple years ago, but I’m not an ATT customer anymore. However, ATT is the largest cellular provider in the US, so it’s not inconceivable that many, many people thought this was a legitimate email.

Who’s the email from? And who is the actual recipient?

In the fake ATT email, you can see clearly that the sender on this email is totally bogus (outlined in RED at the top). Why would ATT be sending an email from the IRS? Always look closely at who the sender was on the email, especially if it looks like it’s something you might expect to see in your email box. Is that email address actually correct? Call up the sender to ask if they actually sent the email.

In my second example, the sender actually looks like it might be legitimate at a passing glance. They got the domain right, so now you have to put your security glasses on and take a harder look. This particular email was sent to a recipient address that is an alias for a webmaster inbox for one of my clients. I know for a fact she uses Quickbooks, but I also know she would never have used this particular email address to register the product or create an account because it goes to my email box, not hers. On top of this, there are several other addresses in the CC field (including 2 that weren’t actually email addresses), something you should never see when receiving a legitimate, automated email from a company like Intuit.

But once again, the content looks legitimate, and it’s not unlikely that the phisher landed a few hooks, considering how widely used Quickbooks is in the business world. So, let’s dig a little deeper!

Are the embedded links legitimate?

Outlook provides a handy feature that allows you to roll over a link in an email and see the actual URL of the link, even if it isn’t typed out in the email (which it never will be in a phishing attempt). Webmail users may not have this function handy, depending on the browser and the service you are using. Regardless of what program you are using, NEVER CLICK LINKS THAT YOU CAN’T ACTUALLY VERIFY, AND IF YOU HAVE THE SLIGHTEST HINT OF DOUBT, STOP CLICKING AND START DIALING FOR A HUMAN! (If ever there was a justified need for all caps and bold, that was it.)

In my two examples, you can clearly see that neither of the “call to action” links actually go to sites that have even the remotest connection to either of the services they purport to represent. Why would my American ATT account need me to click a domain in Australia? Why would I ever download US Withholding Data from a domain with “latina dot com” in the name?

What this means for you:

These types of emails will continue to become harder to spot, and I will guarantee you that the cybercriminals will continue to improve their counterfeiting techniques once they see how effective they are as compared to the past easy-to-spot and detect trash that normally fills our Junk folders. Unless the good guys come up with better ways to protect us (and they haven’t yet!), the best defense is (as my good friend Prof. Moody likes to shout) “Constant vigilance!” Take the time to read all emails carefully, and think twice before clicking once.

Tags: counterfeit, cybercrime, email, filters, Hacking, junk, malware, phishing, security, spam