Phishing is the entry point for the majority of business cyber incidents. Not ransomware deployed directly onto a server. Not a sophisticated zero-day exploit. An email that tricks someone into handing over their login credentials or clicking a link that installs malware. It's mundane, it's effective, and it's why security awareness still matters even when every other control is in place.
The challenge in 2026 is that phishing emails have become significantly harder to spot. AI-generated text has removed most of the tell-tale grammar errors. Attacks are increasingly personalised — referencing your actual suppliers, your team members, your recent activity. And the most dangerous versions come not from external addresses but from legitimate accounts that have already been compromised.
What modern phishing actually looks like
Forget the obvious: misspelled words, dodgy formatting, generic greetings from people you've never heard of. Contemporary phishing includes:
- Spear phishing: Targeted at a specific person in your business. References their name, their role, their manager, a recent project. The attacker has done research — LinkedIn, your company website, Companies House filings — and uses it to make the email feel legitimate.
- Clone phishing: A near-perfect copy of a legitimate email your business has received before, with a malicious link or attachment swapped in. The sender address may look identical at a glance.
- Vendor impersonation: An email that appears to come from one of your suppliers or service providers — with a request to update payment details, click a link to verify account access, or download an updated document.
- Compromised account phishing: An email that comes from a real contact's actual email address, because that contact's account has already been breached. No spoofing required — the email passes SPF, DKIM and DMARC because it genuinely left that mailbox, and it often arrives as a reply in an existing thread.
"The most dangerous phishing email isn't obviously suspicious. It's one that looks exactly like an email you'd expect to receive — from a person you know, about something relevant to you, right now."
The warning signs that still give phishing away
Even well-crafted phishing attacks usually have at least one of these signals. Teaching your team to pause and check when they see any of them is worth more than any technical filter.
Urgency designed to stop you thinking
Phishing creates pressure to act immediately: "Your account will be suspended in 24 hours." "This invoice is overdue." "I need this done before end of business today." The urgency is the mechanism — it's designed to override the instinct to check. Any email that creates pressure to act without verification should be treated with extra suspicion, not less.
A link that doesn't match what it claims to be
Hover over any link before you click it. The actual URL it points to appears at the bottom of your browser or email client. If an email from your "Google account" links to a domain that isn't google.com, stop. If an invoice from a known supplier links to a domain you don't recognise, stop. The display text can say anything — the actual URL is what matters, and within the URL it is the registered domain that matters, not the words in front of it: google.com.account-verify.net is account-verify.net, not Google.
On desktop: hover over the link and check the URL in the status bar at the bottom of the screen. On mobile: long-press the link to preview the URL before opening it. If the domain doesn't match the organisation it claims to be from, don't click. Shortened links and "click tracking" redirectors hide the real destination entirely; for anything involving an account or a payment, skip the link and type the address you already know into the browser instead.
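The mismatch check above can also be run mechanically over an email body before anyone clicks. The script below is an added example for this article, not GetBulwark's own tooling: it pulls every link out of an HTML message, works out the registered domain the link really goes to, and compares that with what the visible text and any brand names claim. The sample email, the brand-to-domain table and the tiny stand-in for the Public Suffix List are all constructed for the demo (real code should use a proper public-suffix library).

```python
"""Flag links whose real destination does not match what they claim to be.

Added example for this article (not the page's or GetBulwark's code).
Assumptions: KNOWN_BRANDS and TWO_LABEL_SUFFIXES are small hand-made tables;
SAMPLE_EMAIL is a constructed message, not a real phishing sample.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: organisations we care about and the domains they genuinely use.
KNOWN_BRANDS = {
    "google": {"google.com", "accounts.google.com"},
    "microsoft": {"microsoft.com", "login.microsoftonline.com"},
}
# Assumption: a tiny stand-in for the Public Suffix List so co.uk etc. work.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au", "co.nz"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """'google.com.account-verify.net' -> 'account-verify.net'; 'www.x.co.uk' -> 'x.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyse_link(href: str, text: str) -> list:
    """Return the reasons a link looks deceptive; an empty list means none found."""
    reasons = []
    parts = urlsplit(href.strip())
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        return [f"non-web scheme {parts.scheme!r}"]
    if parts.username is not None:          # https://google.com@evil.example/...
        reasons.append("credentials before @ hide the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("IP address instead of a domain name")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode host (possible homoglyph domain)")
    real = registrable_domain(host)
    # Visible text that looks like a URL or domain must point where it says.
    if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I):
        claimed = urlsplit(text if "://" in text else "https://" + text).hostname or ""
        if registrable_domain(claimed) != real:
            reasons.append(f"visible text shows {claimed} but link goes to {host}")
    # A brand named in the text or buried in the hostname must own the real domain.
    for brand, allowed in KNOWN_BRANDS.items():
        if brand in text.lower() or brand in host:
            if real not in {registrable_domain(d) for d in allowed}:
                reasons.append(f"mentions {brand} but domain is {real}")
    return reasons


def suspicious_links(html: str) -> dict:
    """Map each suspicious href in an HTML body to its list of reasons."""
    parser = LinkCollector()
    parser.feed(html)
    return {href: r for href, text in parser.links if (r := analyse_link(href, text))}


# Constructed sample message with one legitimate link and three deceptive ones.
SAMPLE_EMAIL = """<p>Your Google account will be suspended in 24 hours.</p>
<a href="https://google.com.account-verify.net/login">https://accounts.google.com/signin</a>
<a href="https://accounts.google.com/signin">Sign in</a>
<a href="https://google.com@203.0.113.10/update">Update payment details</a>
<a href="https://xn--gogle-0ta.com/verify">google.com</a>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(reasons))
```

Only the second link in the sample survives the check; the other three are caught by the subdomain trick, the user-info-before-@ trick with an IP host, and a punycode domain under a "google.com" label respectively.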
An unexpected request involving credentials or payment
Any email asking you to enter login credentials, confirm payment details, or approve a financial transaction should be verified through a separate channel — a phone call to a number you already hold for that person, or a direct message through a channel you trust. Not by replying to the email. Not by clicking a link in the email. Not by calling a number printed in the email. Out-of-band verification, every time.
An attachment that asks you to enable something
Macro-enabled documents — Word files, Excel spreadsheets that ask you to "enable content" when you open them — are a common malware delivery mechanism. If you receive a document from someone you don't know well, or from anyone in an unexpected context, and it asks you to enable macros or editing, don't do it. Report it instead.
What to do if someone on your team clicks a phishing link
The response matters as much as the click itself. The window between "clicked" and "attacker has done something useful" can be very short — minutes in some cases, hours in others. Here's the immediate response:
1 Don't panic, don't minimise it
The person who clicked is going to feel embarrassed. Make sure they know the priority is responding quickly, not assigning blame. You want people to report suspected clicks immediately — a culture where people hide mistakes because they're afraid of consequences means incidents go undetected for longer.
2 Disconnect the device from the network
If the click may have resulted in a file download or malware installation, disconnecting the device (turn off Wi-Fi, unplug Ethernet) limits the attacker's ability to communicate with the infected machine or move laterally across the network. Leave it powered on rather than shutting it down: what is running in memory is useful evidence for whoever investigates.
3 Change passwords and revoke sessions immediately
If the person entered credentials anywhere as a result of the click, change those passwords now. In the Google Admin Console, an admin can reset a user's password and sign them out of all active sessions. Do this before the attacker has a chance to establish persistence in the account.
Directory → Users → select the affected user → Reset password (tick "Require password change") → More → Sign out of all sessions. This invalidates existing browser sessions. It does not, on its own, revoke third-party app access the attacker may have granted or app passwords they may have created, so review and remove those for the affected account as well.
4 Check for email forwarding rules
One of the first things attackers do after gaining access to an email account is set up a forwarding rule to send all incoming mail to an address they control. Check the affected account's Gmail settings for any forwarding addresses that weren't there before, and check the filters too: a filter can forward only the messages matching "invoice" or "password", and can archive or delete them so the owner never sees the conversation. Look as well for any new mailbox delegates. Remove anything the user did not create themselves.
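Checking those settings by hand is fine for one mailbox; for a triage script the useful part is knowing which patterns to flag. The example below is added for this article and is not GetBulwark's code. It takes two dictionaries shaped like what the Gmail API returns for a user's auto-forwarding setting and filter list (the sample values are constructed to look like a compromised mailbox, and how you fetch or export them is left out) and reports external forwarding, filters that forward to an outside address, and filters that hide security-related mail.

```python
"""Triage a mailbox's forwarding and filter settings for post-compromise changes.

Added example for this article (not the page's or GetBulwark's code).
Assumptions: ORG_DOMAIN is the organisation's own mail domain; the two SAMPLE_
dictionaries are constructed to resemble the Gmail API's AutoForwarding and
ListFiltersResponse objects rather than fetched from a real account.
"""

ORG_DOMAIN = "example.co.uk"  # assumption: the business's own mail domain

# Words that, in a filter's criteria, suggest the filter exists to bury alerts
# or replies the attacker does not want the real owner to see.
HIDE_KEYWORDS = ("security", "password", "invoice", "payment", "alert", "admin", "it-")

# Constructed sample: one benign filter, one exfiltration filter, one suppression filter.
SAMPLE_AUTO_FORWARDING = {
    "enabled": True,
    "emailAddress": "backup.mail.2026@gmail.com",
    "disposition": "markRead",
}
SAMPLE_FILTERS = {"filter": [
    {"id": "f1", "criteria": {"from": "newsletter@vendor.example"},
     "action": {"addLabelIds": ["Label_12"], "removeLabelIds": ["INBOX"]}},
    {"id": "f2", "criteria": {"query": "invoice OR payment OR password"},
     "action": {"forward": "backup.mail.2026@gmail.com", "removeLabelIds": ["INBOX", "UNREAD"]}},
    {"id": "f3", "criteria": {"from": "it-security@example.co.uk"},
     "action": {"addLabelIds": ["TRASH"]}},
]}


def is_external(address: str) -> bool:
    """True when the address is outside the organisation's own domain."""
    return address.split("@")[-1].lower() != ORG_DOMAIN


def hides_from_owner(action: dict) -> bool:
    """Archiving (removing INBOX) or trashing a message keeps it out of sight."""
    return "INBOX" in action.get("removeLabelIds", []) or "TRASH" in action.get("addLabelIds", [])


def triage(auto_forwarding: dict, filters: dict) -> list:
    """Return findings ordered: account-wide forwarding first, then filters in order."""
    findings = []
    target = auto_forwarding.get("emailAddress", "")
    if auto_forwarding.get("enabled") and is_external(target):
        findings.append({"severity": "high", "where": "auto-forwarding",
                         "detail": f"all incoming mail forwarded to {target}"})
    for f in filters.get("filter", []):
        action, crit = f.get("action", {}), f.get("criteria", {})
        fwd = action.get("forward")
        hidden = hides_from_owner(action)
        if fwd and is_external(fwd):
            detail = f"forwards mail matching {crit} to {fwd}"
            if hidden:
                detail += " and hides it from the inbox"
            findings.append({"severity": "high", "where": f"filter {f['id']}", "detail": detail})
            continue
        haystack = (crit.get("from", "") + " " + crit.get("query", "")).lower()
        if hidden and any(k in haystack for k in HIDE_KEYWORDS):
            findings.append({"severity": "medium", "where": f"filter {f['id']}",
                             "detail": f"hides messages matching {crit}; typical of suppressing "
                                       "security alerts or replies the attacker wants unseen"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUTO_FORWARDING, SAMPLE_FILTERS):
        print(finding["severity"].upper(), finding["where"], "-", finding["detail"])
```

The benign newsletter filter (archive only, no sensitive keyword) is deliberately not reported, so the output is short enough to act on: remove the forwarding address, delete the two malicious filters, then look at what was sent during the window they were active.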
Have a plan before an incident happens
Managed GetBulwark clients have a documented incident response process — and 24/7 endpoint monitoring that detects compromise before it becomes a full breach.
5 Check the Admin Console Alert Centre
Google's Alert Centre often flags suspicious account activity within minutes of a compromise. Check it as part of your immediate response. Look for alerts about the affected user's account, any suspicious login events, or anomalous data access. This gives you a timeline of what the attacker may have accessed.
The broader point: having MFA enforced means that even if a password is captured in a phishing attack, the attacker needs the second factor too. This is why MFA is the single most impactful control — not because it makes phishing impossible, but because a harvested password on its own is no longer enough. One caveat: phishing kits that proxy the real login page in real time can relay a one-time code or push approval and steal the resulting session, so codes and push prompts blunt the attack rather than stop it. Phishing-resistant methods, such as security keys or passkeys, are tied to the genuine site's domain and don't work on the lookalike, which is why they are worth the extra rollout effort for admins and finance staff first.