Reading time: 6 minutes · Last updated: 30 April 2026
The phishing email that brings down your business will not look like the phishing emails you’ve been training people to spot. The classic red flags — broken English, weird sender, generic greeting — are largely gone. AI-generated phishing is fluent, personal, and convincing, which is why phishing prevention training in 2026 looks very different from what it did even two years ago.
This post is a working guide for SMB owners: what’s changed, what your team needs to know, and how to build a training programme that actually shifts behaviour.
What’s changed about phishing
Three things, all driven by AI:
- The writing is perfect. Grammar mistakes used to be the fastest tell. Generative AI made that giveaway disappear overnight.
- The targeting is personal. Attackers scrape LinkedIn, your website, and recent press releases to write emails that reference real people, real projects, and real timelines. This is “spear phishing” at scale.
- The voices are real. Voice-cloning attacks are now common. A 30-second clip of your CEO from a podcast is enough for an attacker to leave a voicemail “from” them, asking finance to wire funds.
The new attacker doesn’t need to fool everyone — just one person, on a busy day.
The 4 phishing styles your team will see
1. The “urgent invoice” from a real-looking vendor
Often hits on Fridays or right before holidays. The attacker has done their homework — the vendor name is one you actually use. The PDF either drops malware or asks for a wire to a “new” account.
2. The CEO impersonation (“are you free?”)
Short message from “the boss” asking a quick favour. Once the employee replies, the attacker pivots to gift-card requests or wire transfers. Easy to spot in hindsight, almost impossible to spot when you’re flattered to be asked.
3. The Microsoft 365 / Google login page
A pixel-perfect copy of your real login page, served on a domain that looks almost right. Once a credential is captured, attackers have your email — and from there, your business.
4. The voice-cloned phone call
Increasingly common. The “owner” calls and instructs urgent action. The voice is real. The instructions aren’t.
What good training looks like in 2026
Old-school training — a once-a-year video and a quiz — does almost nothing for behaviour. The training that works has four properties:
- Frequent. Short modules every month, not a 90-minute marathon every year.
- Simulated. Real phishing emails sent to your real team, with a safe landing page that teaches when someone clicks.
- Measured. A “click rate” trend you actually watch. Industry baseline is 25–35% on the first simulation. With ongoing training, you can drive that under 5% in six months.
- Blame-free. If clicking is treated as a fireable offence, employees hide their mistakes and the attacker wins. Treat the click as data, not a crime.
The 4-step verification habit every team should learn
Hand this to every employee on day one and reinforce it monthly:
1. Slow down. Urgency is the attacker’s friend. If a request feels rushed, that’s a flag.
2. Check the channel. If a “CEO” emails finance about a wire, confirm by phone — using a number you already had, not the one in the email.
3. Hover before you click. Hover over every link to see the real URL. On phones, long-press to preview.
4. Confirm any payment change in two channels. A vendor changing bank details should be confirmed by phone before any payment is sent. Always.
What technology should be doing in the background
Training is necessary but not sufficient. Your stack should include:
- Multi-factor authentication on every account (so a stolen password isn’t enough).
- Email filtering with anti-impersonation rules (catches CEO-style attacks).
- DNS-level web filtering (so a clicked phishing link can’t reach the malicious site).
- Endpoint detection and response (catches what slips through).
If any of those is missing, your training is doing the work alone — and on a bad day, it won’t be enough.
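As an added example (not from the original post or SohoWizz), here is a minimal version of the anti-impersonation rule an email filter applies to catch the CEO-style and look-alike-domain messages described above. The company domain, the executive directory entry and the sample headers are all constructed for illustration.

```python
# Added example: header checks of the kind an anti-impersonation filter runs.
# COMPANY_DOMAIN, EXECUTIVES and SAMPLES are constructed, not real data.
from difflib import SequenceMatcher
from email.utils import parseaddr

COMPANY_DOMAIN = "example-smb.com"                       # assumed: your own domain
EXECUTIVES = {"jane doe": "jane.doe@example-smb.com"}    # assumed directory entry


def lookalike_domain(domain: str) -> bool:
    """True if domain is close to, but not equal to, the company domain."""
    if domain == COMPANY_DOMAIN:
        return False
    # Character-match ratio; 0.8 and above catches one or two swapped
    # characters (a digit 1 for a letter l) without flagging unrelated domains.
    return SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio() >= 0.8


def check_message(from_header: str, reply_to: str = "") -> list[str]:
    """Return the impersonation indicators found in a message's headers."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    key = name.strip().lower()
    flags = []
    # Display name matches an executive, but the address is not theirs.
    if key in EXECUTIVES and addr != EXECUTIVES[key]:
        flags.append("display-name-impersonation")
    # Sender domain is a near-copy of ours (the "almost right" login-page trick).
    if lookalike_domain(domain):
        flags.append("lookalike-domain")
    # Replies silently routed to a different domain than the visible sender.
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if reply_addr.lower().rsplit("@", 1)[-1] != domain:
            flags.append("reply-to-mismatch")
    return flags


# Constructed samples: one genuine message and two in the styles the post describes.
SAMPLES = [
    ("Jane Doe <jane.doe@example-smb.com>", ""),
    ("Jane Doe <jane.doe.ceo@gmail.com>", ""),                       # "are you free?"
    ("Accounts <invoices@examp1e-smb.com>", "pay@mail-relay.net"),  # "urgent invoice"
]

if __name__ == "__main__":
    for frm, rt in SAMPLES:
        print(frm, "->", check_message(frm, rt) or ["clean"])
```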
How SohoWizz runs phishing programmes
Our standard approach: a baseline simulation in week 1 (you’ll see your real click rate), monthly simulations and 5-minute training modules, quarterly reporting to leadership, and an annual deep-dive on emerging attack styles. We bundle this into our managed cybersecurity package, or run it stand-alone for SMBs that want to build the human firewall first.
Free phishing simulation for your team
We’ll run a single, safe simulation against your real inboxes and send you a one-page report — no commitment.