Why Phishing Attacks Still Work (And What to Do About It)
Phishing has been around since the early days of email. Everyone knows not to click suspicious links. Security awareness training has been standard practice for years. And yet phishing remains one of the top causes of data breaches at small businesses. The reason is not that people are careless. It is that phishing attacks have gotten significantly better, and understanding how they work is the first step to catching them.
What modern phishing actually looks like
The Nigerian prince email is not what attackers are sending in 2026. Modern phishing emails are targeted, well-written, and often impersonate people or organizations your staff already know. A message that looks like it came from Microsoft asking you to verify your account. An email that appears to be from your bank about a flagged transaction. A message that seems to be from your own CEO asking someone in accounting to process an urgent wire transfer.
Attackers research their targets. They look at LinkedIn, the company website, press releases. They know your firm's name, the names of partners and staff, who your vendors are. A phishing email that references a real project or a real person is much harder to spot than a generic scam.
Why people still click
- Urgency works. An email that says your account will be suspended in 24 hours triggers a response before rational thinking kicks in.
- Authority works. People are less likely to question a request that appears to come from a manager, a vendor, or a government agency.
- Familiarity works. An email that looks exactly like a Microsoft 365 login prompt is nearly indistinguishable from the real thing.
- Timing works. A phishing email that arrives when someone is busy, stressed, or distracted gets less scrutiny.
- Volume works. Attackers send millions of emails. Even a fraction of a percent clicking is enough.
The attacks that cause the most damage
Business email compromise is the costliest form of phishing for small businesses. An attacker either compromises a real email account or creates one that looks nearly identical — changing one letter, swapping a domain — and uses it to request payments, wire transfers, or credential resets.
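The lookalike-domain trick described above (one changed letter, a swapped top-level domain, or a trusted name buried inside a longer hostname) can be checked automatically before a message reaches the person it targets. The following is an added example, not code from the original post or from ITM Consulting: a small sender-domain check run over a few constructed addresses. The trusted domain list and every address below are placeholders; substitute your own firm's, partners' and vendors' domains.

```python
"""Flag sender domains that closely resemble a trusted domain (added example)."""

# Constructed placeholders: replace with the domains your staff actually exchange mail with.
TRUSTED_DOMAINS = {"examplecpa.com", "microsoft.com", "bankexample.com"}

# Character sequences that are commonly substituted to imitate a domain.
# Multi-character sequences come first so "rn" is folded before "l"/"1" are touched.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}

# Distance at or below which two domains are treated as lookalikes (tunable).
MAX_EDIT_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Lower-case the domain and fold common homoglyph substitutions to a canonical form."""
    d = domain.lower().strip()
    for seq, repl in HOMOGLYPHS.items():
        d = d.replace(seq, repl)
    return d


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance=MAX_EDIT_DISTANCE):
    """Return ("trusted" | "lookalike" | "unknown", matched trusted domain or None)."""
    domain = address.rsplit("@", 1)[-1].lower().strip()
    ordered = sorted(trusted)  # deterministic iteration order

    # Exact match or a genuine subdomain (mail.examplecpa.com) belongs to the trusted org.
    for t in ordered:
        if domain == t or domain.endswith("." + t):
            return ("trusted", t)

    # Homoglyph spellings (rnicrosoft.com, examp1ecpa.com) and a trusted name embedded
    # in a longer hostname (microsoft.com.secure-login.net) are the strongest signals.
    for t in ordered:
        if normalize(domain) == normalize(t) or t in domain:
            return ("lookalike", t)

    # Finally, small edit distances catch swapped TLDs and single-letter changes.
    for t in ordered:
        if levenshtein(normalize(domain), normalize(t)) <= max_distance:
            return ("lookalike", t)

    return ("unknown", None)


def scan(addresses):
    """Classify a batch of sender addresses; returns (address, verdict, matched domain) tuples."""
    return [(a, *classify_sender(a)) for a in addresses]


if __name__ == "__main__":
    # Constructed sample senders, not real messages.
    SAMPLE_SENDERS = [
        "jane@examplecpa.com",
        "it@mail.examplecpa.com",
        "billing@rnicrosoft.com",
        "ceo@examp1ecpa.com",
        "alerts@bankexample.co",
        "support@microsoft.com.secure-login.net",
        "news@somevendor.org",
    ]
    for address, verdict, match in scan(SAMPLE_SENDERS):
        print(f"{verdict:10} {address:45} {match or ''}")
```

The three passes are ordered so that a genuine subdomain of a trusted domain is never reported as a lookalike, and so that homoglyph and embedded-name matches, which are almost never innocent, are reported before the fuzzier edit-distance match. A verdict of "unknown" is not a verdict of safe; it only means the domain is not impersonating one on your list.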
Credential harvesting attacks redirect you to a fake login page that looks exactly like Microsoft, Google, or your bank. You enter your username and password, which the attacker captures, and are then redirected to the real site so you do not notice anything happened.
For CPA and accounting firms, both types are common. Financial data and access to client accounts make accounting firms a high-value target.
What actually reduces phishing risk
- Multi-factor authentication is the single most effective control. Even if an attacker gets your password from a phishing page, they cannot log in without the second factor.
- Email security tools that scan links and attachments before they reach the inbox filter out a large percentage of phishing attempts before anyone sees them.
- Simulated phishing tests help staff recognize the real thing. Seeing what a convincing phishing email looks like in a safe environment builds recognition faster than any training video.
- A clear process for verifying unusual requests, especially payment requests, that involves a phone call to a known number rather than replying to an email.
- Staff who feel safe reporting suspected phishing without fear of embarrassment. The faster a suspicious email gets reported, the faster it gets removed from other inboxes.
What to do if you think you clicked something
1. Do not wait and hope nothing happens. Report it to your IT provider immediately.
2. Change your password for the account you entered credentials on, and any other account using the same password.
3. Check your email account for any rules that were added, forwarding addresses that were set, or sent messages you do not recognize.
4. If the click happened on a work device, have your IT provider check for malware.
5. If financial accounts or client data may be involved, notify your IT provider and review your incident response plan.
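Step 3 above, reviewing mailbox rules, is where account compromise most often shows up: an attacker who has a password typically adds a rule that forwards mail outside the company, deletes or hides replies about invoices and payments, or carries a blank or single-character name so it is overlooked. The following is an added example, not code from the original post or from ITM Consulting, that triages a list of exported inbox rules for those patterns. The rule records are constructed here for illustration, and their field names (`forward_to`, `redirect_to`, `delete`, `move_to_folder`, `conditions`) are assumptions, not the fields of any particular mail system's export.

```python
"""Triage exported inbox rules for common signs of mailbox compromise (added example)."""

# Constructed placeholder; use the domain(s) your own organization sends mail from.
INTERNAL_DOMAINS = {"examplecpa.com"}

# Folders people rarely open, which attackers use to hide replies they intercept.
HIDDEN_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "archive", "deleted items"}

# Words that, in a rule condition, suggest the rule targets financial or credential traffic.
KEYWORDS = ("invoice", "payment", "wire", "password", "bank")


def is_external(address: str, internal=INTERNAL_DOMAINS) -> bool:
    """True when the address's domain is neither an internal domain nor a subdomain of one."""
    domain = address.rsplit("@", 1)[-1].lower().strip()
    return not any(domain == d or domain.endswith("." + d) for d in internal)


def triage_rule(rule: dict, internal=INTERNAL_DOMAINS) -> list:
    """Return a list of human-readable reasons a rule looks suspicious (empty if none)."""
    reasons = []

    # Forwarding or redirecting to an address outside the company.
    for field in ("forward_to", "redirect_to"):
        external = [a for a in rule.get(field, []) if is_external(a, internal)]
        if external:
            reasons.append(f"{field} to external address: {', '.join(external)}")

    # Silently deleting matching mail keeps the victim from seeing replies.
    if rule.get("delete"):
        reasons.append("deletes messages")

    # Moving mail to a folder nobody checks has the same effect as deletion.
    folder = rule.get("move_to_folder") or ""
    if folder.lower() in HIDDEN_FOLDERS:
        reasons.append(f"moves mail to rarely checked folder '{folder}'")

    # Conditions that single out invoices, payments, passwords or the bank.
    condition_text = " ".join(rule.get("conditions", [])).lower()
    hits = [k for k in KEYWORDS if k in condition_text]
    if hits:
        reasons.append("conditions match financial/credential keywords: " + ", ".join(hits))

    # Attacker-created rules are often named "." or "" so they are easy to miss.
    if len((rule.get("name") or "").strip()) <= 1:
        reasons.append("blank or single-character rule name")

    return reasons


def suspicious_rules(rules, internal=INTERNAL_DOMAINS):
    """Return (rule name, reasons) for every rule with at least one reason."""
    flagged = []
    for rule in rules:
        reasons = triage_rule(rule, internal)
        if reasons:
            flagged.append((rule.get("name"), reasons))
    return flagged


# Constructed sample export, shaped like what a mail admin console might give you.
SAMPLE_RULES = [
    {"name": "Newsletters",
     "conditions": ["from contains news@vendor.example"],
     "move_to_folder": "Newsletters"},
    {"name": ".",
     "conditions": ["body contains invoice", "subject contains wire"],
     "forward_to": ["archive.mailbox@gmail.example"],
     "delete": True},
    {"name": "Hide replies",
     "conditions": ["from contains bankexample.com"],
     "move_to_folder": "RSS Feeds"},
]

if __name__ == "__main__":
    for name, reasons in suspicious_rules(SAMPLE_RULES):
        print(f"rule {name!r}:")
        for reason in reasons:
            print(f"  - {reason}")
```

A clean result from this check is not proof the account is clean, since it only inspects rules; the sent-items review and the password change in the steps above still apply. It does, however, turn the vague instruction "look for rules you do not recognize" into a concrete list of what to look at, which is what a busy staff member or a junior technician needs during the first hour after a click.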
We help small businesses in the Chicago area set up email security tools, run phishing simulations, and train staff to recognize and report attacks. If you are not sure how exposed your team is right now, a free security assessment is a practical starting point.
ITM Consulting
Questions about your IT setup?
We work with small businesses and accounting firms across the Chicago area. Schedule a free 30-minute consultation and we will tell you honestly what we see.