When most people think of phishing, they imagine a poorly written email from a Nigerian prince. Those still exist — but they're not what's costing businesses money. Today's phishing attacks are targeted, researched, and convincing enough to fool experienced professionals.
Understanding exactly how these attacks work is the first step to building a team that can spot them. Here are the three techniques you need to train your staff on right now.
Spear Phishing
Most Common
Unlike mass phishing emails that are sent to millions of random addresses, spear phishing is targeted. Attackers research your business — your website, LinkedIn, social media, job listings — to craft an email that feels completely legitimate to the specific person receiving it.
Real-world example
Your accounts payable team receives an email appearing to come from your CEO. It references a real supplier by name, mentions an ongoing project, and asks for an urgent payment to a new account before end of day. Every detail checks out — except the email address is slightly different and the bank account is the attacker's.
Warning signs
- References real people, projects, or suppliers from your business
- Creates urgency and asks you not to use normal channels
- Email address is very slightly different from the real sender
- Requests a financial transaction or sensitive information
CEO / Executive Fraud
Highest Financial Impact
A specific form of spear phishing where the attacker impersonates a senior executive — usually the CEO, CFO, or business owner. The goal is to exploit the authority of that person to pressure employees into taking action without following normal procedures.
Real-world example
An employee in finance receives an email that appears to come from the CEO while he's 'travelling'. The email says he's finalising a confidential acquisition and needs $15,000 transferred immediately to a holding account. He can't be reached by phone. The employee, not wanting to bother the CEO or appear unhelpful, processes the transfer.
Warning signs
- Comes from the CEO or another senior leader, often while they're 'travelling'
- Asks for secrecy — 'don't mention this to anyone yet'
- Bypasses normal approval processes with urgency
- Sent outside of business hours or to a personal device
QR Code Phishing (Quishing)
Fastest Growing
QR codes have created a new attack surface that most employees aren't trained to be suspicious of. Attackers embed malicious URLs inside QR codes — in emails, printed documents, fake parking notices, even posted over legitimate QR codes in public places. Because the destination URL isn't visible, standard email security filters often miss them entirely.
Real-world example
An employee receives an email purportedly from Microsoft asking them to scan a QR code to verify their account. They scan it on their personal phone (which has no email security), are taken to a convincing Microsoft login page, and enter their credentials — which are immediately captured by the attacker.
Warning signs
- QR code in an email asking you to 'verify' or 'confirm' something
- Creates urgency — 'your account will be suspended'
- Takes you to a login page after scanning
- Sender address looks official but doesn't match the real domain exactly
How to Defend Your Team
Knowledge alone isn't enough — your staff need to experience simulated attacks in a safe environment so they know what it actually feels like to be targeted. That's what security awareness training achieves. Pair it with the right technical controls and you dramatically reduce your exposure.
Equally important: make sure employees know exactly what to do when they spot — or fall for — a suspicious email. Our incident response guide walks through the first steps every team should take. And if you want to understand how phishing leads to bigger attacks, see why SMBs are the #1 target for ransomware.
5 Steps to Phishing-Resistant Employees
- Run regular simulated phishing tests so employees experience what an attack feels like before a real one arrives
- Train staff to verify any unexpected request via a separate channel — call the person directly using a number you already have
- Teach employees that QR codes in emails should be treated with the same suspicion as links
- Implement email authentication controls (DMARC, DKIM, SPF) to prevent domain spoofing
- Deploy email security that scans for behavioural signals, not just known-bad links
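As an added example (not code from the original post), here is a small Python script that mechanises two of the checks above on constructed sample data: flagging sender domains that are "very slightly different" from your real domain, and reading the p= policy out of a DMARC record so you can tell a report-only setting from one that actually tells receivers to drop spoofed mail. The domain example-corp.com and the sample addresses are assumptions made for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data for this example: one hypothetical organisation
# domain and a few hypothetical From: addresses (not from any real incident).
TRUSTED_DOMAINS = {"example-corp.com"}
SAMPLE_SENDERS = [
    "ceo@example-corp.com",          # genuine sender
    "ceo@example-corp.co",           # top-level domain swapped
    "ceo@examp1e-corp.com",          # digit 1 standing in for letter l
    "ceo@example-corp-finance.com",  # brand embedded in a new domain
    "news@unrelated.org",            # unrelated, must not be flagged
]
# Digit-for-letter swaps that look alike in many fonts, plus rn -> m.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def sender_domain(address):
    """Return the lower-cased domain part of a bare e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()

def normalise(domain):
    """Collapse look-alike characters so 'examp1e' compares equal to 'example'."""
    return domain.translate(HOMOGLYPHS).replace("rn", "m")

def lookalike_of(domain, trusted=TRUSTED_DOMAINS, threshold=0.85):
    """Return the trusted domain that `domain` imitates, or None. Checks: same
    once homoglyphs collapse, near-identical by edit similarity (typo, swapped
    TLD), or the trusted brand label embedded inside a longer label."""
    if domain in trusted:
        return None
    norm = normalise(domain)
    for real in trusted:
        real_norm = normalise(real)
        if norm == real_norm:
            return real
        if SequenceMatcher(None, norm, real_norm).ratio() >= threshold:
            return real
        if real_norm.split(".")[0] in norm.split(".")[0]:
            return real
    return None

def dmarc_policy(txt_record):
    """Return the p= tag of a DMARC TXT record: 'none' only reports spoofing,
    'reject' tells receiving servers to drop it; 'missing' means no policy."""
    match = re.search(r"(?:^|;)\s*p=(none|quarantine|reject)\b", txt_record)
    return match.group(1) if match else "missing"

def triage(senders=SAMPLE_SENDERS):
    """Map each sender address to the trusted domain it imitates (None if clean)."""
    return {addr: lookalike_of(sender_domain(addr)) for addr in senders}
```

A lookalike hit is a prompt to verify through a separate channel, not proof of fraud; and a DMARC record at p=none means step 4 has been published but is not yet enforced.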
Train Your Team Before Attackers Do
Our Employee Security Training service includes simulated phishing campaigns and monthly training modules. Book a free assessment to get started.