How to Spot and Avoid Modern Email Phishing Scams (2026 Guide)

Modern Email Phishing Scams

Over the past few months, we’ve seen a significant increase in phishing emails across businesses of all sizes. These are no longer the obvious scams with bad grammar and strange links — modern phishing attacks are more sophisticated, often generated by AI, and much harder to recognize. The goal of this guide is simple: help you quickly identify and avoid these emails before they become a problem.

The 3 Most Common Phishing Emails Right Now

1. “Microsoft Password Reset” or “Mailbox Expiring”: These emails look like they come directly from Microsoft and often say your password is expiring, your mailbox is full, or you need to “validate” your account. They usually include a button or link to “fix” the issue. These are almost always fake.

2. Fake Voicemail or Document Attachments: You may receive an email saying you have a new voicemail or asking you to review a document. These often include attachments like SVG, HTML, or PDF files, or links that take you to a login page. These are designed to trick you into clicking and entering your login information.

3. “Urgent Request” Emails (W-2, Payroll, Wire Transfers): These appear to come from your boss, a coworker, or even your own email address. They may ask for W-2s, employee information, PDFs, or urgent payments. If something feels even slightly off, stop and verify.

What’s Changed (Why You’re Seeing More of These)

Attackers now use AI to generate unique emails, making them harder for filters to detect. Emails can appear to come from inside your organization, phishing links are often hosted on trusted platforms like Microsoft or Google, and the overall volume of attacks has increased significantly. Even with advanced security, no system can block 100% of these emails.

What To Do (Simple Rules)

Don’t click first — think first. If an email is unexpected, urgent, or asking for sensitive information, pause before taking action. Always verify requests another way by calling or messaging the person directly. Be cautious of emails that look “too perfect” — modern phishing emails often have correct grammar and branding. Be careful with unexpected attachments, especially SVG, HTML, or unknown files. Most importantly, report phishing emails instead of just deleting them so your system can learn and block similar threats.

How to Reduce the Risk

User awareness is only part of the solution. Many of these attacks succeed because email systems are not fully configured to prevent spoofing or impersonation. Proper setup of SPF, DKIM, and DMARC, along with improved Microsoft 365 security settings, can significantly reduce the number of these emails that make it through in the first place. For a more detailed explanation of how this works and what should be configured, see our guide: How to Secure Your Email Domain (SPF, DKIM, DMARC).
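For teams that review reported messages, the warning signs in this guide can be checked automatically. The Python example below is an added illustration, not part of the original guide: it parses one message and lists SPF/DKIM/DMARC results that did not pass, an internal-looking sender that failed DMARC, a mismatched Reply-To domain, and SVG or HTML attachments. The sample message, the `triage` and `domain_of` names, and the `example.*` domains are all constructed for this example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

RISKY_EXT = (".svg", ".html", ".htm")  # attachment types this guide singles out
# Constructed sample, not a real message; all example.* names are placeholders.
SAMPLE = """\
From: "IT Support" <it@example.com>
To: pat@example.com
Reply-To: helpdesk@example.net
Subject: Your mailbox is expiring
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com;
 dkim=none; dmarc=fail header.from=example.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Validate your account using the attached form.
--b1
Content-Type: image/svg+xml
Content-Disposition: attachment; filename="voicemail.svg"

<svg xmlns="http://www.w3.org/2000/svg"></svg>
--b1--
"""

def domain_of(header_value):
    # Domain part of an address header; empty string when the header is absent.
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def triage(raw, org_domain):
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # Only trust Authentication-Results headers added by your own mail gateway.
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth.lower()))
    for check in ("spf", "dkim", "dmarc"):
        if results.get(check) != "pass":
            findings.append(f"{check}={results.get(check, 'missing')}")
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if from_dom == org_domain and results.get("dmarc") != "pass":
        findings.append("internal-looking sender failed DMARC")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain differs: {reply_dom}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"risky attachment: {name}")
    return findings
```

Calling `triage(SAMPLE, "example.com")` returns six findings for the constructed message; a message with passing results, no Reply-To mismatch and no risky attachment returns an empty list.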

Final Thoughts

Phishing attacks are becoming more advanced and more common, but most can still be avoided with a few simple habits. When in doubt, don’t click, verify the request, and report the message. If you’re ever unsure about an email, it’s always better to ask than to take a risk. If your organization is seeing an increase in these types of emails or would like help improving your email security, feel free to reach out — we’re happy to help.