Phishing Is Getting Harder to Spot. Here’s What’s Changed.
Microsoft caught 8.3 billion phishing emails in Q1 2026. The tactics have shifted, and the old advice about dodgy grammar no longer cuts it. Here’s what your.
By The Dragon Digital team
Phishing used to be fairly easy to dismiss. Odd grammar, a blurry logo, an urgent request to “click here immediately.” Most people have learned to spot that. The problem is, attackers have learned too.
Microsoft’s threat intelligence team flagged 8.3 billion phishing emails in the first three months of 2026 alone. That’s a lot. But the more important shift is in how these attacks work, not just how many there are.
Three tactics your email filter probably won’t catch
QR codes embedded in emails. Instead of a clickable link (which your email security can scan and flag), attackers are dropping QR codes into PDFs or directly into the email body. Your staff scan it on their phone, outside your office network, and land on a convincing fake login page. Microsoft saw a 146% increase in this approach over the quarter.
Fake CAPTCHA checks. You know the “I’m not a robot” puzzle? Attackers now use it as a decoy. The person sees what looks like a legitimate security step, solves the puzzle, and is then shown a pixel-perfect fake login page. The clever bit: automated security tools get stuck at the CAPTCHA and never reach the malicious page, so your defences don’t flag it.
Phishing kits for hire. Criminals can now rent ready-made phishing platforms, the same way you’d subscribe to business software. These kits come with fake login pages, email templates, hosting, and technical support. You no longer need to be a skilled attacker to pull off a convincing credential-theft campaign. This has lowered the bar dramatically.
On top of all that, generative AI now writes the copy. The emails read naturally, arrive looking like someone your staff recognise, and the request feels plausible.
What this looks like for a small business in North Wales
For a law firm in Bangor, a clinic in Wrexham, or a construction company in Conwy, this usually plays out one of two ways. Either someone’s Microsoft 365 account gets taken over and the attacker impersonates them to clients or colleagues. Or credentials are stolen and used to quietly access shared files, emails, and Teams data.
Worth knowing: sophisticated phishing kits can capture not just your password but also the session token (the digital key that proves you’re logged in), which means even having multi-factor authentication switched on doesn’t always save you.
What you can actually do
- Treat QR codes in email as suspicious. Legitimate businesses rarely use a QR code when a normal link would do. If a vendor or partner sends one, a quick phone call to verify costs 30 seconds.
- Tell your team about fake CAPTCHA pages. Real Microsoft, Google, or banking sites don’t ask you to solve a CAPTCHA before you log in. If someone sees that before a login screen, something’s wrong.
- Check who has access to what. If an account is compromised, the damage is much smaller if that person only had access to what they actually needed. Broad access to shared drives and payment systems turns a bad day into a very expensive one.
- Consider hardware security keys or Microsoft Authenticator. SMS codes and time-based MFA codes can be intercepted by the more sophisticated phishing kits, because a six-digit code works wherever it is typed in. A hardware key only answers to the genuine site’s address, and a phone-based authenticator is also significantly harder to beat than a code.
- Run a phishing simulation. Send fake phishing emails to your own staff and see who clicks. Then train the ones who do, without making it a big deal. Most people learn quickly once they’ve nearly been caught out. This is worth raising with whoever looks after your IT, especially if your team handles sensitive client data or has broad access to shared systems. You might also find our article on why external emails sometimes appear to come from your own staff useful reading alongside this one.
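To show why the hardware keys suggested above stand up to the session-stealing kits described earlier, here is an added example that is not from the article: a constructed Python stand-in for a FIDO2/WebAuthn login, where the sign-in only succeeds when the browser is on the genuine site’s address. The RP_ID, origins and HMAC-based signature are assumptions for illustration.

```python
import hashlib
import hmac
import json
import os

# Added example, not from the article. Constructed stand-in for a FIDO2/WebAuthn
# login: an HMAC replaces the key's real asymmetric signature, but the two
# origin checks (browser-side and site-side) are the real mechanism.

RP_ID = "login.example.com"               # assumed site the key was enrolled with
GENUINE_ORIGIN = "https://login.example.com"

def enroll_key():
    """Enrolment: the secret stands in for the key's per-site private key."""
    return os.urandom(32)

def browser_get_assertion(key, origin, challenge):
    """What the browser and hardware key do together. The credential is scoped
    to RP_ID, so a page on any other host cannot use it at all (first layer)."""
    host = origin.split("://", 1)[1].split("/", 1)[0]
    if host != RP_ID and not host.endswith("." + RP_ID):
        return None                       # a real browser raises SecurityError here
    # The origin the browser actually connected to is signed; the user cannot edit it.
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True)
    signed = hashlib.sha256(RP_ID.encode()).digest() + hashlib.sha256(client_data.encode()).digest()
    return {"client_data": client_data, "sig": hmac.new(key, signed, "sha256").hexdigest()}

def site_verify(key, challenge, assertion):
    """What the genuine site checks (second layer): fresh challenge, its own
    origin inside the signed data, and a valid signature over exactly that."""
    if assertion is None:
        return False
    client_data = json.loads(assertion["client_data"])
    if client_data["challenge"] != challenge or client_data["origin"] != GENUINE_ORIGIN:
        return False                      # produced on another page, or replayed
    signed = hashlib.sha256(RP_ID.encode()).digest() + hashlib.sha256(assertion["client_data"].encode()).digest()
    return hmac.compare_digest(hmac.new(key, signed, "sha256").hexdigest(), assertion["sig"])

def attempt_login(key, page_origin):
    """One login attempt from a page at page_origin, passed on to the genuine site."""
    challenge = os.urandom(16).hex()
    return site_verify(key, challenge, browser_get_assertion(key, page_origin, challenge))

if __name__ == "__main__":
    k = enroll_key()
    print("genuine page:  ", attempt_login(k, GENUINE_ORIGIN))                # True
    print("lookalike page:", attempt_login(k, "https://login-example.com"))   # False
```

A one-time code has no equivalent of the signed origin field, which is why a relaying kit can simply forward it to the real site.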
Phishing remains the most common way into a small business. Awareness and sensible access controls will stop most of it.
Could your business use a hand with its IT?
We provide managed IT support, cyber security and more to businesses across North Wales.