The small business guide to phishing in 2026: five things that have changed

If your phishing playbook was written before 2024, it's out of date. Here's what's changed, what hasn't, and what any IT team with fewer than 500 users needs to do about it.

Phishing hasn't gone away. It's gotten better. If your playbook was written before 2024, the ground has shifted under you in five specific ways. Here's what any IT team with fewer than 500 seats actually needs to know.

1. Generative AI erased the 'bad spelling' tell

The single most common advice given to end users, 'watch for typos and grammar mistakes', stopped working around 18 months ago. Current phishing messages are indistinguishable from legitimate corporate communications. In some cases they are better written. Your staff cannot spot these by reading them carefully.

2. Lookalike domains are now generated at scale

Three years ago, an attacker had to research your brand and buy a plausible domain. Today they script the lookalike generation and buy fifty of them via an automated registrar API, rotating through them faster than your DNS blocklists update. Whichever one happens to be serving at the moment your staff member clicks is the one that catches them.

The attackers know which ones your providers have already blocked. They throw away the burned ones and launch new ones before lunch.
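The defensive counterpart to scripted lookalike generation is a typosquat check of the kind a browser-layer URL filter runs on every hostname before the page loads. The following is an added example, not code from this post or from any product; the protected brand domains, the confusable table and the sample hostnames are all constructed for the demonstration.

```python
import unicodedata
# Constructed: domains this organisation legitimately uses.
PROTECTED = {"contoso.com", "fabrikam.net"}
# Substitutions commonly used to imitate Latin letters; folded before comparison.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}

def fold(host: str) -> str:
    """Lowercase, NFKC-normalise and collapse confusable characters."""
    host = unicodedata.normalize("NFKC", host.lower().rstrip("."))
    for look, real in CONFUSABLES.items():
        host = host.replace(look, real)
    return host

def registrable(host: str) -> str:
    return ".".join(host.split(".")[-2:])  # last two labels; fine for .com/.net style TLDs

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for one hostname."""
    raw = host.lower().rstrip(".")
    if registrable(raw) in PROTECTED:
        return "legit"          # the real brand domain, or a subdomain of it
    folded = fold(raw)
    if registrable(folded) in PROTECTED:
        return "lookalike"      # matches only after homoglyph folding, e.g. cont0so.com
    label = registrable(folded).split(".")[0]
    for brand in PROTECTED:
        name = brand.split(".")[0]
        if f".{brand}." in f".{folded}.":
            return "lookalike"  # brand used as a subdomain: contoso.com.evil.example
        if name in label and label != name:
            return "lookalike"  # brand embedded in the label: contoso-login.com
        if levenshtein(label, name) <= (1 if len(name) < 6 else 2):
            return "lookalike"  # TLD swap (distance 0) or one or two typos
    return "unrelated"

if __name__ == "__main__":  # constructed hostnames as they might appear in a proxy log
    for h in ["login.contoso.com", "cont0so.com", "contoso.com.evil.example", "contosso.co"]:
        print(f"{h:26} {classify(h)}")
```

Because the registered domain changes with every rotation but the brand string it imitates does not, this kind of similarity check keeps working after a blocklist of specific domains has gone stale.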

3. Real-time phishing runs with a human in the loop

Adversary-in-the-middle phishing ('AiTM') kits used to be esoteric. They are now commodity tools. What this means practically: when your staff member enters their Microsoft 365 password on a fake page, the attacker relays it to the real Microsoft sign-in page in real time, passes the MFA prompt through to the victim to approve, and signs in with the resulting session. Your existing MFA does not save you from this.

This is the hardest one to explain to leadership, because the answer to 'why didn't MFA stop it?' is uncomfortable.

4. The attacker's target list has shifted down-market

Bigger organisations have invested heavily in anti-phishing. The economics have pushed attackers toward mid-market and SMB targets, where the defences are thinner and the incident impact is often larger relative to the organisation's size. If you are between 50 and 500 seats, you are now a first-tier target, not an afterthought.

5. The response window has collapsed to hours

Once credentials are compromised, modern attackers pivot within hours. The 'we'll figure it out Monday morning' playbook doesn't work anymore. By Monday morning, they've already changed your mailbox rules and sent invoices to your customers.

You don't need enterprise-tier incident response to handle this. But you do need prevention that works at the browser layer, because that is where the click happens and the credentials get entered.

What still works, what doesn't

Works:

  • Phishing-resistant MFA (FIDO2, hardware keys)
  • Browser-level URL reputation and typosquat detection
  • Credential-reuse warnings (the 'that password is used on a known good site' nudge)
  • Fast DNS blocklist updates

Doesn't work:

  • End-user training as the primary defence
  • SMS MFA
  • Static allowlists
  • Hoping your email gateway catches it all

Most SMBs don't need enterprise SSE to handle this. They need the browser-layer basics deployed correctly. That's genuinely a ten-minute problem with the right tool, not a six-month procurement.