How to Protect Your Business From Phishing Attacks
Phishing losses jumped 208% in 2025. Here is the 7-step playbook to protect your business from phishing attacks, from MFA to the FBI's Kali365 warning.

A single click used to cost a password. In 2026, it can hand an attacker your entire Microsoft 365 tenant without ever asking for one. That is the new reality of phishing, and it is why protecting your business from phishing attacks now looks nothing like the advice you read three years ago.
Quick answer
Protect your business from phishing by stacking four layers: enforce phishing-resistant MFA with conditional access, lock down email using SPF, DKIM and DMARC, train your team with short monthly modules plus quarterly simulations, and keep a tested incident-response plan. No single control is enough in 2026, because AI-written lures and device-code attacks now slip past defenses that worked last year.
Key takeaways
- Phishing losses jumped 208% in 2025 ($70M to $215.8M) even though complaint volume stayed flat, per the FBI IC3 2025 report. Each successful attack now does far more damage.
- 82.6% of phishing emails contain AI-generated content, and AI lures hit click rates around 54% versus 12% for human-written ones.
- The FBI's May 2026 Kali365 security warning shows attackers stealing Microsoft 365 tokens and bypassing MFA entirely. MFA still matters, but it is no longer the finish line.
- MFA blocks roughly 99.9% of automated attacks, yet an estimated 65% of small businesses still skip it and 68% have no DMARC policy.
- The human element appears in 60% of breaches, and regular training improves phishing reporting 4x, far better than the old annual video.
Why phishing got more dangerous in 2026
The headline number is brutal. The FBI's Internet Crime Complaint Center logged nearly $20.9 billion in cybercrime losses for 2025, its first year past 1 million complaints. Phishing and spoofing were among the most-reported crimes.
Here is the part most owners miss. Phishing complaints barely moved, dropping from 193,407 to 191,561. But reported phishing losses tripled, from $70 million to $215.8 million. The volume stalled while the damage exploded.
That decoupling has two main drivers: artificial intelligence, which lets criminals scale the quality of each attack and not just the quantity, and phishing-as-a-service kits that package the result for anyone willing to rent them. If you are auditing the platforms your team relies on, start at our software tools and reviews hub to see which apps enforce strong admin controls.
Business Email Compromise alone caused $3.04 billion in losses across 24,768 complaints in 2025, averaging roughly $123,000 per incident. It remains one of the costliest cybercrimes in the country.
The right posture in 2026 is not "if we get phished" but "when, and how fast can we contain it."

The new face of AI-generated phishing
For years we taught staff to spot typos, clumsy grammar and generic greetings. That advice is now actively harmful, because it teaches people to trust a clean, well-written email.
Roughly 82.6% of phishing emails now carry AI-generated content, per KnowBe4 research. These messages are fluent, personalized to your role, and often reference real projects scraped from LinkedIn or your own website.
The click rates show why this matters. AI-written lures reach click rates near 54%, against about 12% for human-written ones, more than four times higher. The polish that used to signal safety now signals nothing at all.
Phishing is also multichannel now. The same campaign can arrive by email, by text (smishing), by phone (vishing), and increasingly through deepfake audio impersonating an executive. One well-built lure can move across all of them in minutes.
The FBI Kali365 security warning, explained
The clearest sign of where attacks are heading came on May 21, 2026. The FBI issued an IC3 public service announcement, widely called the FBI Kali365 security warning, about a phishing-as-a-service platform that breaks into Microsoft 365 accounts.
Kali365 abuses Microsoft's legitimate OAuth device-code flow, the sign-in method built for devices without a keyboard or browser. The kit requests a device code from Microsoft, then emails the victim a convincing lure that sends them to the real Microsoft device-login page to paste in that short code. The victim signs in there, and Microsoft issues the resulting access and refresh tokens to whichever client requested the code: the attacker's. No fake login page is involved, and the attacker never learns the password.
Why does MFA not save you here? Because the attacker is never the one logging in. The victim completes the whole sign-in, MFA challenge included, on a genuine Microsoft page; the only thing wrong is which client receives the tokens. The criminal never faces a separate MFA challenge, since the system thinks you already passed it, and the refresh token keeps working until it expires or is revoked, long after the lure is deleted.
The kit also ships a second mode called Cookie Link, an adversary-in-the-middle attack that proxies your browser to capture live session cookies after you log in. Promoted on Telegram and reportedly cheap to rent, it gives non-technical fraudsters AI-generated lures, campaign templates and live tracking dashboards.
The FBI recommends blocking device-code authentication via Conditional Access, auditing existing device-code usage, and adopting phishing-resistant MFA such as hardware keys. You can read the official advisory on the FBI's IC3 site.
The 7-step playbook to protect your business from phishing attacks
No single tool stops modern phishing. Defense in depth does. Here is the order I would build it in for a small or mid-sized team, cheapest and highest-impact first.

1. Turn on phishing-resistant MFA everywhere
MFA still blocks around 99.9% of automated account attacks, and an estimated 65% of small businesses have not enabled it. That is the single biggest, fastest win available. Prioritize email and admin accounts first.
For 2026, go beyond SMS codes. Use an authenticator app with number matching at minimum and, better, hardware security keys or passkeys (FIDO2). FIDO2 credentials are bound to the real sign-in domain, so an adversary-in-the-middle proxy like Kali365's Cookie Link mode cannot relay them; that is what makes them phishing-resistant. Be clear about their limit, though: they do not stop the device-code flow on their own, because there the victim signs in on the genuine Microsoft page and the token simply goes to the wrong client. That gap is closed by step 3, which is why the FBI advises both.
2. Lock down email authentication: SPF, DKIM, DMARC
Around 68% of small businesses still have no DMARC policy. Without it, criminals can spoof your exact domain and email your own staff or customers as you. SPF publishes which servers may send mail for your domain, DKIM adds a cryptographic signature that proves a message was not altered in transit, and DMARC ties both to the visible From address and tells receiving inboxes what to do with mail that fails. Note the limit: DMARC protects your own domain from being forged. It does nothing against lookalike domains or lures sent from a free webmail account, so steps 4 and 5 still carry that load.
Set DMARC to monitor (p=none) first, read the aggregate reports it sends you to find legitimate senders you forgot (payroll, CRM, marketing tools), fix their SPF and DKIM, then move to quarantine and finally reject. Google, Microsoft and Yahoo now require DMARC for bulk senders, so it protects deliverability as well as your brand.
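The staged rollout above, as an added PowerShell example that is not from the article: the three DMARC records you would publish in turn for a placeholder domain (example.com and the report mailbox are assumptions), followed by a small check that reads what a domain currently publishes for SPF and DMARC. It uses only Resolve-DnsName, so it runs from any Windows machine with DNS access.

```powershell
# Added example, not code from the article. example.com and the rua mailbox
# are placeholders; replace them with your own domain and reporting address.
$Domain = "example.com"

# Stage 1: monitor only. Receivers deliver mail as normal but send aggregate reports.
$DmarcMonitor    = "v=DMARC1; p=none; rua=mailto:dmarc-reports@$Domain; adkim=r; aspf=r"
# Stage 2: quarantine, ramped with pct= so one forgotten sender does not sink all mail at once.
$DmarcQuarantine = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@$Domain; adkim=r; aspf=r"
# Stage 3: reject, with sp=reject so subdomains (hr.example.com) cannot be spoofed either,
# and strict alignment so only the exact domain passes.
$DmarcReject     = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@$Domain; adkim=s; aspf=s"

function Get-EmailAuthPosture {
    param([Parameter(Mandatory)][string]$Domain)

    # SPF is a TXT record at the domain apex; DMARC lives at _dmarc.<domain>.
    $spf = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -like 'v=spf1*' } |
        Select-Object -First 1
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -like 'v=DMARC1*' } |
        Select-Object -First 1

    # Pull the p= tag out of the DMARC record, if one exists.
    $policy = 'missing'
    if ($dmarc -and $dmarc -match 'p=(none|quarantine|reject)') { $policy = $Matches[1] }

    [pscustomobject]@{
        Domain       = $Domain
        SpfPresent   = [bool]$spf
        SpfHardFail  = [bool]($spf -and $spf -match '-all\s*$')   # "~all" (softfail) is the weaker setting
        DmarcPolicy  = $policy                                    # aim for "reject"
        DmarcReports = [bool]($dmarc -and $dmarc -match 'rua=')   # without rua= you are flying blind
    }
}

Get-EmailAuthPosture -Domain $Domain
```

DKIM is deliberately not checked here: each sending service publishes its key under its own selector (Microsoft 365 uses selector1._domainkey and selector2._domainkey, for example), so there is no single record to query without knowing the selector. Run the posture check against your own domain before and after each stage, and do not move from quarantine to reject until the aggregate reports show no legitimate sender failing.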
3. Block device-code and risky authentication flows
If you run Microsoft 365, use an Entra ID Conditional Access policy whose authentication-flows condition blocks device code flow for all users and all apps, exactly as the FBI advised after Kali365. Roll it out in report-only mode first so you can see which legitimate tools would be affected (some command-line and headless-device sign-ins use the flow), and leave an emergency break-glass account excluded so you never lock yourself out. Google Workspace has no Conditional Access, but its Context-Aware Access and third-party app access controls play the same role there.
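The audit-then-block sequence the FBI recommends, as an added example using the Microsoft Graph PowerShell SDK; this is not code from the article or the advisory. It lists recent sign-ins that used device code flow, then creates the Conditional Access policy in report-only mode with the break-glass account excluded. The break-glass object ID is a placeholder, and the 30-day window assumes your tenant retains sign-in logs that long.

```powershell
# Added example, not code from the article. Requires: Install-Module Microsoft.Graph
# and a Conditional Access administrator role. Replace the placeholder object ID.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All", "Directory.Read.All"

$BreakGlassUserId = "<object-id-of-emergency-access-account>"   # placeholder (assumed)

# 1. Audit first: who has actually used device code flow recently? Legitimate
#    uses are rare (CLI tools, headless devices); anything else deserves a look.
#    authenticationProtocol is filtered client-side; createdDateTime is filterable server-side.
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$deviceCodeSignIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.AuthenticationProtocol -eq 'deviceCode' } |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IpAddress,
                  @{ n = 'Country'; e = { $_.Location.CountryOrRegion } }
$deviceCodeSignIns | Format-Table -AutoSize
# Equivalent KQL if the logs stream to Log Analytics:
#   SigninLogs | where AuthenticationProtocol == "deviceCode"

# 2. Block the flow for everyone except the break-glass account. Start in
#    report-only mode, review the impact in the sign-in log, then set state to "enabled".
$policy = @{
    displayName   = "Block device code flow (all users, all apps)"
    state         = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions    = @{
        users               = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassUserId) }
        applications        = @{ includeApplications = @("All") }
        authenticationFlows = @{ transferMethods = "deviceCodeFlow" }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"
```

The policy is created through a raw Graph request rather than a typed cmdlet so that the authenticationFlows condition is sent exactly as written. Keep the audit query in your runbook: once the policy is enforced, any device-code sign-in that still appears in the log belongs to the excluded account and should be investigated immediately.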
4. Replace annual training with monthly micro-learning
The human element appears in roughly 60% of breaches, so training is not optional. But the once-a-year video is dead. Swap it for 10 to 15 minute monthly modules plus quarterly phishing simulations.
Regular training improves phishing reporting rates around 4x, from a 5% base to 21%, according to Verizon's 2025 DBIR. Measure behavior change and reporting speed, not just course completion.
5. Train people to verify, not to trust their gut
Since the old red flags are gone, teach a process instead. For any money movement, credential request or urgent change, staff verify the sender, inspect links, and confirm financial requests through a second known channel before acting.
Build a blame-free reporting culture. The goal is fast reporting, not perfect employees. Someone who reports a click in five minutes is worth ten who hide it.
6. Keep offline backups and least-privilege access
Assume one account will eventually fall. Maintain offline or immutable backups, since around 40% of victims who pay a ransom never fully recover their data. Limit each account's access so one compromise does not unlock everything: keep admin roles on separate accounts that are never used for email or browsing, so a stolen mailbox token is only a stolen mailbox token.
7. Build and test an incident-response plan
Write down who does what when an account is compromised: revoke the account's active sessions and refresh tokens immediately (a password reset on its own does not invalidate tokens issued before it), reset credentials, remove anything the attacker left behind (forwarding or deletion inbox rules, OAuth app consents, newly registered MFA methods or devices), and notify affected parties. Tested response plans recover faster at lower cost. Run a tabletop drill at least twice a year.
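The containment steps above for one Microsoft 365 user, as an added PowerShell example that is not code from the article. It revokes the user's refresh tokens, disables sign-in pending a reset, then pulls the four places a Kali365-style intruder typically leaves persistence. The user principal name is a placeholder; it needs the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module, and the scopes shown are assumptions you may need to adjust to what your tenant grants.

```powershell
# Added example, not code from the article. victim@example.com is a placeholder.
$Upn = "victim@example.com"

Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.AccessAsUser.All", "UserAuthenticationMethod.Read.All", "Directory.Read.All"
Connect-ExchangeOnline

# 1. Kill what the attacker already holds. A password reset alone does not
#    invalidate refresh tokens issued before the reset; this does. Access tokens
#    already minted stay valid until they expire (typically up to an hour),
#    so do this first and keep watching the sign-in log afterwards.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 2. Stop new sign-ins until the credential is reset and the account reviewed.
Update-MgUser -UserId $Upn -AccountEnabled:$false

# 3. Hunt for persistence the kit may have planted.
# Inbox rules that forward, redirect, delete or hide mail are the classic BEC foothold.
Get-InboxRule -Mailbox $Upn |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder |
    Format-Table -AutoSize

# OAuth consent grants let an attacker-controlled app keep reading mail after a reset.
Get-MgUserOauth2PermissionGrant -UserId $Upn |
    Select-Object ClientId, Scope, ConsentType | Format-Table -AutoSize

# Newly registered MFA methods or devices are another way back in.
Get-MgUserAuthenticationMethod -UserId $Upn |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } } | Format-Table
Get-MgUserRegisteredDevice -UserId $Upn |
    Select-Object Id, @{ n = 'Name'; e = { $_.AdditionalProperties['displayName'] } } | Format-Table
```

Treat every item the last three commands list as suspect until the user confirms it; anything the user does not recognise gets removed before the account is re-enabled. Re-enable only after the password reset and a fresh MFA enrolment, and review the sign-in log for the same IP ranges across other users, since a kit that phished one mailbox usually phished several.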
A quick comparison of your core defenses
| Control | What it stops | Cost / effort | Priority |
|---|---|---|---|
| Phishing-resistant MFA | ~99.9% of automated account takeovers | Low | Do first |
| SPF / DKIM / DMARC | Domain spoofing and impersonation | Low / medium | Do first |
| Conditional Access (block device code) | Kali365-style token theft | Medium | High |
| Monthly training + simulations | Human clicks, 4x higher reporting rate | Medium | High |
| Offline backups + IR plan | Damage and recovery time | Medium | High |
The right financial tools also reduce your BEC fraud exposure. Pairing dual approval with strong card controls limits what a single compromised account can spend, so review the best business credit cards for accounts that support spend limits and instant alerts.
For solo operators and very small teams, the same logic applies on a smaller scale. Our guide to the best business credit card for small businesses covers cards with granular controls that contain fraud fast.
Tools and culture: where to invest next
Technology stops the obvious attacks; people stop the clever ones. Vet the platforms your team uses daily, since attackers love to impersonate familiar apps. Our breakdown of the best instant messaging tools for business covers which platforms enforce SSO and admin controls.
If you are formalizing security training and onboarding, the right people stack helps you enforce it consistently. The best HR software for the workplace can automate security onboarding and track who has completed training.
Frequently asked questions
How do I recognize phishing in 2026 if the old warning signs are gone?
Stop relying on typos and clumsy urgency, because AI-generated phishing is grammatically perfect, hyper-personalized and multichannel across email, SMS smishing, voice vishing and deepfakes. Instead, verify the sender, inspect links, and confirm any financial or credential request through a second known channel before you act.
Why are phishing losses rising while the number of attacks stays flat?
Because AI and phishing-as-a-service scale the damage per attack, not the count. Complaints stayed nearly flat in 2025 while losses jumped 208%, so each successful click now costs far more. The correct posture is "when, not if," with layered controls and a tested response plan.
Is MFA enough to stop phishing?
MFA blocks about 99.9% of automated attacks and should be on everywhere, especially email, ideally paired with SPF, DKIM and DMARC against spoofing. But it is not a complete defense in 2026. The FBI's Kali365 warning shows token-theft attacks that bypass MFA, so add Conditional Access, device-code blocking and phishing-resistant hardware keys.
How often should employees do phishing training?
Replace annual training with short monthly modules of 10 to 15 minutes plus quarterly phishing simulations. Regular training improves phishing reporting roughly 4x, from a 5% base rate to 21%, according to the Verizon 2025 DBIR. Measure behavior change and reporting speed, not just course completion.
What is the FBI Kali365 security warning about?
On May 21, 2026, the FBI warned about Kali365, a phishing-as-a-service kit that steals Microsoft 365 OAuth tokens through the device-code flow and bypasses MFA without needing your password. The FBI recommends blocking device-code authentication with Conditional Access, auditing its usage, and adopting hardware-based, phishing-resistant MFA.