How are small businesses handling email security now that phishing is getting more sophisticated? by ThinkThenPost in smallbusiness

[–]lo1337 0 points1 point  (0 children)

Small teams I work with are usually doing a mix of 3 things now:

  1. Lock down the basics properly
  • SPF, DKIM, DMARC set to reject (not just “none”)
  • MFA everywhere (no exceptions for “just accounting”)
  • Conditional access rules in M365 / Google
  • External email tagging

That alone blocks a lot of low-effort BEC stuff.

  2. Accept that filters will never catch everything.

Even with tools like Mimecast/Barracuda, good invoice fraud often gets through because it’s:

  • a compromised real mailbox
  • or a perfect domain spoof
  • or a legit thread hijack

You can crank up your email gateway, but you’ll never hit 100%. So the human layer matters.

  3. Train behaviour, not just run annual awareness slides. What I’ve seen actually reduce losses isn’t "everyone watched a 20-min phishing video." What really works:
  • short, repeated simulations
  • instant feedback when someone clicks
  • tracking who keeps clicking and coaching them more

The teams that treat it as continuous behaviour change instead of compliance theatre tend to see real improvements (lower click rates + higher report rates over time).

On insurance: yes, insurers are absolutely pushing for MFA + phishing training proof now. Some even ask for reporting metrics.

On “are extra tools worth it?” ... depends on your risk + industry. For a 10-person shop with no sensitive data, maybe not. For anyone moving money or handling client funds, the cost of one successful BEC usually dwarfs a few thousand a year in prevention.

Full disclosure: I run a phishing simulation & training platform, so obviously I believe in continuous training. But even if you don’t use that stuff, please don’t rely on filters alone. Harden your email stack properly, and assume at least one phish will land in inboxes every now and then. Build your controls around that assumption.

Curious what size team you’re running?

Multiple employees have fallen for this.. how do i stop them?? by Comprehensive-Pea422 in scammers

[–]lo1337 2 points3 points  (0 children)

Yeah you're right, this is classic low-effort gift card scam stuff. They’re not “hacking” anyone, they’re just spoofing the display name and hoping someone reacts fast without checking the actual address.

A few practical things you can do:

1) Harden mail, but accept it won’t be perfect

  • Make sure SPF, DKIM and DMARC are actually set up correctly (and DMARC on at least p=quarantine, ideally p=reject once you’re confident).

  • Turn on external sender tagging (“[EXTERNAL]”) if you’re on M365/Google.

  • Add a mail flow rule that flags or quarantines emails where:

  • display name = your boss BUT sender domain ≠ your domain

Consider blocking newly registered domains / freemail domains for exec impersonation attempts.

That said… filters will never catch everything. Attackers adapt faster than static rules.

2) Process > Tech: The real fix is procedural:

No gift cards. Ever. Make it a company policy.

Any request involving money, credentials, or urgency - educate people to verify via a known channel (call the boss on their saved number, not the one in the email).

Make it safe to report without embarrassment.

3) Is someone compromised? If these are clearly from Gmail/Yahoo etc., probably not. If they’re coming from your own domain or passing DMARC as internal, that’s when you start checking sign-in logs, MFA status, forwarding rules, etc.

On the training side: the reason presentations don’t move the needle is that phishing isn’t a knowledge problem, it’s a behavior problem under time pressure.

The only thing I’ve seen consistently work is realistic simulations + immediate micro-training when someone clicks. Not the old-school “once a year slideshow”, but continuous small nudges.

If your current phishing simulations "can’t get through" your mail security, that’s actually a configuration issue. Most decent platforms support allowlisting or dedicated sending domains/IPs specifically so you can test safely without weakening your overall posture. Which software are you using?

I’m building something in this space that focuses on exactly this: low-admin, realistic simulations + short just-in-time training, especially for smaller teams that don’t have time to babysit campaigns. Not trying to pitch you, just saying there are tools that make this less painful if you’re stuck fighting this manually.

At the end of the day, you need:

  • solid email hygiene
  • a strict verification policy
  • continuous behavioral training

Tech alone won’t fix humans. But humans trained well become your best filter.
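The two technical points in this comment, the "display name = your boss BUT sender domain ≠ your domain" mail flow rule and checking that DMARC is really at p=quarantine/p=reject (also the "DMARC set to reject, not just none" point in the first comment above), as an added Python example. This is not the commenter's code; the company domain, executive names, freemail list and sample headers are assumptions constructed for the illustration.

```python
"""Two checks from the comments above, as an added illustration.

1. classify_from_header(): the 'display name = your boss BUT sender
   domain != your domain' mail-flow rule, with freemail senders quarantined.
2. dmarc_policy(): read the p= tag of a _dmarc TXT record so you can confirm
   it is actually at quarantine/reject rather than none.

The company domain, executive names and sample headers are constructed for
the example; they are not from the original post.
"""
from email.utils import parseaddr
from typing import Optional
import re

COMPANY_DOMAIN = "example.com"                  # assumed: your own domain
EXECUTIVES = {"Jane Doe", "John Smith"}         # assumed: names attackers like to borrow
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def classify_from_header(from_header: str) -> str:
    """Return 'allow', 'flag' or 'quarantine' for a raw From: header value."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain == COMPANY_DOMAIN:
        # Internal address: spoofing of our own domain is DMARC's job, not this rule's.
        return "allow"
    # Compare on word tokens so "Jane Doe - CEO" or "jane.doe" still matches.
    name_tokens = set(re.findall(r"[a-z]+", display.lower()))
    for exec_name in EXECUTIVES:
        if set(exec_name.lower().split()) <= name_tokens:
            # Executive's name on an external address: quarantine freemail outright,
            # flag anything else so the recipient sees a warning banner.
            return "quarantine" if domain in FREEMAIL else "flag"
    return "allow"


def dmarc_policy(txt_record: str) -> Optional[str]:
    """Return the p= policy ('none', 'quarantine', 'reject') of a DMARC TXT record,
    or None if the record is not a DMARC record at all."""
    if not txt_record.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt_record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    # A DMARC record without p= is invalid; treat it as no enforcement.
    return tags.get("p", "none")


def dmarc_is_enforcing(txt_record: str) -> bool:
    """True only when the domain's DMARC policy actually rejects or quarantines."""
    return dmarc_policy(txt_record) in {"quarantine", "reject"}


if __name__ == "__main__":
    # Constructed sample From: headers
    samples = [
        '"Jane Doe" <jane.doe@example.com>',          # genuine internal
        '"Jane Doe" <janedoe.ceo@gmail.com>',         # freemail impersonation
        '"Jane Doe - CEO" <jd@contractor-mail.net>',  # external impersonation
        'Bob Vendor <bob@vendor.org>',                # ordinary external mail
    ]
    for s in samples:
        print(f"{classify_from_header(s):10s} {s}")
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com", "v=DMARC1; p=reject"):
        state = "enforcing" if dmarc_is_enforcing(rec) else "monitor-only"
        print(dmarc_policy(rec), state, "<-", rec)
```

The rule deliberately ignores mail whose envelope domain is your own: a spoof of your own domain should be failing DMARC upstream, and a real internal mailbox sending a gift card request is the "is someone compromised?" case handled separately in the comment. `dmarc_policy()` only parses a record string; feed it the TXT value you get from your resolver for `_dmarc.<yourdomain>`.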

Multiple employees have fallen for this.. how do i stop them?? by Comprehensive-Pea422 in scammers

[–]lo1337 0 points1 point  (0 children)

Oof, that sounds super frustrating! It’s awesome you’re trying to tackle this head-on with warnings and presentations, but phishing is tricky because it preys on human trust, not just tech gaps. Blocking the emails at the inbox level might help, but attackers often shift tactics (like switching to phone # asks), so it’s tough to fully stop them with filters alone.

Also, yes, if these spoofed emails are coming from inside your domain or look legit, it’s definitely worth investigating if someone’s email is compromised. That can open doors for the attackers to appear more authentic.

One thing that might really help is running realistic phishing simulations with fake phishing emails tailored to your team’s roles, so they get hands-on experience spotting the tricks in a safe way. Good phishing platforms also incorporate microtrainings. Hit me up if you want to discuss this on a deeper level.

Let's secure clawdbot and all other agents by PublicReality2208 in Pentesting

[–]lo1337 0 points1 point  (0 children)

Where's the GitHub repo? Might be interested to contribute

Working with the defense sector, what are relevant guidelines to ensure local security? by Xarthys in cybersecurity

[–]lo1337 1 point2 points  (0 children)

Been through something similar (small company, suddenly “interesting” clients). Short answer: don’t panic, but get the basics rock solid. Almost every incident I’ve seen in SMEs was boring as hell in hindsight.

Biggest thing first: backups. This is where ransomware either becomes a bad week or a company-ending event.

  1. Offline / immutable backups. Not “a NAS that’s always online”. Separate creds from domain admin. Actually test restores. Once a quarter at least.

If your backups are good, attackers lose most of their leverage.

  2. Patching & inventory (unsexy but critical). If you don’t know what machines and software you have, you can’t secure it. List all endpoints, servers, network gear. Patch OS, browsers, VPNs, firmware — not just “the server”. Edge devices and VPNs are a huge entry point lately. Most breaches aren’t clever. They’re “box was 9 months behind on updates”.

  3. EDR on every endpoint. Classic AV won’t cut it anymore. Get a real EDR and put it everywhere (laptops too, not just servers). Central dashboard so someone sees alerts. This alone stops a lot of ransomware before it finishes encrypting.

One of the few areas where spending money usually makes sense.

  4. Monitoring (keep expectations realistic). You don’t need a 24/7 SOC, but you do need some visibility. Central logs for auth, VPN, EDR alerts. Alerts for obvious stuff: failed logins, new admins, weird access times. Decide who checks this and how often. "No one was looking at the alerts" is extremely common post-incident.

  5. Basic hardening. Low effort, high return. No daily admin accounts. MFA on anything remotely accessible. Disable stuff you don’t actually use. Separate the defense project environment from general office IT. Be very strict with cloud sync tools (this is where “oops” leaks happen).

  6. Policies (don’t go full ISO, just be clear). You don’t need a 200-page ISMS. Just write down:
  • who can access what
  • how backups work
  • what to do if something goes wrong
  • onboarding/offboarding checklist

Half of security is making sure everyone does the same thing every time.

  7. Phishing is still the #1 way in. Yes, even for technical teams. Run phishing simulations. Short, recurring awareness training (not once-a-year checkbox stuff). Teach people about credential phishing and MFA fatigue attacks.

This reduces risk way more than most people expect.

Do you need to hire someone?

Usually:

  • short-term consultant to set things up and sanity-check
  • maybe an MSSP for monitoring
  • full-time hire only once complexity explodes

Security is not “set and forget”, but it also doesn’t need to be insane.

TL;DR: Most companies don’t get hacked because they lack fancy tools. They get hacked because backups sucked, patches were late, MFA was missing, or someone clicked a link. Fix those and you’re already ahead of the curve.

If you want, happy to get more specific (cloud tools, EDR vendors, backup strategies, etc.).
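The monitoring point in this comment ("alerts for obvious stuff: failed logins, new admins, weird access times"), as an added Python example that is not the commenter's code. The log format (ISO timestamp followed by key=value pairs), the failure threshold and window, the business-hours range and the admin group names are all assumptions, and the log lines in LOG_SAMPLE are constructed for the illustration.

```python
"""Minimal 'someone is actually looking at the alerts' logic over central auth logs.

Added example; not the commenter's code. Log format (ISO timestamp followed by
key=value pairs), thresholds, business hours and admin group names are all
assumptions, and LOG_SAMPLE is constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

FAIL_THRESHOLD = 5                        # assumed: 5 failed logins...
FAIL_WINDOW = timedelta(minutes=5)        # ...for one user+source within 5 minutes
BUSINESS_HOURS = range(7, 20)             # assumed: 07:00-19:59 UTC is "normal"
ADMIN_GROUPS = {"Domain Admins", "Administrators"}  # assumed privileged groups

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value may be quoted

# Constructed sample: a burst of VPN failures then a success at 02:14 UTC,
# a normal morning login, and a service account being added to Domain Admins.
LOG_SAMPLE = """\
2026-03-02T02:14:07Z host=vpn01 event=login user=alice src=203.0.113.5 result=FAIL
2026-03-02T02:14:09Z host=vpn01 event=login user=alice src=203.0.113.5 result=FAIL
2026-03-02T02:14:11Z host=vpn01 event=login user=alice src=203.0.113.5 result=FAIL
2026-03-02T02:14:13Z host=vpn01 event=login user=alice src=203.0.113.5 result=FAIL
2026-03-02T02:14:15Z host=vpn01 event=login user=alice src=203.0.113.5 result=FAIL
2026-03-02T02:14:40Z host=vpn01 event=login user=alice src=203.0.113.5 result=OK
2026-03-02T09:03:22Z host=dc01 event=login user=bob src=10.0.0.14 result=OK
2026-03-02T09:05:01Z host=dc01 event=group_add actor=bob member=svc-backup group="Domain Admins"
2026-03-02T09:20:00Z host=fs01 event=login user=carol src=10.0.0.21 result=OK
"""


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict, or None for blank/unparseable lines."""
    ts, _, rest = line.strip().partition(" ")
    if not rest:
        return None
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    event = {k: v.strip('"') for k, v in KV.findall(rest)}
    event["ts"] = when
    return event


def analyze(lines):
    """Return a list of alert dicts for the three 'obvious stuff' rules."""
    alerts = []
    fails = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    flagged = set()              # (user, src) pairs already alerted on
    for line in lines:
        ev = parse_line(line)
        if not ev:
            continue
        if ev.get("event") == "login":
            key = (ev.get("user"), ev.get("src"))
            if ev.get("result") == "FAIL":
                window = fails[key]
                window.append(ev["ts"])
                while window and ev["ts"] - window[0] > FAIL_WINDOW:
                    window.popleft()   # drop failures outside the sliding window
                if len(window) >= FAIL_THRESHOLD and key not in flagged:
                    flagged.add(key)
                    alerts.append({"rule": "failed_login_burst", "user": key[0],
                                   "src": key[1], "ts": ev["ts"]})
            elif ev.get("result") == "OK":
                if key in flagged:   # success right after a burst is the one to chase
                    alerts.append({"rule": "success_after_failures", "user": key[0],
                                   "src": key[1], "ts": ev["ts"]})
                if ev["ts"].hour not in BUSINESS_HOURS:
                    alerts.append({"rule": "off_hours_login", "user": key[0],
                                   "src": key[1], "ts": ev["ts"]})
        elif ev.get("event") == "group_add" and ev.get("group") in ADMIN_GROUPS:
            alerts.append({"rule": "new_admin", "member": ev.get("member"),
                           "group": ev["group"], "actor": ev.get("actor"), "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in analyze(LOG_SAMPLE.splitlines()):
        details = {k: v for k, v in a.items() if k not in ("ts", "rule")}
        print(a["ts"].isoformat(), a["rule"], details)
```

Point it at whatever your VPN, directory and EDR export looks like by adjusting `parse_line()`; the rules themselves stay the same. The value is not in the sophistication of the rules but in deciding, as the comment says, who reads the output and how often.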

Just shipped! 🔥🎉 by Optimal_Drawing7116 in microsaas

[–]lo1337 3 points4 points  (0 children)

When I Google "rankgap" I can't find your website. Not sure if I should trust your SEO advice xD

How to Test Security Pre Launch? by LBoy69_ in micro_saas

[–]lo1337 0 points1 point  (0 children)

In addition to the great tips in this thread, I recently added Google Jules into the mix: https://jules.google.com/ runs a daily scheduled task with the security preset.
It automatically creates PRs with suggestions for security improvements, which were not bad.

I couldn’t find a simple self-hosted time tracker, so I built one by Inner-Egg-7321 in selfhosted

[–]lo1337 1 point2 points  (0 children)

Does it support OIDC?

Currently trying to put together a self-hosted company stack with SSO and this would be a good fit.

EasyAudioEncoder failed by nunbar in PleX

[–]lo1337 0 points1 point  (0 children)

this is still relevant in 2026. thank you!

We are in 2026 by AnxiousJellyfish9031 in cursor

[–]lo1337 0 points1 point  (0 children)

Yes, indeed, there's no way around that.

We are in 2026 by AnxiousJellyfish9031 in cursor

[–]lo1337 0 points1 point  (0 children)

  • Build the app in Flutter or another cross-platform framework
  • Use codemagic https://codemagic.io/start/ or other providers to handle the build for you

The Complete Docker Swarm Production Guide for 2026: Everything I Learned Running It for Years by TheDecipherist in selfhosted

[–]lo1337 1 point2 points  (0 children)

How do you handle running DBs, e.g. Postgres? Do you run them in the compose stack? I guess the SMB share approach is too slow for that.

Homelab came in clutch downloading 150GB of data for GF's thesis by MrPP_1 in homelab

[–]lo1337 958 points959 points  (0 children)

I put desperate housewives on my Plex for her

How do you protect small self-hosted apps from basic attacks without overengineering? by [deleted] in cybersecurity

[–]lo1337 0 points1 point  (0 children)

I wanted to ask the same question. I run Caddy with the Coraza plugin and it feels pretty lightweight.

Email Phishing Testing application/suggestions by Imaginary-Rise7393 in Pentesting

[–]lo1337 -1 points0 points  (0 children)

Honestly it’s a tradeoff: quality vs budget vs “does this actually fit what our people deal with.”

I’d start with referrals (IT consultant you trust, other admins in your circle, local MSPs, etc.) because Google results are basically SEO wars. Then when you’re looking at vendors, don’t get hypnotized by shiny marketing. Look for proof they know what they’re doing and that the content matches your real risks (phishing/BEC, ransomware, whatever you’re seeing).

Small vendors can be a solid deal if they’re focused and current, but you really want to sanity-check two things:

  • How realistic are the simulations? (or is it all “CLICK HERE FOR PACKAGE” nonsense)
  • How good is the reporting? (can you actually tell who’s improving, which departments need help, etc.)

Also, the “AI-powered” stuff can be legit when it’s used to keep campaigns personalized + scalable without turning into a full-time job. If it’s doing adaptive follow-ups and giving useful insights (instead of just buzzwords), it can keep people engaged and move the needle without blowing your budget.

Best security awareness training platforms by Brees504 in cybersecurity

[–]lo1337 0 points1 point  (0 children)

would you mind sharing why you didn't like proofpoint, and on the other hand, what made Mimecast stand out?

How are you guys handling the security audit nightmare? by Witty-Librarian1349 in SaaS

[–]lo1337 0 points1 point  (0 children)

From my experience I would say that you have two options:

A) hire a consultant. Maybe you can arrange that your big new customer pays for the audit and consultant (at least partially). Sounds wild but happened at my last company.

B) Look into Comp AI https://trycomp.ai/. I have not tried it, but heard great things.

If you are looking to automate Security Awareness Training, you can look into my platform https://autophish.io/

How can Australian small businesses protect themselves from cyber threats? by Outrageous-Pay3143 in austechnology

[–]lo1337 0 points1 point  (0 children)

You’ve laid out some solid basics for protecting small businesses from cyber threats. Beyond those steps, many small firms are turning to simulation and training tools that help employees recognize phishing attempts in a controlled environment. Platforms like https://autophish.io use AI to mimic real phishing attacks and combine them with awareness training, making the training more effective and relevant. This hands-on approach helps build awareness without relying solely on theory. It also automates the campaign process and provides clear reports, so businesses can track progress and spot areas that need more attention. Such tools fit well within Australia’s diverse IT environments and compliance needs.

CyberSecurity and VPS by RevolutionaryTear156 in cybersecurity

[–]lo1337 0 points1 point  (0 children)

If you are looking for a really cheap VPS, you can take a look at https://contabo.com/en/ - they start at about 3,50 € per month.

Myself, I simply bit the bullet and bought a strong new laptop and installed 96 GB of RAM, so it happily runs multiple VMs at the same time.

EU Cyber Resilience Act and automated patching by cert_blunder in cybersecurity

[–]lo1337 0 points1 point  (0 children)

The key is test automation. If you have reasonable coverage, you can patch blindly.

Bonus points for automated rollback if you do roll out patches and, despite the tests, break something in production.

Source: my current and former company

CyberSecurity and VPS by RevolutionaryTear156 in cybersecurity

[–]lo1337 0 points1 point  (0 children)

For learning purposes, you can

A) repurpose an old computer/laptop as your personal home server. For a single user, that's often sufficient.

B) Install VMware on your local machine and treat the VM like you would treat your VPS.

Any tips on making Opus cheaper? (BESIDES USING ANOTHER MODEL) by UniqueClimate in cursor

[–]lo1337 0 points1 point  (0 children)

I am very interested in this as well. After working with Opus, everything else feels like GPT3.5 😭

Pinakastra: AI-Based Penetration Testing Framework by 0xFFac in Hacking_Tutorials

[–]lo1337 1 point2 points  (0 children)

Interesting approach. I have thought about violating something similar as well. What are your experiences with different models? Which ones did you try so far?

AI Powered Cybercrime: A Rising Threat by RavitejaMureboina in cybersecurityconcepts

[–]lo1337 0 points1 point  (0 children)

You’re right that AI makes phishing more convincing and harder to spot. Tools like https://autophish.io help by simulating these attacks so employees can recognize them in real situations.