
What small businesses must do now to stay ahead of phishing


COMMENTARY: Phishing email detection is breaking down, and the bad guys know it. The latest twist? Hackers are wrapping their malicious links through legitimate URL-scanning services. That means the link your employee sees in their inbox might pass all your filters, look safe, and still lead straight into a trap. If you're a small business relying on basic email security, you're not just vulnerable, you’re already behind.

Let’s unpack what’s happening, why it matters more than ever for small businesses, and most importantly, what you can do (even on a budget) to protect your people and your business.

How phishing email detection got outsmarted

For years, email security tools have leaned heavily on scanning for suspicious links. But attackers have evolved. Now, instead of sending users directly to malicious sites, they pass those links through reputable services, like URL scanners or link shorteners, to disguise them. It’s like hiding a fake key in a box labeled “Security Checkpoint.”

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

These scanning services aren’t doing anything wrong; they’re built to preview or analyze links. But attackers abuse that functionality. When your spam filter sees a well-known domain, it lets the message through. Meanwhile, the real danger is hiding behind that legitimate-looking link.

This isn't some theoretical, high-end attack. It’s happening right now, and the volume is growing. CSO Online recently reported how threat actors are actively exploiting these techniques to sneak past detection systems that small businesses depend on every day.
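The defensive counterpart to this trick is to judge a link by where it finally lands, not by the reputable domain it is wrapped in. The following Python is an added example, not code from the column or from any product it mentions: it unwraps nested wrapper links offline by pulling http(s) URLs out of query strings, then grades the final host against an allow-list. The wrapper domains and the sample link are constructed placeholders, not real services.

```python
import urllib.parse

# Constructed placeholder list of wrapper/preview hosts (not real services).
KNOWN_WRAPPERS = {"scanner-preview.example", "short.example"}
MAX_DEPTH = 5  # stop unwrapping after this many nested layers


def _embedded_urls(url):
    """Return http(s) URLs carried in the query string or fragment of `url`.
    parse_qsl percent-decodes each value once, so a doubly encoded inner
    link is decoded layer by layer as unwrap_url() descends."""
    parsed = urllib.parse.urlsplit(url)
    found = []
    for part in (parsed.query, parsed.fragment):
        for _, value in urllib.parse.parse_qsl(part, keep_blank_values=True):
            if value.lower().startswith(("http://", "https://")):
                found.append(value)
    return found


def unwrap_url(url, max_depth=MAX_DEPTH):
    """Peel wrapper layers without touching the network.
    Returns (final_url, hops), where hops lists each wrapper host passed."""
    hops, current = [], url
    for _ in range(max_depth):
        inner = _embedded_urls(current)
        if not inner:
            break
        hops.append((urllib.parse.urlsplit(current).hostname or "").lower())
        current = inner[0]  # first embedded URL is the redirect target
    return current, hops


def classify_link(url, allowed_hosts, known_wrappers=KNOWN_WRAPPERS):
    """Grade a link by its final destination; `allowed_hosts` is lowercase."""
    final_url, hops = unwrap_url(url)
    final_host = (urllib.parse.urlsplit(final_url).hostname or "").lower()
    if final_host in allowed_hosts:
        verdict = "allow"
    elif hops:
        verdict = "block"   # a trusted-looking wrapper hides an unknown host
    else:
        verdict = "review"  # unwrapped and unknown: hand to normal filtering
    return {
        "final_host": final_host,
        "hops": hops,
        "known_wrapper": any(h in known_wrappers for h in hops),
        "verdict": verdict,
    }
```

The verdict for a wrapped link never depends on the wrapper's reputation, which is exactly the signal the attackers described above are counting on.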

Why small businesses are prime targets

Let’s be blunt: small businesses are easy marks. Not because they’re careless, but because they’re busy. They’re juggling a million things: sales, hiring, taxes. So they often settle for the security tools that come “out of the box” with their email platform. Maybe it’s Microsoft 365 or Google Workspace. Perhaps it’s whatever the IT guy set up five years ago.

These default protections aren’t designed to keep up with the kind of tactics being used now. And when phishing email detection relies on outdated blacklists or basic keyword checks, threats slip through like water through a sieve. The emails look clean. The links seem safe. Employees click, credentials get stolen, and suddenly your QuickBooks files or customer database are in someone else’s hands.

Even worse? These phishing emails feel personal. They're better written, more targeted, and often reference authentic vendors, clients, or tools your company uses. That false sense of trust is exactly what attackers are counting on.

Rethinking the human element (Hint: Training alone isn't enough)

Many people believe that phishing prevention is limited to running an annual security awareness session, distributing a “don’t click strange links” flyer, and calling it a day. That used to be fine. It isn’t anymore.

Here’s the deal: employees aren’t the weakest link; they're just overwhelmed. If phishing email detection fails and the message looks completely legitimate, no amount of training will help. It’s not about being gullible; it’s about being human.

That said, training still matters, but only when paired with more innovative tools and smarter strategies. Regular phishing simulations, for example, give teams a safe space to mess up and learn. When paired with feedback and short refreshers, it keeps people sharp without turning your workplace into a paranoid minefield.

Phishing email detection that works for small teams

Let’s talk solutions, real ones that don’t require a six-figure IT budget.

  • Upgrade your spam filters: Most email platforms have advanced settings hidden under the hood. Adjust them to be more aggressive on link inspection, or explore low-cost third-party filters designed for small businesses.
  • Use link rewriting tools: Some anti-phishing platforms replace every email link with a monitored redirect. If a site later turns malicious, access gets blocked before the user ever gets there.
  • Deploy browser isolation: This tech runs unknown links in a virtual environment, so even if someone clicks, the threat never hits their actual computer.
  • Enable multi-factor authentication (MFA): Always. If an attacker does steal credentials, MFA is your emergency brake.
  • Conduct monthly simulations: Use tools like KnowBe4 or even open-source options to run fake phishing tests and see where people need more support.
  • Stay alert to trends: Make sure someone on your team (or a consultant) is tracking changes in phishing email detection tactics. Cybersecurity isn’t static.

These changes won’t break the bank. They will make a difference.

Conclusion

Cybersecurity isn't just a tech problem; it's a business survival issue, especially for small companies with tight margins and loyal customers. You don’t need to catch every phishing trick in the world, but you do need to stay one step ahead of the ones coming for your team’s inbox.

Attackers are counting on small businesses to be slow to adapt. Prove them wrong.

If you’ve dealt with phishing email detection failures firsthand or found a practical tactic that worked for your business, share your story. Let’s help each other stay sharp. Because if we’re going to outsmart the bad guys, we’re going to have to do it together.

Philip Mire

Philip Mire is a cybersecurity consultant with 30 years of frontline experience protecting organizations of all sizes, from Fortune 500 giants to fast-moving startups. After stepping away from the 9-to-5 grind, he turned his full attention to helping small businesses, a sector he believes is critically underserved in today’s cybersecurity landscape.
