
Phishing Has Evolved. Has Your Verification?

Certifyd Team

The finance director of a construction company in Surrey received an email from her CEO at 7:14am on a Wednesday. He was travelling, he said, and needed an urgent payment processed to a new supplier before 10am. The email came from his usual address. It referenced a real project. It matched his writing style — terse, no pleasantries, a request followed by a deadline.

She processed the payment: £142,000 to an account she had never seen before. By lunchtime, the CEO was back in the office. He had not sent the email. The money was gone.

This is not a story about a careless employee. It is a story about an attack vector that has evolved far beyond anything that "think before you click" training was designed to address.

The new phishing landscape

Phishing is no longer what most people picture: a poorly written email from a Nigerian prince, riddled with spelling errors and a suspicious link. That era — if it ever truly existed outside of public perception — is over.

Modern phishing is targeted, personalised, and frequently indistinguishable from legitimate communication. UK Finance reported that authorised push payment (APP) fraud — which includes business email compromise — reached £459.7 million in losses in 2023 in the UK alone. The total value of fraud losses across all payment types exceeded £1.2 billion.

The shift has been enabled by three converging factors: the industrialisation of social engineering, the availability of AI-powered content generation, and the fundamental weakness of email as a trust mechanism.

How modern phishing actually works

Spear phishing: the personalised attack. Generic phishing emails — "Dear Customer, please verify your account" — still exist but are increasingly caught by spam filters. Spear phishing targets specific individuals within specific organisations, using information scraped from LinkedIn profiles, company websites, social media, and data breaches.

A spear phishing email to a finance team member might reference the company's real bank, name the CFO correctly, refer to an actual recent transaction, and arrive at a time consistent with the sender's known working patterns. The attacker has done their homework. The email passes every informal authenticity test the recipient might apply.

Business email compromise (BEC): the impersonation. BEC attacks go a step further than spear phishing. The attacker either compromises a real email account (through credential theft) or creates a domain that is visually identical to the target company's domain — "certifyd.io" becomes "certifyd.i0" or "certlfyd.io". The difference is invisible at a glance, particularly on a mobile screen.
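Look-alike domains of the kind described above can be caught mechanically before a human has to spot them. The following is an added example, not Certifyd's code: it collapses confusable glyphs into a "skeleton" and flags sender domains that match a trusted domain too closely. The trusted domain, the sample addresses and the small confusable table are constructed for illustration.

```python
# Added example, not Certifyd's code: flag sender domains that are visual
# look-alikes of a trusted domain. The trusted domain, the sample addresses and
# the small confusable table are constructed for illustration.
import unicodedata

TRUSTED_DOMAINS = {"certifyd.io"}

# Glyphs that read alike at a glance, especially on a mobile screen.
SINGLE_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "3": "e",
                                    "5": "s", "8": "b", "9": "g"})
MULTI_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}


def skeleton(domain: str) -> str:
    """Collapse confusable glyphs so 'certifyd.i0' and 'certlfyd.io' coincide."""
    d = unicodedata.normalize("NFKD", domain.lower().strip("."))
    d = "".join(c for c in d if not unicodedata.combining(c))  # strip accents
    for seq, rep in MULTI_CONFUSABLES.items():
        d = d.replace(seq, rep)
    return d.translate(SINGLE_CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Edit distance: each substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a From: address."""
    domain = address.rsplit("@", 1)[-1].lower().strip(".")
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    sk, first = skeleton(domain), skeleton(domain.split(".")[0])
    for trusted in TRUSTED_DOMAINS:
        # Same skeleton, one edit away, or the same leading label under another
        # suffix (certifyd.com, certifyd.io.example.net) are all impersonation.
        if (levenshtein(sk, skeleton(trusted)) <= 1
                or first == skeleton(trusted.split(".")[0])):
            return "lookalike"
    return "external"
```

A mail gateway or SIEM rule that tags "lookalike" senders gives the finance team the warning the naked eye misses on a phone screen.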

From this compromised or spoofed account, the attacker sends instructions that appear to come from a senior executive, a supplier, or a client. The instructions are typically financial: change the bank details for a regular payment, process an urgent invoice, transfer funds to a new account.

AI-generated content: the quality leap. Large language models have eliminated the linguistic tells that once helped recipients identify phishing emails. Grammar errors, awkward phrasing, and unnatural tone — the classic warning signs — no longer exist. AI can generate emails that match a specific person's writing style based on publicly available examples. It can produce contextually appropriate content that references real events, real people, and real business processes.

This means the traditional advice — "look for spelling mistakes and unusual language" — is obsolete. A phishing email generated by AI will have better grammar than many legitimate business emails.

Voice phishing (vishing): the phone call. Phishing has extended beyond email to voice calls. AI-powered voice cloning allows attackers to replicate a person's voice from short audio samples — conference recordings, YouTube videos, podcast appearances. A phone call from what sounds exactly like the CEO, asking for an urgent payment, is profoundly difficult to resist.

The Arup deepfake attack demonstrated the endpoint of this trajectory: a finance employee was tricked into transferring $25 million after participating in a video call where multiple colleagues appeared to be present. All of them were deepfakes.

Why email verification is fundamentally broken

The core problem is that email — the primary communication channel for business — was never designed as a trust mechanism. When you receive an email, you have no cryptographic guarantee that the sender is who the "From" field claims. Email authentication protocols (SPF, DKIM, DMARC) reduce domain spoofing, but they authenticate the sending domain, not the person behind the mailbox, so they do not prevent compromised accounts, look-alike domains, or forwarded messages from being used in attacks.

Every verification process that relies on email — "please reply to confirm," "click this link to verify," "I'll send you the details by email" — inherits this fundamental weakness. If the communication channel itself can be compromised, any verification performed through that channel is unreliable.

This is why the most damaging fraud attacks work through email. The victim is not clicking a suspicious link to a fake website. They are responding to what appears to be a legitimate email from a person they know, authorising an action that falls within their normal responsibilities. The attack surface is the trust relationship, not a technical vulnerability.

The financial impact on UK businesses

The scale of email-based fraud in the UK is substantial and growing.

Action Fraud reports that BEC fraud is consistently among the highest-value fraud types reported by businesses. Individual losses regularly exceed £100,000, and cases involving £1 million or more are no longer unusual.

The National Cyber Security Centre (NCSC) has classified phishing as the number one cyber threat to UK organisations. Not ransomware. Not data breaches. Phishing — because it is the entry point for almost every other attack type.

For SMEs, the impact is disproportionate. A £150,000 fraud loss that a large corporation can absorb may be existential for a company with a £2 million turnover. And SMEs typically lack the dedicated security teams, email filtering infrastructure, and incident response capabilities that larger organisations rely on.

The shift to out-of-band verification

If the email channel is compromised, verification must move outside it. This principle — known as "out-of-band verification" — is well established in cybersecurity but poorly adopted in everyday business operations.

Out-of-band verification means confirming a request through a channel that is independent of the channel through which the request was received. If a payment instruction arrives by email, you verify it by phone. If a phone call requests a change, you verify it by a separate secure channel. The attacker must compromise two independent channels simultaneously — a significantly harder proposition.

In practice, however, out-of-band verification in most businesses consists of "call them back to confirm." This has three problems:

  1. It relies on the recipient remembering to do it. Under time pressure, people skip verification steps. The CEO said it's urgent. The supplier said the deadline is today. The instinct to be responsive overrides the discipline to verify.

  2. The callback number may be compromised. If the attacker has spoofed the email, they may have also spoofed the phone number, or the recipient may call the number provided in the fraudulent email rather than looking up the real one.

  3. It does not scale. A finance team processing hundreds of transactions daily cannot call back to verify each one. The verification burden must be proportionate to the volume of transactions, or it will be abandoned.

What effective verification looks like

The solution is not more training, although training has its place. It is a structural change in how verification happens — moving from reactive, human-dependent checking to proactive, systematic identity confirmation.

Verified identity for high-value communications. Any communication that authorises a financial transaction, changes bank details, or grants system access should be accompanied by verified identity confirmation from the sender. Not an email signature. Not a phone call. A cryptographic confirmation that the person sending the instruction is who they claim to be.

Process-embedded verification. Verification should be built into the process, not bolted on as an optional step. A payment approval workflow that requires identity verification before processing eliminates the "I forgot to check" failure mode. The system does not proceed without verification. There is no override for urgency.

Time-independent verification. One of the most effective phishing tactics is urgency — "this must be done before 10am." A verification process that is instant removes the attacker's ability to use time pressure. If verification takes 30 seconds, the excuse of "there wasn't time to check" evaporates.

Separation of communication and verification channels. The channel through which a request is made and the channel through which identity is verified must be architecturally independent. If an attacker compromises email, the verification channel — which does not rely on email — remains intact.
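The four properties above can be expressed as a single approval gate. The following is an added example, not Certifyd's product: a confirmation must arrive on a channel other than the one the instruction came in on, within a short window, and be cryptographically bound to the exact payee and amount; the urgency flag is recorded but never consulted. The HMAC-based confirmation, the channel names, the time window and the sample request are assumptions constructed for illustration.

```python
# Added example, not Certifyd's product: a payment-approval gate with the four
# properties above. The HMAC-based confirmation, channel names, time window and
# sample request are assumptions constructed for illustration.
import hashlib, hmac, json, time
from dataclasses import dataclass

MAX_AGE_SECONDS = 300  # a confirmation is bound to a short, fixed window

@dataclass(frozen=True)
class PaymentRequest:
    request_id: str
    payee_account: str
    amount_pence: int
    received_via: str      # channel the instruction arrived on, e.g. "email"
    urgent: bool = False   # recorded for the audit trail, never consulted

@dataclass(frozen=True)
class Confirmation:
    approver: str
    channel: str           # channel the confirmation arrived on
    issued_at: float
    mac_hex: str           # HMAC over the canonical request, per-approver key

def canonical(req: PaymentRequest) -> bytes:
    """Stable encoding so the MAC binds request id, payee and amount."""
    return json.dumps({"id": req.request_id, "payee": req.payee_account,
                       "amount": req.amount_pence}, sort_keys=True).encode()

def sign(req: PaymentRequest, key: bytes) -> str:
    return hmac.new(key, canonical(req), hashlib.sha256).hexdigest()

def decide(req, conf, approver_keys, now=None):
    """Approve only on an independent, fresh confirmation bound to this exact
    request. Every reason for refusal is written to the audit record."""
    now = time.time() if now is None else now
    reasons = []
    if conf is None:
        reasons.append("no confirmation")  # there is no 'urgent' skip path
    else:
        if conf.channel == req.received_via:
            reasons.append("confirmation not out-of-band")
        if not 0 <= now - conf.issued_at <= MAX_AGE_SECONDS:
            reasons.append("confirmation stale or from the future")
        key = approver_keys.get(conf.approver)
        if key is None or not hmac.compare_digest(conf.mac_hex, sign(req, key)):
            reasons.append("confirmation does not match this request")
    return {"request_id": req.request_id, "approved": not reasons,
            "reasons": reasons, "urgent_flag": req.urgent, "decided_at": now}
```

Because the MAC covers the payee and amount, an instruction that is altered after the approver confirmed it fails the check even though the confirmation itself is genuine.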

The human layer remains critical

Technology alone does not solve the phishing problem. The social engineering dimension — exploiting authority, urgency, trust, and helpfulness — targets human psychology, not technical systems. Even with perfect verification infrastructure, an employee who overrides the process because "the CEO told me to skip it this time" creates a vulnerability.

The organisations that defend most effectively against phishing combine technical controls with a culture of verification. This means:

  • Normalising verification requests. When someone asks "can you confirm your identity before I process this?", that should be treated as professionalism, not suspicion.
  • Eliminating urgency as an override. No legitimate instruction is so urgent that it cannot accommodate a 30-second verification step. If someone says otherwise, that itself is a red flag.
  • Creating psychological safety around delays. An employee who pauses to verify a £200,000 payment instruction and turns out to be right has saved the company. An employee who pauses to verify and turns out to be wrong has cost the company nothing except 30 seconds. The risk is entirely asymmetric.

Certifyd provides out-of-band identity verification for high-value business interactions — confirming that the person requesting a payment, authorising a change, or joining a meeting is who they claim to be, through a channel independent of email. It takes 30 seconds and creates an auditable verification record for every interaction. Learn more about Certifyd Sentinel.