In the ‘good old days,’ it was laughably easy to spot a scam. Remember those Nigerian prince emails – and even faxes – from the 1990s? If not (or if you’re a bit too young), here’s a refresher:

The Nigerian prince fraud

CONFIDENTIAL AND URGENT:
Dear Friend, I am Prince Ibrahim Sule, the son of the late Minister of Finance in Nigeria.
I write to you with utmost respect and confidentiality. My father left behind a total sum of $18,500,000 USD in a foreign bank account, which I am unable to access due to government restrictions in my country. I need your assistance as a foreign partner to transfer these funds safely.
In return for your assistance, I am prepared to offer you 25% of the total sum for your cooperation.

To proceed, kindly provide the following information:
– Your full name
– Bank account details
– Telephone number

You will also be required to pay a small processing fee to facilitate the transfer of the funds. Please keep this transaction strictly confidential due to the sensitive nature of this situation. Time is of the essence.
I look forward to your urgent response.

Yours faithfully, Prince Ibrahim Sule

Did it work?

Sadly – yes. Today, most of us would instantly recognise this as a scam (at least we’d hope so!), but it’s believed that over the years, tens of millions of dollars have been lost by people who fell for what’s now called an ‘advance-fee’ fraud.

While the Nigerian prince scam had a relatively low success rate, the sheer number of emails sent meant that sucking in even a tiny percentage of recipients yielded a good payoff for someone. Greed and naivety went a long way back then. But before you laugh, this scam is still doing the rounds and still fooling people!

You may recognise it today in various updated forms, like inheritance scams, lottery winnings, investment opportunities, romance scams, and fake job offers.

Fast forward to 2026 – what does the more modern phishing scam look like?

Meet: The CEO fraud email

Subject: Quick turnaround needed – vendor payment

Hi [your name],
I’m in back-to-back meetings with Company X this morning and just realised we’re late on this month’s payment. They’ve escalated it, and it’s starting to impact the partnership.
We need to get this cleared before 2pm today.
I’ve attached the updated invoice – please use the new bank details on this one, as they’ve changed accounts since last quarter.
I’m unavailable to jump on a call right now, so just confirm once it’s done.
Thanks, [CFO’s name]

And do people fall for this?

Again, yes – they do.

The CEO fraud is highly successful because it ticks all the boxes. It exploits your trust, your natural instinct to respond promptly to a 2 pm deadline (especially when it’s the boss asking), and normal business processes.

And it’s not obvious. There are no tell-tale links to click or unexpected files to open. It depends entirely on social engineering (deception and psychological manipulation), which makes it harder for you to resist and for cybersecurity solutions to detect.

The reality is that when you’re already under pressure and dealing with high volumes of emails, and it seems like a genuine request, it’s all too easy to make a mistake.
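To make those pressure points concrete, here is a small scoring sketch run over the sample CEO fraud email above. It is an added example, not part of the original article and not how any email filtering product works; the indicator phrases, weights, threshold and the benign comparison email are all assumptions made for illustration.

```python
import re

# Assumed indicator groups and weights (illustrative, not taken from any product).
INDICATORS = {
    "urgency": (2, [r"\bbefore \d{1,2}\s?(am|pm)\b", r"\burgent\b",
                    r"\bquick turnaround\b", r"\bescalated\b"]),
    "payment_request": (2, [r"\binvoice\b", r"\bpayment\b", r"\bwire\b", r"\btransfer\b"]),
    "changed_bank_details": (4, [r"\bnew bank details\b", r"\bchanged accounts?\b",
                                 r"\bupdated (bank|account) details\b"]),
    "blocks_verification": (4, [r"\bunavailable to (jump on|take) a call\b",
                                r"\bcan'?t talk\b", r"\bjust confirm once\b"]),
}
HOLD_THRESHOLD = 8  # assumed cut-off for "hold and verify on a known phone number"

def normalise(text):
    # Fold typographic apostrophes and dashes so patterns match mail-client output.
    return text.replace("\u2019", "'").replace("\u2013", "-").lower()

def score_email(subject, body):
    """Return (score, sorted list of indicator groups that fired)."""
    text = normalise(subject + "\n" + body)
    fired = [name for name, (_, pats) in INDICATORS.items()
             if any(re.search(p, text) for p in pats)]
    return sum(INDICATORS[n][0] for n in fired), sorted(fired)

def verdict(subject, body):
    score, fired = score_email(subject, body)
    # Changed payee details plus pressure not to verify is the core pattern here.
    risky_combo = {"changed_bank_details", "blocks_verification"} <= set(fired)
    return "hold" if score >= HOLD_THRESHOLD or risky_combo else "deliver"

# Sample 1: the CEO fraud email quoted in this article.
CEO_SUBJECT = "Quick turnaround needed – vendor payment"
CEO_BODY = (
    "I’m in back-to-back meetings with Company X this morning and just realised "
    "we’re late on this month’s payment. They’ve escalated it. "
    "We need to get this cleared before 2pm today. I’ve attached the updated "
    "invoice – please use the new bank details on this one, as they’ve changed "
    "accounts since last quarter. I’m unavailable to jump on a call right now, "
    "so just confirm once it’s done."
)
# Sample 2: constructed benign email for comparison.
BENIGN_SUBJECT = "March invoice attached"
BENIGN_BODY = ("Hi Sam, please find attached the invoice for March. Terms are 30 days "
               "as usual. Call me on the usual number if anything looks off.")

if __name__ == "__main__":
    print(verdict(CEO_SUBJECT, CEO_BODY), score_email(CEO_SUBJECT, CEO_BODY))
    print(verdict(BENIGN_SUBJECT, BENIGN_BODY), score_email(BENIGN_SUBJECT, BENIGN_BODY))
```

A fixed phrase list like this misses reworded messages, so a "hold" result is best treated as a prompt to confirm the bank details by calling a number already on file rather than as a complete filter.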

How easy?

This easy: The CFO fraud is a typical BEC (Business Email Compromise) attack that causes businesses billions in losses each year. In fact, one in five organisations lost money via BEC in the last year alone. Yikes!

The big phish

Phishing is just one of the many social engineering attacks coming at you most days of the week. Others to beware of are smishing (SMS), vishing (phone calls), BEC, spear phishing (targeted attacks), whaling (targeting executives), and pretexting (where you’re tricked into sharing credentials such as your login or password).

What these attacks all have in common is that they leverage trust, urgency, and normal business processes rather than technical vulnerabilities to get what they want.

And what are the attackers after? They use your credentials to get into your systems, steal data, insert ransomware, and even make transactions. They submit seemingly authentic invoices (with inauthentic bank details) for payment.

In the end, though, it’s all about money. Phishing is a (big) business. Really big.

In its Internet Crime Report 2025, the FBI reported phishing/spoofing losses (US only) of $215.8 million. And here in Australia? Phishing and BEC scams alone resulted in payment redirections that cost Australians $166.8 million in 2025.

What about AI?

Good question – we all know that AI makes everything go faster and requires less effort. It’s changing everything – including phishing.

AI has made phishing faster, more targeted, and much harder to detect. Gen AI can write hundreds of phishing emails in just minutes – and all those tell-tale signs of scams (the errors and bad grammar) just aren’t there. Emails can be written in the style of a specific person, so they’re harder to spot. And they can be easily personalised using data lifted from LinkedIn, for example. As they sound so ‘real’, AI-generated phishing is more likely to evade email filters and detection systems.

And of course, AI is being used for more than just emails, with deepfake vishing, videos, chatbots, and even QR codes.

Righto – how can you stop BEC in its tracks?

There’s no nice way to say this, but people are the big problem when it comes to phishing. According to SpamTitan, “The human element was involved in approximately 60% of data breaches in 2024.”  

That’s why we offer our customers SpamTitan for advanced email filtering. As most BEC attacks start with a phishing email to a real live person (like you), we like to cut the campaigns off at the knees.

Here’s what we think you’ll like about it:

  • SpamTitan has a high accuracy rate when it comes to spotting phishing attempts – think 99%.
  • It filters phishing emails, spoofed messages (emails that pretend to come from someone you trust – but don’t!), and malicious links.
  • It uses multiple detection layers to spot those quirks and anomalies that identify an email as phishing.
  • It protects you against spoofing and impersonation (because let’s face it, there are times when you can’t tell when someone’s not the real deal).
  • It spots any malicious links (for example, a dummy website URL for a bank designed to hijack your login details).
  • And SpamTitan also works really well with Microsoft 365 to add an extra layer of protection.

Training, and more training

But before you start thinking that a tool like SpamTitan is going to save you from phishing, think again.

Yes, SpamTitan is a cracker solution and will significantly reduce scammers’ ability to reach you and your team, but you all also need to do your bit. And you can do that through engaging in regular training programmes (ask us how) – learning how to spot likely scams and scammers, and what to do about them.

You and your people can become your second-most-important line of defence against phishing. It’s all about teamwork.

What next?

If you’re not sure how well protected you are against phishing attacks, give us a call. We’re more than happy to run a free email security audit and then give you some down-to-earth advice on where to go from here.