AI-Powered Phishing Is Targeting Utah Businesses — How to Fight Back

Phishing attacks have tripled in the past year — and AI is making them nearly impossible to spot. Here's what Utah business owners need to know right now.

KEY TAKEAWAYS
  • Employee clicks on phishing links tripled last year, with AI making fake emails almost indistinguishable from real ones
  • Utah industries like healthcare, fintech, and professional services are high-value targets for credential theft
  • Technical controls like MFA and email filtering help, but employee training is still your strongest defense
  • A layered approach combining technology, training, and monitoring is the most effective way to protect your business

A bookkeeper at a Utah accounting firm gets an email from what appears to be their managing partner. It’s well written, references a real client by name, and asks them to update payment details for an upcoming invoice. The email address looks right. The signature matches. They click the link, enter their Microsoft 365 credentials, and just like that — an attacker has the keys to the firm’s email, client files, and financial data.

This isn’t a hypothetical. It’s the kind of attack happening to businesses along the Wasatch Front every week, and AI is making these scams dramatically harder to catch.

Phishing Has Changed — Your Defenses Need to Change Too

The phishing emails of five years ago were almost comically bad. Broken English, Nigerian prince storylines, suspicious attachments from unknown senders. Most employees could spot them without thinking twice.

That era is over. Attackers now use generative AI tools to craft messages that are grammatically flawless, contextually relevant, and personalized to the recipient. A recent Zscaler study found a 60% year-over-year increase in AI-driven phishing attacks, and employees are clicking on malicious links at three times the rate they were just 12 months ago.

The reason is simple: AI lets attackers do research at scale. They scrape LinkedIn profiles, company websites, and social media to build targeted messages that reference real coworkers, real projects, and real business relationships. When an email mentions your actual vendor by name and references an invoice that’s roughly the right amount, your instinct to trust it is hard to override.

  • 3x increase in phishing clicks last year
  • 60% rise in AI-driven phishing attacks
  • $4.9M average cost of a phishing-related breach

Why Utah Businesses Are Attractive Targets

Utah’s business landscape creates specific vulnerabilities that attackers exploit. The Silicon Slopes tech corridor hosts hundreds of SaaS companies with valuable intellectual property. Healthcare organizations across the valley handle protected patient data that commands premium prices on the dark web. And the state’s dense concentration of accounting firms, wealth management companies, and professional services operations means there’s no shortage of targets handling sensitive financial information.

Many of these are small and mid-sized businesses — exactly the kind of organizations that often lack dedicated security teams or enterprise-grade email filtering. Attackers know this. They specifically target companies in the 20-200 employee range because the payoff-to-effort ratio is highest.

The Anatomy of a Modern Phishing Attack

Understanding how today’s attacks work helps your team recognize them. Here’s what we’re seeing hit Utah businesses most frequently:

Business email compromise (BEC). An attacker impersonates an executive or vendor and requests a wire transfer, W-2 data, or credential update. These emails don’t contain malware or suspicious links — they just ask someone to do something that sounds reasonable, coming from someone who sounds legitimate.

Credential harvesting via fake login pages. You click a link that takes you to what looks exactly like a Microsoft 365, Google Workspace, or banking login page. The URL is slightly off — maybe micros0ft-login.com instead of microsoft.com — but the page itself is pixel-perfect. Once you enter your credentials, the attacker has them.

Malvertising and search engine poisoning. This one catches people off guard because it doesn’t come through email at all. Attackers buy Google ads that appear above legitimate search results. Click on what you think is your bank’s website or a software download page, and you’re on a convincing fake.

Multi-channel attacks. The most sophisticated campaigns combine email, text messages, and even voice calls. You might receive an email about a “security alert,” followed by a text message with a verification code, followed by a phone call from someone claiming to be your IT department. Each step builds trust for the next one.
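
For the slightly-off login URL described under credential harvesting above, a mail or proxy filter can flag links whose hostname imitates a domain your staff sign in to. This is an added example, not Brivy IT's tooling; the PROTECTED list, the digit-swap table and the sample URLs in the usage are constructed assumptions, and it also covers the related trick of placing the brand name in a subdomain.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains your staff really sign in to; replace with your own list.
PROTECTED = {"microsoft.com", "google.com"}

# Digit-for-letter swaps often seen in lookalike names (constructed, not exhaustive).
SWAPS = str.maketrans("01357", "olest")

def registered_domain(host):
    # Simplification: last two labels. Use the Public Suffix List in production.
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    # Classic Levenshtein distance, computed one row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(url):
    """Return (verdict, protected_domain) for a URL from an email or proxy log."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if registered_domain(host) in PROTECTED:
        return ("ok", registered_domain(host))
    # Undo digit swaps, then compare each dot/hyphen-separated token to each brand.
    tokens = [t for t in re.split(r"[.-]", host.translate(SWAPS)) if t]
    for domain in sorted(PROTECTED):
        brand = domain.split(".")[0]
        if any(edit_distance(t, brand) <= 1 for t in tokens):
            return ("lookalike", domain)
    return ("unrelated", None)

if __name__ == "__main__":
    for u in ("https://micros0ft-login.com/signin", "https://login.microsoft.com/"):
        print(u, check_link(u))
```

A "lookalike" verdict is a reason to quarantine or warn, not proof of malice; tune the distance threshold and the protected list to keep false positives manageable.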

⚠️ HEADS UP

If you receive an unexpected request involving money, credentials, or sensitive data — even from someone you know — verify it through a separate communication channel. Call them directly using a number you already have, not one from the email.

What Actually Works: A Layered Defense

No single tool stops phishing. The businesses we work with that have the fewest incidents take a layered approach:

Email filtering and threat detection. Microsoft Defender for Office 365 or a dedicated secure email gateway catches the majority of phishing emails before they reach inboxes. This is your first line of defense, and it should be configured aggressively — it’s better to quarantine a few legitimate emails than to let malicious ones through.

Multi-factor authentication (MFA) everywhere. Even if an employee’s password gets stolen, MFA prevents the attacker from logging in. This single control stops the vast majority of credential theft attacks. If you haven’t rolled out MFA across your organization yet, that should be this week’s priority.

Ongoing employee training — not just an annual video. The companies with the best phishing resistance run simulated phishing tests monthly and provide brief, practical training when someone clicks. The goal isn’t to shame people — it’s to build the habit of pausing before clicking. Regular exposure to realistic simulations keeps awareness high in a way that a once-a-year compliance video never will.

DNS filtering. Even if someone clicks a malicious link, DNS-level filtering can block the connection to the attacker’s server before any damage is done. Think of it as a safety net under the tightrope.

Incident response planning. When — not if — someone clicks something they shouldn’t, your team needs to know exactly what to do. Who do they report it to? How quickly can credentials be reset? Is there a process for isolating a compromised account? Having this documented and practiced turns a potential disaster into a manageable incident.

The Training Piece Matters More Than You Think

We see a pattern with our clients: the businesses that invest in regular security awareness training see phishing click rates drop by 60-80% within six months. The ones that rely solely on technology eventually have an incident, because no filter catches everything.

The key is making training practical, not theoretical. Show your team actual phishing emails that targeted businesses in your industry. Walk through the red flags that were present but easy to miss. Make it a five-minute conversation at your next team meeting, not a 45-minute webinar everyone tunes out.

💡 PRO TIP

Start with the highest-risk roles first: anyone who handles payments, has admin access to systems, or regularly communicates with external contacts. These are the accounts attackers target most aggressively.

Take the First Step This Week

If your business hasn’t reviewed its phishing defenses recently, start with three things: confirm MFA is enabled on every account, check that your email filtering is actually configured (not just licensed), and run a baseline phishing simulation to see where your team stands.

At Brivy IT, we help Utah businesses build exactly this kind of layered defense — from email security configuration to ongoing phishing simulations and employee training. If you’re not sure where your gaps are, reach out for a free security assessment. We’ll show you what attackers see when they look at your organization.

Protect Your Business from Phishing

Brivy IT provides managed cybersecurity services including email security, phishing simulations, employee training, and 24/7 threat monitoring for Utah businesses.

Not Sure How Vulnerable Your Team Is?

We'll run a free phishing simulation and show you exactly where your risks are. No obligation, no sales pitch.

John Huston
