ENC Tech News

Why ENC Businesses Keep Getting Phishing Emails — And What They Actually Look Like Now

What phishing emails targeting ENC small businesses look like in 2026 — vendor impersonation, urgency tricks, spoofed addresses, and how staff can spot them.



The question we get asked most often after cleaning up a compromised email account is: “How did they get in?” The answer, in the overwhelming majority of cases, is: someone clicked a link in a phishing email. Not because they were careless. Not because they were unintelligent. Because the email was good enough to fool someone who was busy, moving fast, and trusted what appeared to be a legitimate message.

Phishing emails have changed. The typo-riddled scams from a supposed Nigerian prince are still out there, but they’re not what’s hitting ENC businesses. What’s hitting ENC businesses — from New Bern and Jacksonville to Havelock and smaller communities like Hubert — are polished, targeted emails that impersonate vendors the business actually uses, reference real transactions, and create just enough urgency that the recipient acts before thinking.

This post shows you what these emails actually look like right now, how to identify them, and how to train your staff without a formal security program. For the broader threat context, our 2026 ENC cyberattack roundup covers what else is active in the region this year.

Pattern 1: Vendor Impersonation — “Your Subscription Is Expiring”

This is the most common phishing pattern we see targeting ENC small businesses. The email appears to come from a software provider the business uses — an accounting platform, a payroll service, a cloud storage provider — and informs the recipient that their subscription is about to expire, their payment failed, or their account needs “verification.”

What the email looks like: Professional formatting, correct logo, correct color scheme. The sender address looks close to the real vendor’s domain but isn’t exact — maybe “support@quickb00ks-billing.com” instead of a legitimate domain. The subject line creates urgency: “Action Required: Payment Failed — Account Suspension in 24 Hours.” The body includes a link to “update your payment information” or “verify your account.”

What happens when someone clicks: The link goes to a page that looks exactly like the vendor’s login page. The recipient enters their username and password. Those credentials are now in the attacker’s hands. If the same password is used on other accounts — email, banking, other software — those accounts are now compromised too.

How to spot it: Check the sender’s actual email address, not just the display name. Hover over the link without clicking — does the URL go to the vendor’s real domain? Ask whether the vendor actually sent this and whether your account is really in trouble. When in doubt, don’t click the link — go directly to the vendor’s website by typing the address yourself.
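The three checks in "How to spot it" can be turned into a small triage script. What follows is an added example, not code from the original post: it parses a constructed message shaped like the one described above, compares the real sender address and every link target against a placeholder list of the business's own vendor domains (KNOWN_VENDOR_DOMAINS), undoes common digit-for-letter swaps such as the 00 in quickb00ks to name the domain being imitated, and flags urgency wording in the subject line.

```python
"""Triage the tells from Pattern 1: real sender address, real link targets, urgency.

Added example, not code from the original post. SAMPLE_MESSAGE is constructed;
KNOWN_VENDOR_DOMAINS is a placeholder a business fills with the domains of the
vendors it actually uses.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Optional, Set, Tuple
from urllib.parse import urlparse

# Placeholder allow-list: the real domains of vendors this business pays.
KNOWN_VENDOR_DOMAINS: Set[str] = {"quickbooks.com", "intuit.com"}
# Digit-for-letter swaps that make a look-alike domain read like the real one at a glance.
LOOKALIKE_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
URGENCY = re.compile(r"\b(24 hours|immediately|action required|suspend\w*)\b", re.I)


def registrable_domain(host: str) -> str:
    """Keep the last two labels ('billing.quickbooks.com' -> 'quickbooks.com').
    Simplification: two-part public suffixes such as co.uk are not handled."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def looks_like(domain: str, known: Set[str]) -> Optional[str]:
    """Return the known vendor domain this one imitates, or None.
    A match means the name reads the same after undoing digit swaps and dropping
    a hyphenated suffix such as '-billing'; a genuine vendor domain returns None."""
    base = registrable_domain(domain)
    if base in known:
        return None
    normalized = base.rpartition(".")[0].translate(LOOKALIKE_MAP)
    for vendor in sorted(known):
        vendor_name = vendor.rpartition(".")[0]
        if normalized == vendor_name or normalized.split("-")[0] == vendor_name:
            return vendor
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: what a link says versus where it goes."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw_message: str) -> List[str]:
    """Return human-readable findings; an empty list means none of the tells fired."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings: List[str] = []
    # Tell 1: the address behind the display name, not the display name itself.
    _display, address = parseaddr(str(msg["From"]))
    sender_domain = address.rpartition("@")[2]
    if registrable_domain(sender_domain) not in KNOWN_VENDOR_DOMAINS:
        imitated = looks_like(sender_domain, KNOWN_VENDOR_DOMAINS)
        if imitated:
            findings.append(f"sender domain {sender_domain} imitates {imitated}")
        else:
            findings.append(f"sender domain {sender_domain} is not a known vendor")
    # Tell 2: where each link really goes (the 'hover before you click' check).
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if registrable_domain(host) not in KNOWN_VENDOR_DOMAINS:
            findings.append(f"link '{text}' goes to {host}, not a known vendor domain")
    # Tell 3: manufactured urgency in the subject line.
    subject = str(msg["Subject"] or "")
    if URGENCY.search(subject):
        findings.append(f"urgency cue in subject: {subject!r}")
    return findings


# Constructed sample modelled on the Pattern 1 description; not a real message.
SAMPLE_MESSAGE = """\
From: "QuickBooks Billing" <support@quickb00ks-billing.com>
To: office@example-business.com
Subject: Action Required: Payment Failed - Account Suspension in 24 Hours
Content-Type: text/html; charset=utf-8

<html><body><p>Your last payment could not be processed.</p>
<a href="https://quickb00ks-billing.com/verify">Update your payment information</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGE):
        print("-", finding)
```

Run against the sample, the three findings line up with the three checks: an imitated sender domain, a link whose real host is not a vendor domain, and an urgency cue in the subject. The look-alike heuristic only catches digit swaps and hyphenated suffixes, so treat the output as a first filter for a busy inbox rather than a verdict, and the vendor list has to be the business's own.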

Pattern 2: Fake ACH / Wire Transfer Requests

This pattern targets the person in the business who handles payments — the owner, the office manager, the bookkeeper. The email appears to come from a vendor or client the business has a financial relationship with and requests a change to payment routing.

What the email looks like: An email from a “vendor” informing the business that their banking information has changed and providing new ACH routing and account numbers for future payments. The email references a real invoice number or a real project. The sender address is spoofed or comes from a compromised email account at the vendor’s actual domain — which makes it nearly impossible to detect by address alone.

What happens when someone acts on it: The bookkeeper updates the vendor’s payment information in the accounting system. The next payment goes to the attacker’s account. The real vendor doesn’t get paid and eventually calls asking about the overdue invoice. By the time the mistake is discovered, the money is gone.

How to spot it: Any request to change payment routing information should be verified by phone — not by replying to the email, but by calling the vendor at a phone number you already have on file. This is the single most important rule for preventing wire fraud: verify payment changes by voice, every time, no exceptions.

Pattern 3: Fake Login Pages — Microsoft and Google

Credential phishing through fake login pages is the third major pattern. The email claims there’s a problem with the recipient’s Microsoft 365 or Google Workspace account — “unusual sign-in activity detected,” “your password will expire in 24 hours,” “your mailbox is full.” The email includes a link to “sign in and resolve the issue.”

What the email looks like: Microsoft and Google branding, complete with logos, correct fonts, and formatting that matches the real thing. The urgency is calibrated — not threatening, just pressing enough to prompt action. “Sign in within 24 hours to avoid account suspension.”

What happens when someone clicks: The link goes to a page that looks identical to the Microsoft or Google login screen. The recipient enters their email and password. The attacker now has their email credentials. With access to the email account, the attacker can read confidential communications, send emails as the victim, reset passwords on other accounts, and set up email forwarding rules to continue receiving copies of incoming email even after the password is changed.

How to spot it: Microsoft and Google will never email you a link to sign in. If you receive an email about account activity, go to the provider’s website directly — type “portal.office.com” or “accounts.google.com” in the browser yourself. Never click a login link in an email.

The Three Things to Look For — Every Time

Train your staff on three checkpoints for every email that asks them to click a link or take an action:

1. Is this urgent? Phishing emails almost always create artificial urgency — “within 24 hours,” “immediately,” “before your account is suspended.” Real vendors rarely require same-day action by email. If an email creates urgency, slow down.

2. Does this email ask me to click a link or enter credentials? If yes, don’t click the link. Go directly to the website by typing the address. If the email says there’s a problem with your account, verify it through normal channels — not through the email.

3. Does this email ask me to do something involving money or credentials? If yes, verify by phone before acting. Call the sender at a number you already have — not a number provided in the email. Confirm the request is real before taking any action.

Staff Training Without a Security Program

You don’t need a formal security awareness program to train your staff. You need one meeting and three rules.

The meeting: Fifteen minutes, all staff. Show them examples of phishing emails (you can use screenshots from this post or from real phishing emails that have come into the business — most businesses receive several per week). Walk through the three checkpoints above. Answer questions.

The three rules, posted where people can see them:

  1. If an email creates urgency about money or login credentials, stop and verify by phone before acting.
  2. Never enter your password on a page you reached by clicking an email link. Go to the website directly.
  3. If something feels wrong about an email, ask before acting. It’s always better to check than to click.

The ongoing practice: When a phishing email arrives (and they will), forward it to whoever handles IT or security, then delete it. If someone clicks and enters credentials, report it immediately — the response window for a compromised account is hours, not days. Change the password, enable two-factor authentication, and check for unauthorized forwarding rules.
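Pattern 3 describes the forwarding rules an attacker creates to keep receiving mail after the password changes, and the paragraph above says to check for them after a compromise. The following is an added example, not code from the original post, of what that check looks like as a script. It audits a set of constructed mailbox-rule records whose fields follow the names of an Exchange Online Get-InboxRule export (an assumption about the input shape; ORG_DOMAIN is a placeholder for the business's own mail domain) and reports rules that copy mail to outside addresses, delete or hide messages, or carry the blank or punctuation-only names such rules often have.

```python
"""Audit mailbox rules for the persistence described in Pattern 3.

Added example, not code from the original post. The rule records below are
constructed; their field names follow an Exchange Online Get-InboxRule export
(Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage,
MoveToFolder, MarkAsRead). ORG_DOMAIN is a placeholder.
"""
from dataclasses import dataclass, field
from typing import Dict, List

ORG_DOMAIN = "example-business.com"  # placeholder: the business's own mail domain

# Folders a user rarely opens, so a rule that files mail there hides it in plain sight.
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History",
                  "Junk Email", "Deleted Items"}


@dataclass
class InboxRule:
    name: str
    enabled: bool = True
    forward_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)
    forward_as_attachment_to: List[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: str = ""
    mark_as_read: bool = False


def is_external(address: str) -> bool:
    """True when the address is outside the business's own mail domain."""
    return address.lower().rpartition("@")[2] != ORG_DOMAIN


def audit_rule(rule: InboxRule) -> List[str]:
    """Return the reasons this rule deserves a human look; empty means nothing odd."""
    reasons: List[str] = []
    for addr in rule.forward_to + rule.redirect_to + rule.forward_as_attachment_to:
        if is_external(addr):
            reasons.append(f"copies mail outside the organization to {addr}")
    if rule.delete_message:
        reasons.append("deletes matching messages")
    if rule.move_to_folder in HIDING_FOLDERS:
        reasons.append(f"files matching messages in '{rule.move_to_folder}'")
    if rule.mark_as_read and (rule.delete_message or rule.move_to_folder):
        reasons.append("marks messages read so no unread count gives them away")
    if not rule.name.strip(" .,;:-_"):
        reasons.append("rule name is empty or punctuation only")
    if reasons and not rule.enabled:
        reasons.append("currently disabled, but could be re-enabled")
    return reasons


def audit(rules: List[InboxRule]) -> Dict[str, List[str]]:
    """Map each rule that raised at least one reason to its list of reasons."""
    flagged: Dict[str, List[str]] = {}
    for rule in rules:
        reasons = audit_rule(rule)
        if reasons:
            flagged[rule.name] = reasons
    return flagged


# Constructed records: two ordinary user rules and one shaped like post-compromise persistence.
SAMPLE_RULES = [
    InboxRule("Vendor invoices", move_to_folder="Invoices"),
    InboxRule("Share with assistant", forward_to=["assistant@example-business.com"]),
    InboxRule(".", forward_to=["collector@attacker-mailbox.example"],
              delete_message=True, mark_as_read=True),
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_RULES).items():
        print(f"Rule {name!r}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Only the rule named "." is reported: it copies mail to an outside address, deletes the original, marks it read, and has a name nobody would choose. The two ordinary rules pass, including the one that forwards to a colleague inside the business. The output is a review list, not a verdict; the person who owns the mailbox should confirm each flagged rule before it is removed.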

No blame. The goal is reporting, not punishment. An employee who clicked a phishing link and reports it immediately gives the business a chance to respond before the damage spreads. An employee who clicked and stays silent because they’re afraid of consequences gives the attacker time. If credentials have been compromised and systems are affected, our malware removal guide covers what a professional investigation and cleanup looks like.


If you want help setting up two-factor authentication on your business email, reviewing your team’s exposure to phishing, or responding to a suspected compromise, we’re at 252-777-2488. The conversation is quick, the setup is straightforward, and the protection is immediate. More at /services.
