The median time from opening a phishing email to clicking its link is 21 seconds. Not 21 minutes. Twenty-one seconds. That’s less time than it takes to pour a cup of coffee.
That number comes from Verizon’s 2025 Data Breach Investigations Report, and it matters because it undercuts the assumption behind most phishing awareness training: that employees will slow down, look closer, and spot the warning signs. Modern phishing emails don’t give you warning signs to spot.
Many of the emails hitting inboxes right now were written with AI. Not the broken-English, obviously fake kind from ten years ago. These messages reference your actual vendors. They match the writing style of your CFO. They come from domains that look nearly identical to ones you trust. Industry estimates compiled from several security research firms put AI-generated content in more than 80% of phishing emails in circulation today, and report that AI-written phishing emails get clicked at roughly four times the rate of traditionally written ones.
Business Email Compromise is where this gets expensive. An attacker impersonates a company executive or vendor, convinces someone in your accounting department to wire money or change a banking record, and disappears. Many of these messages contain no link or attachment at all, just a request, so a link scanner has nothing to inspect. The FBI’s Internet Crime Complaint Center reported that BEC scams cost U.S. victims more than $2.77 billion in 2024 alone. The average loss per incident runs into six figures.
Small businesses are the preferred target. Attackers know that smaller companies have fewer controls, less monitoring, and nobody dedicated to catching this stuff. You’re not the hardest target in the room; you’re the easiest.
Three things every small business should have in place right now:
Multi-factor authentication on every email account. Not just for executives. Everyone. MFA won’t stop an advanced attack on its own: attacker-in-the-middle phishing kits relay one-time codes and push approvals in real time, so prefer phishing-resistant methods (FIDO2 security keys or passkeys) where your mail platform supports them, and turn off legacy protocols such as basic-auth IMAP and POP that bypass MFA entirely. Even in its weaker forms, MFA blocks the majority of credential-theft attempts before they escalate.
A second-channel verification policy for financial requests. Any wire transfer request, vendor banking change, or payment instruction received by email requires a phone call to a number already on file, never one supplied in the message itself, before anything moves. Make the rule non-negotiable even when the request comes from the CEO and says it is urgent; urgency is the pressure lever these scams depend on. This one habit stops most BEC attempts in their tracks.
Email filtering that goes beyond basic spam detection. Older tools look for known bad links, malware attachments, and typos. AI-generated phishing is grammatically perfect, often carries no link at all, and uses freshly registered domains that no blocklist has seen yet. You need a layer that analyzes behavior, not just content: a display name matching one of your executives on an outside mailbox, a Reply-To address pointing somewhere other than the visible sender, a sender domain one character away from a vendor you pay, or a first-time sender asking for money. Publish a DMARC policy set to reject for your own domain as well, so exact copies of your addresses are dropped before anyone sees them.
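What “analyzes behavior, not just content” can mean in practice, as an added example that is not code from the original post or from RS Technology: a Python script that pulls four header-level BEC signals out of raw messages, independent of how fluent the body is. The trusted-domain list (example.com and acme-supplies.com), the executive name, and the four sample messages are constructed for the illustration; a real filter would load them from your directory and run inside the mail pipeline.

```python
"""Header-level BEC indicators over raw email messages (standard library only).
Added example, not code from the original post. TRUSTED_DOMAINS, EXEC_NAMES
and the sample messages below are constructed for the illustration.
"""
from __future__ import annotations
from email import policy
from email.parser import BytesParser

TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}  # constructed: our domain + a paid vendor
EXEC_NAMES = {"Dana Whitfield"}                         # constructed: names worth impersonating
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "protonmail.com"}
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def edit_distance(a: str, b: str) -> int:
    """Restricted Damerau-Levenshtein: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(domain: str) -> str | None:
    """Trusted domain that `domain` imitates (digit swaps, 'rn' for 'm', one typo), else None."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:          # the real thing is not a lookalike
        return None
    normalised = domain.translate(CONFUSABLES).replace("rn", "m")
    for trusted in TRUSTED_DOMAINS:
        if normalised == trusted or edit_distance(domain, trusted) <= 1:
            return trusted
    return None


def bec_indicators(raw: bytes) -> list[str]:
    """Indicator codes for one RFC 5322 message; an empty list means nothing was seen."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_hdr = msg["From"]
    if from_hdr is None or not from_hdr.addresses:
        return ["missing-from"]
    sender = from_hdr.addresses[0]
    from_domain = sender.domain.lower()
    findings = []

    # 1. An executive's name on a mailbox the company does not control.
    if sender.display_name in EXEC_NAMES and from_domain not in TRUSTED_DOMAINS:
        findings.append("exec-display-name")
        if from_domain in FREEMAIL:
            findings.append("freemail-sender")

    # 2. Replies quietly routed to a domain other than the visible sender's.
    reply_hdr = msg["Reply-To"]
    reply_domains = {a.domain.lower() for a in reply_hdr.addresses} if reply_hdr else set()
    if reply_domains and reply_domains != {from_domain}:
        findings.append("reply-to-mismatch")

    # 3. Sender or Reply-To domain one keystroke away from a domain we trust.
    if any(lookalike_of(d) for d in {from_domain, *reply_domains}):
        findings.append("lookalike-domain")

    # 4. Mail claiming a trusted domain should arrive with a DMARC pass stamped by our own MX.
    if from_domain in TRUSTED_DOMAINS and "dmarc=pass" not in msg.get("Authentication-Results", ""):
        findings.append("no-dmarc-pass")
    return findings


# Constructed sample messages, not real traffic.
WIRE_REQUEST_FROM_GMAIL = b"""\
From: Dana Whitfield <dana.whitfield.ceo@gmail.com>

I'm in a meeting, please wire $48,200 to the attached account and confirm.
"""
VENDOR_BANK_CHANGE = b"""\
From: Accounts Receivable <ar@acme-supp1ies.com>
Reply-To: ar@acme-supp1ies.com

Please update our banking record effective immediately.
"""
REPLY_TO_HIJACK = b"""\
From: Dana Whitfield <dana@example.com>
Reply-To: dana.whitfield@outlook.com
Authentication-Results: mx.example.com; spf=softfail smtp.mailfrom=example.com; dmarc=fail header.from=example.com

Approve the payment and reply to this address with confirmation.
"""
LEGITIMATE = b"""\
From: Dana Whitfield <dana@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Slides attached for Thursday.
"""

if __name__ == "__main__":
    for name, raw in [("wire request", WIRE_REQUEST_FROM_GMAIL), ("vendor bank change", VENDOR_BANK_CHANGE),
                      ("reply-to hijack", REPLY_TO_HIJACK), ("legitimate", LEGITIMATE)]:
        print(f"{name:20} {bec_indicators(raw) or 'clean'}")
```

None of these checks reads the body, which is the point: a perfectly written request from “Dana Whitfield” at a Gmail address, or from a vendor domain with a 1 where the l should be, is flagged on its headers alone. The lookalike check is deliberately narrow (one edit or a digit swap) so it does not fire on every unrelated domain; a production filter would add sender-age and first-contact signals the example cannot compute offline.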
Knowing whether your current setup would actually catch one of these is a different question from hoping it would.
Our Cyber Liability Scan gives you a clear picture of where your email environment stands, what’s exposed, what’s missing, and what needs to change. No pressure, no sales pitch. Just an honest look at your risk: https://www.rstechnology.net/contact-us/