The 7 Phishing Patterns Every Knowledge Worker Should Recognize

Modern phishing has settled into a small number of repeating shapes. Here are seven patterns to recognize and the defense each one requires.

Modern phishing volume is dominated by a small number of repeating patterns. The attackers iterate on details, but the structures are stable. Recognizing these shapes is the first half of defense. The second half is the structural and verification layers that catch what recognition misses.

This post is for the knowledge worker who reads email all day, processes some financial actions, and has no IT team standing behind them. Seven patterns, the tell for each, and the realistic defense.

Pattern 1: Vendor Wire-Update Request

The attacker impersonates an existing vendor (often by compromising the vendor’s actual email account, sometimes by sending from a near-match domain). The message asks the recipient’s accounts payable team to update banking details for the next invoice payment. The new account is the attacker’s.

The tell: any request to change banking details, by email, without prior phone confirmation. Real vendors do not change account details in passing. They certainly do not announce it casually in the middle of a thread.

The defense: a hard rule that wire instruction changes are confirmed by phone, using a number you already had on file (not the number in the email). For finance teams, this rule needs to be written down and trained. For solo operators, it needs to be a reflex.

This is the pattern behind a large share of the $2.9 billion in business email compromise losses the FBI’s IC3 reported for 2023. It is also the pattern that no content-based filter can reliably catch when the vendor’s real account has been compromised: a wire update from a real domain looks like a wire update from a real domain. The near-match-domain variant is at least visible in the headers (see Pattern 5), which is why the phone callback, not the filter, has to be the control.

Pattern 2: CEO Impersonation With Urgency

“I am about to step into a meeting. Need you to handle a wire transfer for a vendor we discussed. Sending the routing details in the next thirty minutes. Please confirm receipt.” The message arrives from what appears to be the CEO’s email. The urgency is real-feeling. The recipient is an assistant, a finance manager, or the founder’s right hand.

The tell: financial urgency from leadership without prior context. Real CEOs do not handle wire transfers by surprise email at 3 PM on a Friday.

The defense: a written rule that any wire transfer initiated by leadership requires verbal confirmation through a known channel before action. The CEO has to be inconvenienced, which is the point. The inconvenience is the cost of running the verification step that catches the attack.

For founders without finance teams, the same rule applies: any urgent ask from another person related to money is verified out of band before action. The five minutes to call back saves the $50,000 to $200,000 the attack typically extracts.

Pattern 3: Fake Security Notice From a Major Provider

“Your Microsoft 365 account has been locked due to unusual activity. Click here to verify your identity.” The email is well-designed. The sender domain is a near-match for the real provider. The landing page is a near-perfect clone of the real login page. The user enters credentials. The credentials are forwarded in real time to the real provider, and the attacker captures the resulting session token. Because the relay completes a genuine login, it also captures any one-time code or push approval the user supplies along the way; only origin-bound authenticators (FIDO2 security keys, passkeys) refuse to sign for the wrong domain and so survive this pattern.

The tell: any email asking you to log in by clicking a link. Microsoft, Google, Apple, your bank, your payroll provider: none of them require you to log in through an emailed link to resolve an account problem. They tell you to go to the service directly.

The defense: behavioral. Never click login links in email. If you need to check the account, open a new browser tab and navigate to the service directly. If the account really has an issue, you will see it there. If there is no issue, the email was phishing.

This pattern is what most consumer phishing volume looks like, and Gmail’s spam filter does catch the bulk of the mass-produced versions. The targeted versions reaching enterprise inboxes look much cleaner: correct branding, a plausible sender name, and a landing page that passes the real credentials through so the login appears to succeed.

Pattern 4: Calendar Invite Phishing

A calendar invite arrives. Most calendar clients render the meeting URL as a clickable link. The URL points to a phishing landing page that mimics a Microsoft Teams or Zoom prompt. The user clicks “Join meeting,” enters credentials, and the credentials are captured.

The tell: a meeting invite from someone you do not recognize, or a meeting invite where the URL does not point to the platform you expect. Real Zoom links end in zoom.us (vanity subdomains such as acme.zoom.us included). Real Teams links end in teams.microsoft.com. The platform domain has to be the end of the hostname, not merely appear somewhere in the link: zoom.us.evil.example and evil.example/zoom.us/ are not Zoom. Anything else is suspect.

The defense: hover over the meeting URL before clicking. Hover-preview reveals the real destination on most desktop clients. On a phone, where there is no hover, long-press the link to see the destination, or skip the link entirely and join from the platform’s own app using the meeting ID. If the destination does not match the platform name, do not click.

Calendar invite phishing is a relatively recent escalation, and many spam filters were not designed for this attack surface. Industry researchers have reported rapid growth in calendar-vector phishing because the inbox treats invites differently from regular email: the invite is often added to the calendar automatically, and the reminder fires later, stripped of the sender context the inbox would have shown.

Pattern 5: Lookalike Domain Attack

The sender domain looks correct at a glance. paypa1.com instead of paypal.com. microsft.com instead of microsoft.com. support@your-company-name.co instead of .com. The visual difference is subtle enough that the recipient does not notice on a quick read.

The tell: there is no visual tell at reading speed, which is the point. The attack relies on the recipient’s eye sliding past the domain on an unexpected message that asks for action. The only reliable check is deliberate: read the sender domain character by character.

The defense: when an email asks you to do something (click a link, send money, change credentials, share a file), check the sender domain character by character before acting. The display name (“PayPal Support”) is free text chosen by the sender and proves nothing; the part after the @ is what to read. On mobile clients where the address is hidden or truncated behind the display name, expand the header before deciding.

Some companies pre-register common lookalike variants of their own domain to prevent this attack. Most do not. If you are reading email at a smaller company, you are mostly on your own with this one.
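The two checks Patterns 4 and 5 describe, written out as an added example (not code from the original post or from Rythm): a meeting-link check that only accepts the platform’s own domain as the end of the hostname, and a lookalike-domain check that folds common homoglyph substitutions, allows one character of edit distance, and flags a trusted domain parked as a subdomain of someone else’s. The platform allow-list and the trusted-domain list are constructed for the example, and domains are split at the last dot, so two-part public suffixes such as co.uk would need a public-suffix list.

```python
"""
Added example: link and sender-domain checks for Patterns 4 and 5. Not code
from the original post or from Rythm; the allow-lists below are constructed.
"""
from typing import Optional, Sequence
from urllib.parse import urlsplit

# Constructed allow-list: the platform domains the post names.
PLATFORM_DOMAINS = {
    "zoom": ("zoom.us",),
    "teams": ("teams.microsoft.com",),
}

# Substitutions that pass at reading speed. Multi-character entries come
# first so "rn" -> "m" runs before the single-character rules.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b")]


def hostname_of(url: str) -> Optional[str]:
    """Host a browser would actually connect to, or None if the string is not
    an absolute http(s) URL. urlsplit() drops userinfo, so the old trick
    'https://zoom.us@evil.example/' resolves to evil.example."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def under_domain(host: str, domain: str) -> bool:
    """True when host is domain or a subdomain of it (acme.zoom.us), never
    when domain merely appears inside it (zoom.us.evil.example)."""
    return host == domain or host.endswith("." + domain)


def url_on_platform(url: str, platform: str) -> bool:
    """Pattern 4: does the meeting link land on the named platform?"""
    host = hostname_of(url)
    if host is None:
        return False
    return any(under_domain(host, d) for d in PLATFORM_DOMAINS[platform])


def normalize(label: str) -> str:
    """Fold homoglyph substitutions so paypa1 and rnicrosoft compare equal
    to paypal and microsoft."""
    label = label.lower()
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted: Sequence[str]) -> Optional[str]:
    """Pattern 5: return the trusted domain that `domain` imitates, or None
    when it is either genuinely one of them or unrelated to all of them.
    Domains are split at the last dot (naive; co.uk needs a public-suffix list)."""
    domain = domain.lower().rstrip(".")
    if any(under_domain(domain, real) for real in trusted):
        return None                                  # the real thing or its subdomain
    name = domain.rpartition(".")[0]
    for real in trusted:
        real_name = real.rpartition(".")[0]
        if domain.startswith(real + "."):
            return real                              # paypal.com.secure-login.example
        if normalize(name) == normalize(real_name):
            return real                              # paypa1.com, your-company-name.co
        if len(real_name) >= 5 and levenshtein(normalize(name), normalize(real_name)) == 1:
            return real                              # microsft.com
    return None


if __name__ == "__main__":
    trusted = ("paypal.com", "microsoft.com", "your-company-name.com")
    for u in ("https://acme.zoom.us/j/123", "https://zoom.us.evil.example/j/123",
              "https://evil.example/zoom.us/j/123", "https://zoom.us@evil.example/"):
        print(f"{u:45} zoom? {url_on_platform(u, 'zoom')}")
    for d in ("paypa1.com", "microsft.com", "rnicrosoft.com", "your-company-name.co",
              "paypal.com.secure-login.example", "mail.microsoft.com", "example.org"):
        print(f"{d:35} imitates: {lookalike_of(d, trusted)}")
```

The edit-distance rule is deliberately limited to names of five or more characters; on a four-letter name like zoom a single edit matches too many unrelated domains, and the homoglyph fold already catches z00m.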

Pattern 6: Account Recovery Abuse

The attacker has gathered enough personal information about the target (date of birth, mother’s maiden name, prior addresses, partial credit card number) from public records and breach data to pass the email provider’s account recovery flow. They reset the password and lock the legitimate user out. The compromised account then becomes a launching point for further attacks (for example, sending phishing to the user’s contacts, who all trust the sender).

The tell: any unexpected email about recent recovery activity on your account. “We received a request to reset your password. If this was not you…”

The defense: enable hardware-key MFA on important accounts, then harden the recovery flow itself. Account recovery on most providers is easier to bypass than the front-door login if it still falls back to SMS, a secondary email address, or knowledge-based questions drawn from the same public records the attacker already has; a hardware key on the login page does nothing if the reset path routes around it. Remove those weak recovery options where the provider allows it. A YubiKey or equivalent on the email provider account, with recovery locked down to match, is the highest-impact single defense available to an individual.

Pattern 7: Multi-Step Social Engineering

The attacker sends a phishing email and follows up with an SMS or a voicemail referencing the email. The corroboration across channels increases trust. “Hi, this is Sarah from accounting, I sent you an email about the invoice approval. Quick question on the routing.” The email and the SMS, in isolation, would have raised flags. Together, they feel legitimate.

The tell: any cross-channel coordination from a sender you have not verified. Real colleagues do not introduce themselves through a phishing-style email and a follow-up text.

The defense: treat each channel as independently un-trusted until you have verified the source through a channel you control. The phone number that texted you is not the phone number you should call back. Look up the colleague’s number in a directory you trust.

What Recognition Misses

Even well-trained employees miss a large share of well-crafted phishing in industry simulations, roughly half in some reported exercises. The recognition rate falls further when the recipient is busy, distracted, or under time pressure. It falls further still when the attack is paired with social pressure (an angry tone from “the CEO,” a deadline, a threat of account suspension).

This is why training alone is not sufficient defense. Training raises the floor. The remaining successful attacks are the ones that exploit moments where the floor was not high enough. Recognition is a layer, not a wall.

The Layers That Reduce Recognition Risk

The realistic 2026 stack: native spam filters as the first pass, MFA universally, training where teams justify the cost, written verification protocols on financial actions, and a structural cover charge on unknown senders to collapse mass-volume economics.

The structural layer is the newest. An email paywall puts a small cost on reaching the inbox. Mass-volume phishing depends on cost-free reach. Once any per-recipient cost exists, the mass version of every pattern above becomes uneconomic, and the targeted versions arrive marked PAID. The PAID label is itself useful signal: anyone the recipient already knows would be on their guest list and would not pay a cover charge, so a paid email claiming to be from a familiar sender is a visible red flag. The paywall does not catch the determined targeted attacker, but it eliminates the cheap, at-scale version that produces most of the volume.

For the deeper version of this stack, see how to defend your inbox from phishing in 2026. For why structural filters work where content-based filters do not, see why we don’t use AI to fight AI phishing. Rythm implements the structural layer for $1.65 per month on top of Gmail or Outlook.

The seven patterns above are stable. The details rotate every quarter. Recognize the shapes, run the verification protocols, add the structural layer, and the recognition risk drops to a manageable level. Skip any of those, and the recognition burden falls back on the human reader, where it will eventually fail.
