How to Spot Today's Cyber Scams: Token Hijacking, AI Voice Clones, WhatsApp Takeovers and More

Cyber scams used to be easy to spot - the dodgy spelling, the strange email address, the implausible story. Not any more. Criminals now use AI to write flawless emails, clone voices from a few seconds of audio, and bypass the security measures many businesses still rely on. In this guide we break down the five attacks we're seeing most often against UK small businesses right now, what to look out for with each one, and the simple habits that stop them.

1. Phishing - Still the Front Door for Almost Every Attack

Phishing remains the starting point for the vast majority of breaches. An email, text or message pretends to be from someone you trust - Microsoft, your bank, HMRC, a supplier, even a colleague - and pushes you to click a link, open an attachment or enter your password.

What to look out for

• Urgency and pressure - "your account will be suspended today", "invoice overdue, pay now", "unusual sign-in detected". Scammers want you to act before you think.
• The sender address, not the display name - "Microsoft Support" can be typed by anyone. Check the actual address: microsoft-billing@secure-notify365.com is not Microsoft.
• Links that don't go where they claim - hover over (or long-press on mobile) any link before clicking. If an email about your Microsoft account links to anything other than a microsoft.com address, stop.
• QR codes in emails - a growing trick ("quishing") because QR codes bypass email link scanners and move the attack to your less-protected phone.
• Unexpected attachments - especially HTML files, zipped files or documents that ask you to "enable content".

How to protect yourself

• Never log in from a link in an email. Go to the site directly - type portal.office.com or your bank's address yourself.
• Turn on multi-factor authentication (MFA) everywhere. It's not perfect (see the next section), but it stops the bulk of attacks.
• Report suspicious emails rather than deleting them - your IT provider can check whether anyone else received the same thing and block the sender for the whole company.

If in doubt, don't click - call us on 0207 112 4812 and we'll check it for you. It takes two minutes and costs nothing; cleaning up after a breach costs a lot more.

2. Microsoft 365 Token Hijacking - When MFA Isn't Enough

This is the attack that has caught out businesses who thought they were safe because they had MFA switched on. When you sign in to Microsoft 365, your browser is given a session token - a digital pass that proves you've already authenticated. Modern phishing kits don't steal your password; they steal that token.

It works like this: you click a convincing link and land on what looks exactly like the Microsoft login page. It is, in fact, a proxy sitting between you and the real Microsoft - you enter your password, you approve the MFA prompt on your phone, everything looks normal. But the attacker now holds your session token and is signed in as you, with MFA already satisfied. From there they read your email, set up forwarding rules, and send convincing invoice fraud to your contacts - often staying invisible for weeks.

What to look out for

• The address bar on any login page - the genuine Microsoft sign-in is always on login.microsoftonline.com. Anything else - however perfect the page looks - is a fake.
• MFA prompts you didn't trigger - if your phone asks you to approve a sign-in and you weren't signing in, deny it and change your password immediately.
• Messages asking you to enter a code at microsoft.com/devicelogin - this is "device code phishing". No legitimate process starts with someone else sending you a code to enter there.
• Apps requesting permissions - pop-ups asking an unfamiliar app to "read your mail" or "access your files" are consent phishing. Don't accept.
• Odd mailbox behaviour - replies to emails you never sent, contacts receiving invoices from you, emails vanishing (attackers hide their tracks with inbox rules).

How to protect yourself

• Move to phishing-resistant MFA - passkeys or Windows Hello - which are tied to the real website and simply won't work on a fake page.
• Have your IT provider set up conditional access so sign-ins from unfamiliar countries and unknown devices are blocked automatically.
• If you suspect anything, the fix is not just a password change - the stolen token must be revoked too ("sign out everywhere"), and inbox rules need checking. Speed matters enormously here.

If in doubt - or if anything about your Microsoft 365 account feels off - call us on 0207 112 4812 straight away. Token theft moves fast, and so do we.

3. AI-Powered Attacks - The End of the "Obvious" Scam

The single biggest change in the last two years: AI has removed the tells we all used to rely on. Broken English, generic greetings and clumsy formatting are gone. Today's scam emails are fluent, personalised and convincing - written by the same kind of AI tools businesses use legitimately.

What to look out for

• Personalisation that feels researched - attackers scrape LinkedIn, your website and social media. An email may reference your real colleagues, a genuine project or a recent event. Familiarity is no longer proof of legitimacy.
• Perfect writing with an off-key request - the grammar is flawless, but the ask is unusual: a changed bank account, an urgent gift card purchase, a confidential "acquisition" payment.
• Video calls that feel slightly wrong - deepfake video is now used in real fraud. If a "director" on a video call asks for an urgent transfer, the face on screen is no longer proof of who you're talking to.
• Pressure plus secrecy - "don't mention this to anyone yet" is the classic combination. Legitimate business rarely requires both urgency and silence.

How to protect yourself

• Verify through a second channel - if an email asks for a payment or a change of bank details, confirm by phone on a number you already have (never one given in the email itself).
• Make this a written rule in your business: no payment or bank-detail change is ever actioned on the strength of one message alone, no matter who it appears to come from.
• Brief your whole team. The strongest defence against AI-generated fraud is a human who pauses and checks.

If in doubt about any unusual request - even one that appears to come from inside your own company - call us on 0207 112 4812 before you act.

4. WhatsApp Hijacking - "I Accidentally Sent You My Code"

WhatsApp is now a core business tool, and criminals know it. The most common takeover is alarmingly simple: an attacker (often using a contact's already-hijacked account) messages you saying "Sorry, I sent a 6-digit code to your phone by mistake - can you forward it to me?" That code is the WhatsApp verification code for your account. Send it, and they take over your number - then message everyone you know asking for money or codes, posing as you.

What to look out for

• Anyone asking you to share a 6-digit code - there is no legitimate reason, ever. Not from a friend, not from "WhatsApp support", not from your "bank".
• A verification code arriving when you didn't request one - someone is actively trying to register your number. Ignore it and set up your PIN (below).
• "Hi Mum / Hi Dad" messages from unknown numbers - "I've lost my phone, this is my new number, I need help paying an urgent bill". Always call the old number to check.
• Contacts behaving oddly - a known contact suddenly asking for money, codes or "a quick favour" may already be hijacked themselves.
• Unfamiliar entries in Linked Devices - attackers with brief access to your phone can link their computer to your WhatsApp and read everything silently.

How to protect yourself

• Enable two-step verification in WhatsApp (Settings → Account → Two-step verification). This PIN stops your number being re-registered even if someone obtains a verification code.
• Check Settings → Linked Devices regularly and log out anything you don't recognise.
• Never share verification codes, and verify any request for money with a voice call to a number you already trust.

If your WhatsApp has been taken over - or a contact is acting strangely - call us on 0207 112 4812 and we'll help you recover the account and warn your contacts safely.

5. AI Voice Cloning Calls - When the Phone Lies to You

A few seconds of audio - from a voicemail greeting, a social media video or a recorded webinar - is now enough to clone a voice convincingly. Criminals combine this with caller-ID spoofing to make calls that sound and look genuine: the "managing director" calling the finance team for an urgent transfer, a "family member" in trouble needing money, or your "bank's fraud team" asking you to move funds to a safe account.

What to look out for

• Urgent requests to move money or share codes by phone - the entire script is designed to stop you hanging up and checking.
• Emotional pressure - distress, panic, a crisis that must be solved this minute. Cloned voices are most convincing when you're upset.
• "Don't hang up" - genuine banks and genuine colleagues will never object to you calling back on a known number. Fraudsters always will.
• Caller ID that matches a real number - spoofing makes the call appear to come from your bank or your office. Caller ID alone proves nothing.
• Slightly unnatural pauses or flat delivery - some clones still falter with interruptions and unexpected questions. Ask something only the real person would know.

How to protect yourself

• Hang up and call back on the number you already have for that person or organisation. This single habit defeats virtually every voice scam.
• Agree a safe word with your family and with your finance team - a word a voice clone can't know.
• Remember: your bank will never ask you to move money to a "safe account". That request is the scam, every single time.

If you receive a call like this - even if you're not sure - hang up and call us on 0207 112 4812. We'd far rather check ten false alarms than miss one real attack.

The Golden Rules

Across every scam in this guide, the same few habits do most of the work:

• Slow down. Urgency is the attacker's most important tool. Anything genuinely urgent will survive a five-minute check.
• Verify on a second channel. Email request? Confirm by phone. Phone request? Hang up and call back on a known number.
• Never share codes. MFA codes, WhatsApp codes, bank codes - no legitimate person or organisation will ever ask for them.
• Check the address bar. The page can be a perfect copy; the web address can't.
• Report everything. Early reports protect your colleagues - the second target of a scam is usually sitting at the next desk.

How IT-MSP Keeps Our Clients Ahead of This

For our managed clients we don't just write about these attacks - we actively defend against them: phishing-resistant MFA and conditional access on Microsoft 365, mail filtering that strips malicious links and attachments before they arrive, monitoring that flags suspicious sign-ins and inbox rules, and security awareness guidance for your team. If any of the above made you wonder whether your business is covered, that's worth a conversation.

If in doubt - about an email, a call, a text, a code, anything - call us on 0207 112 4812 or email info@it-msp.net. Checking is free. Guessing wrong isn't.