6 Signs Your Team Has Been Phished and What to Do | McDade
Six signs your team has already been phished.
- By Dallas Downey, CLCS
Published July 2, 2026 - Business Insurance
Modern phishing does not look like a breach. It looks like a busy Tuesday, an invoice email, a helpful call from IT, a routine software install. These are the six tells we walk business owners through, each with the move to make the moment you spot it.

The answer
The modern phishing attack rarely announces itself. The tells are small, an invoice email with nothing attached, an IT call nobody scheduled, a remote tool nobody installed, a login prompt nobody requested. Any one of them is worth a report the same hour, because reporting speed beats every other defense.
An invoice email with no link and no attachment
It reads like a mistake. A short message from an ordinary email address, hello, here is the invoice we discussed, with nothing attached. Google's threat investigators documented these exact messages as the opening move of the current campaign against professional firms. The email is not the attack. It is the setup for a phone call.
The absence is the tell. A real invoice comes with an invoice.
Report it to whoever manages your systems and warn the recipient to expect a follow-up call. Never call a number supplied in an unexpected invoice message.
An urgent call from IT that nobody scheduled
The caller knows names and titles, the caller ID looks internal, and the request is urgent, secure your account, join a quick session, install a support tool. The FBI's advisory to law firms describes this script in detail, including falsified caller ID and calls to personal cellphones.
Legitimate IT survives a callback every single time. Impersonators do not.
Hang up and call back on the internal number your firm already has. Never grant access from an inbound call, no matter how right it sounds.
A remote access tool nobody remembers installing
Programs like AnyDesk, Zoho Assist, Bomgar, or similar remote support software appearing on a machine without a ticket behind them is one of the strongest signals in this entire list. Attackers favor these tools precisely because they are legitimate, which means antivirus has no reason to complain.
The software is not the crime. The uninvited install is.
Disconnect that machine from the network and treat it as a suspected incident. Then run the first hours playbook, starting with the carrier hotline.
Login prompts and approvals nobody requested
A multifactor authentication prompt you did not trigger means someone, somewhere, has the password and is standing at the door. Employees under prompt fatigue sometimes approve just to make the notifications stop, which is exactly what the attacker is counting on.
Unrequested password reset emails belong in the same bucket.
Deny the prompt, change that password immediately, revoke active sessions, and report it the same hour. An unexplained prompt is never nothing.
Mailbox rules you did not create, or replies that never arrive
Attackers who reach an inbox plant forwarding rules and filters to watch conversations and hide their tracks. Vendors mention emails you never received. Clients reference replies you never sent. Messages skip the inbox entirely.
These rules survive a password change if nobody looks for them, which is why they are worth a deliberate check after any scare.
Inspect mail rules and forwarding settings on the affected account, delete anything unrecognized, then reset credentials and revoke sessions.
Files moved, staged, or downloaded in bulk with no explanation
Investigators documented attackers searching document systems, staging files in a Downloads folder, and moving them out through ordinary transfer tools and cloud drives, sometimes within the first hour. Unusual bulk downloads, unfamiliar sign-in locations, or files gathered where they do not belong are late stage signs.
Late stage does not mean too late. It means the clock matters.
Isolate the machine, preserve everything, and go straight to the first hours playbook. This is a hotline call, not a wait and see.
Phishing does not look like a breach. It looks like a busy Tuesday.
Dallas Downey, CLCS, Commercial Lines and Workers Compensation Specialist
Sources worth opening before you decide.
This article uses public source material from the FBI's advisory to law firms and Google Cloud's Mandiant threat intelligence report.
The purpose is recognition speed. The FBI and Google describe what the attack looks like from the inside. Whether your team would spot it, and whether your policy is ready if they do not, is answered by training and documents, which is exactly what the review covers.
Keep reading, then read your policy.
Questions firm owners ask.
What is vishing?
Voice phishing, the phone call version of a phishing email. The caller impersonates someone trusted, most recently companies' own IT departments, and talks the target into granting access, installing software, or sharing credentials. The FBI and Google both documented vishing as the primary entry method in the current campaign against law firms and professional services.
Is one strange email really worth reporting?
Yes, especially the harmless looking ones. The documented opening move of the current campaign is an invoice email with no link and no attachment, designed to set up a follow-up call. Reporting it costs one minute and arms the whole team for the call that comes next.
What if an employee already gave someone access?
Move fast and skip the blame entirely. Isolate the machine, call your cyber carrier's breach hotline, reset credentials, and preserve everything, in that order. An employee who reports in five minutes just did the most valuable thing anyone can do in that situation. Firms that punish reporting train people to stay quiet, and quiet is what the attacker needs.
Can training actually prevent this?
It is the control both the FBI and Google's investigators recommend first, and carriers agree, often rewarding documented training and verification procedures at underwriting. Training does not make a team perfect. It makes reporting fast, and reporting speed is the difference between a story and a loss. About 40 percent of the time we tell clients to stay with their current carrier because that is the right answer.
What Houston clients say.
Six tells. One page. Every employee.
Send us the policies you carry today. We will read the coverage against the current campaign, show you which procedures your carrier rewards, and give your team the one page version of this checklist in plain English.
Commercial reviews route to our commercial desk and follow your calendar, not ours. Local broker. National infrastructure.
By