Small businesses get phishing emails that are indistinguishable from real vendor invoices and have no way to verify
A 15-person accounting firm receives an email from 'accounts@quickb00ks-billing.com' with a PDF invoice for their QuickBooks subscription renewal: $299.99. The email looks identical to previous legitimate QuickBooks invoices — same logo, same formatting, same 'Pay Now' button. The only difference: the domain has two zeros instead of 'oo'. The office manager clicks Pay Now, enters the company credit card, and has just given it to a scammer. This happens to 1 in 4 small businesses annually.

So what? Enterprise companies have email security gateways (Proofpoint, Mimecast) that catch 95%+ of phishing. Small businesses use Gmail or Outlook with default spam filtering, which catches obvious spam but not targeted phishing that mimics real vendors. The cost of a single successful phishing attack on a small business averages $120K (FBI IC3 data). For a 15-person firm, that can be fatal. An employee who clicked a phishing link is not stupid — the email was genuinely indistinguishable from a real invoice without checking the domain character by character.

Why does this persist? Phishing-as-a-service platforms let attackers generate pixel-perfect replicas of any company's emails for $50/month. SPF/DKIM/DMARC email authentication exists, but only 33% of domains have DMARC enforced. Small businesses cannot afford enterprise email security ($3-8/user/month) and do not have IT staff to configure it. Google Workspace and Microsoft 365 basic plans include limited phishing protection that misses well-crafted attacks.
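The character-by-character domain check described above can be automated. The sketch below is an added example, not part of the original page: it undoes common look-alike substitutions (such as `0` for `o`) and compares the sender's domain against a constructed allowlist of vendor domains. `KNOWN_VENDORS`, the substitution table and the 0.85 similarity threshold are assumptions, as is treating the last two labels as the registrable domain.

```python
import re
from difflib import SequenceMatcher

# Constructed allowlist (assumption): domains this firm really gets invoices from.
KNOWN_VENDORS = {"quickbooks.com", "intuit.com"}

# Common look-alike substitutions, mapped to the character they imitate.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s")]

def sender_domain(from_header):
    """Extract the lower-cased domain of the address in a From header."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return match.group(1).lower().rstrip(".") if match else None

def registrable(domain):
    # Assumption: last two labels. A real deployment would consult the
    # Public Suffix List so that suffixes like co.uk are handled correctly.
    return ".".join(domain.split(".")[-2:])

def skeleton(text):
    """Replace look-alike characters with the letters they imitate."""
    for fake, real in CONFUSABLES:
        text = text.replace(fake, real)
    return text

def check_sender(from_header):
    """Return (verdict, vendor): known, lookalike, unknown or unparseable."""
    domain = sender_domain(from_header)
    if domain is None:
        return ("unparseable", None)
    reg = registrable(domain)
    if reg in KNOWN_VENDORS:
        return ("known", reg)
    # Compare each dot- or dash-separated token of the domain to each brand name.
    tokens = [skeleton(t) for t in re.split(r"[.-]", domain) if t]
    for vendor in sorted(KNOWN_VENDORS):
        brand = vendor.split(".")[0]
        for token in tokens:
            # A ratio near 1.0 means the token is the brand or one typo away.
            if SequenceMatcher(None, token, brand).ratio() >= 0.85:
                return ("lookalike", vendor)
    return ("unknown", None)

if __name__ == "__main__":
    print(check_sender("accounts@quickb00ks-billing.com"))
```

A "lookalike" verdict is a reason to hold the message and confirm the invoice through the vendor's own site, not proof of fraud; "unknown" senders still need the usual checks.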
Evidence
FBI IC3 2023 Report: phishing is the #1 reported cybercrime, $18.7B in losses. Verizon DBIR 2024: 36% of all breaches involve phishing. DMARC adoption: only 33% of domains enforce it (dmarcian data). Small business phishing loss average: $120K per incident (Hiscox Cyber Readiness Report). Proofpoint starts at $3-5/user/month, beyond most small business budgets.