Phishing attacks have exploded over the past two years, and businesses in Johnson City and the broader Tri-Cities region are squarely in the crosshairs. According to the FBI's Internet Crime Complaint Center (IC3), phishing incidents surged over 300% between 2023 and 2025, driven largely by the weaponization of generative AI tools that allow attackers to craft flawless, highly convincing emails at scale. If your office still relies on "just be careful with email" as a security strategy, you're operating on borrowed time.
The days of obvious phishing emails — riddled with typos, sent from suspicious domains, asking a Nigerian prince to wire money — are over. Today's phishing campaigns are sophisticated, targeted, and increasingly difficult to distinguish from legitimate communications.
How AI Changed the Phishing Game
Generative AI tools like ChatGPT, and their uncensored dark-web counterparts like WormGPT and FraudGPT, have fundamentally transformed phishing. Attackers can now generate emails with perfect grammar, natural tone, and contextually appropriate content in seconds. They can mimic the writing style of a specific executive, generate fake invoice PDFs with accurate formatting, and even create deepfake voice messages for vishing (voice phishing) calls.
For Johnson City businesses, this means a phishing email might look exactly like a message from your accountant at a local CPA firm, a purchase order from a vendor on South Roan Street, or an IT notification from your managed service provider. The attacker doesn't need to be a skilled writer or even speak English natively — AI handles all of that.
Phishing Tactics Targeting Tri-Cities Businesses
Our security team has observed several phishing patterns specifically targeting businesses in the Johnson City, Kingsport, and Bristol area:
- Fake local vendor invoices: Attackers research local business relationships using LinkedIn, public records, and company websites, then send spoofed invoices that appear to come from real Tri-Cities suppliers. The email asks accounts payable to update the vendor's banking details — routing the next payment to the attacker's account.
- Spoofed ETSU emails: East Tennessee State University is the region's largest institution, and attackers exploit that trust. Phishing emails masquerading as ETSU IT, financial aid, or HR departments target both university staff and the hundreds of local businesses that interact with the university.
- IRS and TN-DOR tax scams: Every tax season brings a surge of phishing emails impersonating the IRS or the Tennessee Department of Revenue. These are especially effective against small businesses and accounting firms in the Tri-Cities during Q1 filing deadlines.
- Microsoft 365 credential harvesting: The most common phishing attack we see across the region targets Microsoft 365 login credentials. The victim receives a convincing email about a shared document, clicks the link, and lands on a pixel-perfect fake Microsoft login page. Once the attacker has the credentials, they own that entire mailbox.
Business Email Compromise: The Billion-Dollar Threat
Business Email Compromise (BEC) is the most financially devastating form of phishing, and it's hitting small and mid-size companies the hardest. In a BEC attack, the attacker either compromises a real email account or creates a near-identical spoofed address, then uses it to authorize fraudulent wire transfers, redirect payroll deposits, or exfiltrate sensitive data.
The FBI's IC3 reported that BEC attacks caused over $2.9 billion in losses in 2025 alone — more than ransomware, more than any other category of cybercrime. The average BEC loss for a small business is approximately $125,000, which is catastrophic for most Johnson City companies.
Here's a scenario we've seen play out locally: A Tri-Cities construction company receives an email from what appears to be a long-term subcontractor, requesting that future payments be sent to a new bank account. The email comes from the subcontractor's "new email address" (one letter different from the real one). Accounts payable processes the change, and three payments totaling $87,000 are wired to the attacker before anyone notices.
How Phish-Proof Is Your Team?
Blue Ridge Security runs realistic phishing simulations that test your employees against the same tactics real attackers use. Find out where your team is vulnerable before a real attack costs you.
Request a Phishing AssessmentBuilding a Real Defense Against Phishing
Stopping modern phishing attacks requires a layered approach that combines technology, policy, and human training. No single tool can catch everything — especially when AI-generated emails are nearly indistinguishable from legitimate messages.
1. Implement Email Authentication (DMARC, DKIM, SPF)
These three email authentication protocols work together to verify that emails actually come from the domains they claim to come from. SPF specifies which mail servers are authorized to send email for your domain. DKIM adds a cryptographic signature to outgoing messages. DMARC ties them together with a policy that tells receiving servers to reject or quarantine messages that fail authentication. If you haven't configured these for your domain, spoofed emails using your company name are landing in your clients' inboxes right now.
2. Deploy Advanced Email Filtering
Modern email security gateways use AI and machine learning to analyze message content, sender reputation, URL destinations, and attachment behavior in real time. Look for solutions that provide sandboxing (detonating suspicious attachments in an isolated environment), URL rewriting (checking links at the time of click, not just delivery), and impersonation protection (flagging emails where the display name mimics a known executive).
3. Enforce Multi-Factor Authentication (MFA)
MFA is the single most effective control against credential theft from phishing. Even if an employee enters their password on a fake login page, the attacker can't access the account without the second factor. Use phishing-resistant MFA methods like FIDO2 hardware keys or authenticator apps — avoid SMS-based codes, which can be intercepted through SIM-swapping attacks.
4. Run Regular Phishing Simulations
Technology catches most phishing emails, but the ones that slip through are the most dangerous — and those are the ones your employees will encounter. Monthly phishing simulations train your team to recognize suspicious emails, report them through proper channels, and resist the urgency tactics that attackers rely on. Track click rates, report rates, and repeat-offender rates to measure your human risk over time.
5. Establish Verification Procedures for Financial Requests
No banking change, wire transfer, or payroll redirect should ever be executed based solely on an email request. Establish a mandatory out-of-band verification process: call the requestor at a known phone number (not the one in the email) to confirm any financial instruction. This single policy prevents the vast majority of BEC losses.
Human Training Is Your #1 Defense
Here's the uncomfortable truth: no email filter is 100% effective. AI-generated phishing emails are designed specifically to evade automated detection. The last line of defense is always the person sitting at the keyboard. That's why security awareness training isn't optional — it's the most important investment you can make.
Effective training goes beyond a once-a-year slideshow presentation. It means continuous micro-learning modules, real-time coaching when someone clicks a simulated phish, and building a culture where reporting a suspicious email is rewarded rather than punished. The goal isn't to make employees feel stupid for clicking — it's to make them instinctively cautious.
The Bottom Line
Phishing is the number one attack vector for businesses in Johnson City, Kingsport, Bristol, and across the Tri-Cities. AI is making these attacks more convincing, more targeted, and more frequent every month. The companies that survive are the ones that layer technical controls with ongoing human training.
At Blue Ridge Security, our BlueHook phishing simulation platform delivers realistic, customized phishing campaigns that test and train your team against the exact tactics being used against Tri-Cities businesses today. Combined with our email security assessments and security awareness programs, we help you close the human gap in your defenses.
Don't wait for a six-figure wire fraud to take action. Contact Blue Ridge Security today to find out how vulnerable your team really is.