Phishing & Email Security: How to Spot and Stop Digital Scams

Welcome back! This post is part of our ongoing Cybersecurity Essentials series for small and medium-sized business (SMB) owners and non-technical teams. If you’ve ever felt overwhelmed by IT security jargon, you’re in the right place. We’re here to make these important topics simple and actionable—so you can protect your business without needing a degree in computer science.

Today, we’re diving into one of the most common cyber threats facing SMBs: phishing and email-based attacks.

What Is Phishing and Why Should You Care?

Phishing is a type of cyber attack where criminals pose as someone you trust—like a customer, supplier, or bank—in an attempt to trick you into revealing sensitive information or clicking a malicious link. These scams often arrive via email, but they can also show up through text messages, social media, or messaging apps.

Think: fake invoices, urgent requests from “the boss,” or phony password reset emails.

According to Verizon’s 2023 Data Breach Investigations Report, 74% of breaches involve the human element, including phishing, social engineering, and human error. And while large companies make headlines, SMBs are especially vulnerable: they often lack formal training and protections, have no dedicated IT team, and their staff are more likely to click something suspicious.

Real-life examples of phishing attacks

  • Facebook & Google (2013–2015). A phishing campaign tricked employees at both companies into paying over $100 million in fake invoices. The attacker impersonated a real supplier, Quanta Computer, and sent convincing-looking payment requests.

  • Elara Caring (2020). This U.S. healthcare provider fell victim when attackers accessed employee email accounts through phishing. The breach exposed personal data of over 100,000 elderly patients, including names, Social Security numbers, insurance, and financial information.

  • Levitas Capital (2020). A hedge fund fell victim to a whaling attack (a phishing attack specifically targeting high-level executives like CEOs and CFOs) via a fake Zoom link sent to its co-founder. The link installed malware that gave the attackers a foothold, and from there they issued fraudulent invoices totaling $8.7 million. Though only $800,000 was actually lost, the reputational damage cost Levitas its biggest client and the fund ultimately shut down.

How Phishing Works

Phishing relies on social engineering—manipulating people into doing something risky, like clicking a link, entering credentials or paying invoices. It usually starts with a message that appears to be from someone you trust, such as your bank, a vendor, or a colleague.

The Bait

Phishing can take many forms, not just email:

  • Email phishing: The classic scam (“Click to reset your password” or “Your invoice is attached”).
  • Spear phishing: A more targeted version, customized to you or your role.
  • Smishing: Fake texts (“Your package is delayed. Track here:” followed by a link).
  • Vishing: Scam phone calls impersonating tech support or financial institutions, increasingly convincing now that AI can clone voices.
  • Social media phishing: DMs with fake job offers or alerts.

The Hook

Once the bait lands, the attacker pushes you to act quickly: click a link, open an attachment, or log in to a fake website. These actions are designed to feel routine and urgent, lowering your defenses.

The Catch

When you follow through, that’s when the real damage happens. Depending on what you clicked or entered, attackers might:

  • Steal your passwords or credentials
  • Install malware or ransomware
  • Access your company’s files, emails, or financial systems
  • Impersonate you to scam others in your organization
  • Redirect payments or steal funds directly

Often, the person who was phished doesn’t even realize it immediately. That’s why prevention and early detection are critical.

How to Spot a Phishing Email

Phishing can be delivered by email, text, phone, or even chat platforms, but the red flags are often the same:

  • Urgency: Language that pressures you to act fast, like “reset now,” “account suspended,” or “your boss needs this ASAP.”
  • Spelling and grammar mistakes: Many phishing emails are poorly written, though well-written ones exist, so don’t rely on this alone.
  • Suspicious links: Hover over links (but don’t click) to check their true destination. The text you see and the address it actually opens can be completely different.
  • Unexpected attachments: Be wary of strange or unsolicited files.
  • Lookalike email addresses: Slight changes to the domain (a swapped, dropped, or extra character) in place of the real microsoft.com.
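Several of these red flags can be checked mechanically before a person ever reads the message. The script below is an added example written for this post, not code from the original article or from any email vendor. It parses a constructed sample email and reports a lookalike sender domain, a Reply-To that differs from the From address (an extra sign that goes with lookalike senders), failed SPF/DMARC verdicts recorded by the receiving server, urgency wording, and links whose visible text names a different site than the one they actually open. The trusted-domain list, the urgency word list, and every address and host in the sample are assumptions made up for the example.

```python
"""Mechanical red-flag checks for a suspicious email (constructed example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional
from urllib.parse import urlparse

# Domains this fictional company legitimately deals with: an assumption for the example.
TRUSTED_DOMAINS = {"microsoft.com", "ourcompany.com"}

# Pressure phrases from the red-flag list above, matched case-insensitively.
URGENCY_WORDS = ("reset now", "suspended", "asap", "immediately", "24 hours", "action required")

# Constructed sample message: every address and host in it is made up.
SAMPLE_EMAIL = """\
From: "Microsoft Account Team" <security@rnicrosoft.com>
Reply-To: helpdesk@mail-recovery.example
To: alice@ourcompany.com
Subject: Action required: your account will be suspended in 24 hours
Authentication-Results: mx.ourcompany.com; spf=fail smtp.mailfrom=rnicrosoft.com; dmarc=fail header.from=rnicrosoft.com
Content-Type: text/html; charset=utf-8

<p>Reset now: <a href="http://secure-login.example/reset">https://login.microsoft.com/reset</a></p>
"""


def registered_domain(host: str) -> str:
    """Keep the last two labels (login.microsoft.com -> microsoft.com).
    Production code should use the Public Suffix List; two labels are enough here."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def normalize_lookalike(domain: str) -> str:
    """Undo the character swaps attackers use to build lookalike domains (rn->m, 0->o, ...)."""
    swapped = domain.lower().replace("rn", "m").replace("vv", "w")
    return swapped.translate(str.maketrans("0135", "oles"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch a dropped, added or changed character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalize_lookalike(domain) == trusted or edit_distance(domain, trusted) == 1:
            return trusted
    return None


def analyze(raw_email: str) -> List[str]:
    """Return the red flags found in a raw RFC 5322 message, empty if none."""
    msg = message_from_string(raw_email)
    findings: List[str] = []

    from_domain = registered_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"lookalike-sender: {from_domain} imitates {imitated}")

    if msg.get("Reply-To"):
        reply_domain = registered_domain(parseaddr(msg["Reply-To"])[1].rpartition("@")[2])
        if reply_domain != from_domain:
            findings.append(f"reply-to-mismatch: replies go to {reply_domain}, not {from_domain}")

    # The receiving server records its own SPF/DKIM/DMARC verdicts in this header.
    auth = msg.get("Authentication-Results", "")
    for check in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{check}=fail\b", auth):
            findings.append(f"auth-fail: {check}")

    # Plain-text bodies only; base64/quoted-printable parts would need get_payload(decode=True).
    body = "\n".join(part.get_payload() for part in msg.walk() if not part.is_multipart())
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency: " + ", ".join(hits))

    # "Hover over the link": compare the site the anchor text shows with where the href really goes.
    for href, anchor in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, flags=re.I | re.S):
        real_host = registered_domain(urlparse(href).netloc)
        shown = re.sub(r"<[^>]+>", "", anchor).strip()
        if re.match(r"https?://", shown, re.I):
            shown_host = registered_domain(urlparse(shown).netloc)
            if shown_host != real_host:
                findings.append(f"link-mismatch: shows {shown_host}, goes to {real_host}")
        if lookalike_of(real_host):
            findings.append(f"lookalike-link: {real_host} imitates {lookalike_of(real_host)}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print(finding)
```

Run it as-is to see the five flags raised by the sample, or save a real suspicious message as a .eml file and pass its contents to analyze. None of these checks is proof on its own; a message that trips two or three of them is one to verify out of band rather than act on.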

How You Can Protect Yourself

Phishing targets people, not systems, so a few smart habits go a long way. Here’s what we recommend:

  1. Train Your Team: Educate employees about phishing. Share examples like the ones in this article, and include cybersecurity in onboarding and ongoing training.

  2. Use Multi-Factor Authentication (MFA): MFA adds an extra layer of protection, so a stolen password alone isn’t enough to get in. Where you can, choose phishing-resistant MFA such as security keys or passkeys: one-time codes and push approvals can still be captured by a fake login page or approved by a tired employee.

  3. Enable Email Filtering Tools: Most platforms (like Google Workspace or Microsoft 365) offer built-in filters to detect spam, suspicious links, and spoofed senders. Use them, and report suspicious messages so the filters keep improving.

  4. Run a Phishing Drill: Send your team a simulated phishing email once or twice a year. It’s a safe way to measure awareness and reinforce training.

  5. Adopt a “Pause and Verify” Culture: Encourage employees to double-check unusual requests, especially for money or login credentials, by contacting the person directly using contact details you already have, never the ones in the message.

Don’t Let Hackers Impersonate You

The tips above protect you from phishing, but what if someone tries to phish as you? Hackers can spoof your company’s email address and trick your clients into paying fake invoices. Even if you’re never breached, it can still harm your brand and customer trust.

To stop this, set up three simple email protections:

SPF, DKIM & DMARC are DNS records that tell receiving mail providers which servers are allowed to send mail for your domain, how to confirm a message really came from you, and what to do when a message fails those checks.

  • SPF: A list of the servers allowed to send mail for your domain, so receivers can reject mail that arrives from anywhere else.
  • DKIM: A digital signature added to each outgoing message that proves it came from your domain and wasn’t altered in transit.
  • DMARC: Tells receivers how to handle mail that fails SPF or DKIM (monitor, quarantine, or reject) and sends you reports on who is sending as your domain, spoofers included.

Once set up (usually by your IT provider or domain host), these records work automatically to protect your clients and your reputation. The usual rollout is to start DMARC in monitoring mode, confirm from the reports that all of your legitimate senders pass, and then move the policy to quarantine and finally reject; a DMARC record left in monitoring mode stops nothing.
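To see what “set up correctly” means in practice, here is an added example (written for this post, not taken from the original article or any provider’s documentation) that audits the text of SPF and DMARC records the way a practitioner checks them before publishing. It compares a weak pair of records with a hardened pair: the reporting address, the pct value and the example.com domain are made up, while the include: names are the ones Google Workspace and Microsoft 365 publish for SPF. It works on the record text only, so it cannot tell you whether your real senders are covered; that is what the DMARC reports are for.

```python
"""Audit SPF and DMARC record text for the weaknesses a spoofer would exploit."""
from typing import Dict, List

# Constructed sample records for the example (example.com is a placeholder domain).
WEAK_SPF = "v=spf1 include:_spf.google.com ptr +all"
STRONG_SPF = "v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

# SPF terms that cost a DNS lookup; RFC 7208 caps a record at 10 of them.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def audit_spf(record: str) -> List[str]:
    """Return a list of problems with an SPF record, empty if it looks sound."""
    findings: List[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["spf: record does not start with v=spf1, so receivers will ignore it"]

    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        # A term is [qualifier]mechanism[:arg][/cidr] or modifier=value; "+" is the default qualifier.
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_MECHANISMS:
            lookups += 1
            if name == "ptr":
                findings.append("spf: ptr is deprecated and unreliable; replace it with ip4/ip6 or include")

    if all_qualifier is None:
        findings.append("spf: no 'all' term, so unlisted servers get a neutral result; end the record with -all")
    elif all_qualifier == "+":
        findings.append("spf: +all authorises every server on the internet to send as your domain; use -all")
    elif all_qualifier == "?":
        findings.append("spf: ?all is neutral and protects nothing; use -all")
    elif all_qualifier == "~":
        findings.append("note: ~all only softfails unlisted senders; -all is stricter once DMARC is in place")
    if lookups > 10:
        findings.append(f"spf: {lookups} lookup mechanisms exceeds the limit of 10, which yields permerror")
    return findings


def parse_dmarc_tags(record: str) -> Dict[str, str]:
    """Split "v=DMARC1; p=reject; rua=mailto:x" into a lower-cased tag -> value map."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record: str) -> List[str]:
    """Return a list of problems with a DMARC record, empty if it looks sound."""
    findings: List[str] = []
    tags = parse_dmarc_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["dmarc: record does not start with v=DMARC1, so receivers will ignore it"]

    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("dmarc: missing or invalid p= tag; the record is not valid without one")
    elif policy == "none":
        findings.append("dmarc: p=none only monitors, spoofed mail is still delivered; move to quarantine, then reject")

    if "rua" not in tags:
        findings.append("dmarc: no rua= address, so you receive no aggregate reports of who sends as your domain")

    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"dmarc: pct={pct} applies the policy to only {pct}% of failing mail")

    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p when absent
    if policy == "reject" and subdomain_policy != "reject":
        findings.append(f"dmarc: sp={subdomain_policy} leaves subdomains spoofable even though the main domain rejects")
    return findings


def audit_domain_records(spf: str, dmarc: str) -> List[str]:
    """Audit both records together and return every finding."""
    return audit_spf(spf) + audit_dmarc(dmarc)


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", STRONG_SPF, STRONG_DMARC)):
        print(f"[{label}]")
        for finding in audit_domain_records(spf, dmarc) or ["no problems found"]:
            print("  " + finding)
```

To audit your own domain, look up the TXT records for yourdomain and _dmarc.yourdomain (for example with dig TXT _dmarc.yourdomain) and pass the record strings to audit_spf and audit_dmarc. DKIM is not covered here because its key is generated and published by your mail provider; the thing to verify there is that the selector record exists and that the provider shows signing as enabled.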

Quick Checklist for Email Safety

  • Train your team, and include phishing in onboarding and ongoing training.
  • Turn on multi-factor authentication for email and every financial system.
  • Enable your email platform’s filtering for spam, suspicious links, and spoofed senders.
  • Run a phishing drill once or twice a year.
  • Pause and verify unusual requests for money or credentials using contact details you already have.
  • Publish SPF, DKIM, and DMARC records for your domain, and move DMARC beyond monitoring mode.


Final Thoughts

Phishing is one of the easiest ways for attackers to break into your business, but it’s also one of the easiest to prevent with the right habits and tools in place. A little awareness goes a long way toward protecting your team, your data, and your reputation. Stay tuned for our next post: Ransomware and Data Backup!

Sources:

Verizon Data Breach Investigations Report (DBIR)

U.S. Department of Health and Human Services, Elara Caring Breach Report (2020)