Phishing is consistently one of the most common ways attackers get into small business systems. Not sophisticated hacking – just a convincing email that tricks someone into clicking a link, opening a file, or entering their password. Here’s how to spot them and what to do when you see one.
Red Flags That Scream Phishing
Urgency and Threats
“Your account will be suspended in 24 hours.” “Immediate action required.” “Unauthorized login detected.” Legitimate companies rarely demand immediate action via email. If it makes you panicky, that’s by design – slow down and verify.
Sender Address Doesn’t Match
The display name says “Microsoft Support” but the actual email address is support@micros0ft-alerts.com (note the zero in place of the “o”). Always check the actual address, not just the name, and read the part after the @ carefully: attackers register lookalike domains with swapped letters or extra words. On mobile, tap the sender name to reveal the full address. A correct-looking address is not proof of legitimacy on its own (it can be forged), but a wrong one is proof of a fake.
Generic Greetings
“Dear Customer” or “Dear User” instead of your actual name. Your bank knows your name. A phishing attacker blasting 10,000 emails doesn’t. The reverse isn’t true, though: a targeted attacker who has looked you up will use your name and your company’s, so a personal greeting alone doesn’t make an email safe.
Suspicious Links
Hover (don’t click) over any link; on a phone, press and hold the link to preview it. Does the URL match where it claims to go? The part that matters is the domain, the last two pieces of the name right before the first single slash, read from the right: “paypal.com” vs “paypal-secure-login.sketchy-domain.com” – the second one belongs to sketchy-domain.com and is phishing. The same goes for “paypal.com.sketchy-domain.com”; anything in front of the real domain is just a label the attacker chose.
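The two checks described under “Sender Address Doesn’t Match” and “Suspicious Links” can be done mechanically, which is what mail filters do at scale. The script below is an added example written for this post (not code from the original article or from Seashore IT) using only Python’s standard library. The brand-to-domain allowlist and all sample headers and links are constructed for the example; in practice the allowlist comes from your own vendor list, and the “last two labels” rule for the real domain is a simplification that ignores suffixes like .co.uk.

```python
"""Mechanical versions of two phishing red flags:
 - display name claims a brand the sender domain doesn't belong to
 - link text (or a hostname prefix) names a brand the real target isn't
Allowlist and samples are constructed for this example."""
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlparse

# Constructed allowlist: brand -> domains it legitimately mails from / links to.
KNOWN_BRANDS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "paypal": {"paypal.com"},
}

# Common digit-for-letter swaps used in lookalike domains (micros0ft, paypa1).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """'login.paypal.com' -> 'paypal.com'. Simplification: last two labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_in_text(text: str) -> Optional[str]:
    """Return the brand a piece of text (display name, hostname, link text)
    names or imitates after undoing digit swaps, or None."""
    plain = text.lower().translate(LOOKALIKES).replace("rn", "m")
    for brand in KNOWN_BRANDS:
        if brand in plain:
            return brand
    return None


def check_sender(from_header: str) -> list:
    """'Sender Address Doesn't Match': compare the display name's claim with
    the real address domain, and catch lookalike domains."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["no parseable sender address"]
    domain = registrable_domain(addr.split("@", 1)[1])
    findings = []
    claimed = brand_in_text(name)
    if claimed and domain not in KNOWN_BRANDS[claimed]:
        findings.append(f"display name claims {claimed} but address domain is {domain}")
    imitated = brand_in_text(domain)
    if imitated and domain not in KNOWN_BRANDS[imitated]:
        findings.append(f"{domain} looks like {imitated} but is not one of its domains")
    return findings


def check_link(link_text: str, href: str) -> list:
    """'Suspicious Links': compare what the link says with where it goes.
    A brand in the visible text OR in the hostname (the paypal.com.evil.example
    subdomain trick) must resolve to one of that brand's real domains."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    target = registrable_domain(host)
    findings = []
    if parsed.scheme != "https":
        findings.append(f"link scheme is {parsed.scheme or 'missing'}, not https")
    claimed = brand_in_text(link_text) or brand_in_text(host)
    if claimed and target not in KNOWN_BRANDS[claimed]:
        findings.append(f"link names {claimed} but actually goes to {target}")
    return findings


if __name__ == "__main__":
    # Constructed samples: the post's own examples plus a legitimate one each.
    for hdr in ["Microsoft Support <support@micros0ft-alerts.com>",
                "Microsoft account team <no-reply@accountprotection.microsoft.com>"]:
        print(hdr, "->", check_sender(hdr) or "ok")
    for text, href in [("paypal.com", "http://paypal-secure-login.sketchy-domain.com/login"),
                       ("Review your account", "https://paypal.com.account-review.example/x"),
                       ("Log in to PayPal", "https://www.paypal.com/signin")]:
        print(text, href, "->", check_link(text, href) or "ok")
```

Run it as-is to see the post’s two examples flagged and the legitimate sender and link pass. The useful lesson is in check_link: the hostname is reduced to its real domain before anything is compared, so a brand name sitting in a subdomain or in the link text counts against the link, not for it.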
Unexpected Attachments
An “invoice” from a company you don’t do business with. A “voicemail” attached as a file. A “shipping notification” you didn’t expect. Don’t open attachments you weren’t expecting, and be especially wary of .zip files, .html files, and Office documents that ask you to “enable content” or “enable macros” – those are the usual wrappers for malware.
Requests for Credentials or Payment
No legitimate service asks you to “verify your password” via email. No real vendor suddenly needs you to update payment info via a link in an email. When in doubt, go directly to the website (type the URL, don’t click the link) and check your account there.
What to Do When You Get One
- Don’t click anything – No links, no attachments, no “unsubscribe”
- Don’t reply – Even to say “stop” or “this is a scam”
- Report it – Forward to your IT provider or use your email’s “report phishing” button
- Delete it – After reporting, trash it
- If you already clicked – Call your IT provider immediately. If you typed in a password, change it (and anywhere else you reused it) from a device you trust, and sign out of other sessions if the service offers that. If you opened an attachment, disconnect that computer from the network and leave it to IT. Enable MFA if you haven’t.
Protecting Your Business
Individual vigilance helps, but it’s not enough. One mistake by one employee is all it takes. Proper protection requires email security filtering (catches most phishing before it reaches inboxes), MFA (a stolen password alone is no longer enough; security keys or passkeys are the strongest option because they also defeat kits that relay one-time codes), and endpoint protection (limits the damage if someone clicks). This is standard in flat-rate managed IT.
Need IT help? Seashore IT provides flat-rate managed IT for businesses with 5-250 computers across the Western US – from auto shops and contractors to law firms and healthcare practices. Call (833) 997-6886 or email info@seashoreit.com.
Seashore IT – Your transparent IT partner, aligned to your goals, embedded in your success.
