Phishing Attacks: How to Spot Them and Train Your Staff

Phishing is responsible for the majority of ransomware infections, business email compromise, and credential theft affecting small businesses. It works not because people are careless, but because modern phishing attacks are well-crafted and difficult to distinguish from legitimate communications.

The good news is that recognition can be taught. Staff who know what to look for are significantly harder to compromise than those who don’t.

What Phishing Is

Phishing is a fraudulent communication, almost always email, though SMS (smishing) and voice calls (vishing) are also used, designed to trick the recipient into taking an action that benefits the attacker.

That action is usually one of:

  • Clicking a link that leads to a credential-harvesting page
  • Opening an attachment that installs malware
  • Transferring money or sensitive data in response to a fraudulent request

The name comes from fishing, casting a wide net and waiting for someone to take the bait. Mass phishing campaigns send millions of emails hoping a small percentage of recipients will bite. Targeted attacks (spear phishing) are aimed at specific individuals or organisations and are considerably more convincing.

How to Recognise a Phishing Email

No single indicator is definitive. Phishing recognition is about patterns, and the more indicators present, the more suspicious a message should be.

The Sender Address

The display name (what you see in your email client) can say anything. What matters is the actual sending address, visible when you hover over the sender name or check the message headers.

Look for:

  • Addresses that look almost right but aren’t: support@micros0ft.com, accounts@paypa1.com
  • Legitimate-looking domains that are subtly different: amazon-support.com instead of amazon.com
  • Completely unrelated domains sending messages claiming to be from a known organisation

Note that sophisticated attackers can sometimes spoof legitimate addresses entirely, so an email appearing to come from a real address isn’t automatically trustworthy. This is why email authentication (SPF, DKIM, DMARC) matters, and why it’s covered in a separate post in this series.

Urgency and Pressure

“Your account will be suspended in 24 hours.” “Immediate action required.” “This offer expires today.”

Urgency is a manipulation tactic. Legitimate organisations rarely demand immediate action under threat of serious consequences, and they don’t typically send one email with a very short deadline.

Generic Greetings

“Dear Customer.” “Dear User.” “Hello.”

Organisations you have a genuine relationship with know your name. A message that doesn’t address you by name may have been sent to thousands of recipients.

Links That Don’t Match Their Destination

Hover over any link before clicking it. The URL that appears in the status bar or tooltip is where you’ll actually go, not necessarily where the link text says.

Watch for:

  • URLs that contain a legitimate brand name but have additional text around it: amazon.com.suspicious-domain.net
  • Shortened URLs (bit.ly, tinyurl.com) that hide the real destination
  • HTTP rather than HTTPS on pages asking for credentials
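As an added example that is not part of the original post, the following Python checker applies the sender-address indicators from the earlier section and the link indicators listed above: look-alike domains built from digit-for-letter swaps, brand names wrapped in someone else’s domain, URL shorteners, and plain HTTP. The brand list, the homoglyph table and the sample addresses are constructed for illustration.

```python
from urllib.parse import urlparse

# Brands the business expects mail from and their genuine domains (constructed list).
KNOWN_BRANDS = {"microsoft": "microsoft.com", "paypal": "paypal.com", "amazon": "amazon.com"}
# URL shorteners named in the post; they hide the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com"}
# Digit-for-letter swaps used to build look-alike names (deliberately small table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_domain(host):
    """Last two labels of a hostname. Simplification: no public-suffix list,
    so 'example.co.uk' would come back as 'co.uk'."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def check_domain(host):
    """Reasons a hostname looks like it impersonates a known brand."""
    host = host.lower()
    reg = registrable_domain(host)
    reasons = []
    for brand, legit in KNOWN_BRANDS.items():
        if reg == legit:
            return []  # genuinely the brand's own domain, nothing to flag
        # 'micros0ft.com' becomes 'microsoft.com' once the swaps are undone
        if reg.translate(HOMOGLYPHS) == legit:
            reasons.append("look-alike of %s: %s" % (legit, reg))
        # brand name present but the registered domain is someone else's:
        # amazon-support.com, amazon.com.suspicious-domain.net
        elif brand in host:
            reasons.append("contains '%s' but registered domain is %s" % (brand, reg))
    return reasons


def check_sender(address):
    """Check the domain part of a From: address."""
    return check_domain(address.rsplit("@", 1)[-1])


def check_link(url):
    """Check the host a link really points to, plus scheme and shortener indicators."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reasons = check_domain(host)
    if registrable_domain(host) in SHORTENERS:
        reasons.append("shortened URL hides the real destination")
    if parsed.scheme == "http":
        reasons.append("plain HTTP, not HTTPS")
    return reasons
```

Each function returns the list of indicators it found, so an empty list means nothing on this page’s list was spotted, not that the message is safe.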

Unexpected Attachments

An invoice you weren’t expecting. A document from a supplier you don’t recognise. A “voicemail” or “fax” as an email attachment.

Malicious attachments are often disguised as PDFs, Word documents, or ZIP files. Even a file that looks like a PDF can contain an executable. If you weren’t expecting an attachment, verify with the sender by a separate channel before opening it.

Requests That Bypass Normal Processes

“Please process this payment directly. I’ll explain later.” “Don’t mention this to anyone else.” “This is confidential.”

Legitimate business requests don’t typically involve circumventing normal approval processes or asking for secrecy. These are red flags regardless of who appears to be asking.

Spelling, Grammar, and Formatting

Poorly written phishing emails are becoming rarer as attackers use better tools, but inconsistent formatting, odd phrasing, or mismatched logos are still worth noting. A message that looks visually off (wrong font, misaligned logo, inconsistent spacing) may have been assembled rather than generated by the organisation it claims to be from.

What to Do With a Suspicious Email

Don’t click any links or open attachments.

Don’t reply: replying confirms your address is active.

Report it: to your IT team or managed service provider. Most email platforms have a built-in reporting button (Report Phishing or Junk) that feeds threat intelligence.

If you think it might be legitimate, verify by a separate channel: look up the organisation’s contact details independently and call or email them directly, rather than using any contact information in the suspicious message.

If you’ve already clicked: tell someone immediately. The sooner your IT team knows, the faster they can contain any potential damage. Clicking a link or opening an attachment doesn’t mean you’re definitely compromised, but it needs to be assessed. No one should feel too embarrassed to report it.

Training Your Staff

Awareness training doesn’t need to be expensive or time-consuming to be effective. The goal is familiarity, making staff feel like they’ve seen a phishing attempt before when a real one arrives.

Regular, short training sessions are more effective than a single annual exercise. A 10-minute refresher every quarter, covering recent phishing examples relevant to your industry, keeps the topic current.

Simulated phishing exercises send fake phishing emails to staff and track who clicks. This isn’t about blame; it’s about identifying where additional training is needed and giving people a low-stakes experience of what a phishing attempt feels like. Staff who click on a simulated phishing test and receive immediate feedback are less likely to click on a real one.

Make reporting easy and safe. Staff who aren’t sure whether an email is legitimate should feel comfortable asking without fear of appearing incompetent. A culture where questions are welcomed catches more phishing attempts than one where people hesitate to raise concerns.

Focus on the most relevant scenarios. Invoice fraud, parcel delivery scams, and Microsoft 365 credential phishing are among the most common attacks targeting small businesses. Training that uses realistic examples from your industry is more effective than generic awareness content.

Technical Controls That Help

Training reduces the likelihood of a successful phishing attempt; technical controls reduce the damage when one succeeds.

  • MFA on all accounts — a phished password alone can’t be used to log in
  • Email filtering — most business email platforms include spam and phishing filtering; ensure it’s enabled and tuned
  • DNS filtering — blocks connections to known phishing and malware domains at the network level
  • Endpoint protection — can detect and block malicious attachments and connections even if a user clicks

These controls work alongside staff awareness, not instead of it.
