The single most common way businesses get breached isn't a sophisticated hack — it's a convincing email that tricks someone into clicking a link, opening an attachment, or handing over a password. That's phishing, and it works because it targets people, not just technology. The best defence is a team that knows the warning signs. Here's a practical guide you can share with yours.
What phishing is
Phishing is a fraudulent message — usually email, sometimes text or phone — designed to look legitimate so you'll take an action that benefits the attacker: click a malicious link, enter your credentials on a fake login page, open malware, or approve a payment. The goal is almost always your money or your access.
The warning signs
Train your team to pause when they see any of these:
- A sense of urgency or threat. "Your account will be suspended," "Immediate action required," "Invoice overdue." Urgency is designed to make you act before you think.
- Requests for credentials or payment. Legitimate companies don't email asking you to "confirm your password" or urgently change banking details.
- A mismatched sender address. The display name says "Microsoft," but the actual email address is a random or misspelled domain. Always check the real address.
- Links that don't match. Hover over a link (don't click) and check where it actually goes.
microsoft-support-login.xyzis not Microsoft. - Unexpected attachments. Especially invoices, shipping notices, or documents you weren't expecting.
- Spelling and formatting that's slightly off. Odd grammar, wrong logos, or generic greetings ("Dear Customer") are red flags.
- A request that breaks normal process. A "CEO" emailing to urgently buy gift cards, or a supplier suddenly changing bank details, should always be verified another way.
The most dangerous kind: targeted phishing
Generic phishing is easy to spot. Spear phishing and business email compromise are harder — attackers research your business and impersonate a real colleague, boss, or supplier. If an email asking for money or a change to payment details feels even slightly off, verify it through a separate channel (a phone call to a known number), not by replying to the email.
What to do when you spot one
- Don't click, don't reply, don't open attachments.
- Report it to whoever handles IT or security at your business.
- Delete it after reporting.
- If someone already clicked or entered a password, act fast — change the password, enable MFA if it isn't on, and tell your IT provider immediately. Speed limits the damage.
Technology helps, but people finish the job
Good email filtering stops most phishing before it ever reaches an inbox, and multi-factor authentication limits the damage if a password is stolen. But some messages always get through, which is why a trained, alert team is essential. The Government of Canada's Get Cyber Safe program has excellent free resources on recognizing phishing.
The bottom line
Phishing succeeds by rushing people into mistakes. A team that knows to slow down, check the sender and links, and verify unusual requests will stop the overwhelming majority of attacks.
We combine email and phishing filtering with practical guidance for your team. Want to strengthen your defences? Book a free evaluation, or read our 7 cybersecurity essentials.
