Phishing is a type of cyber attack where an attacker uses email, instant messages, fake text messages (smishing), or spoofed websites to trick people into giving up usernames and passwords, personal information, banking details, or other confidential data. Once you submit your information, the attacker can log in to real systems and steal money, data, or your identity.
Phishers use social engineering tactics—like urgency, fear, authority, or too-good-to-be-true offers—to pressure employees into quick, careless clicks.
Examples of phishing
- Phishing email asking you to review or e-sign a document
- Spoofed email pretending to be from your bank or a well-known brand
- Fake online banking or Microsoft 365/Google Workspace login page
The most common phishing attacks targeting SMBs:
- Spear phishing (targeted messages aimed at specific employees, such as finance or HR).
- Business Email Compromise (BEC), using spoofed or lookalike emails to impersonate executives, vendors, or partners.
Small and medium-sized businesses often face spoofed emails as part of phishing or BEC scams, along with voice phishing phone calls (vishing) and fake text messages (smishing). The goal is the same—trick employees and gain access to money, accounts, or sensitive data.
How to spot a phishing attack?
Phishing scams can be hard to detect. Train employees to watch for these red flags:
- Mismatched or suspicious sender addresses
- Unexpected attachments or links
- Urgent payment or gift card requests
- Requests to change banking details
- Lookalike domains or misspellings
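As an added illustration (not part of the original article), the following Python check applies three of the red flags above to a constructed sample message: a Reply-To domain that differs from the From domain, a sender domain that is a near-miss of the organisation's own domain, and urgent payment or gift card language. The sample headers, the body text and the organisation domain `example-corp.com` are all assumed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample of a BEC-style lure (not a real message): the display name
# impersonates an executive, the sender domain swaps "l" for "1", and replies are
# steered to an unrelated mailbox.
SAMPLE = """\
From: "Jane Doe (CEO)" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@freemail.invalid
Subject: URGENT wire transfer needed today

Please update the vendor banking details and send the gift cards ASAP.
"""

# The organisation's own domain; "example-corp.com" is an assumed placeholder.
TRUSTED_DOMAINS = ["example-corp.com"]
# Phrases matching the urgency / payment red flags listed in the text.
URGENCY_WORDS = ("urgent", "asap", "immediately", "wire transfer",
                 "gift card", "banking details")


def levenshtein(a, b):
    """Edit distance; a small non-zero distance to a trusted domain = lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    # Lower-cased domain of an address header, '' if the header is absent.
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def check_message(raw, trusted=TRUSTED_DOMAINS):
    """Return human-readable red flags found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for good in trusted:
        if 0 < levenshtein(from_dom, good) <= 2:
            flags.append(f"sender domain {from_dom} looks like {good}")
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        flags.append("urgent payment language: " + ", ".join(hits))
    return flags
```

Running `check_message(SAMPLE)` returns three flags for the constructed lure, while a plain internal message with no Reply-To and no payment language returns an empty list; in practice such checks complement, rather than replace, employee training and mail-gateway controls such as SPF, DKIM and DMARC.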