Phishing is a type of cyber crime where an attacker uses deceptive messages to get access to important information. They often use email, but a phishing attack might also be a text message, a social media direct message or a phone call.
Spot warning signs
Keep an eye out for emails or messages that look suspicious. Threatening or urgent language, suspicious links, incorrect email addresses, poor spelling or unusual requests are some telltale signs.
Make everyone alert
Your employees are your first line of defence against phishing attacks, so it’s important that they understand the risks, what to look out for and what to do if they suspect something. To ensure your team is up to date with the latest information, give them regular training provided by a trusted source.
Beware of internet scams
What is phishing?
Phishing is an internet scam. It’s a type of cyber crime where an attacker uses deceptive messages to steal sensitive information. This could be a password, bank details, customer data or anything else that’s valuable to you or them.
Scammers are highly skilled at fooling their victims. For example, they might pick a time when you’re likely to be distracted or say something that plays to your vulnerabilities.
Small businesses are common targets, as they tend to have fewer cyber security resources and less robust IT systems than large corporations.
Phishing could take the form of:
Phishing emails.
Smishing, or SMS phishing, via text message or WhatsApp.
Vishing, or voice phishing, via phone calls.
Social media phishing, where criminals set up fake profiles, or hijack legitimate accounts to send malicious links.
Spear phishing, which is highly targeted to a specific individual or company.
How does phishing work?
How to spot a phishing attack?
Attackers use several techniques to convince you to act without thinking. Here are some ways to tell if a message is legitimate or not:
Urgent or threatening language: e.g. ‘Your account will be suspended’ or ‘Payment needed urgently’.
Generic greetings: e.g. ‘Dear customer’, instead of a personalised message.
Suspicious links: to find out if a link is legitimate, hover your cursor over it to see the real URL.
False sender’s email address: check the address and make sure the domain name is real.
Poor spelling and grammar.
Unusual requests: such as asking for sensitive information.
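The signs in this list can also be checked automatically as a first-pass filter. The Python below is an added example, not part of the original guidance: it applies the listed signs to a constructed sample email. The phrase lists, the function names and the bank.example and .test domains are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE = """\
From: "Bank Example" <security@bank-example.test>
Subject: Payment needed urgently

<p>Dear customer, your account will be suspended. Confirm your password at
<a href="http://bank.example.verify-login.test/reset">www.bank.example/login</a></p>
"""  # constructed sample using reserved domains, not a real message
CHECKS = {"urgent language": re.compile(r"will be suspended|urgent|immediately", re.I),
          "generic greeting": re.compile(r"\bdear (customer|user|client)\b", re.I),
          "sensitive request": re.compile(r"\b(password|bank details|card number)\b", re.I)}

class Links(HTMLParser):  # collects (href, visible text): what hovering reveals
    def __init__(self):
        super().__init__()
        self.found, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self.href is not None:
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.found.append((self.href, self.text.strip()))
            self.href = None

def host(value):  # lower-cased hostname of a URL or bare domain, minus "www."
    h = (urlparse(value if "//" in value else "//" + value).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

def warning_signs(raw_email, expected_domain):  # assumes a single-part message
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    text = msg.get("Subject", "") + " " + body
    signs = [name for name, rx in CHECKS.items() if rx.search(text)]
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender != expected_domain:
        signs.append("sender domain mismatch: " + sender)
    links = Links()
    links.feed(body)
    # Only link text that itself looks like a domain can be compared with the target.
    signs += ["link text/target mismatch: " + host(h) for h, t in links.found
              if "." in t and " " not in t and host(t) != host(h)]
    return signs
```

A link whose visible text is not a domain (for example 'click here') cannot be compared this way and still needs the hover check described above.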
What to do if you fall for a phishing attack
If you only remember three things:
Train your team. Build knowledge and alertness through regular, up-to-date security awareness training with phishing simulations.
Pause. These cyber attacks rely on you being time-poor and distracted. Take a moment to check for signs that something could be a phishing attempt.
Report if you suspect something’s wrong. Action Fraud and the NCSC have guidance for small businesses.
Protecting against phishing is a constant process. But if everyone is armed with the right knowledge, it’s possible to spot the red flags and make sure your business doesn’t become the criminals’ next victim.