The #1 cause of small business breaches. A widely cited industry figure puts the share of cyberattacks that begin with a phishing email at over 91%. This guide explains exactly what phishing is, how to recognize it, and what to teach your team, in plain language, with no IT background required.

You can have the best firewall in the world, strong passwords on every account, and a fully patched network, and one employee clicking the wrong link can undo all of it in seconds. That is what makes phishing so dangerous: rather than attacking your technical defenses head-on, it goes around them by targeting the people in your business. A firewall does not stop someone from typing their password into a convincing fake login page or approving a wire transfer to an attacker.

The good news is that phishing is also one of the most preventable threats. The attacks are not random. They follow predictable patterns. Once you and your team know what to look for, you become dramatically harder to fool.

What Is Phishing, Exactly?

Phishing is a social engineering attack in which someone pretends to be a trusted person or organization in order to trick you into handing over sensitive information or taking a harmful action. The name comes from "fishing" — attackers cast a wide net and wait for someone to bite.

The most common form is email phishing. You receive an email that appears to be from your bank, a vendor you work with, Microsoft, the IRS, or even someone inside your own company. The email asks you to click a link, open an attachment, confirm your password, or transfer money. If you do, the attacker gets what they came for.

Phishing attacks have become sophisticated enough that even cautious, experienced people get fooled. The emails look real. The websites they link to look real. The urgency feels real. Understanding the specific tactics they use is the most effective defense.

The 5 Most Common Phishing Tactics

1. Urgency and Fear

"Your account will be suspended in 24 hours." "Immediate action required." "Your payment has been declined."

Urgency is the phisher's most powerful weapon. When people feel rushed or scared, they skip the checks they would normally do. Any email that creates a strong sense of time pressure deserves extra scrutiny, not less.

2. Impersonating Trusted Brands

Emails that look like they are from Microsoft, PayPal, your bank, UPS, or the IRS.

Attackers copy logos, email formatting, and writing styles almost perfectly. The tell is the sender's actual email address. "support@micros0ft-help.com" is not Microsoft: the domain swaps a zero for the letter o and adds a word. Look at the domain, not the display name; the display name can say anything. Two caveats: a brand name appearing somewhere in the address is not enough ("paypal.com.secure-login.example.net" belongs to example.net, because only the last part of the domain counts), and a correct-looking domain is not proof on its own, because if the real company has not protected its domain with SPF, DKIM and DMARC, the From address can be forged outright.

3. Business Email Compromise (BEC)

An email that appears to come from your boss, a coworker, or a vendor asking for a wire transfer or gift cards.

This is the most costly form of phishing. The FBI's Internet Crime Complaint Center recorded over $2.7 billion in reported BEC losses in 2022 alone. The attacker may have studied your company for weeks and knows names, roles, and ongoing projects; the email may even come from a real coworker's or vendor's mailbox that has already been taken over, so a correct sender address proves nothing here. Always verify financial requests, and any change to a vendor's bank details, by calling the person directly using a number you already have, never one from the email.

4. Smishing (SMS Phishing)

Text messages claiming a package could not be delivered, your bank account has been locked, or a prize is waiting for you.

Phone numbers are easy to spoof, making smishing texts appear to come from legitimate sources. Shortened URLs in text messages — bit.ly, tinyurl, or similar — hide the real destination. Never click a link in an unexpected text. Go directly to the company's official website instead.

5. Vishing (Voice Phishing)

Phone calls from "Microsoft Support," "the IRS," or "your bank's fraud department."

Caller ID can be faked. Hang up immediately on any caller who says they are from your bank and asks you to confirm your account number, PIN, or a one-time code that was just sent to your phone; a real bank never asks for those. Call the bank back using the number on the back of your card. Real support teams will understand.

The 6 Red Flags Your Employees Must Know

Train your team to pause and check when they see any of these:

  1. Sender domain does not match. The display name says "PayPal" but the actual address is paypal-support@help-account.net.
  2. Unexpected urgency. Act now, respond within 24 hours, your account will be closed.
  3. Link URL does not match the text. Hover over the link before clicking. The real destination shown in the status bar of your browser or mail client is what matters, not the text of the link. On a phone, press and hold the link to preview the address instead.
  4. Request for payment or gift cards. No legitimate company or manager will ever ask for gift card codes as payment.
  5. Unexpected attachment. An invoice or document you were not expecting, especially .zip, .exe, or macro-enabled Office files (.docm, .xlsm).
  6. Request to keep it secret. "Do not tell anyone about this transfer." A legitimate request may be confidential, but it never requires skipping your normal approval process.

What to Do If Someone Clicks a Phishing Link

It happens to careful people too. The response in the first few minutes matters enormously:

  1. Disconnect from the network immediately. Turn off Wi-Fi or unplug the ethernet cable. This limits what any downloaded malware can do and stops it from spreading to other devices. If what you clicked was a login page and you typed a password into it, the attacker already has that password, so step 5 becomes the most urgent.
  2. Do not restart the computer. Some forensic evidence is lost on restart, and some malware completes its installation during a reboot.
  3. Do not delete anything. Leave everything as-is so an IT professional can assess what happened.
  4. Call your IT contact immediately. Time matters. The faster the response, the less damage.
  5. Change passwords from a different, unaffected device. Start with any account whose password you typed into the suspicious page, then email and banking. Change the same password anywhere else it was reused, sign out of all active sessions where the service offers it, and make sure multi-factor authentication is turned on.
  6. Document what happened. Write down what you clicked, when, and what you saw. This helps with the investigation and with any insurance claims or reporting obligations.

What Phishing Training Actually Looks Like

A lot of businesses try to train employees by sending them a PDF or making them watch a compliance video once a year. That does not work. Research consistently shows that awareness training is only effective when it is:

  • Scenario-based — real examples, not abstract concepts
  • Interactive — questions, discussions, and practice
  • Regular — phishing tactics evolve; training needs to keep up
  • Followed by simulated phishing — sending fake phishing emails to see who clicks, then coaching those who do without embarrassment

Our phishing awareness training sessions cover all five attack types above, walk through real examples, and leave your team with a clear set of mental rules for evaluating suspicious messages. We tailor the content to your industry and the specific threats your type of business faces.

Train Your Team Before an Attacker Does

Our phishing awareness training is practical, engaging, and specifically designed for small businesses. One session can permanently change how your team responds to suspicious messages.
