Most cyberattacks on small businesses do not start with a brilliant hacker breaking through a firewall. They start with an email, and someone clicking it. Phishing is the practice of tricking a person into handing over a password, opening a malicious file, or sending money. It works because it targets people, not technology.

The good news: phishing emails follow patterns. Once your team knows the red flags, the easiest way into your business gets a lot harder to use.

What a phishing email wants

Every phishing message is trying to get you to do one of three things: click a link, open an attachment, or reply with information or money. Keep that in mind and the warning signs become easier to spot.

The red flags

No single sign is proof, but two or more together should stop you cold.

  • A sense of urgency or fear. "Your account will be closed," "invoice overdue," "action required in 24 hours." Pressure is designed to make you act before you think.
  • An unexpected request. A message asking you to log in, confirm a payment, or buy gift cards, when you were not expecting it, deserves a second look.
  • A mismatched sender. The display name says "Microsoft" or your CEO, but the actual email address is a string of random characters or a look-alike domain.
  • Links that do not match. Hover over a link (do not click) and check whether the address matches the company it claims to be from. On a phone you cannot hover, so press and hold the link to preview the address instead.
  • Generic greetings. "Dear Customer" or "Dear User" from a company that knows your name.
  • Attachments you did not ask for. Especially invoices, shipping notices, or "scanned documents."

One older tip, watching for spelling and grammar mistakes, is now less reliable: attackers increasingly use AI to write clean, professional messages. Judge the request, not just the writing.
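As an added example for this section (not code from the article or from Flexnet Networks), here is a small Python checker that applies the red flags above to a raw email: it compares the display name against the real sending domain, undoes common digit-for-letter substitutions to catch look-alike domains, checks visible link text against the real link target, and looks for urgency phrases and generic greetings. The brand list, the staff directory used for the "your CEO" case, the phrase list and the sample message are all constructed for the demo; a real deployment would use your own directory and a much longer phrase list.

```python
"""Added example for this article: a small checker that applies the red flags
above (urgency, mismatched sender, look-alike domain, mismatched links, generic
greeting) to a raw email. Illustrative code, not a Flexnet Networks tool; the
brand list, staff directory and sample message are constructed for the demo."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Demo assumptions: brands commonly impersonated, and the staff directory of a
# fictional business (name -> domain their mail really comes from).
IMPERSONATED_BRANDS = ("microsoft", "paypal", "amazon", "dhl")
STAFF_DIRECTORY = {"pat lee": "example-smallbiz.com"}  # e.g. the CEO
URGENCY_PHRASES = ("action required", "will be closed", "24 hours", "overdue", "verify now")
LOOKALIKE = str.maketrans("0135", "oles")  # digits attackers swap in for letters

# Constructed sample message that trips several flags at once.
SAMPLE_EMAIL = """\
From: Microsoft Account Team <security@micros0ft-support.com>
To: owner@example-smallbiz.com
Subject: Action required: your account will be closed in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>Unusual sign-in activity was detected. Verify now or your account will be closed.</p>
<p><a href="http://login-verify.example.net/ms">https://login.microsoft.com/</a></p>
</body></html>
"""


def registered_domain(host):
    """'login.microsoft.com' -> 'microsoft.com' (last two labels; enough for the demo)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_email(raw):
    """Return a list of 'code: detail' strings, one per red flag found."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    name = display_name.lower()

    # Mismatched sender: display name claims a brand or a colleague, but the
    # real address is on some other domain.
    for brand in IMPERSONATED_BRANDS:
        if brand in name and brand not in sender_domain:
            flags.append(f"sender-mismatch: '{display_name}' sent from {sender_domain}")
            if brand in sender_domain.translate(LOOKALIKE):
                flags.append(f"lookalike-domain: {sender_domain} imitates {brand}")
    for person, home_domain in STAFF_DIRECTORY.items():
        if person in name and sender_domain != home_domain:
            flags.append(f"sender-mismatch: '{display_name}' sent from {sender_domain}, not {home_domain}")

    # Pull the text once; HTML preferred so links can be inspected.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    haystack = (msg.get("Subject", "") + "\n" + text).lower()

    # Urgency or fear wording in subject or body.
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        flags.append("urgency: " + ", ".join(hits))

    # Generic greeting instead of the recipient's name.
    if re.search(r"\bdear (customer|user|client|member)\b", text, re.I):
        flags.append("generic-greeting: message does not use the recipient's name")

    # Links whose visible text names one domain but whose href goes elsewhere.
    parser = LinkExtractor()
    parser.feed(text)
    for href, visible in parser.links:
        shown = urlparse(visible).hostname if visible.startswith(("http://", "https://")) else None
        real = urlparse(href).hostname or ""
        if shown and registered_domain(shown) != registered_domain(real):
            flags.append(f"link-mismatch: text shows {shown} but href goes to {real}")
    return flags


def verdict(flags):
    """The article's rule of thumb: two or more flags together means stop."""
    return "STOP: do not click, verify out of band" if len(flags) >= 2 else "probably fine"


if __name__ == "__main__":
    found = check_email(SAMPLE_EMAIL)
    print("\n".join(found))
    print(verdict(found))
```

Run on the sample it reports five flags (sender mismatch, look-alike domain, urgency, generic greeting, link mismatch), so the verdict is to stop. A plain message from a colleague at their own domain yields none. The checks are deliberately simple heuristics, not a substitute for your mail provider's filtering; their value here is to make the red flags concrete.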

How to check a suspicious email safely

If something feels off:

  1. Do not click or reply. Replying confirms your address is live.
  2. Verify through a channel you trust. If "your bank" or "your vendor" emails an urgent request, call them on a number you already have, not one from the email.
  3. Hover, don't click. Check where links actually go before deciding.
  4. Report it. Use your email platform's "Report phishing" button so the message can be removed for everyone.
  5. If you already clicked, opened the attachment, or typed a password, say so right away. The sooner IT knows, the sooner the password can be changed and the damage contained.

Make reporting normal

The strongest defense is a team that reports suspicious emails without hesitation. Make it clear that reporting a real email by mistake is fine, nobody will be blamed for being careful. The FTC and CISA both recommend regular, short training so spotting phishing becomes a habit rather than a one-time lesson.

A confident, slightly skeptical team is worth more than any single security product. If you would like help setting up phishing reporting, simulated phishing tests, or staff training, the Flexnet Networks team can put that in place for you.
