Phishing tricks a person into clicking a malicious link, opening a bad attachment, or typing a password (and often the MFA code that follows it) into a fake login page. It arrives by email, SMS ("smishing"), WhatsApp, or phone ("vishing"). Teach your team the signs below and most attacks fail before they start.
The red flags
- Urgency and pressure. "Your account will be closed in 24 hours." Fear makes people click.
- Unexpected requests. A supplier suddenly changes bank details; the "CEO" asks for a gift card or urgent transfer.
- Mismatched sender. The display name looks right but the real address is off (e.g. support@micros0ft-secure.com).
- Suspicious links. Hover (or long-press on a phone) to see the real destination before clicking. In a phishing email the destination usually differs from the link text, or lands on a domain that merely resembles the real one.
- Unexpected attachments. Especially invoices, "receipts," or Office files that ask you to enable macros. Current Office versions block macros in files that came from the internet, so a document that tells you to unblock them is itself a red flag.
- Generic greetings and odd language. "Dear customer," strange phrasing, or subtle spelling errors.
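Several of these red flags can be checked by a machine before a person ever sees the message. The script below is an added example, not part of the original page: it parses a constructed sample email (not a real phish) and reports a display name that claims a brand the sender's domain doesn't belong to, lookalike domains built from digit and letter-pair substitutions, urgency wording, generic greetings, and links whose visible text disagrees with their real destination. The trusted-domain list is an assumption; substitute the domains your organisation actually corresponds with.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains your organisation legitimately receives mail from.
TRUSTED_DOMAINS = {"microsoft.com", "example.org"}

# Constructed sample message (not a real phish) that trips every check below.
SAMPLE = """\
From: Microsoft Support <support@micros0ft-secure.com>
To: alice@example.org
Subject: Action required: your account will be closed in 24 hours
Content-Type: text/html; charset=utf-8

<p>Dear customer,</p>
<p>Verify now at <a href="http://login.micros0ft-secure.com/verify">https://login.microsoft.com</a>
or your mailbox will be suspended.</p>
"""

# Substitutions commonly used to build lookalike domains (0->o, 1->l, rn->m, vv->w).
_GLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
_URGENCY = re.compile(r"\b(immediately|within \d+ hours|will be (closed|suspended)|action required)\b", re.I)
_GENERIC = re.compile(r"\bdear (customer|user|member)\b", re.I)


def normalize_domain(domain):
    """Undo the usual lookalike tricks so micros0ft and rnicrosoft both read microsoft."""
    return domain.lower().translate(_GLYPHS).replace("rn", "m").replace("vv", "w")


def is_lookalike(domain, trusted=TRUSTED_DOMAINS):
    """True when a domain is neither trusted nor a subdomain of a trusted domain,
    yet reuses a trusted brand label (microsoft.com.evil.net, micros0ft-secure.com)."""
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return False
    labels = set(re.split(r"[.-]", normalize_domain(domain)))
    return any(t.split(".")[0] in labels for t in trusted)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_message(raw):
    """Return the list of red flags found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []

    # Mismatched sender: display name claims a brand the address doesn't belong to.
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claimed = [t for t in TRUSTED_DOMAINS if t.split(".")[0] in name.lower()]
    if claimed and domain not in TRUSTED_DOMAINS:
        flags.append(f"display name '{name}' suggests {claimed[0]} but address is @{domain}")
    if is_lookalike(domain):
        flags.append(f"sender domain {domain} is a lookalike of a trusted domain")

    # Urgency and generic greetings, checked on the subject plus the tag-stripped body.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    text = msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)
    if _URGENCY.search(text):
        flags.append("urgency or pressure language")
    if _GENERIC.search(text):
        flags.append("generic greeting")

    # Suspicious links: the visible URL text disagrees with the real destination.
    collector = _LinkCollector()
    collector.feed(body)
    for href, anchor in collector.links:
        real = (urlparse(href).hostname or "").lower()
        shown = (urlparse(anchor).hostname or "").lower() if anchor.startswith("http") else ""
        if shown and shown != real:
            flags.append(f"link text shows {shown} but points to {real}")
        if is_lookalike(real):
            flags.append(f"link destination {real} is a lookalike domain")
    return flags


if __name__ == "__main__":
    for flag in check_message(SAMPLE):
        print("RED FLAG:", flag)
```

On the sample, `check_message` returns six flags. The lookalike check is deliberately a heuristic: it catches brand names smuggled into other labels (`microsoft.com.evil.net`) and common glyph swaps, but it will not catch a freshly registered domain that shares no label with anything on your trusted list, which is why the human rules in the next section still matter.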
Two rules that stop most attacks
- Verify money and credential requests on a second channel. If an email asks to change bank details or send funds, call the person on a known number. Never use the contact details in the suspicious message.
- Never enter your password after clicking an email link. Go to the site directly by typing the address or using a bookmark. A password manager helps here: it will not autofill credentials on a domain that differs from the one it saved them for, so a lookalike login page stays conspicuously empty.
Build defenses beyond people
- Turn on MFA everywhere. It limits the damage of a stolen password, but one-time codes can still be relayed in real time by a phishing page that proxies the real login, so prefer phishing-resistant methods (FIDO2 security keys or passkeys) for email and admin accounts.
- Use email filtering with link and attachment scanning.
- Publish SPF and DKIM for every domain that sends mail, then a DMARC policy of p=quarantine or p=reject, so mail that forges your exact domain is dropped by receivers. This does nothing against lookalike domains such as micros0ft-secure.com; those still depend on the human checks above.
- Run security awareness training and occasional simulated phishing tests.
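The SPF and DMARC records are plain TXT strings, and the difference between a monitoring-only setup and one that actually blocks forged mail comes down to a few tags. The linter below is an added example, not from the page: it parses constructed records (a weak pair beside a hardened pair, not real DNS data) and reports the settings that leave a domain spoofable. In practice you would feed it the output of `dig TXT example.org` and `dig TXT _dmarc.example.org`; the domain names here are placeholders.

```python
import re

# Constructed records: the weak pair beside the hardened pair (not real DNS data).
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.org; adkim=s; aspf=s"

# SPF mechanisms and modifiers that cost a DNS lookup; RFC 7208 allows at most 10.
_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lint_spf(record):
    """Return findings for an SPF TXT record; an empty list means nothing weak was found."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    last = terms[-1].lower()
    if last in ("all", "+all", "?all"):
        findings.append(f"'{last}' lets any host pass SPF for this domain")
    elif last == "~all":
        findings.append("~all (softfail) only marks forged mail; use -all, or rely on DMARC p=reject")
    elif last != "-all":
        findings.append("no terminal 'all': unmatched senders get a neutral result")
    lookups = 0
    for term in terms[1:]:
        name = re.match(r"^[+\-~?]?([a-z]+)", term.lower())
        if name and name.group(1) in _LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10, so receivers return permerror")
    return findings


def lint_dmarc(record):
    """Return findings for a DMARC TXT record (published at _dmarc.<domain>)."""
    tags = {}
    for kv in record.split(";"):
        if "=" in kv:
            key, value = kv.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p")
    if policy == "none":
        findings.append("p=none only monitors; forged mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    if tags.get("sp", policy) == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("no rua=: you will not see who is sending as your domain")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']} applies the policy to only part of failing mail")
    return findings


if __name__ == "__main__":
    for label, record, lint in (("weak SPF", WEAK_SPF, lint_spf), ("weak DMARC", WEAK_DMARC, lint_dmarc),
                                ("strong SPF", STRONG_SPF, lint_spf), ("strong DMARC", STRONG_DMARC, lint_dmarc)):
        print(label, lint(record) or ["ok"])
```

Roll out DMARC in stages: start at p=none with rua= set so you learn which legitimate services send as your domain, add them to SPF or sign them with DKIM, then move to p=quarantine and finally p=reject. The linter flags p=none because it is the stage organisations most often get stuck at.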
If someone clicks: don't blame them; speed matters more than shame. Have them report it immediately, then change the affected password, sign out all sessions (a password change does not by itself end sessions or tokens that are already open), and check the account for new inbox rules, forwarding addresses, or newly registered MFA methods that an attacker may have added to keep access. Fast reporting turns a near-miss into a non-event.
Give your team the reflex
Our Security Awareness sessions teach staff to spot and report phishing, and an optional simulated phishing test shows where the gaps are — without embarrassing anyone.