Phishing tactics can target any internet user, but the results can be particularly devastating when your small business is affected. Losses from business email compromise scams reached $2.7 billion in 2018, according to the FBI’s Internet Crime Report, with no sign of the problem ending anytime soon.

To protect your business, it’s important to know about the most common phishing tactics and what you can do to protect against them.

10 Common Phishing Tactics

  • Sending you an invoice: A well-known company, bank or vendor emails an invoice with instructions to click a link to make a payment, but the link takes the user to a hacker’s site set up to steal their personal and financial information.
  • Requesting you reset a password: A familiar third-party brand seemingly emails about a security breach that’s affected your account. Again there is a malicious link to reset your password or otherwise verify your information.
  • Asking you to update payment info: An email arrives from what seems to be a legitimate vendor claiming your recent order can’t be shipped until your payment details are updated.
  • Prompting you to click a download link: A scammer sends an email offer with a download link, which if clicked, will download a malicious file onto the user’s computer.
  • Impersonating a boss or VIP: A fake email arrives appearing to be from the user’s boss or a business VIP with an urgent request for private company information, login or password details, or financial credentials.
  • Using compromised credentials: As a variation on the above, a user receives an email from their real boss or coworker asking for sensitive payment or login information. In this case, the scammer gained access to the boss’s email before attempting to use it to gain additional access to systems or finances.
  • Faking websites and URL addresses: A user clicks on a link in an email that appears to take them to the correct website, but it’s a fake, designed to look like the original, with a URL that is similar enough to deceive at first glance.
  • Compromising real websites: A user visits a well-known third-party website that a hacker has targeted and compromised by exploiting a vulnerability. From there, the hacker can launch an attack against the user’s computer. In one such famous “Watering Hole” attack, a Department of Labor web page was hacked to get to user’s computers.
  • Hiding links in PDF and Office attachments: A scammer sends an email with a PDF or Microsoft Office attachment. There’s nothing malicious about the attachment file’s code itself, but links within the file, if clicked, will send the user to a hacker’s website.
  • Targeting Office 365 users: Because of its popularity as a business solution, scammers tailor a phishing email scam to evade Office 365’s security features, giving users who relying on those security features a false sense of security and possibly leading to a hack.

What to Do

You can reduce your risk of becoming a victim of these and other phishing attacks by knowing these common tactics, sharing them with your employees and paying attention to the details on the screen. Here’s how:

  • Slow down. Be especially cautious with unusually urgent requests.
  • Check the details. Ensure senders, links and downloads are all authentic.
  • Be aware of URL addresses. Verify the authenticity of links by typing out addresses or using search tools.
  • Keep the possibility of phishing top of mind. Attacks are incredibly common and get more sophisticated every year.
  • Be wary of downloads. The safest downloads are those where you personally know the sender and are expecting a file from them. If in doubt, check with the sender before downloading.

More Steps You Can Take

  • Conduct a cyber audit to identify weaknesses before hackers do.
  • Train employees on phishing detection and avoidance.
  • Make cyber security a part of your onboarding process.
  • Invest in firewall and antivirus tools.
  • Install necessary security software patches and updates.
  • Consider purchasing Cyber Liability Insurance.


Remember that phishing scammers rely on social trust factors as well as technical vulnerabilities. You can help protect your business by thinking first before you click.