It’s likely you’ve heard of phishing and know it’s something you want to avoid.

But do you know what it really means and exactly how a phishing attack works?

In our experience, lots of people don’t know the specifics. And that’s OK. But the key to keeping your business protected from phishing attacks is to know exactly how they work and the red flags to look out for.

This guide is here to do just that.


It’s called ‘phishing’ because cyber criminals bait unsuspecting victims into ‘biting’, just like you’d lure a fish to a hook with a big juicy maggot.

This virtual bait is usually in the form of an email. And when the victim gets hooked, their device and potentially their whole network can become infected with malware.

Or the victim is enticed into giving away login credentials which can lead to data and even financial theft.

Phishing isn’t just inconvenient. Fixing the damage takes a huge amount of time, expense and stress.

Understand this: You want to avoid a phishing attack.

Oh, and phishing doesn’t always come in the form of an email either. But more on that later.


A phishing email will drop into your inbox like any normal email.

Often, it’ll look like it’s been sent from a legitimate sender, so you don’t suspect anything is wrong.

This is dangerous when it’s pretending to be from a popular company, like Amazon or PayPal.

But in some cases, the attacker will have learnt information about you, such as the services you subscribe to, and the email becomes all the more believable – and riskier.

At a glance, the email won’t look suspicious. Everything is as it’s supposed to be, so it’s likely you won’t question the contents… especially as it’s often an urgent request for you to act, which can be distracting in itself.

This urgent request will work in different ways: It can ask you to open an attached file, perhaps asking you to confirm details of a recent purchase.

By doing this, your device may become infected with malware. And if that device is connected to a network, it’s possible the malware could spread to other devices.

Another common approach is to ask you to click a link. This might take you to a fake page (known as a spoof web page) pretending to be a service you really use… and when you log in, you have handed your login details to the criminals.


Sorry to say it, but everyone in your business and especially you, as the boss (see whaling, above). It’s a real threat you need to take seriously.

This isn’t something you can ignore as “it’ll never be targeted at us, we’re too small or obscure a business.”

Cyber criminals use automated tools to target all businesses, all the time.

You don’t read about small businesses being affected, as those stories don’t end up in the news.


Some of the biggest companies in the world have been fooled by phishing scams.

Between 2013 and 2015, Facebook and Google were scammed out of $100 million when cyber criminals carried out an extended phishing campaign.

They took advantage of the fact that both companies used the same Taiwanese vendor, Quanta. They sent a series of invoices pretending to be from Quanta, and both Facebook and Google paid.

When the scam was discovered, it was taken to the US courts. The attacker was arrested and extradited from Lithuania, and Facebook and Google recovered just under half of what was stolen.

In 2014, Sony Pictures became the victim of a phishing attack that wasn’t about money. The attackers were believed to have a connection to North Korea, and targeted Sony because of a movie mocking Kim Jong Un that it refused to withdraw.

The cyber criminals used fake emails to steal huge amounts of information from Sony’s network. That included email conversations about staff members, scripts, and employees’ personal information.

They even gained access to Sony’s offices by tricking their way in. Then they impersonated IT staff and installed malware on Sony’s systems.

The attack ended up costing Sony around $35 million in IT repairs.


As with most types of cybercrime, protection against phishing starts with education.

Everyone in your entire business should have regular cyber security awareness training.

And we really do mean everyone. Because if someone is using any device, they need to be aware of the risks and the red flags to look out for.

Those red flags may point to a phishing attempt, or to one of the other forms of cyber attack that businesses like yours face every day.

When it comes to phishing attacks, there are a number of warning signs you and your team should be on the lookout for:

  • Misspelled words, websites, or email addresses
  • Oddly named attachments
  • Who the email is addressed to
  • Poor grammar and punctuation
  • An unusual layout to the email
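Several of these red flags can be checked mechanically before a message ever reaches a person. The following is an added example, not code from this guide: a small Python checker that parses one raw email and reports a look-alike sender domain, a brand name in the display name that the address doesn’t match, a generic salutation, pressure wording, and an oddly named attachment. The brand list, the wording lists and the sample message are all constructed for the example.

```python
import re
from email import message_from_string, policy, utils
from email.message import EmailMessage
# Constructed for this example: brands the guide names and their genuine domains.
KNOWN_BRANDS = {"paypal.com", "amazon.com"}
URGENCY = ("urgent", "immediately", "within 24 hours", "suspended", "verify now")
GENERIC_GREETING = re.compile(r"^\s*(dear|hello|hi)\s+(customer|user|client|member)\b", re.I)
# Executables, or a document extension hiding a second one ("invoice.pdf.exe").
RISKY_NAME = re.compile(r"\.(exe|scr|js|vbs|bat|cmd)$|\.(pdf|docx?|xlsx?)\.\w{2,4}$", re.I)

def imitated_brand(domain):
    """Brand whose domain this sender domain imitates (paypa1.com -> paypal.com), else None."""
    norm = domain.lower().translate(str.maketrans("10", "lo"))  # digit look-alikes
    for brand in KNOWN_BRANDS:
        if domain == brand or domain.endswith("." + brand):
            return None  # genuinely the brand's own domain
        if brand.split(".")[0] in norm:
            return brand
    return None

def red_flags(raw):
    """Return the guide's red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = utils.parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    brand = imitated_brand(domain)
    if brand:
        flags.append(f"sender domain {domain} imitates {brand}")
    elif domain not in KNOWN_BRANDS and any(b.split(".")[0] in name.lower() for b in KNOWN_BRANDS):
        flags.append(f"display name '{name}' claims a brand but the address is {addr}")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    if GENERIC_GREETING.match(body):
        flags.append("generic greeting instead of your name")
    if any(w in (msg.get("Subject", "") + " " + body).lower() for w in URGENCY):
        flags.append("pressure to act urgently")
    for part in msg.iter_attachments():
        fn = part.get_filename() or ""
        if RISKY_NAME.search(fn):
            flags.append(f"oddly named attachment {fn}")
    return flags

def sample_phish():
    """A constructed phishing message that shows several red flags at once."""
    m = EmailMessage()
    m["From"] = "PayPal Billing <billing@paypa1.com>"
    m["Subject"] = "URGENT: confirm your recent purchase"
    m.set_content("Dear Customer,\nYour account will be suspended. Open the attached invoice immediately.\n")
    m.add_attachment(b"not a real pdf", maintype="application", subtype="octet-stream", filename="invoice.pdf.exe")
    return m.as_string()
```

Heuristics like these only catch the clumsy cases; the well-researched email described earlier will pass most of them, which is why the training comes first.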