Skip to main content

Phishing scammers have gotten more sophisticated. They still send out mass emails asking consumers for credit card numbers or bank account information. But they’re also targeting small businesses by imitating the look of messages your employees routinely receive. The FTC has new resources to help small businesses address cybersecurity, including the risks posed by phishing.

How phishing works

PhishingWhen phishing scammers hit small businesses, they often send you or your employees emails or texts that appear to come from a familiar source – perhaps a vendor, a client, or even a co-worker at your company. To add to the apparent authenticity, crooks may mimic recognizable email addresses or embed cut-and-pasted corporate logos. What’s more, enterprising fraudsters may search publicly available sources for the name of a colleague at your business, and use it to overcome an employee’s initial suspicions. (“Fred from Accounting said I should contact you.”)

Once the phishing scammer has an employee on the hook, they’ll ask for account information or insist that a company higher-up needs money wired immediately for a business transaction. Or they may direct your staffer to click on an innocent-looking link that secretly installs malicious code or even ransomware.

What you can do

Train your staff to take five before responding. They should mention the message to a co-worker, who may have been targeted, too. They should call the purported client, company, or colleague using a phone number they know to be genuine to determine if the email or text is legit. The FTC’s factsheet includes more practical tips to impart when educating your employees about the ways and wiles of phishing.

How to protect your business

Keep your security current with the latest patches and updates. Install a safety net by using additional means of protection. For example, email authentication software can help prevent phishing emails from reaching your company’s inboxes in the first place. Intrusion prevention software can serve as a sentry to keep cyber crooks at bay. In addition, back up your data regularly by saving important files to a drive or server not connected to your network. The factsheet features additional suggestions.

What if a phishing scheme strikes your company?

Have a copy of the FTC’s Data Breach Response: A Guide for Business on hand before you need it. As the Guide recommends, limit the damage by disconnecting from the network any computers or devices infected with malware. Follow your company’s procedures for looping in staff members or contractors who help with IT. If personal information has been compromised, notify the affected parties. They could be at risk for identity theft.

Report phishing attempts to the FTC’s emailbox,, and to Also notify the Anti-Phishing Working Group – a public-private partnership that includes ISPs, security companies, financial institutions, and law enforcement agencies – at And let the company or person who was impersonated know their good name is being used in a phishing scheme.

Next: Business email imposters


Brian Traian P…
December 03, 2018
Even the Courts of Law have been influenced to negate the existence of Phishing, may as well state that there is no internet
anthony galindo
December 01, 2018
So yeah um i got scammed buying an account for something and basically the account doesnt even work. i wasted 50 bucks on it and the seller wont answer me please help me
November 21, 2019
Someone at the number 863-692-6083 contacted me claiming to be CHase Bank (my bank) and said my account was blocked due to unusual activity (and I had made some unusual purchases, so I was fooled). I called the number provided 863-692-6083 and was asked for my ASTM debit card number and my security code which I stupidly gave. It crossed my mind after I hung up that the voice on the recording seemed weird- so I called my bank who told me my card had not been blocked. I canceled my atm card before it could be used. No actual crime had been committed because I caught it in time - or so I think unless phishing is illegal even if the information isn't successfully used. My bank told me they could not report it since money had not been taken successfully.

Get Business Blog updates