Skip to main content

Phishing scammers have gotten more sophisticated. They still send out mass emails asking consumers for credit card numbers or bank account information. But they’re also targeting small businesses by imitating the look of messages your employees routinely receive. The FTC has new resources to help small businesses address cybersecurity, including the risks posed by phishing.

How phishing works

PhishingWhen phishing scammers hit small businesses, they often send you or your employees emails or texts that appear to come from a familiar source – perhaps a vendor, a client, or even a co-worker at your company. To add to the apparent authenticity, crooks may mimic recognizable email addresses or embed cut-and-pasted corporate logos. What’s more, enterprising fraudsters may search publicly available sources for the name of a colleague at your business, and use it to overcome an employee’s initial suspicions. (“Fred from Accounting said I should contact you.”)

Once the phishing scammer has an employee on the hook, they’ll ask for account information or insist that a company higher-up needs money wired immediately for a business transaction. Or they may direct your staffer to click on an innocent-looking link that secretly installs malicious code or even ransomware.

What you can do

Train your staff to take five before responding. They should mention the message to a co-worker, who may have been targeted, too. They should call the purported client, company, or colleague using a phone number they know to be genuine to determine if the email or text is legit. The FTC’s factsheet includes more practical tips to impart when educating your employees about the ways and wiles of phishing.

How to protect your business

Keep your security current with the latest patches and updates. Install a safety net by using additional means of protection. For example, email authentication software can help prevent phishing emails from reaching your company’s inboxes in the first place. Intrusion prevention software can serve as a sentry to keep cyber crooks at bay. In addition, back up your data regularly by saving important files to a drive or server not connected to your network. The factsheet features additional suggestions.

What if a phishing scheme strikes your company?

Have a copy of the FTC’s Data Breach Response: A Guide for Business on hand before you need it. As the Guide recommends, limit the damage by disconnecting from the network any computers or devices infected with malware. Follow your company’s procedures for looping in staff members or contractors who help with IT. If personal information has been compromised, notify the affected parties. They could be at risk for identity theft.

Report phishing attempts to the FTC’s emailbox,, and to Also notify the Anti-Phishing Working Group – a public-private partnership that includes ISPs, security companies, financial institutions, and law enforcement agencies – at And let the company or person who was impersonated know their good name is being used in a phishing scheme.

Next: Business email imposters

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.

The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.

  • We won’t post off-topic comments, repeated identical comments, or comments that include sales pitches or promotions.
  • We won’t post comments that include vulgar messages, personal attacks by name, or offensive terms that target specific people or groups.
  • We won’t post threats, defamatory statements, or suggestions or encouragement of illegal activity.
  • We won’t post comments that include personal information, like Social Security numbers, account numbers, home addresses, and email addresses. To file a detailed report about a scam, go to

We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.

Brian Traian P…
December 03, 2018
Even the Courts of Law have been influenced to negate the existence of Phishing, may as well state that there is no internet
anthony galindo
December 01, 2018
So yeah um i got scammed buying an account for something and basically the account doesnt even work. i wasted 50 bucks on it and the seller wont answer me please help me
November 21, 2019
Someone at the number 863-692-6083 contacted me claiming to be CHase Bank (my bank) and said my account was blocked due to unusual activity (and I had made some unusual purchases, so I was fooled). I called the number provided 863-692-6083 and was asked for my ASTM debit card number and my security code which I stupidly gave. It crossed my mind after I hung up that the voice on the recording seemed weird- so I called my bank who told me my card had not been blocked. I canceled my atm card before it could be used. No actual crime had been committed because I caught it in time - or so I think unless phishing is illegal even if the information isn't successfully used. My bank told me they could not report it since money had not been taken successfully.

More from the Business Blog

Get Business Blog updates