Phishing is a type of online scam in which someone sends an email pretending to be someone else. Fraudsters might send messages impersonating your financial institutions to trick you into providing account information so they can steal your money. They might send messages directing you to websites that install malware, like viruses or spyware, on your computer. They might even send messages to your employees impersonating you or other company leaders.

Know the risks—and know what to do to reduce your risk.

Types of phishing attacks

There are different types of phishing attacks with slightly different aims.

Impersonating an organization like a financial institution, a government agency or an online store, and directing you to a fake website that instructs you to log in with your password or provide other information such as account information or Social Security numbers. They’ll try to create a sense of urgency by telling you there is some sort of problem, such as your account is in danger of suspension or that a recent order may be cancelled. They may reference events in the news, such as the COVID-19 pandemic, to get your attention.

Tricking you into installing malware on your computer, which scammers can then use to hold your valuable business data for ransom (called ransomware) or steal your passwords and account numbers as you type them into other sites. They might redirect you to a website that attempts to install the malware on your computer or displays misleading pop-ups tricking you into installing the software.

Asking for payments through business email compromise attacks. These emails specifically target businesses and attempt to impersonate company leaders, urging employees to wire money to a certain place. They may claim to be a vendor that needs to be paid or a customer who needs a refund, but the money will actually go to the scammers.

How to spot phishing

To reduce the risk of falling for phishing attacks, you and your employees should look carefully at all incoming emails before acting on them. If you fall for a phishing attack, you may lose money, or your computer systems may be taken down or compromised. You may suffer a damaging data breach that impacts employee and/or customer privacy and endangers your company’s reputation.

Phishing emails often have telltale signs they are fraudulent. Look for misspelled words and generic greetings. On a computer, move your mouse over links in the email—without clicking on them—to see the corresponding address and confirm they match the legitimate source the email claims to come from.

If an email comes from someone inside your organization and makes an unexpectedly urgent request, like asking for confidential information or a wire transfer, contact the sender some other way. Pick up the phone or send a text or instant message and confirm the email is genuine.

If you’re in doubt about whether an email is legitimate, contact the person or institution it claims to be from before you take any action or share any information. If it’s from a financial institution or store, reach out to them directly rather than clicking a link or calling a number in an email that could also be fraudulent and set up to support the email.

Keep phishing away from your business

Talk to employees about the risk of phishing and what to do if they spot suspicious emails. Set up procedures for specific situations, such as unexpected requests for money or information from people who claim to work within your organization.

Install reputable antivirus and other security software. Good software programs can update automatically to keep on top of the latest scams. Make sure your employees know how to recognize when the software flags email as potentially dangerous.

Report phishing attacks

If you do see incoming phishing attacks, warn your employees and coworkers to ensure they don’t accidentally fall prey to the scam.

You can report the attacks to an organization that tracks them. Tracking groups include the U.S. Computer Emergency Readiness Team within the Department of Homeland Security and the Anti-Phishing Working Group, a coalition of government and industry organizations.

If you see a phishing attack impersonating a particular business or organization, such as a vendor or bank you work with, be sure to let them know immediately.

When you get phished, take action

Disconnect the victim’s computer from your network so it can’t spread malware throughout your business. Scan it with antivirus software or call in a security expert for help. Consider erasing and reformatting the hard drive out of caution.

Figure out what confidential information might have been provided to the scammers. Change any passwords that may have been exposed, and contact financial institutions if account or credit card information may have been leaked or accessed. Keep an eye on your statements and accounts, and sign up for credit monitoring, if applicable.

Contact your insurer if you have coverage for cybersecurity issues and your attorney if you are concerned about your legal obligations.