What is phishing?
Phishing is a fraudulent message, most often an email, that impersonates someone the recipient trusts and tries to trick them into clicking a link, opening an attachment, sharing sensitive information, or signing in to a fake website.
Simple example
A small business receives an email that looks like it came from Microsoft. The message says the user’s mailbox will be disabled unless they verify their password.
Why it matters
Phishing is one of the most common ways attackers get into business accounts. One successful message can lead to stolen passwords, invoice fraud, malware infection, or unauthorised access to cloud services.
Common warning signs
- The activity is unexpected or unusual for the business context.
- The request or system behaviour creates pressure to act quickly.
- Normal approval, verification, or security processes are bypassed.
- There are signs of unauthorised access, data exposure, or system change.
- Staff are unsure whether the request, message, or system behaviour is legitimate.
Cyber Doc view
This term should be understood in a business context, not only as a technical issue. Good protection usually combines clear processes, appropriate technical controls, staff awareness, and a calm response plan.
What to do
Proactive steps
- Use multi-factor authentication on important accounts.
- Train staff to pause before clicking links or opening unexpected attachments.
- Check sender addresses carefully, especially for payment or password-related messages.
- Use email security filtering where possible.
- Verify banking detail changes by phone using a trusted number.
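As an added example that is not part of the original page, the following Python script applies several of the checks above to a single message: whether the displayed brand matches the sending domain, whether replies are steered to a different domain, whether the wording pressures the reader to act quickly, and whether a link's visible text matches where it actually points. It runs over a constructed message modelled on the "mailbox will be disabled" lure described earlier. The sample addresses and domains, the brand-to-domain table and the urgency phrase list are assumptions made for this example, not data from the page.

```python
"""Flag common phishing warning signs in a raw email message (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample imitating the "mailbox will be disabled" lure.
# Every address and domain below is made up for this example.
SAMPLE_EMAIL = """\
From: "Microsoft 365 Support" <alerts@m1crosoft-notify.example>
Reply-To: support@mailbox-recovery.example
To: owner@smallbusiness.example
Subject: Action required: your mailbox will be disabled in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected unusual sign-in activity. Verify your password immediately
or your mailbox will be disabled.</p>
<p><a href="https://login.m1crosoft-notify.example/verify">https://login.microsoft.com</a></p>
</body></html>
"""

# Brands attackers imitate, mapped to domains that legitimately send for them.
# Assumed table for the example; a real deployment keeps this in configuration.
BRAND_DOMAINS = {"microsoft": {"microsoft.com", "microsoftonline.com"}}

# Wording that creates pressure to act quickly (assumed list).
URGENCY_PHRASES = (
    "immediately", "within 24 hours", "in 24 hours", "will be disabled",
    "verify your password", "action required", "account suspended",
)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _host(url):
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(raw_message):
    """Return a list of human-readable warning signs found in the message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Display name claims a brand, but the sending domain is not that brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and not any(
            from_domain == d or from_domain.endswith("." + d) for d in domains
        ):
            findings.append(f"display name mentions '{brand}' but sender domain is {from_domain}")

    # 2. Replies go to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from sender domain {from_domain}")

    # 3. Pressure to act quickly, checked over subject and tag-stripped body.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    haystack = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", text)).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 4. Link text shows one site, but the href points somewhere else.
    collector = _LinkCollector()
    collector.feed(text)
    for href, shown in collector.links:
        shown_host = _host(shown if "://" in shown else "http://" + shown)
        if shown_host and shown_host != _host(href):
            findings.append(f"link text shows {shown_host} but points to {_host(href)}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("-", finding)
```

None of these checks is proof on its own; legitimate mail from a third-party sending service can trip the Reply-To check, for example. The value is that a message scoring on several of them at once, as the sample does, is exactly the kind that staff should pause on and verify through a trusted channel.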
Reactive steps
- Do not reply to the suspicious message.
- If a password was entered, change it immediately from the real website or app.
- Check mailbox rules, forwarding rules, and recent login activity.
- If payments are involved, contact the bank or supplier using trusted details.
- Preserve the email and any related logs or screenshots for investigation.
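Checking mailbox rules after a suspected phishing incident is the step most often skipped, so here is an added example (not from the original page) of what to look for once the rules have been exported: forwarding to an address outside the business, rules that silently delete mail about invoices or passwords, and rules with blank or one-character names. The rule records and the field names are constructed assumptions for this example; map them to whatever your mail platform's export actually provides.

```python
"""Flag inbox rules that commonly indicate a compromised mailbox (added example)."""

INTERNAL_DOMAIN = "smallbusiness.example"  # assumed business domain

# Constructed sample of exported inbox rules. Field names are assumptions for
# this example, not the schema of any particular mail platform.
SAMPLE_RULES = [
    {"name": "Sync", "forward_to": ["archive@free-mail.example"],
     "delete": False, "subject_contains": []},
    {"name": ".", "forward_to": [],
     "delete": True, "subject_contains": ["invoice", "payment", "password"]},
    {"name": "Newsletters", "forward_to": [],
     "delete": False, "subject_contains": ["newsletter"]},
]

# Subjects an intruder typically wants to hide from the mailbox owner.
SUSPICIOUS_KEYWORDS = {"invoice", "payment", "password", "bank", "security"}


def suspicious_rules(rules, internal_domain=INTERNAL_DOMAIN):
    """Return (rule name, reasons) for each rule that looks like attacker persistence."""
    results = []
    for rule in rules:
        reasons = []
        name = rule.get("name", "")

        # Forwarding outside the business is the classic sign of a silent copy of all mail.
        external = [a for a in rule.get("forward_to", [])
                    if not a.lower().endswith("@" + internal_domain)]
        if external:
            reasons.append("forwards mail outside the business: " + ", ".join(external))

        # Deleting messages about money or credentials hides fraud from the owner.
        keywords = {k.lower() for k in rule.get("subject_contains", [])} & SUSPICIOUS_KEYWORDS
        if rule.get("delete") and keywords:
            reasons.append("deletes messages mentioning " + ", ".join(sorted(keywords)))

        # Intruders often give rules a blank or single-character name to avoid notice.
        if len(name.strip()) <= 1:
            reasons.append("rule name is blank or a single character")

        if reasons:
            results.append((name, reasons))
    return results


if __name__ == "__main__":
    for name, reasons in suspicious_rules(SAMPLE_RULES):
        print(f"rule {name!r}: " + "; ".join(reasons))
```

Review hits together with recent login activity: a rule created at the same time as a sign-in from an unfamiliar location is strong evidence that the password entered into the fake site has already been used.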
Related terms
- Business email compromise
- Social engineering
- Credential theft