A Simple Anti-Phishing Rulebook (For Busy People)


You’ve heard “don’t click suspicious links” a thousand times. The problem is that phishing emails don’t look suspicious anymore. They look like QuickBooks invoices, Microsoft login pages, shipping notifications, and messages from your boss.

The fix isn’t “be more vigilant.” The fix is a short set of habits that work even when you’re distracted.

Why this matters

Phishing is one of the most common ways small business compromises start. Not sophisticated hacking, just a convincing email that tricks someone into typing a password into a fake login page or approving a payment. One captured password or one approved transfer, and an attacker has access to your email, your files, or your bank account. The good news: a few simple rules prevent the vast majority of these attacks.

The rules (tape these to the wall)

1. If you weren’t expecting it, don’t click it

This covers most phishing. Got a “password reset” email you didn’t request? Don’t click. Got a shipping notification for something you didn’t order? Don’t click.

2. Go to the site yourself

If an email says “your account needs attention,” don’t use the link in the email. Open your browser, type the address you already know, and log in from there. This one habit defeats almost every phishing page.

3. Hover before you click (when you do click)

On a computer, hover your mouse over a link and look at the bottom of the browser window (on a phone, press and hold the link to see where it goes). Read the address right to left: the part that matters is the domain just before the first “/”, not the words at the start. If it says microsoft-login-secure-verify.sketchy-domain.com instead of microsoft.com, that’s your answer. The domain is sketchy-domain.com; “microsoft” is just decoration.
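Here is an added example (not part of the original post) that does the “read the address right to left” check by hand, for people who want to see what the rule is actually testing. It pulls the hostname out of a URL, works out which part the owner really registered, and flags the tricks that fool a quick glance: brand names stuffed into subdomains, a “username@” before the real host, and punycode lookalike domains. The sample links are constructed for illustration, and the short suffix list is a stand-in for the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed examples of what a browser status bar might show on hover.
SAMPLE_LINKS = [
    "https://login.microsoft.com/common/oauth2",
    "https://microsoft-login-secure-verify.sketchy-domain.com/signin",
    "https://microsoft.com.sketchy-domain.com/verify",
    "https://microsoft.com@sketchy-domain.com/",
    "https://xn--micrsoft-x1b.com/login",  # constructed punycode label, not a real domain
]

# Public suffixes that are two labels long, so the registrable domain is the
# last three labels. Assumption: a hand-maintained subset stands in for the
# full Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br", "co.nz"}


def registrable_domain(url: str) -> str:
    """Return the part of the hostname the owner actually registered,
    reading right to left past any public suffix."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(url: str, expected_domain: str) -> dict:
    """Compare where a link really goes against the domain you expect.
    Returns a dict with the registrable domain and the reasons it looks wrong."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(url)
    brand = expected_domain.split(".")[0]
    reasons = []

    if parts.scheme != "https":
        reasons.append(f"not https (scheme is {parts.scheme!r})")
    if parts.username is not None:
        # https://microsoft.com@evil.example/ : the text before @ is a
        # username, not the host, so the real destination is hidden.
        reasons.append("text before @ hides the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host (possible lookalike characters)")
    if domain != expected_domain:
        reasons.append(f"goes to {domain!r}, not {expected_domain!r}")
        if brand in host:
            reasons.append("brand name used as bait inside a different domain")

    return {"url": url, "domain": domain, "ok": not reasons, "reasons": reasons}


def triage_samples(expected_domain: str) -> list:
    """Run the check over the constructed sample links."""
    return [check_link(url, expected_domain) for url in SAMPLE_LINKS]


if __name__ == "__main__":
    for result in triage_samples("microsoft.com"):
        verdict = "OK " if result["ok"] else "BAD"
        print(verdict, result["url"])
        for reason in result["reasons"]:
            print("     -", reason)
```

Only the first sample passes; every other one contains the word “microsoft” somewhere, which is exactly the point. The thing to learn from the code is which part of the address it compares: the registrable domain immediately left of the public suffix, never the words at the front.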

4. Verify payment changes by phone

This is the big-money rule. If you get an email asking you to change bank details, wire money to a new account, or pay an invoice with different instructions than usual—call the person using a phone number you already have. Don’t use the phone number in the email. Don’t reply to the email. Pick up the phone.

5. Treat urgency as a red flag

“Act now or your account will be suspended.” “Immediate action required.” “You have 24 hours.” Real companies rarely create this kind of pressure. Attackers lean on it, because panic overrides judgment. If a message makes you feel you have to act this second, that feeling is the signal to slow down and verify.

Make it easy to report

People need a way to say “this looks weird” without feeling dumb. That could be as simple as:

  • Forward suspicious emails to a designated person
  • A Slack/Teams message that says “can someone check this?”
  • An agreement that it’s always okay to ask before clicking

The worst outcome isn’t someone reporting a legitimate email by mistake. The worst outcome is someone clicking a phishing link because they were embarrassed to ask.

Common mistakes

  • “I can tell a phishing email when I see one.” Maybe sometimes. But the good ones are built to fool you when you’re busy, tired, or in a rush. Rules beat intuition.
  • Clicking “unsubscribe” on spam. Legitimate companies honor unsubscribe. Phishing emails use it to confirm your address is active, and the “unsubscribe” link is just another link to the attacker’s site. If it’s clearly junk or phishing, just delete it.
  • Trusting emails because they have your name or company details. That information is easy to find or steal. Personalization doesn’t mean it’s legitimate.
  • Only training once. A single “phishing awareness” session fades fast. Keep the rules visible. Mention it when something relevant happens in the news.

Quick checklist

  • Team knows the “don’t click, go to the site yourself” rule
  • Payment change requests verified by phone (known number)
  • Urgency in emails treated as a red flag
  • Simple way to report suspicious emails without judgment
  • Rules posted somewhere visible (kitchen, breakroom, pinned message)

This post is part of the Minimum Security Posture series.

If you’d like a second set of eyes, I can run through this with you and point out the top risks in your setup—no pressure.
