What is phishing and how to prevent it
Part of the Small Business Cybersecurity series. Related: Signs Your Business Has Been Hacked; How To Prevent Ransomware Attacks.
Phishing is a cyberattack in which criminals impersonate a trusted person or brand, usually by email, to trick you into revealing passwords, clicking malicious links, or sending money. To prevent it, combine email filtering, multi-factor authentication, and ongoing staff training so that a single careless click cannot compromise your business on its own. Phishing is one of the most common entry points for ransomware and payment fraud against Canadian SMBs, which makes it the threat worth defending against first.
The main types of phishing
Phishing comes in several flavours, each exploiting trust in a different way:
- Bulk phishing: generic mass emails posing as banks, couriers, or Microsoft 365.
- Spear phishing: targeted messages personalized using details about you or your company.
- Business email compromise (BEC): impersonating an executive or supplier to authorize a fraudulent payment.
- Smishing and vishing: the same tactics delivered by text message or phone call.
The most damaging attacks on small businesses are usually targeted BEC and spear phishing, where a single convincing email leads to a wire transfer or credential theft.
Warning signs of a phishing message
Train staff to pause when an email shows these red flags:
- Urgency or threats: "act now or your account is suspended."
- Requests for credentials, payment, or gift cards.
- Mismatched sender addresses or look-alike domains: a display name that does not match the underlying address, a Reply-To that differs from the From address, or a domain such as rnicrosoft.com, where "rn" imitates "m".
- Unexpected attachments or links that don't match the displayed text.
- Slightly off grammar, branding, or tone for a known contact.
A reliable habit: when an email asks for money or login details, verify through a separate, known channel — a phone call to a saved number — before acting. Attackers rely on people responding quickly without checking.
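The look-alike domain check from the list above can be automated in a mail gateway rule or a report-phish triage script. The following is an added example, not code from the original page: it folds the common homoglyph substitutions (rn for m, 0 for o), catches a trusted name buried as a subdomain of an attacker's domain, and flags one-typo variants. The TRUSTED tuple and every domain used here are constructed placeholders, and the registrable-domain helper is a two-label approximation of what the Public Suffix List would give.

```python
"""Flag sender domains that imitate a trusted domain.

Added example, not code from the original page. TRUSTED and the sample
senders are constructed; the homoglyph table covers the most common
substitutions and is not exhaustive.
"""

# Sequences that look like another character in common fonts, mapped to the
# character they imitate. Folding them makes "rnicrosoft" compare as "microsoft".
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}

# Constructed allow-list of domains the business legitimately deals with.
TRUSTED = ("microsoft.com", "example-bank.ca", "yourcompany.example")


def fold(domain: str) -> str:
    """Lower-case and replace look-alike sequences with what they imitate."""
    d = domain.strip().lower().rstrip(".")
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def registrable(domain: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Real code should use the Public Suffix List (e.g. for bank.co.uk)."""
    return ".".join(domain.lower().split(".")[-2:])


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1                  # extra character in a
        elif len(b) > len(a):
            j += 1                  # extra character in b
        else:
            i, j = i + 1, j + 1     # substitution
    return edits + (len(a) - i) + (len(b) - j) <= 1


def classify_sender(domain: str) -> tuple[str, str]:
    """Return ("trusted" | "lookalike" | "unknown", reason) for a sender domain."""
    raw = domain.strip().lower().rstrip(".")
    reg = registrable(raw)
    if raw in TRUSTED:
        return "trusted", "exact match"
    if reg in TRUSTED:
        return "trusted", f"subdomain of {reg}"
    if fold(reg) in TRUSTED:
        return "lookalike", f"homoglyph substitution for {fold(reg)}"
    folded = fold(raw)
    for t in TRUSTED:
        # microsoft.com.account-verify.example: trusted name buried as a subdomain
        if f".{t}." in f".{folded}":
            return "lookalike", f"{t} used as a subdomain of {reg}"
    for t in TRUSTED:
        # One typo away (itcare.ca for itcares.ca). Short names make this noisy,
        # so treat it as a triage signal rather than an automatic block.
        if within_one_edit(fold(reg), t):
            return "lookalike", f"one edit away from {t}"
    return "unknown", "not in the trusted list and no imitation detected"


if __name__ == "__main__":
    for sender in ("login.microsoft.com", "rnicrosoft.com", "microsoft.com.account-verify.example"):
        print(sender, "->", classify_sender(sender))
```

A "lookalike" verdict is a reason to hold the message for review or to add a banner, not proof of fraud; the one-edit rule in particular will occasionally flag a legitimate stranger whose domain happens to be close to a trusted one.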
Technical defences that stop phishing
People will occasionally slip, so technology has to catch what they miss:
- Email filtering that quarantines malicious links and attachments before delivery.
- Domain authentication (SPF, DKIM, DMARC) so receiving servers can reject mail that spoofs your domain. A DMARC policy of p=none only asks for reports; spoofed mail is actually blocked once the policy is p=quarantine or p=reject, and DMARC does nothing against look-alike domains you do not own.
- Multi-factor authentication so a stolen password alone is not enough to log in.
- Link and attachment sandboxing that detonates suspicious content safely.
These layers dramatically reduce how many phishing emails reach inboxes and limit the damage when one does. MFA in particular turns most successful credential-phishes into near misses rather than breaches; phishing-resistant methods such as FIDO2 security keys or passkeys go further, because the credential is bound to the genuine site and cannot be replayed through a fake login page.
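To make the domain-authentication layer concrete, here is an added example (not code from the page or from IT Cares) of the decision a receiving mail server makes under DMARC: it checks that whichever of SPF or DKIM passed is aligned with the From: domain the user actually sees, then applies the policy the domain owner published. The authentication results and the two DMARC records are constructed, and the organizational-domain helper is a two-label approximation.

```python
"""DMARC alignment check for one message, with a weak and a strict policy.

Added example, not code from the original page. The authentication results
and DMARC records are constructed; a real receiver gets them from its
SPF/DKIM verifier and a DNS TXT lookup of _dmarc.<from-domain>.
"""
from dataclasses import dataclass


@dataclass
class AuthResults:
    from_domain: str    # domain in the From: header the recipient sees
    spf_result: str     # "pass", "fail" or "none"
    spf_domain: str     # envelope (MAIL FROM) domain SPF was evaluated against
    dkim_result: str
    dkim_domain: str    # d= tag of the validated DKIM signature, "" if none


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Production code should use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a dict, filling the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")    # relaxed SPF alignment unless stated
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same org domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(res: AuthResults, dmarc_record: str) -> dict:
    """Decide whether the message passes DMARC and what the policy asks for.

    DMARC passes if either SPF or DKIM passed *and* its domain aligns with the
    From: domain. A passing SPF for the attacker's own envelope domain does not
    count, which is exactly what stops a spoofed From: header.
    """
    policy = parse_dmarc(dmarc_record)
    spf_ok = res.spf_result == "pass" and aligned(res.spf_domain, res.from_domain, policy["aspf"])
    dkim_ok = res.dkim_result == "pass" and aligned(res.dkim_domain, res.from_domain, policy["adkim"])
    passed = spf_ok or dkim_ok
    return {
        "pass": passed,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        # p=none means "deliver and just send me reports", so a failing spoof still lands.
        "disposition": "none" if passed else policy["p"],
    }


if __name__ == "__main__":
    # Constructed spoof: From: yourcompany.example, but SPF only passes for the
    # attacker's own envelope domain and there is no DKIM signature.
    spoof = AuthResults("yourcompany.example", "pass", "attacker.example", "none", "")
    for record in ("v=DMARC1; p=none", "v=DMARC1; p=reject; adkim=s; aspf=s"):
        print(record, "->", evaluate(spoof, record))
```

Run the same spoofed message through both records and the difference is the whole point of the "weak setting versus corrected setting" advice: under p=none the message fails alignment yet is still delivered, under p=reject the receiver drops it. Move to p=reject only after reading the aggregate reports for a few weeks, otherwise a forgotten newsletter tool or scanner that sends as your domain will start bouncing.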
Building a phishing-resistant culture
The strongest long-term defence is a workforce that treats suspicious email as routine to report, not embarrassing to admit. Run regular phishing simulations and short training so recognizing scams becomes second nature.
Make reporting easy and blame-free — a single "report phish" button beats staff quietly deleting (or worse, forwarding) a threat. Establish clear payment-verification rules so no wire transfer or banking change happens on email alone. For Canadian businesses, this also supports PIPEDA due-diligence expectations: documented training and procedures show you took reasonable steps to protect personal information against social-engineering attacks.
FAQ
What should I do if an employee clicked a phishing link?
Act fast: disconnect the device from the network, change the affected passwords, then revoke all active sessions so the new password takes effect everywhere. Enable or confirm MFA and check that the attacker has not registered an extra MFA method, scan the device with endpoint protection, and review the mailbox for new forwarding or inbox rules and unfamiliar sign-ins. If personal data may be exposed, assess your PIPEDA or Quebec Law 25 breach-reporting obligations and document everything you do.
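Checking for forwarding rules is the step most often skipped, so here is an added example (not part of the original answer) of the triage a responder can run over an exported list of a mailbox's rules. The RULES list is constructed to mirror the shape of Microsoft Graph messageRule objects (displayName, isEnabled, conditions, actions) but is not real exported data, and folder names stand in for the folder IDs the API actually returns; adjust the field names for whatever your mail platform exports.

```python
"""Triage mailbox rules after a phishing click, looking for the patterns
attackers leave behind: forwarding to outside addresses, deleting or hiding
mail that mentions payments, and near-empty rule names.

Added example, not code from the original page. RULES is constructed to
mirror the shape of Microsoft Graph 'messageRule' objects but is not real
exported data; folder names stand in for folder IDs.
"""

INTERNAL_DOMAINS = {"yourcompany.example"}           # constructed
HIDING_FOLDERS = {"Deleted Items", "RSS Feeds", "Archive", "Conversation History"}
SENSITIVE_WORDS = {"invoice", "payment", "wire", "bank", "password", "remittance"}

# Constructed sample: a benign rule, a classic BEC exfiltration rule, and a
# rule that hides IT's warnings in a folder nobody reads.
RULES = [
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["newsletter"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"bodyContains": ["invoice", "payment", "wire"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "collector@attacker.example"}}],
                 "delete": True, "markAsRead": True}},
    {"displayName": "Cleanup", "isEnabled": True,
     "conditions": {"senderContains": ["it-support"]},
     "actions": {"moveToFolder": "RSS Feeds", "markAsRead": True}},
]


def _recipients(entries) -> list[str]:
    """Pull plain addresses out of Graph-style recipient objects."""
    return [e.get("emailAddress", {}).get("address", "").lower() for e in entries or []]


def rule_findings(rule: dict) -> list[str]:
    """List the suspicious traits of one rule; an empty list means nothing notable."""
    if not rule.get("isEnabled", True):
        return []
    actions = rule.get("actions", {})
    conds = rule.get("conditions", {})
    findings = []
    external = [a for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
                for a in _recipients(actions.get(key))
                if a.split("@")[-1] not in INTERNAL_DOMAINS]
    if external:
        findings.append("forwards mail outside the organization: " + ", ".join(external))
    if actions.get("delete") or actions.get("moveToFolder") in HIDING_FOLDERS:
        findings.append("deletes or hides matching mail")
    if actions.get("markAsRead"):
        findings.append("marks mail as read so the owner does not notice it")
    words = {w.lower() for w in conds.get("subjectContains", []) + conds.get("bodyContains", [])}
    if words & SENSITIVE_WORDS:
        findings.append("keys on payment or credential wording")
    if len(rule.get("displayName", "").strip()) <= 1:
        findings.append("near-empty rule name")
    return findings


def triage(rules: list[dict]) -> list[dict]:
    """Return rules worth a human look: any external forward, or two or more traits."""
    flagged = []
    for rule in rules:
        findings = rule_findings(rule)
        if any(f.startswith("forwards") for f in findings) or len(findings) >= 2:
            flagged.append({"name": rule.get("displayName"), "findings": findings})
    return flagged


if __name__ == "__main__":
    for hit in triage(RULES):
        print(f"Rule {hit['name']!r}: " + "; ".join(hit["findings"]))
```

Any external forward is flagged on its own because that is how invoice and payment threads leak to the attacker; the "hide and mark read" combination matters because it is how a compromised user stays unaware of the bounce messages and IT warnings that would otherwise tip them off. Disable flagged rules rather than deleting them until the investigation is documented.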
How is spear phishing different from regular phishing?
Regular phishing blasts generic messages to many people, hoping a few respond. Spear phishing is targeted — the attacker researches you, references real colleagues or projects, and crafts a convincing, personalized message. Because it feels legitimate, spear phishing has a much higher success rate and is commonly used in business email compromise and wire fraud.
Can email filtering stop all phishing?
No filter catches everything, especially novel or highly targeted attacks. Good filtering blocks the large majority of malicious mail, but determined attackers still get the occasional message through. That is why filtering must be paired with multi-factor authentication and trained staff, so the rare email that lands cannot easily turn into a breach.
Why is multi-factor authentication so important against phishing?
Many phishing attacks aim to steal passwords. With MFA enabled, a stolen password alone is not enough to log in, so most credential-phishing attempts become harmless near misses; that makes MFA one of the highest-value defences a small business can deploy. It is not unbeatable: real-time relay ("adversary-in-the-middle") phishing pages can pass a one-time code straight through to the real site, and a flood of push prompts can wear a user into approving one. Number matching on push prompts helps, and FIDO2 security keys or passkeys resist both, because the credential is bound to the genuine site's address rather than to whatever page the user happens to be on.