
How to spot a phishing email as a small business, and what to do.

Fraudulent emails target small businesses too. Learn to recognize the warning signs and respond correctly with these simple steps.

Published on June 15, 2026

Phishing is the most common cyberattack targeting businesses. It does not only target large companies. Small businesses are frequent targets precisely because they rarely have a dedicated IT team. One click at the wrong moment can shut down your operations or expose customer data.

Here is how to recognize these emails and how to respond, without being a security expert.

What are the warning signs in a suspicious email?

Train yourself to check these elements before acting on any email:

The sender

  • The email address looks like a known one but has a small difference: billing@paypal-secure.net instead of @paypal.com, for example.
  • The display name is a colleague or supplier, but the actual address (visible by hovering over the name) is unknown.

Tone and content

  • The email creates urgency: “Your account will be suspended in 24 hours”, “Payment overdue for 3 days”.
  • It asks for an unusual action: a wire transfer, credentials, a quick approval.
  • It contains spelling mistakes or awkward phrasing.

Attachments and links

  • An unexpected attachment in .exe, .zip, or even .pdf format.
  • A link where the visible text does not match the actual destination address.

Never click directly on a suspicious link. Here is how to verify where it leads:

  1. On a computer: hover your mouse over the link without clicking. The real address appears at the bottom of your browser or email client.
  2. Compare the displayed address with the supposed company name. An email from “FedEx” pointing to fedex-tracking.ru is a trap.
  3. When in doubt, copy the address and paste it into a tool such as VirusTotal (virustotal.com) to analyze it before visiting.
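The sender and link checks described above can also be automated for a reporting inbox. The following is an added example, not code from iokoo; it assumes a constructed brand allow-list (KNOWN_BRANDS), uses a simplified anchor-tag extractor, and runs over a constructed sample message that contains the article's own lookalike addresses.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed allow-list for this example: brand keyword -> the domain it really uses.
KNOWN_BRANDS = {"paypal": "paypal.com", "fedex": "fedex.com"}
# Link text that itself looks like a web address, and a simplified <a href> extractor.
URL_TEXT = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)
ANCHOR = re.compile(r'<a[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
def registered_domain(host):
    # Keep the last two labels: "pay.paypal-secure.net" -> "paypal-secure.net".
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def claimed_brand(text, domain):
    # Brand named in the text whose real domain differs from the domain actually used.
    for brand, real in KNOWN_BRANDS.items():
        if brand in text.lower() and domain != real:
            return brand
    return None

def phishing_signals(raw_email):
    """Return the warning signs from the article that are present in one raw email."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    sender = registered_domain(addr.rpartition("@")[2])
    findings = []
    # Sign 1: display name or address evokes a known brand, but the domain is a lookalike.
    brand = claimed_brand(name + " " + addr, sender)
    if brand:
        findings.append(f"sender looks like {brand} but comes from {sender}")
    body = msg.get_payload(decode=True).decode(errors="replace")
    for href, text in ANCHOR.findall(body):
        target = registered_domain(urlparse(href).hostname or "")
        shown = URL_TEXT.match(text.strip())
        # Sign 2: the visible address is on a different domain than the real destination.
        if shown and registered_domain(shown.group(1)) != target:
            findings.append(f"link text shows {shown.group(1)} but goes to {target}")
        # Sign 3: the visible text names a brand, but the destination is not its domain.
        elif (brand := claimed_brand(text, target)):
            findings.append(f"link mentions {brand} but goes to {target}")
    return findings
# Constructed sample message (not a real phishing email).
SAMPLE = """\
From: PayPal Billing <billing@paypal-secure.net>
Content-Type: text/html

<p>Confirm now: <a href="http://fedex-tracking.ru/confirm">https://www.paypal.com/billing</a></p>
<p><a href="http://fedex-tracking.ru/t">FedEx tracking</a> or the <a href="https://www.fedex.com/track">official FedEx site</a></p>
"""
```

Calling `phishing_signals(SAMPLE)` flags the lookalike sender and the two deceptive links, while the genuine fedex.com link produces no warning.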

What to do if you clicked or entered a password

If you think you clicked a fraudulent link or entered your credentials on a fake site:

  1. Disconnect the device from the internet immediately (cable or Wi-Fi).
  2. Change your password from a different device (your phone, for example), starting with your work email.
  3. Notify your manager or business partner without delay.
  4. Contact a technician to analyze the device before reconnecting it.
  5. Do not restart the affected PC before getting professional advice: restarting can erase traces useful for analysis.

If customer or employee data may have been compromised, check your local data protection obligations for breach notification requirements.

How to respond as a team to a suspicious email

Protection against phishing is a team effort. Simple rules to put in place:

  • Create an internal channel or email address where anyone can report a suspicious email (for example: security@yourcompany.com).
  • Set the following rule: “When in doubt, verify before clicking.” A quick phone call to the supposed sender is often enough to confirm or dismiss.
  • Never criticize someone who reports a doubt: ten false alarms are far better than one real incident.

How to prevent phishing attacks

Concrete steps to reduce the risk:

  • Enable multi-factor authentication (MFA, also called two-factor authentication) on your email and online tools. Even if an attacker gets your password, they cannot log in without the second factor.
  • Keep software up to date: updates fix the vulnerabilities attackers exploit.
  • Train your team: a 30-minute awareness session once a year significantly reduces the risk.
  • Use a quality spam filter on your business email (Microsoft 365 and Google Workspace both include one).

If you are unsure about an email you received, or if an incident has already occurred, iokoo experts can respond quickly. Create an account to ask your question, browse our cybersecurity expert pool, or visit our contact page.

Frequently asked questions

What should I do if I clicked a suspicious link in an email?

Disconnect the PC from the internet immediately (unplug the network cable or turn off Wi-Fi), change your passwords from a different device, and contact a technician. Do not restart the PC before getting professional advice.

Can an email be dangerous even if it comes from a known address?

Yes. Attackers can spoof a colleague's or supplier's address. If a familiar sender asks for something unusual (a wire transfer, a password, urgent access), verify by phone before taking any action.

How can I protect my whole team against phishing?

Run a short awareness session, share a list of warning signs, and establish a simple rule: when in doubt, ask before you click. Collective vigilance is the best defense.

Ready to take back control of your IT?