HD Tech - SecurITy Delivered

What Is Phishing? How Small Businesses Stop Attacks

By Tom Hermstad · HD Tech


What is phishing, and how do small businesses stop it?

Phishing is a cyberattack where criminals impersonate trusted sources — banks, vendors, colleagues — to trick your employees into handing over passwords, financial data, or network access. It's the leading cause of data breaches: Verizon's DBIR attributes 68% of breaches to the human element. Small businesses are the primary target. The good news: three practical steps — multi-factor authentication (MFA), email filtering, and staff training — stop the vast majority of attacks before they do damage.


What Is Phishing, Exactly?

Phishing is a form of social engineering. That means it doesn't rely on cracking your firewall or exploiting a software vulnerability. It relies on tricking a human being.

A criminal sends an email, text, or makes a phone call pretending to be someone your employee trusts — your bank, your payroll provider, even your CEO. The goal is simple: get the employee to click a link, open an attachment, or hand over login credentials. Once they do, the attacker is inside.

What makes phishing dangerous isn't sophistication. It's volume and patience. Attackers send thousands of messages and wait for one person to have a bad moment — distracted, rushed, or just not trained to spot the warning signs.

What Are the Most Common Types?

Not all phishing looks the same. Here are the four types your team is most likely to encounter:

  • Email phishing — The most common channel. A fake message from a trusted brand, often with urgency baked in ("Your account will be suspended in 24 hours").
  • Spear phishing — Personalized attacks targeting a specific employee, usually someone in finance or leadership. These reference real details — your vendor's name, a recent invoice — to appear legitimate.
  • Smishing — Phishing via text message. "Your delivery was delayed — click here to reschedule."
  • Vishing — Phone-based phishing. A caller impersonates IT support, your bank, or a government agency to extract information verbally.

Spear phishing is where the real risk lives for small businesses. In 2023, the Scattered Spider group used a simple phone call — vishing — to impersonate a helpdesk worker at MGM Resorts. They gained VPN access without touching a single firewall. Ten days of disruption and $100 million in losses followed.

That wasn't a Fortune 500 security failure. It was a human failure. And it can happen to any business.

Why Small Businesses Are the Target

There's a common belief that attackers only go after large corporations. That belief is wrong — and holding it is expensive.

According to Verizon's 2024 DBIR, 43% of cyberattacks target businesses with fewer than 1,000 employees. Small businesses often have weaker defenses, less-trained staff, and fewer resources to recover when something goes wrong. That's not a criticism — it's just the math attackers are running.

The FBI's 2024 IC3 Report documented $2.9 billion in business email compromise (BEC) losses across 21,489 reported incidents in a single year. Business email compromise is when an attacker impersonates a vendor or executive to redirect a payment — and by the time anyone notices, the money is gone.

It's not if, it's when. The question is whether you've built any defenses before the attempt lands.

How Do Small Businesses Stop Phishing?

Three controls stop most phishing attacks. None of them require a dedicated IT department. All of them work better together than alone.

1. Turn On Multi-Factor Authentication Everywhere

Multi-factor authentication — MFA — means requiring a second form of identity verification beyond a password. A code texted to a phone. An authentication app. A hardware key.

Microsoft reports that MFA blocks 99.9% of automated account compromise attacks. That number alone should end the debate.

Start with your highest-risk accounts: email, payroll, banking, your cloud storage. If your team uses Microsoft 365 (and many manufacturers in Orange County do), MFA is already built in — it just needs to be turned on and enforced.

No single step you take this month will have a bigger return than enabling MFA across your organization.

2. Deploy Email Filtering with DMARC

Your email system is the front door. Most phishing attempts arrive there first.

Modern email filtering tools use AI to scan incoming messages for known phishing patterns — suspicious sender domains, mismatched links, spoofed display names. AI-driven email filters catch the vast majority of phishing attempts before they reach your inbox.

Pair that with DMARC (Domain-based Message Authentication, Reporting, and Conformance) — a technical standard that tells other mail servers whether an email claiming to be from your domain is actually from you. Setting up DMARC on your domain stops attackers from spoofing your company name to attack your vendors or clients.
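To make the DMARC step concrete, here is an added Python example (not HD Tech's code, nor any real mail server's) that models the check a receiving server performs: it parses a domain's DMARC record and decides whether a message whose From: header claims that domain is backed by an aligned SPF or DKIM pass, and if not, which disposition the record's p= (or sp=) tag asks for. The org_domain helper and the pre-computed SPF/DKIM results are simplifying assumptions.

```python
# Added example (not HD Tech's or any mail server's code): a minimal model of the
# DMARC check a receiving server runs, per RFC 7489. It assumes SPF and DKIM were
# already evaluated and takes the domains that passed as inputs.

def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels (assumption:
    real implementations consult the Public Suffix List so co.uk etc. work)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record: str, from_domain: str, spf_pass_domain=None, dkim_pass_domain=None) -> str:
    """Return 'pass' if an aligned SPF or DKIM result exists, otherwise the
    disposition the record requests: 'none', 'quarantine' or 'reject'."""
    tags = parse_dmarc(record)
    spf_ok = aligned(from_domain, spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(from_domain, dkim_pass_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    policy = tags["p"]
    # Mail From: a subdomain falls under 'sp=' when present, else inherits 'p='.
    if from_domain.lower() != org_domain(from_domain):
        policy = tags.get("sp", policy)
    return policy.lower()

if __name__ == "__main__":
    # Constructed case: From: example.com, but SPF only passed for an unrelated domain.
    weak = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
    strong = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@example.com"
    print(evaluate(weak, "example.com", spf_pass_domain="other.example"))    # none
    print(evaluate(strong, "example.com", spf_pass_domain="other.example"))  # reject
```

The weak record with p=none only asks receivers to send reports; spoofed mail is actually quarantined or rejected only once the policy is raised to quarantine or reject, which is the setting worth verifying when DMARC is set up.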

If your current IT setup doesn't include email filtering and DMARC, that's a gap worth closing this quarter. The cost is minimal. The protection is significant. For a full picture of what unplanned downtime from a successful attack actually costs, read what SMBs need to understand about the real cost of IT downtime in 2026.

3. Train Your Team — and Test Them

Technology alone won't save you. Phishing is a people problem as much as a technology problem.

Proofpoint research shows that security awareness training reduces malicious clicks by up to 40%. That's not a marginal improvement — it's the difference between an attack that lands and one that gets reported.

Training doesn't have to be a half-day workshop. Quarterly phishing simulations — where you send your own fake phishing emails to see who clicks — are one of the most effective tools available. CISA offers free phishing awareness resources your team can use today.

The goal isn't to punish employees who click. The goal is to build a culture where suspicious emails get flagged, not acted on. When your team knows what to look for — urgent requests, mismatched email addresses, unexpected attachments — they become your last line of defense.

Understanding how your help desk handles phishing reports is part of this equation. A well-structured support function makes it easy for employees to escalate suspicious messages fast. See how help desk support has evolved in 2026 to understand what that looks like in practice.

What HD Tech Does About Phishing

At HD Tech, phishing prevention is wired into every managed IT engagement we run. It's part of the Lifeguard Loop™ — our four-stage framework that starts with discovery, moves into implementation, hardens your environment over time, and keeps you informed in plain English every step of the way.

We don't just flip on MFA and walk away. We configure your email filtering, verify your DMARC records, run simulated phishing tests with your team, and report back on who clicked and what to do about it. When something suspicious hits your inbox at 11 PM, the Relentless Response Engine™ is already on it.

You're also not navigating this alone. Phishing prevention connects directly to endpoint protection — the security that lives on your laptops, desktops, and servers. If you haven't thought through that layer yet, start with what endpoint protection is and why it's no longer optional.

Don't be a casualty. Be exceptional. HD Tech: Your Cyber Lifeguard, Always On Duty.


Frequently Asked Questions

Phishing is when a criminal pretends to be someone you trust — a bank, a vendor, your CEO — to trick you into clicking a link, opening an attachment, or sharing a password. It works by exploiting human trust rather than breaking through technical defenses. Most data breaches start with a phishing email, which is why employee awareness and email security are the first lines of defense.

Look for these warning signs: the sender's email address doesn't match the organization it claims to be from, the message creates urgency ("act now or your account will close"), there are unexpected attachments or links, and the greeting is generic ("Dear Customer") instead of your name. When in doubt, don't click — contact the sender through a separate, known channel to verify the request.

Yes. Text-based phishing is called smishing, and phone-based phishing is called vishing. Both are increasingly common. A text claiming your package can't be delivered until you verify your address, or a caller claiming to be from your bank's fraud department, are classic examples. The same rule applies: never provide credentials or click links from unsolicited contacts. Verify independently before acting.

Yes. Microsoft reports that MFA blocks 99.9% of automated account compromise attacks. Even if an attacker steals your employee's password through a phishing email, they still can't access the account without the second factor — the code sent to the employee's phone or generated by an authentication app. MFA is the single highest-return security control available to small businesses and should be enabled on every account that supports it.

Start with these three steps in order: enable MFA on all business accounts (email, payroll, banking, cloud storage); deploy email filtering with DMARC on your domain; and run quarterly phishing simulations with your team. These three controls, working together, stop the overwhelming majority of phishing attempts before they cause damage. If you're unsure where your current gaps are, a Cyber Preparation Assessment is the fastest way to find out.


Phishing isn't going away. But it is preventable. Three practical controls — MFA, email filtering, and staff training — give your business a fighting chance against the most common attack vector in cybersecurity. If you're not sure where your defenses stand right now, the fastest way to find out is a free conversation with our team. Book your free Cyber Preparation Assessment and get a plain-English picture of where you're exposed and what to do about it.


Tom Hermstad

President & CMO, HD Tech

Tom Hermstad has led HD Tech since 1995, building one of Southern California's most trusted managed IT and cybersecurity firms. He specializes in helping Orange County businesses eliminate IT headaches and stay ahead of evolving cyber threats — in plain English.
