You get an email from your bank. It says there’s suspicious activity on your account and you need to verify your identity immediately. The logo looks right. The urgency feels real. You click the link.
And just like that, someone has your credentials.
This is phishing, and it’s the number one way businesses get compromised. Not through some Hollywood hacker breaking through firewalls. Through a convincing email and a moment of distraction.
Why Phishing Works So Well
Phishing doesn’t exploit technology. It exploits people. Specifically, it exploits the fact that you’re busy, you’re moving fast, and you trust the systems you use every day.
The FBI’s Internet Crime Complaint Center reported over $2.9 billion in losses from business email compromise in 2023 alone. That’s not counting the ransomware infections, data breaches, and operational downtime that start with a single phishing email.
And the emails are getting better. AI tools now help attackers write grammatically perfect, personalized messages that don’t have the obvious red flags we used to rely on.
The Five Things to Check Every Time
Before you click any link or open any attachment in an email, run through this checklist:
1. Check the sender’s actual email address. Not the display name — the actual address. Hover over or expand the sender field to reveal it. “Bank of America Security” means nothing if the email comes from bankofamerica-security@gmail.com. Legitimate businesses send from their own domains.
2. Look for urgency and threats. “Your account will be closed in 24 hours.” “Immediate action required.” “Failure to respond will result in legal action.” Real companies don’t threaten you into clicking links. If it feels like pressure, it probably is.
3. Hover before you click. Put your mouse over any link without clicking. Look at the URL that appears. Does it go where you’d expect? A link that says “Chase.com” but actually points to “chase-login-verify.sketchy-domain.com” is a dead giveaway.
4. Watch for generic greetings. “Dear Customer” or “Dear Account Holder” instead of your actual name? That’s a mass-blast phishing attempt. Your bank knows your name.
5. Question unexpected attachments. You weren’t expecting an invoice? Don’t open it. Someone you don’t know sent a PDF? Don’t open it. When in doubt, call the sender directly using a phone number you already have — not one from the email.
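The five checks above can be turned into a screening script that a help desk or mail team could run over a message an employee reports. The Python below is an added example written for this article, not a tool from Robb.Tech. It parses a constructed sample message (assembled from the article’s own examples, so the Bank of America sender and the Chase link appear together) and reports which of the five checks fire. It also adds one check the list does not name: a Reply-To header whose domain differs from the From domain, a common companion to the display-name trick. Heuristics like these surface candidates for a human to look at; they do not replace gateway filtering or MFA.

```python
"""Heuristic phishing screen that mirrors the five-point checklist (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample built from the article's examples; every domain here is a placeholder.
SAMPLE_EMAIL = """\
From: "Bank of America Security" <bankofamerica-security@gmail.com>
Reply-To: account-recovery@sketchy-domain.com
To: customer@example.com
Subject: Immediate action required: your account will be closed in 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>We detected suspicious activity on your account. Please verify your identity now.</p>
<p>Failure to respond will result in legal action.</p>
<p><a href="https://chase-login-verify.sketchy-domain.com/login">Chase.com</a></p>
</body></html>
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed benign message used to show the checks stay quiet on ordinary mail.
CLEAN_EMAIL = """\
From: Jane Doe <jane@example.com>
To: philip@example.com
Subject: Lunch next week
Content-Type: text/plain; charset="utf-8"

Hi Philip, are you free on Tuesday? Jane
"""

FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}
URGENCY_PHRASES = [
    r"immediate action required", r"(?:within|in) 24 hours",
    r"account will be (?:closed|suspended|locked)", r"legal action",
    r"verify your (?:identity|account)", r"failure to respond",
]
GENERIC_GREETING = re.compile(r"\bdear\s+(?:valued\s+)?(?:customer|account holder|user|member|client)\b", re.I)
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".iso", ".html", ".htm", ".zip", ".docm", ".xlsm"}


class _LinkAndTextExtractor(HTMLParser):
    """Collects visible text plus (href, anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.text_parts, self.links, self._in_anchor = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._in_anchor = True

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._in_anchor and self.links:
            self.links[-1][1] += data


def _host(url_or_domain):
    """Normalise a URL or bare domain to a lowercase hostname without a leading 'www.'."""
    s = url_or_domain.strip()
    host = (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _looks_like_domain(text):
    return bool(re.fullmatch(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", text.strip(), re.I))


def _body_parts(msg):
    """Split a parsed message into (plain text, html text, attachment filenames)."""
    texts, htmls, attachments = [], [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if part.get_content_disposition() == "attachment" or filename:
            attachments.append(filename or "<unnamed>")
        elif part.get_content_type() == "text/plain":
            texts.append(part.get_content())
        elif part.get_content_type() == "text/html":
            htmls.append(part.get_content())
    return "\n".join(texts), "\n".join(htmls), attachments


def analyze(raw_message):
    """Return a list of human-readable findings; an empty list means no check fired."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Sender: a branded display name on a free webmail address, or Reply-To elsewhere.
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if display and from_domain in FREE_MAIL_DOMAINS:
        findings.append(f"sender: display name '{display}' but address is on free webmail ({addr})")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_to.rpartition("@")[2].lower()
    if reply_to and reply_domain != from_domain:
        findings.append(f"sender: Reply-To domain {reply_domain} differs from From domain {from_domain}")

    plain, html, attachments = _body_parts(msg)
    extractor = _LinkAndTextExtractor()
    extractor.feed(html)
    visible_text = plain + "\n" + " ".join(extractor.text_parts)
    searchable = (msg.get("Subject", "") + "\n" + visible_text).lower()

    # 2. Urgency and threats in the subject or body.
    for phrase in URGENCY_PHRASES:
        if re.search(phrase, searchable):
            findings.append(f"urgency: matched '{phrase}'")

    # 3. Link text that names one site while the href goes somewhere else.
    for href, text in extractor.links:
        if _looks_like_domain(text):
            shown, actual = _host(text), _host(href)
            if actual and shown != actual and not actual.endswith("." + shown):
                findings.append(f"link: text shows {shown} but points to {actual}")

    # 4. Generic greeting instead of the recipient's name.
    if GENERIC_GREETING.search(visible_text):
        findings.append("greeting: generic salutation instead of a name")

    # 5. Any attachment is worth a question; some file types more than others.
    for name in attachments:
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        kind = "high-risk type" if ext in RISKY_EXTENSIONS else "unexpected attachment"
        findings.append(f"attachment: {name} ({kind})")
    return findings


if __name__ == "__main__":
    for line in analyze(SAMPLE_EMAIL):
        print(line)
```

Run as a script, it lists every check that fires on the sample; `analyze(CLEAN_EMAIL)` returns an empty list. The Reply-To and free-webmail checks are deliberately blunt: they flag anything that needs a second look, and the person reviewing the report makes the call.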
What to Do When You’re Not Sure
The best response to a suspicious email is to do nothing with it. Don’t click, don’t reply, don’t forward it to your whole team asking “is this legit?”
Instead:
- Call the company directly using a number from their official website. Not from the email.
- Report it to your IT team. If you work with a managed IT provider like Robb.Tech, forward it to us. We’ll tell you in minutes if it’s real or fake.
- Delete it. If you’ve confirmed it’s phishing, trash it. Don’t just leave it sitting in your inbox where you might accidentally click it later.
Protecting Your Whole Team
One trained employee isn’t enough. Phishing works because it only needs one person to make one mistake. Here’s what actually moves the needle:
- Security awareness training for everyone, not just once, but regularly. Threats evolve. Training should too.
- Email filtering that catches the obvious stuff before it hits inboxes. Modern filters catch a lot, but not everything.
- Multi-factor authentication (MFA) on everything. Even if someone’s password gets phished, MFA stops the attacker from getting in.
- A culture where reporting is encouraged. If someone clicks a bad link, you want them to tell you immediately — not hide it out of embarrassment. Speed matters in incident response.
The Bottom Line
Phishing isn’t going away. It’s getting smarter, more targeted, and harder to detect. But with the right habits and the right systems in place, you can make your business a much harder target.
The cost of a phishing attack — financial loss, data breach, reputation damage, operational downtime — is orders of magnitude higher than the cost of prevention.
If you’re not sure where your business stands, we can help. Robb.Tech offers security assessments that include phishing simulation testing, email security configuration, and employee training. Contact us today to find out how exposed your business really is.
Philip Robb is the owner of Robb Technology Group, a Lubbock-based IT support company helping businesses stay secure and productive. Have questions? Reach out at (806) 370-4700 or support@robb.tech.