
[Offer Grid] 📬 | Business Owners Who Never Get Phished | Issue No. 11

The issue where I break down why some business owners never fall for phishing scams—while others lose thousands to fake invoices and hacked accounts. It’s not luck. It’s smart habits. I’ll cover solutions, and more. Plus, a real story of a $2,000 email scam that could’ve been avoided with one simple step. Don’t let the bad guys in—steal these best practices instead.

Phishing scams only work on the unprepared.

Every year, businesses lose billions to fraudulent emails, fake invoices, and account takeover attacks. But some business owners never fall for these tricks. They don’t ignore security, but they also don’t live in fear. Instead, they follow simple, smart habits that keep their inbox, and their business, safe.

What are they doing differently? Here are the best practices that set them apart.

Treat Every Unexpected Email with Skepticism

It's called Zero Trust.

Have you ever gotten an email that looks like it’s from your accountant or a vendor, requesting an urgent wire transfer or immediate payment? The business owners who stay safe don’t act immediately. They verify the request through another channel and avoid a $50,000 scam.

At the simplest, don’t click on links or reply to emails without verifying their legitimacy. Assuming that if an email looks real, it must be real is the first step to disaster.

The world has gotten a lot more sophisticated since the first Nigerian Prince emails went out.

I’m constantly surprised at how real these emails look!

Cybercriminals rely on urgency and familiarity. They get you by sending a message that looks legit.

Pause to verify. These bad guys rely on the element of surprise when they send emails that refer to an account you think is familiar.

Train yourself and your team to question unexpected requests. Verify large transactions via a second method, such as a phone call.

And don't call numbers from within the emails. The best practice is to call companies from the number published on their website.

Use Multi-Factor Authentication (MFA) for Everything

Many business owners are used to using MFA to secure accounts. Meta has required it for many years now in ad accounts.

What used to feel like a big ole pain in the butt is really a nearly water-tight way to keep your business safe.

For example, let's say an employee’s password is stolen in a phishing attack, but the hacker can’t access the company’s email system because the confirmation code appears on the employee's phone. Attack blocked.

I have MFA set up on just about everything in my world. My partner just about has to show me ID in the kitchen at breakfast.

And don't make the mistake of relying solely on strong passwords. Thinking that MFA is too inconvenient to implement isn't the right approach.

For any account access, the username and password are just the first line of defense.

Passwords Matter, But Less

When you don't have to worry (because we know that worry fixes everything--ha!) then even if passwords get compromised, MFA acts as a second layer of protection, stopping unauthorized access.

Require MFA for all email accounts, banking logins, and internal systems. Use app-based authentication instead of SMS codes whenever possible.

With MFA, a stolen password alone isn’t enough: the confirmation code, which only you have, is still required to access your account.

It’s a huge time saver.

Better, it’s a huge data and dollar saver.

Sure, your staff may resist using MFA. They think it’s a hassle. But the small inconvenience is nothing compared to the cost of a data breach.

I don't actually know a way to make MFA fun. It takes time to set up. It takes extra time to get into your account after you've set it up. It slows everything down.

But any person or business that's been hacked knows that a phishing attack isn't fun at all. So in your staff training and SOPs, you can make it clear that this mandatory step is, well, mandatory.

Passwords get stolen every day. MFA keeps that loss from mattering.
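To show what "the confirmation code appears on the employee's phone" means underneath, here is an added example (not code from the newsletter or from any product it mentions) of a login check that requires both a password and a time-based one-time code (TOTP, RFC 6238), the kind an authenticator app generates. The user name, password and stored secret are constructed demo values; the secret is the reference test key from RFC 6238, so the codes below match the RFC's published test vectors. A caller who has only the password is refused.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo account. A real system stores the password as a salted hash
# and the TOTP secret in an encrypted secret store; both are inline here only
# so the example runs offline.
DEMO_USER = "alice"
DEMO_PASSWORD = "correct horse battery staple"
# Base32 of the 20-byte ASCII key "12345678901234567890" used by RFC 6238's test vectors.
DEMO_TOTP_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30  # seconds per code, the usual authenticator-app default


def totp_code(secret_b32: str, timestamp: int, digits: int = 6) -> str:
    """Compute the RFC 6238 TOTP code (HMAC-SHA1) for a given Unix timestamp."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = timestamp // TIME_STEP
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.4
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, timestamp: int, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side,
    which tolerates small clock drift between phone and server."""
    for drift in range(-window, window + 1):
        expected = totp_code(secret_b32, timestamp + drift * TIME_STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


def login(username: str, password: str, code, timestamp=None) -> bool:
    """Return True only when the password AND the second factor are correct.
    `code` may be None, modelling an attacker who phished the password but
    does not have the phone."""
    if timestamp is None:
        timestamp = int(time.time())
    if username != DEMO_USER or not hmac.compare_digest(password, DEMO_PASSWORD):
        return False  # first line of defense failed
    if code is None:
        return False  # password alone is never enough
    return verify_totp(DEMO_TOTP_SECRET, code, timestamp)


if __name__ == "__main__":
    now = int(time.time())
    phone_code = totp_code(DEMO_TOTP_SECRET, now)  # what the authenticator app shows
    print("employee with phone:", login(DEMO_USER, DEMO_PASSWORD, phone_code, now))
    print("attacker with password only:", login(DEMO_USER, DEMO_PASSWORD, None, now))
```

The drift window is why a code still works for a few seconds after the app rolls over to the next one; it is also why codes must be short-lived, since anything an attacker captures expires within about a minute.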

Check this out.

A supplier emails a retailer about an “important invoice” with a link to download the document. Payment is late, and a fee is about to be imposed.

Instead of clicking, the retailer calls the supplier to confirm—and discovers the email was a phishing attempt.

One angle phishing attackers frequently use is establishing authority.

When the recipient opens the email, they believe the message comes from a higher authority.

A bank. A vendor.

What if the standard practice in your business was to confirm all links received by email or SMS with direct information from the company website?

Clicking on links without checking where they lead is a plan for disaster. You can't assume a link is safe just because it’s in an email from a familiar name.

When I get emails that appear to be from companies I do business with, I don't click. I go directly to the company website and access my account there, or call the number in the contact information.

I've received too many emails that, upon inspection, used an email address that was close to the company email but had a typo or just one character that was different.

Phishing emails often disguise malicious links as legitimate ones. Clicking blindly can install malware or expose login credentials.

Hover over links before clicking to see where they lead. When in doubt, go directly to the company’s website instead of using email links.

Attackers are getting better at making fake emails look real. Sometimes it takes me two or three reads of an email to confirm that it's a scam. Vigilance is essential.
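The two checks described above, a sender address that is one character off from the real company's and a link whose visible text doesn't match where it actually goes, can be automated. The following is an added example, not the newsletter's own tooling or any product it mentions: it parses a constructed sample email, compares the sender's domain against a made-up allow-list of companies the business deals with, and flags any link whose displayed domain differs from its real destination. The domains, addresses and messages are all constructed for the demo.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list for a hypothetical business: the domains of the
# companies it actually does business with.
TRUSTED_DOMAINS = {"acme-supplies.com", "examplebank.com"}

# Constructed message in the style of the "important invoice" scenario: the
# sender domain is one character off (supplles vs supplies) and the link's
# visible text points at the vendor while the href goes somewhere else.
SAMPLE_PHISH = """\
From: Billing <invoices@acme-supplles.com>
To: owner@example.com
Subject: Important invoice - late fee pending
Content-Type: text/html

<p>Your payment is overdue. Review it here:
<a href="http://acme-supplies.com.invoice-portal.example/pay">https://acme-supplies.com/invoices</a></p>
"""

# Constructed legitimate message for comparison.
SAMPLE_CLEAN = """\
From: Billing <invoices@acme-supplies.com>
To: owner@example.com
Subject: Invoice 1042
Content-Type: text/html

<p>Invoice attached: <a href="https://acme-supplies.com/invoices/1042">acme-supplies.com/invoices/1042</a></p>
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains one typo away from a trusted one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Simplification: a real tool would use the
    Public Suffix List so that e.g. example.co.uk is handled correctly."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def domain_of_text(text: str):
    """Domain the link's visible text *claims* to point at, or None when the
    text is not URL-like (e.g. 'click here')."""
    text = text.strip()
    if "://" not in text:
        if not re.match(r"^[\w.-]+\.[a-z]{2,}(/|$)", text, re.I):
            return None
        text = "http://" + text
    host = urlparse(text).hostname
    return registrable_domain(host) if host else None


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs, i.e. what hovering over a link shows
    versus what the reader sees."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def analyze_message(raw: str) -> list:
    """Return (finding, observed, expected) tuples for a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    _, addr = email.utils.parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if edit_distance(sender_domain, trusted) <= 1:  # "just one character different"
                findings.append(("lookalike_sender", sender_domain, trusted))

    body = "" if msg.is_multipart() else msg.get_content()
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        actual = registrable_domain(urlparse(href).hostname or "")
        shown = domain_of_text(text)
        if shown and shown != actual:
            findings.append(("link_mismatch", actual, shown))
    return findings


if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_PHISH):
        print(finding)
```

A sender that is not on the allow-list and not a near-miss produces no finding here; that is deliberate, because the habit the newsletter recommends (go to the company's own website rather than trusting the email) applies to every unexpected message, not only the ones a script can flag.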

Train Your Team to Recognize Phishing Scams

A new employee receives a fake email from “IT Support” asking them to reset their password. Because of phishing awareness training, they recognize the red flags and report it instead of falling for the scam.

I have a friend who works for a large accounting firm. She received an email with instructions to purchase $2,000 worth of electronic gift cards and send them to her boss at a specific email address.

First of all, this is a common scam. It's been running for a few years now.

But she'd never heard of it before. And she fell for it.

Email safety training would have saved this company from the attack.

Employees will not recognize scams without training. Regular, short, and easy training will keep employees in the loop.

A common mistake: thinking cybersecurity is only the IT department’s responsibility.

Every employee is a potential entry point for hackers. A well-trained team reduces the overall risk.

Hold regular phishing awareness sessions. Test employees with simulated phishing attacks. Reward those who report suspicious emails.

A CEO of a small business thinks cybercriminals only go after big companies—until an employee falls for a phishing email that nearly compromises customer data or results in a large financial loss.

Believing “it won’t happen to me” is putting your head in the sand. Small businesses are spectacular targets for phishing attacks.

Every business, big or small, is a target. Training in the organization is the best defense.

Regularly review and update security protocols. Conduct phishing drills. Always stay one step ahead of attackers.

Complacency is the biggest weakness. The moment you think you’re safe is when you’re most vulnerable.

Of all kinds of hacking, phishing is the easiest to defend against.

At its simplest, the policy of "don't click that" is a great start.

Running regular training to keep up with current known scams, and helping staff learn the best ways to get their work done without helping attackers breach the company... these are simple ways to keep your business safe.

These methods helped my clients stay 100% safe against approximately 200 phishing attacks. We had zero data loss, and zero financial loss.

Phishing is a Business Problem

It’s not an IT problem. All employees can help protect the business.

The business owners I've worked with who were never victims of phishing attacks aren’t just lucky. They’ve built habits that make them resilient against cyber threats.

By questioning unexpected emails, using MFA, avoiding suspicious links, training employees, and staying prepared, you can protect your business from costly scams.

The next time an email demands urgent action, take a step back. You don't have to let the bad guys in.

Until next time…

Talk soon,

Amy

P.S. I've opened two slots in my calendar for consulting calls this quarter. You get four, one-hour phone calls. It's one phone call a week, for a month.

I didn't write a sales page for this offer. Just reply to this email and answer the following questions:

  1. What's your average monthly revenue? And what would you like it to be?

  2. Are you currently doing email marketing? Is your effort producing the returns you want?

  3. What percentage of your monthly traffic is organic, versus paid traffic? What's your average order value (AOV)?

That's it. Those simple questions will help me get started on a plan with you.

The investment is $1500. Your ROI will far exceed the expense. Working with me isn’t a cost—it’s an investment. For every $1 you spend, you’re positioning yourself to gain $10 back. That’s a 10x return on investment.

Based on experience, I actually expect to find much more than $15,000 sitting in your business.

With only two consulting positions open in my calendar, it's important to reply quickly. Deadline is April 15.