First things first, just to make sure we’re all on the same page.

Phishing is a type of cybersecurity attack. Someone impersonates a legitimate entity to try to persuade the recipient to hand over sensitive information. Most phishing happens via email.

Compared to other forms of hacking, phishing is quite easy to execute. In fact, the first “phishers” used AOL in the 1990s to get information from unsuspecting AOL users. These attacks were painfully simple. But here’s the kicker. They didn’t differ much from phishing attacks of today!

The attackers simply pretended to be AOL employees. Even if only a few victims believed their ruse, the attack was worth it. That’s because if even one person falls for a phishing tactic, the results can be devastating.

Here are the fundamental things all your employees need to know to protect your company from phishing attacks.

1. Phishing can happen anywhere

While most people think of phishing as occurring exclusively via email, it can also happen on social media sites, in messaging apps, and through any method of online communication.

If your employees are communicating anywhere online, they need to make sure they really know who is at the other end.

2. Phishing can get complex

Some phishing attempts are just hackers sending out emails to a random group of people and hoping one of them will bite. But an increasing number of phishing attacks are getting more sophisticated.

In some cases, hackers will spend months or more building a relationship with the target through false social media profiles and frequent communications. This combines catfishing and phishing, forming a dangerous combination.

After a while, the target grows comfortable with the hacker and trusts them enough to share personal information.

3. Phishing costs businesses a lot

Some sources estimate that phishing attacks may cost American businesses up to $500 million per year, with thousands of businesses targeted and more personal consumers attacked at home.

That figure comes only from the attacks that were investigated by the FBI over a period of three years, so it is likely that the total cost to US businesses is more than that.

4. There are multiple types of phishing attacks

There are a few major types of phishing attacks. The most basic is when attackers email a random group of people and hope that a few of them will fall prey to the scam.

“Spear phishing” is a targeted attack that centers on one organization or a group of individuals. Attackers pretend to be someone from within the organization—a client or vendor—in order to infiltrate and get access to sensitive information. Some spear phishers are able to hack into organizational communication systems so the messages really do appear to be coming from the inside.

“Whaling” is when a spear phisher goes after a huge target.

5. Here’s how you can recognize phishing

There are many trademarks of a phishing attack. Educating employees about these signs can save your business a whole lot of money. Some of these may seem a bit obvious, but to those who are not as savvy, it’s important information that could stop an attack.

Phishing emails often come from addresses that seem like they could be legit. But if you examine the address more closely you’ll notice that it’s a little off. Perhaps it’s one letter off from the company’s actual name or the email address doesn’t follow the convention of other people you have met from that organization. You will find a similar situation with URLs in phishing messages.

Many phishing emails have bad spelling and improper grammar, typically due to poor translations. If it was coming from a legitimate organization, typos are possible, but not usually at the magnitude seen in phishing emails.

Finally, if a message seems too good to be true, it probably is!

Use these tips to avoid harmful phishing attacks. For more information on how to protect your business, be sure to contact your IT support partner.