Home  /  Guides  /  Employee Cybersecurity Basics
ABT Guide · Share With Your Whole Team

The Low-Hanging Fruit: A Practical Security Guide for Every Employee

Most successful attacks on small and mid-size businesses don't break through the firewall — they walk through the front door when someone clicks a link, approves a login prompt, or wires money to a "vendor." The good news: the habits that stop those attacks are simple, free, and learnable in one read. This guide is written to be shared with your entire team.

The Reality

Attackers Don't Hack In. They Log In.

The large majority of security incidents involve a human element — a click, a reply, a credential typed into the wrong page. That's not because employees are careless; it's because tricking a person is cheaper and more reliable than defeating technology, and attackers run it like a volume business: thousands of convincing emails, waiting for the one busy person on the one busy afternoon.

Two implications follow. First, "I'm too small to be a target" is backwards — small businesses are targeted because they combine real money with fewer defenses. Attackers don't pick you; their software does, indiscriminately. Second, the goal isn't turning your staff into security experts. It's installing a handful of reflexes — pause on urgency, verify money moves by phone, never approve a login you didn't start — that break the attack chain at its cheapest point.

Threat 2 · The Expensive One

Invoice, Wire, and Gift Card Fraud

The costliest attacks on SMBs often involve no malware at all — just a convincing email asking someone in finance or leadership's orbit to move money. Three classic shapes:

"Our Banking Details Changed"

A known vendor — or an attacker inside the vendor's compromised email — sends new payment instructions before an expected invoice. Everything about the thread looks legitimate because the thread is legitimate; only the account number is the lie.

The Executive Request

"It's [the owner]. I'm in a meeting — need you to handle a payment quietly and quickly." Authority plus urgency plus secrecy is the exact fingerprint. Real executives can survive a confirmation call.

The Gift Card Errand

Any request to buy gift cards and send the codes — for clients, for a party, for anything — is fraud. Full stop. There is no legitimate business version of this errand.

The Rule That Beats All Three

Verify out-of-band. Any request to send money, change payment details, or share sensitive data gets confirmed by calling a number you already have on file — never a number or link from the email itself, which the attacker also wrote.

Make It Policy, Not JudgmentThe strongest move a business can make this week costs nothing: a standing rule that no payment detail changes and no wires happen without voice confirmation on a known number — no exceptions, including for the boss. A written rule removes the social pressure that makes these attacks work; employees can say "company policy" instead of "I don't trust you."
Threat 3 · The Quiet One

Passwords, MFA, and the Login Prompt You Didn't Ask For

Reused passwords are the quietest risk in any company: one shopping site gets breached, and the same email-plus-password combination gets tried against your business email automatically. Three habits close the door:

  1. Use a Password Manager — and Stop Memorizing

    A password manager generates and remembers a different strong password for every account, so one breached site never unlocks another. You memorize exactly one master password. Browsers' built-in managers are acceptable; a dedicated manager is better for a business. Either beats the spreadsheet, the sticky note, and the one-password-everywhere habit by miles.

  2. Turn On MFA Everywhere That Matters

    Multi-factor authentication — the code or approval prompt after your password — is the single highest-value security setting that exists, because it makes a stolen password insufficient by itself. Priority order: email first (whoever controls email can reset everything else), then banking, payroll, and file storage. App-based codes or push approvals beat text messages, but any MFA beats none.

  3. Never Approve a Prompt You Didn't Cause

    Attackers with a stolen password will trigger MFA prompts repeatedly, hoping you'll tap "Approve" out of annoyance or assume it's a glitch — the "MFA fatigue" attack. The rule is absolute: an approval prompt you didn't just cause means someone has your password right now. Deny it, change that password, and tell whoever handles your IT — immediately.

The Two-Minute ExtrasLet your devices and browsers auto-update (most patches close holes attackers are actively using), lock your screen when you walk away (Windows key + L, or Ctrl + Cmd + Q on Mac), never plug in a USB drive you found or were given at an event, and be cautious doing sensitive work on public Wi-Fi — your phone's hotspot is the safer office-away-from-office.
When It Happens Anyway

You Clicked. Now What? (The First 10 Minutes)

Someone in your company will eventually click something bad — attackers only need to win once, and they send thousands of chances. What separates a near-miss from a disaster is almost always speed of reporting, and the enemy of speed is embarrassment.

  1. Stop and Disconnect

    Don't enter anything further, don't click "OK" on new popups. If you opened an attachment or a program started installing, disconnect the computer from the network — turn off Wi-Fi or unplug the cable. Don't power the machine off unless told to; whoever investigates may need it running.

  2. If You Typed a Password, Change It — From Another Device

    Change that password immediately, and anywhere else the same password is used (this is the moment password reuse becomes an emergency). Use a different, clean device to do it. If the account has MFA, review recent sign-ins and sign out all sessions if the option exists.

  3. Report It — Fast and Without Shame

    Tell your manager and whoever handles your IT right now, with specifics: what the email said, what you clicked, what you entered. Minutes matter — a reported click gets contained; a hidden one becomes next month's incident. If money moved, also call your bank immediately; rapid recall of fraudulent wires is sometimes possible in the first hours and rarely after.

For Owners & ManagersThis step only works in a no-blame culture. If reporting a click gets someone scolded, your employees will stop reporting clicks — and you'll trade small embarrassments for large breaches. Praise fast reporting publicly. The employee who says "I think I just clicked something bad" is doing exactly the right thing.
Print This One

The 10-Rule Team Checklist

The whole guide, compressed to what fits on a wall:

  • 01Urgency is the red flag. The harder an email pushes, the slower you go.
  • 02Hover before you click (press-and-hold on phones), and read the domain right-to-left from the first slash.
  • 03When in doubt, don't click — go direct. Type the site's address yourself and log in there.
  • 04Unexpected attachments and QR codes get verified with the sender through a channel you already trust.
  • 05Money moves get a phone call — to a number already on file, never one from the email. No exceptions, including the boss.
  • 06Gift card requests are always fraud. Always.
  • 07Different password for every account, kept in a password manager.
  • 08MFA on everything important — email first.
  • 09Never approve a login prompt you didn't cause. Deny it, change the password, report it.
  • 10If you clicked: disconnect, change the password from another device, and report immediately. Fast beats perfect, and nobody gets blamed for reporting.
The Honest Scope

What This Guide Covers — and What It Can't

Everything above hardens the human layer, which is where most attacks start — and it costs nothing but a team meeting. What it can't replace is the technical layer behind it: email filtering that stops most phishing before anyone sees it, patching that closes known holes, endpoint protection that catches what slips through, tested backups that turn ransomware from a catastrophe into a bad afternoon, and secured network devices — including, yes, the copiers and printers that quietly sit on your network with hard drives and firmware of their own. The human layer buys you fewer incidents; the technical layer decides how much the remaining ones cost.

Cover the Layer Your Team Can't

ABT's Managed IT Services handle the technical side — email security, patching, endpoint protection, backups, and network monitoring — with the same flat-rate, no-surprise-invoice approach as our print agreements. Share this guide with your team today; talk to us about everything it can't fix.