The Low-Hanging Fruit: A Practical Security Guide for Every Employee
Most successful attacks on small and mid-size businesses don't break through the firewall — they walk through the front door when someone clicks a link, approves a login prompt, or wires money to a "vendor." The good news: the habits that stop those attacks are simple, free, and learnable in one read. This guide is written to be shared with your entire team.
Attackers Don't Hack In. They Log In.
The large majority of security incidents involve a human element — a click, a reply, a credential typed into the wrong page. That's not because employees are careless; it's because tricking a person is cheaper and more reliable than defeating technology, and attackers run it like a volume business: thousands of convincing emails, waiting for the one busy person on the one busy afternoon.
Two implications follow. First, "I'm too small to be a target" is backwards — small businesses are targeted because they combine real money with fewer defenses. Attackers don't pick you; their software does, indiscriminately. Second, the goal isn't turning your staff into security experts. It's installing a handful of reflexes — pause on urgency, verify money moves by phone, never approve a login you didn't start — that break the attack chain at its cheapest point.
Spotting Malicious Links and Phishing Emails
Phishing works by manufacturing a feeling — urgency, fear, curiosity, authority — strong enough to override the two-second pause that would expose it. So the defense starts with the feeling, not the technology: the more an email pressures you to act right now, the more it deserves a slow look.
Manufactured Urgency
"Your account will be suspended in 24 hours." "Payment failed — update immediately." Legitimate organizations rarely operate at gunpoint. Urgency is the tell, not the reason to comply.
The Sender Doesn't Match
The display name says a company you know; the actual address behind it is a jumble or a public domain. On phones, tap the sender name to reveal the real address — display names are freely fakeable.
Unexpected Context
An invoice from a vendor you don't use, a shipping notice for nothing you ordered, a shared document from someone who never shares documents. Unexpected is the flag — even when the email itself looks flawless.
Generic + Perfect Is Still Suspect
The old advice — look for typos — is obsolete. Modern phishing is polished and personalized. Judge emails by what they ask you to do, never by how professional they look.
The Hover Habit — Reading a Link Before You Click It
On a computer, hover the mouse over any link without clicking — the true destination appears in the bottom corner of the window. On a phone, press and hold the link to preview it. Then read the domain the right way: the part that matters is the last chunk immediately before the first single slash.
https://microsoft.com/security/login ← really Microsoft https://microsoft.com.Attackers stack the real brand's name in front of their own domain, betting you'll read left-to-right and stop early. Read the domain right-to-left from the first slash and the trick collapses. When in doubt, don't click the link at all — type the site's address yourself or use your bookmark, and log in there. If the alert was real, it'll be waiting in your account.
Invoice, Wire, and Gift Card Fraud
The costliest attacks on SMBs often involve no malware at all — just a convincing email asking someone in finance or leadership's orbit to move money. Three classic shapes:
"Our Banking Details Changed"
A known vendor — or an attacker inside the vendor's compromised email — sends new payment instructions before an expected invoice. Everything about the thread looks legitimate because the thread is legitimate; only the account number is the lie.
The Executive Request
"It's [the owner]. I'm in a meeting — need you to handle a payment quietly and quickly." Authority plus urgency plus secrecy is the exact fingerprint. Real executives can survive a confirmation call.
The Gift Card Errand
Any request to buy gift cards and send the codes — for clients, for a party, for anything — is fraud. Full stop. There is no legitimate business version of this errand.
The Rule That Beats All Three
Verify out-of-band. Any request to send money, change payment details, or share sensitive data gets confirmed by calling a number you already have on file — never a number or link from the email itself, which the attacker also wrote.
Passwords, MFA, and the Login Prompt You Didn't Ask For
Reused passwords are the quietest risk in any company: one shopping site gets breached, and the same email-plus-password combination gets tried against your business email automatically. Three habits close the door:
-
Use a Password Manager — and Stop Memorizing
A password manager generates and remembers a different strong password for every account, so one breached site never unlocks another. You memorize exactly one master password. Browsers' built-in managers are acceptable; a dedicated manager is better for a business. Either beats the spreadsheet, the sticky note, and the one-password-everywhere habit by miles.
-
Turn On MFA Everywhere That Matters
Multi-factor authentication — the code or approval prompt after your password — is the single highest-value security setting that exists, because it makes a stolen password insufficient by itself. Priority order: email first (whoever controls email can reset everything else), then banking, payroll, and file storage. App-based codes or push approvals beat text messages, but any MFA beats none.
-
Never Approve a Prompt You Didn't Cause
Attackers with a stolen password will trigger MFA prompts repeatedly, hoping you'll tap "Approve" out of annoyance or assume it's a glitch — the "MFA fatigue" attack. The rule is absolute: an approval prompt you didn't just cause means someone has your password right now. Deny it, change that password, and tell whoever handles your IT — immediately.
You Clicked. Now What? (The First 10 Minutes)
Someone in your company will eventually click something bad — attackers only need to win once, and they send thousands of chances. What separates a near-miss from a disaster is almost always speed of reporting, and the enemy of speed is embarrassment.
-
Stop and Disconnect
Don't enter anything further, don't click "OK" on new popups. If you opened an attachment or a program started installing, disconnect the computer from the network — turn off Wi-Fi or unplug the cable. Don't power the machine off unless told to; whoever investigates may need it running.
-
If You Typed a Password, Change It — From Another Device
Change that password immediately, and anywhere else the same password is used (this is the moment password reuse becomes an emergency). Use a different, clean device to do it. If the account has MFA, review recent sign-ins and sign out all sessions if the option exists.
-
Report It — Fast and Without Shame
Tell your manager and whoever handles your IT right now, with specifics: what the email said, what you clicked, what you entered. Minutes matter — a reported click gets contained; a hidden one becomes next month's incident. If money moved, also call your bank immediately; rapid recall of fraudulent wires is sometimes possible in the first hours and rarely after.
The 10-Rule Team Checklist
The whole guide, compressed to what fits on a wall:
- 01Urgency is the red flag. The harder an email pushes, the slower you go.
- 02Hover before you click (press-and-hold on phones), and read the domain right-to-left from the first slash.
- 03When in doubt, don't click — go direct. Type the site's address yourself and log in there.
- 04Unexpected attachments and QR codes get verified with the sender through a channel you already trust.
- 05Money moves get a phone call — to a number already on file, never one from the email. No exceptions, including the boss.
- 06Gift card requests are always fraud. Always.
- 07Different password for every account, kept in a password manager.
- 08MFA on everything important — email first.
- 09Never approve a login prompt you didn't cause. Deny it, change the password, report it.
- 10If you clicked: disconnect, change the password from another device, and report immediately. Fast beats perfect, and nobody gets blamed for reporting.
What This Guide Covers — and What It Can't
Everything above hardens the human layer, which is where most attacks start — and it costs nothing but a team meeting. What it can't replace is the technical layer behind it: email filtering that stops most phishing before anyone sees it, patching that closes known holes, endpoint protection that catches what slips through, tested backups that turn ransomware from a catastrophe into a bad afternoon, and secured network devices — including, yes, the copiers and printers that quietly sit on your network with hard drives and firmware of their own. The human layer buys you fewer incidents; the technical layer decides how much the remaining ones cost.
Cover the Layer Your Team Can't
ABT's Managed IT Services handle the technical side — email security, patching, endpoint protection, backups, and network monitoring — with the same flat-rate, no-surprise-invoice approach as our print agreements. Share this guide with your team today; talk to us about everything it can't fix.