Phishing 101: the 10-minute training brief you can share with your team

Your team is your last line of defence.

Phishing 101 for staff

A 10-minute training brief you can share with your team, covering the four red flags that catch 95% of phishing emails.


Why this matters

More than 90% of cyber attacks on small businesses start with a phishing email. The good news: with 10 minutes of training, most people can spot the vast majority of them. This is the brief Letsma uses with our managed clients, designed to be read in a single tea break and shared with every staff member.

What phishing actually is

A phishing email is one designed to make you do something the sender wants (click a link, open an attachment, send money, reveal a password, change bank details) by pretending to be someone you trust. The most expensive ones target finance teams (“urgent invoice change”) or directors’ assistants (“the CEO needs gift cards now”).

The four red flags that catch 95% of phishing emails

🚩 Red flag 1: Urgency

“Pay this today or your supplier will cancel.” “Your mailbox will be deleted in 24 hours.” “Action required immediately.” Real businesses rarely need you to do something this minute. Urgency exists to switch off your critical thinking. Slow down.

🚩 Red flag 2: Mismatch between sender name and email address

The display name says “Sarah Mitchell, CEO” but the email address is sarah@gmail.com or sarah.mitchell@letsma-ltd.co (note the missing .uk). Always hover your mouse over the sender name to see the real address; on mobile, tap the name to expand it.

🚩 Red flag 3: Hover-link doesn’t match the visible text

The email says “click here to log in to Microsoft 365” but when you hover over the link, the real destination is microsoft-365-login.weird-domain.ru. Always hover before clicking β€” every desktop email client shows you the real link in the bottom corner.

🚩 Red flag 4: Unexpected attachments or money requests

“Please update our bank details for this Friday’s payment.” “Here’s the invoice you weren’t expecting.” “Open this DocuSign envelope.” If you weren’t expecting it, treat it as suspicious. Bank-detail changes especially should always be verified by phone using a number you already have on file, not the number in the email.
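Red flags 1 to 3 above are exactly the checks a mail filter can automate. The script below is an added example (not Letsma's tooling and not from the original brief): it parses a message, flags urgency wording in the subject, a display name paired with a webmail, lookalike or external sender domain, and a link whose visible text names Microsoft but whose destination is not a Microsoft domain. The trusted domain, brand domains, urgency phrases and both sample emails are constructed assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed configuration for the example (not from the brief): adjust to your own tenant.
TRUSTED_DOMAINS = {"letsma.co.uk"}
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
BRAND_DOMAINS = {"microsoft": ("microsoft.com", "microsoftonline.com", "office.com")}
URGENCY = ("action required", "immediately", "urgent", "24 hours")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample messages (not real emails): one showing red flags 1, 2 and 3,
# and one legitimate message that should pass clean.
SAMPLE_PHISH = """\
From: "Sarah Mitchell, CEO" <sarah.mitchell@letsma-ltd.co>
Subject: Action required immediately
Content-Type: text/html

<p>Please <a href="https://microsoft-365-login.weird-domain.ru/">click here to log in to Microsoft 365</a>.</p>
"""
SAMPLE_CLEAN = """\
From: "Sarah Mitchell" <sarah.mitchell@letsma.co.uk>
Subject: Minutes from Tuesday
Content-Type: text/html

<p>Minutes are in <a href="https://login.microsoftonline.com/">Microsoft 365</a> as usual.</p>
"""

def check_email(raw: str) -> list[str]:
    """Return one description per red flag found in an RFC 822 message."""
    msg, flags = message_from_string(raw), []
    subject = msg.get("Subject", "").lower()
    if any(p in subject for p in URGENCY):                        # red flag 1: urgency
        flags.append(f"urgency language in subject: {subject!r}")
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain and domain not in TRUSTED_DOMAINS:                  # red flag 2: sender mismatch
        kind = ("webmail" if domain in FREEMAIL else "lookalike"
                if any(domain.startswith(t.split(".")[0]) for t in TRUSTED_DOMAINS) else "external")
        flags.append(f"display name {name!r} but {kind} domain {domain}")
    body = msg.get_payload(decode=True).decode(errors="replace")
    for href, text in ANCHOR.findall(body):                       # red flag 3: link mismatch
        host = (urlparse(href).hostname or "").lower()
        text = re.sub(r"<[^>]+>", "", text).lower()               # strip tags inside the anchor
        for brand, domains in BRAND_DOMAINS.items():
            if brand in text and not any(host == d or host.endswith("." + d) for d in domains):
                flags.append(f"link text mentions {brand} but goes to {host}")
    return flags
```

Run `check_email(SAMPLE_PHISH)` to see three flags and `check_email(SAMPLE_CLEAN)` to see none; a production filter would also inspect Reply-To and authentication results headers, which this example leaves out.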

The “two-channel” rule for money or data requests

This single habit will save your business more money than any technology. If an email asks you to send money, change banking details or share sensitive information, verify it on a second channel before acting.

  • Pick up the phone using a number you already have, not one from the email.
  • Walk over to the colleague’s desk.
  • Send a Teams message to a known account.
  • Ask them a question only they would know the answer to.

Yes, it adds two minutes to the request. It also prevents the average £30,000 BEC (Business Email Compromise) loss we see hit small businesses.

What to do when you spot a phish

  1. Don’t click anything in the email.
  2. Don’t reply. Replying confirms your address is active.
  3. Report it using Outlook’s “Report Phishing” button (it’s built into Outlook on the web and the desktop app).
  4. Delete it.
  5. Tell IT if you clicked anything by accident: speed matters. A click reported in five minutes is recoverable; a click reported five days later usually isn’t.

What to do if you clicked or shared a password

Don’t panic and don’t hide it. Tell IT immediately. The faster we know, the faster we can:

  • Reset the affected password
  • Force a sign-out of every active session
  • Revoke any malicious app permissions granted
  • Check for forwarding rules added to your mailbox (a classic next step in BEC)
  • Confirm MFA is still in place

Reporting a click is never a disciplinary issue at well-run businesses. Hiding it is.

Things Letsma does for managed clients behind the scenes

  • Safe links and safe attachments: Microsoft Defender scans every link and attachment at click time, not just when delivered.
  • Impersonation protection: Microsoft 365 flags emails from people pretending to be your CEO or finance team.
  • External email tagging: every email from outside your organisation gets a visible “external” tag.
  • Quarterly phishing simulations: controlled, harmless test phishes that train your team without embarrassment.
  • Just-in-time micro-training: if a user clicks a simulated phish, they get a 90-second training video, not a telling-off.

The one-page printout

If you want a one-page summary of this post to print and stick on the kitchen wall, drop us a line and we’ll send you the branded PDF version.

“Letsma’s phishing simulations went from 23% click-rate to 4% over three quarters, and our finance team caught a real CEO-impersonation attempt last month using the two-channel rule.”

Finance Director, Reigate

Want a controlled phishing simulation for your team?

It takes 10 minutes to set up, runs invisibly over a week and gives you a board-ready report. Letsma includes one per quarter for managed clients.

