Phishing
Phishing is a fraud attempt in which attackers use fake messages, websites, QR codes, or phone calls to steal login credentials, money, or confidential information. This type of fraud is particularly relevant for SMEs because small teams often have to make quick decisions: approving an invoice, confirming a login, opening an attachment, or responding to a supposed request.
The core principle is always the same: people are manipulated through social engineering. They are pressured into taking an action they would not take if they considered it calmly. That is why, when working with SMEs, I do not treat digital security as a source of anxiety but as a structural issue: clear processes, trained staff, and basic technical safeguards often reduce risk more effectively than any single security product.
A phishing attack is not purely an IT problem. It is a process problem, a competence problem, and a trust problem all at once.
Recognizing phishing: typical forms and examples
Such attacks no longer arrive only as poorly written emails. Modern deception attempts are often professional, linguistically polished, and visually convincing. The German Federal Office for Information Security (BSI) points out that fake emails and websites are becoming increasingly professional-looking and can be identified, among other things, by unusual web addresses.
- Email phishing: A fake bank email asks you to "verify" your account.
- Spear phishing: A targeted message uses real names, projects, or supplier relationships from your company.
- Whaling: Attackers impersonate management and demand urgent payment approval.
- Smishing (SMS phishing): A parcel-delivery SMS contains a link to an alleged outstanding fee or a shipment-tracking page.
- Vishing (voice phishing): A caller impersonates support, a bank, a government agency, or an IT service provider.
- QR phishing: A QR code on a fake invoice leads to a manipulated payment or login page.
- Fake login page: A website that looks like Microsoft 365, Google, a bank, or a shop system but harvests the login data you enter.
Why phishing is so dangerous for SMEs
The Verizon 2024 Data Breach Investigations Report identifies the use of stolen login credentials as the most frequent initial access vector in data breaches, at 38%; phishing is the initial access vector in a further 15%. Login credentials are therefore a primary target of attacks.
ENISA, the European Union Agency for Cybersecurity, lists social engineering as one of the highlighted threat categories in its Threat Landscape 2024. For small businesses this is particularly critical, because a compromised email account often grants access to quotes, invoices, customer data, project information, and internal approvals, and because it lets the attacker send further convincing messages in the name of your company.
In practice, I often see that the problem is not a lack of goodwill. The problem is a lack of clarity. If nobody knows which reporting procedure applies, who checks payment authorizations, or how a suspicious domain is examined, people under time pressure make decisions alone.
How to recognize phishing in everyday life
If you want to check a suspicious message, do not judge it by its appearance alone. Check the context, the sender, and the requested action.
- Sender address: Does the actual email address match the well-known company, or is only the displayed name correct? Mail clients often show the display name prominently and hide the address.
- Domain: Does it really say "microsoft.com", or is it a look-alike variant with extra characters, a different ending, or the real name placed in front of a foreign domain?
- Pressure: Phrases like "immediately", "final warning" or "your account will be blocked" are meant to make you act faster than you can think.
- Payment request: Unexpected changes to bank details and urgent transfers always require a second check over a channel you already know.
- Attachments: Unexpected ZIP, Office, or PDF files may contain malware or macros; do not enable content on request.
- Login links: Do not log in via a link in a message. Open important services via saved bookmarks or your password manager instead.
- Process deviation: If a payment approval suddenly arrives by email instead of through the usual channel, that alone is a warning sign.
Phishing prevention: simple protective measures for small teams
Effective prevention combines technology, processes, and awareness. A Microsoft Research study concludes that multi-factor authentication reduces the overall risk of account takeover by 99.22%. For SMEs this means: two-factor authentication belongs on email accounts, cloud tools, website logins, accounting, and administrative access. Where possible, prefer phishing-resistant methods (security keys or passkeys) over SMS codes, which a fake login page can relay in real time.
- Enable two-factor authentication: Especially for email, website, payment services and central cloud accounts.
- Use a password manager: It only offers to fill a saved password on the exact domain it was stored for, so a look-alike domain gets no autofill, and it prevents password reuse across services.
- Define payment approvals: New bank details, large amounts and urgent transfers require confirmation over a second channel, for example a callback to a number you already have on file, never one taken from the suspicious message.
- Keep systems updated and backed up: This reduces the chance that a single click leads to malware or ransomware, and limits the damage if it does.
- Conduct awareness training: Not as an assignment of blame, but as joint practice on realistic everyday situations.
- Establish a reporting procedure: Everyone on the team needs to know whom a suspicious message is forwarded to and what happens next. Reporting a message that turns out to be harmless must never have negative consequences.
Digital security is part of cybersecurity, but it is also part of corporate culture. If you want to use digital tools more securely with your team, digital literacy is just as important as technical security. At Berger+Team, we combine such questions in strategic digitalization consulting with clear processes, website structures and clearly assigned responsibilities.
FAQ about phishing
What should I do if I've clicked on a suspicious link?
Do not delete the message or any files you received (they are evidence), but act systematically: if you entered a password, change it immediately, and only via the official website or your bookmark, never via the link in the message; sign out all active sessions for that account; check that the two-factor settings and registered devices or phone numbers still belong to you; and use the internal reporting channel. If bank details, customer data, or administrator access are affected, inform the bank, the person responsible for IT, and, if applicable, the data protection officer. If you only clicked the link and entered nothing, still report it so the device can be checked.
Is phishing a crime?
Phishing is generally used to commit fraud, identity theft, data theft, or unauthorized access, all of which carry legal consequences for the attacker. For you as an SME, the important points are: document suspicious messages, do not interact with them further, and, in case of damage, seek professional help or contact the authorities.
How can I recognize a fake domain?
Check the domain character by character, especially the part before the first forward slash (the host name), and read it from right to left: the last two labels are the domain that was actually registered. "login.microsoft.com.sicher-konto.example" is not Microsoft; it is a subdomain of the external domain "sicher-konto.example", and the attacker simply put "login.microsoft.com" in front of it.
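The checks from the "How to recognize phishing in everyday life" list and from this FAQ answer can be written down as a small script. The following example is added here for illustration and is not code from the original article or from Berger+Team; the allowlist of trusted domains, the sample URLs and the sample From: headers are constructed for the demonstration. It extracts the host name before the first slash, accepts it only if it is a trusted domain or a subdomain of one, flags host names that need Punycode (non-ASCII look-alike characters), and compares the display name of a sender against the real address domain.

```python
from urllib.parse import urlsplit
from email.utils import parseaddr

# Hypothetical allowlist: the domains this SME actually logs in to.
# Maintain your own; the article does not prescribe a list.
TRUSTED_DOMAINS = {"microsoft.com", "google.com", "example-bank.de"}


def host_of(url: str) -> str:
    """Return the lower-cased host: everything after '://' and before the first '/'.
    Links pasted without a scheme are treated as https so urlsplit can parse them."""
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def trusted_parent(host: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `host` belongs to, or None.
    Only an exact match or a suffix of '.' + domain counts, so
    'login.microsoft.com.sicher-konto.example' matches nothing."""
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def uses_idn(host: str) -> bool:
    """True if any label contains non-ASCII characters (a Cyrillic 'o' in 'micrоsoft',
    for example); such labels turn into 'xn--...' when IDNA-encoded."""
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return True  # cannot be encoded at all: treat as suspicious
    return any(label.startswith("xn--") for label in ascii_host.split("."))


def check_url(url: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Verdict for a link: trusted only if the host sits under an allowlisted domain
    and contains no look-alike (IDN) characters."""
    host = host_of(url)
    parent = trusted_parent(host, trusted)
    idn = uses_idn(host)
    return {"host": host, "matched": parent, "idn": idn,
            "trusted": parent is not None and not idn}


def check_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Compare the display name of a From: header with the real address domain.
    A display name that mentions a trusted brand while the address is not under
    that brand's domain is the classic 'only the displayed name is correct' case."""
    name, addr = parseaddr(from_header)
    addr_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    parent = trusted_parent(addr_domain, trusted)
    # Brand word = first label of each trusted domain ("microsoft" for microsoft.com).
    claimed = [d for d in trusted if d.split(".")[0] in name.lower()]
    mismatch = bool(claimed) and parent not in claimed
    return {"display_name": name, "address_domain": addr_domain,
            "matched": parent, "claims_brand": claimed,
            "display_name_mismatch": mismatch}


if __name__ == "__main__":
    # Constructed sample input, not real messages.
    for url in ("https://login.microsoft.com/common/oauth2",
                "https://login.microsoft.com.sicher-konto.example/reset",
                "microsoft.com.sicher-konto.example/login",
                "https://rnicrosoft.com/login",
                "https://micr\u043esoft.com/login"):  # Cyrillic 'о'
        print(url, "->", check_url(url))
    for hdr in ('"Microsoft Account Team" <noreply@m1crosoft-security.example>',
                '"Microsoft" <noreply@accountprotection.microsoft.com>'):
        print(hdr, "->", check_sender(hdr))
```

The suffix test is deliberately strict: "microsoft.com" appearing anywhere in the host is not enough, it must be the end of the host. That is exactly the check a password manager performs before it offers to fill a saved password, which is why autofill silently refusing to appear is itself a warning sign.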
What is the difference between spam and phishing?
Spam is usually unsolicited mass advertising, while phishing aims to steal login credentials, money, or confidential information. A spam message is annoying; a phishing message can lead to data loss, malware, or ransomware.
Why are SMEs affected by phishing?
SMEs often hold valuable data, handle real payment flows, and have short decision paths, but less formalized security processes than large organizations. That is why clear rules, simple verification steps, and a sound digital infrastructure help them in particular.
Sources
- Federal Office for Information Security (BSI): How do I recognize phishing emails and websites? — bsi.bund.de
- Verizon: 2024 Data Breach Investigations Report — verizon.com (2024)
- ENISA: Threat Landscape 2024 — enisa.europa.eu (2024)
- Microsoft Research: How effective is multifactor authentication at deterring cyberattacks? — microsoft.com