Phishing: how to protect your small business

Protecting your customer and employee data might seem easy, but with different hacking techniques coming into play on a daily basis, it’s becoming increasingly difficult to know if you are emailing Helen the HR Assistant or Sam the Scammer. But never fear. There are ways to stay vigilant and things to look out for so you can sleep easy.

Without vigilance, there’s a risk that you could walk into the office one day to find files deleted, cards maxed out, and no money left.

With the increase in staff working from home during the COVID-19 pandemic, 2020 brought a new wave of attacks in both volume and sophistication, with one small business in the UK being successfully hacked every 19 seconds.

Every day there are around 65,000 attempts to hack small businesses, and around 4,500 suspicious emails are opened and their links clicked, handing scammers personal details and access to sensitive systems.

It’s very clear that we all need to have our wits about us, but what should we look for in our inboxes, and what can we do to avoid being caught out by a phishing attack?

But first…


What is phishing?

Not to be mistaken for the leisurely weekend activity, phishing is when criminals use scam emails, texts or phone calls to get hold of sensitive or confidential information. How? By tricking the recipient into believing they are dealing with someone they know or trust, such as a colleague, a bank or a supplier.

For example, in August 2021 Microsoft issued a warning about phishing emails impersonating its file-sharing platform SharePoint. Recipients were asked to review and sign a SharePoint document.

This scam was hard to spot and many people fell for it, sharing confidential files, private information and more, causing some serious breaches and a lot of unhappy customers. How did it work? The SharePoint link looked exactly like the real thing, while the email message that carried it was poorly written. Readers were so focused on the link that they didn’t stop to read the message properly and were only too happy to send information across.

And if you are not careful, there’s a risk of being conned out of £35,000 just like Julia Whittaker, who clicked on a text about a fee for a parcel (supposedly) from Royal Mail… and ended up with criminals emptying her bank account!

Email phishing is increasingly popular with cyber criminals: one in every 3,722 emails in the UK is a phishing attempt, 20% higher than the global average.

And with the number of emails that flow into your inbox each day, being careful about what you are clicking on, downloading or even replying to has never been more important.


What can you do to avoid phishing emails?

  1. Install security software

You wouldn’t leave your door open for a burglar to walk straight in, and the same applies to your work inbox.

Email security software on every employee mailbox (spam and phishing filtering, plus scanning of links and attachments) is your first line of defence: it can block or quarantine messages from unknown or suspicious addresses before anyone has the chance to click.

That alone could stop you becoming the latest victim of the bogus emails impersonating QuickBooks that are doing the rounds this year, which trick people into handing over bank details, NI numbers and other payroll information to some very bad people.


  2. Password policies

We know that people find changing passwords annoying. If you haven’t had any issues with it, why would you change it, right?

Wrong! An old or reused password can be one of the easiest ways for hackers to get into your accounts and grab your data.

But how do these hackers get our passwords in the first place? There are a few ways these clever criminals can get them, including:

  • Guesswork – The most common password of 2020 was “123456”, followed by “123456789”, with the one and only “password” at number four. Guessing from a short list like that gets an attacker into a lot of accounts instantly.
  • Malware – Phishing emails are the usual delivery route: a malicious attachment or link installs software that records what you type or lifts saved passwords from your browser. You can also pick it up by clicking a malicious advert online (malvertising) or by visiting a compromised website.
  • Credential stuffing – Hackers feed large volumes of usernames and passwords leaked in earlier breaches into automated tools that try them against other websites, looking for anyone who reused the same password.

If a password has been exposed in a breach and you keep using it, this is exactly how it comes back to bite you. Once a hacker has one working username and password, they can quickly try the same pair on dozens of other login portals, hundreds of attempts in a matter of minutes, and any account where you reused it is theirs.

And don’t forget, this goes for personal accounts as well. Using the same password for your Amazon account and your QuickBooks account is a recipe for disaster.

Here are our password dos and don’ts:

Don’t:

  • Use the word ‘password’ or a variation like ‘Password1’. Anyone could guess it in seconds, never mind a determined attacker, and be straight into your accounts.
  • Use your own name, or the name of anyone you know.
  • Use common words on their own like ‘princess’ or ‘dragon’, or number sequences such as ‘1234567’. These are the first passwords any cracking tool tries.
  • Use common phrases like ‘iloveyou’ or ‘arsenalarethebest’; these are just as guessable.


Do:

  • Use a mix of uppercase, lowercase, special characters and numbers to make a strong password. This makes it far harder for hackers to get into your accounts, because the number of combinations is enormous.
  • Choose something you’ll remember but mix it up. Say your favourite footballer is Juan Mata Garcia. Instead of ‘juanmatagarcia’, try ‘ju@nM4ta9arc!a’. Bear in mind that cracking tools try swaps like ‘@’ for ‘a’ and ‘4’ for ‘a’ automatically, so length matters more than substitutions: three unrelated words strung together (the NCSC’s recommendation) beat a short word with a few symbols swapped in.
  • Create different passwords for different logins and accounts. We know first-hand that it can be annoying having to remember which password goes with which site; a password manager takes that job off you. Either way, spending five minutes finding your Xero password is far better than having someone get into your accounts in seconds and cause all kinds of chaos.
  • Whatever you decide, don’t write it down!

The more random the better! We also recommend creating a password policy so all your staff can be aware of what is expected and that you will be reminding them to keep their passwords fresh.

Check out the most popular passwords of 2022 here and see if you might need to change your current password pronto.


  3. Multi-factor authentication

Many of us are working from home far more than we used to, but that doesn’t stop hackers trying their luck, so having two-factor authentication (2FA) in place is a good preventative measure. 2FA adds a second step to your login: after the password, you confirm the sign-in with something else you hold, usually a code or prompt on a different device such as your smartphone. It may feel like a pain to prove it’s you twice, but it can save you a great deal in the long term.

If an attacker guesses or phishes your password but is then hit with that second barrier, they aren’t getting in. Two caveats: a code sent by text message can itself be phished or intercepted, so an authenticator app or a hardware security key is the stronger choice, and no second factor stops you being talked into authorising a payment yourself. 2FA also supports your GDPR duty to keep personal data secure, because a stolen password on its own no longer exposes the data, which reduces the chance of a reportable breach and the fines that can follow.


  4. Be a vigilant whale

It’s not just your employees getting these emails. As a small business owner you are a prime target for email scams aimed at senior people, known as ‘whale phishing’ or whaling.

In 2017, the owner of a real estate company in Seattle responded to an email from his business partner about transferring money into a bank account, as they had supposedly agreed. “The cadence and timing of the email was so normal that it wasn’t suspicious at all,” he told NPR. It was only when the partner later asked about the money that he realised his mistake. The email had been a whale phishing attack. $50,000, gone.

You are the biggest fish in your company’s pond: you can authorise payments and you know everything there is to know about the business. That’s why you may be targeted more than your employees, so watch out.


  5. Be aware of spoofing

Spoofing might sound like something out of Ghostbusters, but it can be disastrous for your small business. Why? Because it exploits human error and our tendency to reply quickly without reading everything properly. Let’s face it, we are all busy, and running a business means juggling a thousand things at once.

But what is spoofing?

Spoofing is when an attacker contacts you from an email address that looks almost identical to a real one: a near-copy of your own company’s domain, or of a bank’s, a client’s or a supplier’s. They hope you won’t notice the difference and will willingly hand over bank details or personal data because, at a quick glance, it looks real.

Imagine you have an event coming up. You’ve advertised all over social media that you’re going, and now you need to order merch. You receive an email from Megan in Marketing saying she’s found some great bottles to buy, but she needs the card details to process the payment and place the order.

The request could well be genuine, but the address it came from may not be Megan’s at all. Check the sender’s address character by character, not just the display name, and confirm any request for card details or a payment with Megan in person or by phone before you act.
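To make the ‘crafty email addresses’ concrete, here is an added example (not code from the citrus HR post) of the kind of check that the email security software mentioned under ‘Install security software’ performs, and that you can apply by eye to any sender address: it parses the From: header of a message and flags domains that imitate your own through look-alike characters, typos, a swapped top-level domain, your domain buried inside a longer one, or a display name that borrows your business name while the address belongs to someone else. The business domain acmeplumbing.co.uk and every sample header are constructed for the illustration.

```python
"""Flag look-alike sender addresses in email From: headers.

Added example, not code from the original citrus HR post. The business
domain and every sample header below are constructed for illustration.
"""
from email.utils import parseaddr
import unicodedata

# Assumption: the small business's own email domain (constructed, not real).
OUR_DOMAIN = "acmeplumbing.co.uk"

# Digit and symbol swaps commonly used to imitate a domain (not exhaustive).
_CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "@": "a", "$": "s", "|": "l", "!": "i",
})


def normalise(domain):
    """Lower-case the domain, strip accents ('í' -> 'i') and map look-alike
    characters back to the letters they imitate, so that 'acrnep1umbing'
    and 'acmeplumbing' compare equal."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    folded = folded.replace("rn", "m").replace("vv", "w")
    return folded.translate(_CONFUSABLES)


def levenshtein(a, b):
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, our_domain=OUR_DOMAIN):
    """Return (verdict, reason) for the raw value of a From: header.

    verdict is 'internal', 'lookalike', 'suspicious' or 'external'.
    """
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "suspicious", "no parseable email address"
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    our = our_domain.lower()

    # Genuine mail from the business, including subdomains such as mail.<our>.
    if domain == our or domain.endswith("." + our):
        return "internal", "sender domain is ours"

    # Our domain buried inside a longer one: acmeplumbing.co.uk.invoices.example
    if our in domain:
        return "lookalike", f"{domain} embeds {our} but is a different domain"

    # Character-for-character imitation: acrnep1umbing.co.uk
    if normalise(domain) == normalise(our):
        return "lookalike", f"{domain} imitates {our} with look-alike characters"

    # Typo-squats and top-level-domain swaps: acme-plumbing.co.uk, acmeplumbing.com
    our_name = normalise(our).split(".")[0]
    their_name = normalise(domain).split(".")[0]
    if levenshtein(our_name, their_name) <= 1:
        return "lookalike", f"{domain} is within one edit of {our}"

    # Display name borrows the business's name while the address is elsewhere.
    if our in display.lower() or our_name in display.lower().replace(" ", ""):
        return "lookalike", f"display name {display!r} suggests {our} but address is {addr}"

    return "external", "unrelated domain"


# Constructed sample headers: one genuine colleague, one genuine subdomain,
# four variations on the 'Megan in Marketing' trick, one ordinary external sender.
SAMPLE_HEADERS = [
    "Megan Jones <megan.jones@acmeplumbing.co.uk>",
    "Megan Jones <megan.jones@mail.acmeplumbing.co.uk>",
    "Megan Jones <megan.jones@acrnep1umbing.co.uk>",
    "Megan Jones <megan.jones@acme-plumbing.co.uk>",
    "Megan Jones <megan.jones@acmeplumbing.co.uk.secure-invoices.example>",
    "Acme Plumbing Accounts <acme.accounts@gmail.com>",
    "Amazon <no-reply@amazon.co.uk>",
]


def scan(headers=SAMPLE_HEADERS, our_domain=OUR_DOMAIN):
    """Classify every header; returns a list of (header, verdict, reason)."""
    return [(h, *classify_sender(h, our_domain)) for h in headers]


if __name__ == "__main__":
    for header, verdict, reason in scan():
        print(f"{verdict:10} {header:70} {reason}")
```

Two caveats on what this does and does not catch. A check on the visible address only spots imitations of your domain; it cannot tell you whether a message showing your exact real domain was forged, which is what publishing SPF, DKIM and DMARC records for your domain is for, and which most email security software checks for you. And the final rule will also flag legitimate third-party services that put your business name in the display name, which is the right outcome for a small business: anything that looks like it came from you but didn’t deserves a second look.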


  6. Avoid sending sensitive or personal information via email

Have you ever received a dodgy call from a mobile number claiming they are HSBC and need your password? Maybe you don’t bank with HSBC. If you do, you know they’d never phone you and ask for your password.  Either way, you hang up.

We don’t give that kind of information over the phone. And the same applies to email.

We never like to tell you what to do, but we strongly recommend not sending sensitive or personal information by email, whether that’s your employees’ bank details, the details of the clients you are invoicing or anything in between. Avoiding it altogether protects you and your employees from some very dangerous, and potentially expensive, repercussions.

These are just a few ways you can prevent phishing emails from causing major issues in your small business and increase the protection you have over your data. And it means more than just protecting your money. It protects your employees, your clients, and your business’s reputation.

Here at citrus HR, we practise what we preach and treat the security of your data as a top priority.

All our customers can enable the use of two-factor authentication in addition to the usual username and password login to provide an extra layer of security.


