How to Spot a Phishing Email Before It Costs Your Business Thousands

by Jon Lober | NOC Technology

Your employees are going to receive a phishing email this week.


That's not a scare tactic. It's a statistical probability. The FBI's Internet Crime Complaint Center reported over $2.7 billion in losses from business email compromise in their annual report released in April 2025, and those are just the cases that got reported.

The emails are getting better, too. The days of "Nigerian prince" scams with broken English are long gone. Today's phishing emails look like invoice approvals from your accounting software, shared documents from a colleague's OneDrive, or password reset notices from Microsoft. They use your company's name. They reference real projects. And they land in inboxes at businesses in Chesterfield, MO just as often as they land anywhere else.

Here's the thing: most of these attacks don't succeed because of some sophisticated hack. They succeed because a busy person clicked a link without thinking twice. And that's actually good news, because it means the fix is education, not just technology.

What Phishing Actually Looks Like in 2026

Forget what you think you know about spam. Modern phishing falls into a few categories that every employee should recognize:

Business Email Compromise (BEC)

An email that appears to come from your CEO, CFO, or a vendor asking for a wire transfer, gift card purchase, or updated payment information. These often target accounting staff and office managers. The email address might be off by one character, or the attacker may have actually compromised someone's real account.

Credential harvesting

A fake login page for Microsoft 365, Google Workspace, your bank, or your industry-specific software. You click a link, see a login screen that looks exactly right, enter your password, and now someone else has it. These pages are often hosted on legitimate-looking domains and even have valid SSL certificates.

Malware delivery

An attachment or link that installs ransomware or a remote access tool on your computer. These often pose as invoices, shipping notifications, or shared documents. The file might be a PDF, a Word document with macros, or a ZIP file containing an executable.

Conversation hijacking

An attacker compromises one email account and then jumps into existing email threads with other people. Because the conversation is real and ongoing, the recipient has no reason to suspect the new message is malicious. This is one of the hardest types to detect because the context is legitimate.

The Red Flags That Give Phishing Away

No single indicator means an email is definitely phishing, but a combination of these should make anyone pause:

Urgency that doesn't make sense.

"Your account will be locked in 2 hours." "This invoice is past due and we're escalating to legal." "The CEO needs this handled before the board meeting today." Real business communications occasionally have deadlines, but phishing emails almost always manufacture false urgency to short-circuit your judgment.

The sender address doesn't match.

The display name might say "Microsoft 365 Support" but the actual email address is support@m1crosoft-alerts.com. Always check the full email address, not just the name. On mobile devices, you often need to tap the sender name to reveal the actual address.

Links that don't go where they claim.

Hover over any link before clicking it. If the text says "Sign in to Microsoft 365" but the URL points to something like login-microsoftonline.security-update.com, that's not Microsoft. On mobile, press and hold the link to preview the URL.

Unexpected attachments.

If you weren't expecting a document from this person, don't open it. Call them and ask. It takes 30 seconds and could save you weeks of recovery.

Something just feels off.

The tone isn't right. Your vendor doesn't usually email at 2 AM. The formatting is slightly different than normal. Trust that instinct. It's better to verify a legitimate email than to click a malicious one.
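As an added example (not code from the original article), the three checkable red flags above, sender address versus display name, link text versus actual link target, and the SPF/DKIM/DMARC results a receiving mail server records in the Authentication-Results header, written as a small Python triage script. The sample message, the allowlist of expected domains and the brand word list are constructed for this demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist: domains this business legitimately receives brand mail from.
EXPECTED_DOMAINS = {"microsoft.com", "microsoftonline.com", "noctechnology.com"}
# Brand words that, when they appear in link text, should lead to an expected domain.
BRAND_WORDS = ("microsoft", "office 365", "onedrive")

# Constructed sample message modelled on the red flags above (not a real email).
SAMPLE_EML = """\
From: "Microsoft 365 Support" <support@m1crosoft-alerts.com>
To: accounting@example.test
Subject: Your account will be locked in 2 hours
Authentication-Results: mx.example.test; spf=fail; dkim=none; dmarc=fail
Content-Type: text/html

<p>Sign in to keep access:</p>
<a href="https://login-microsoftonline.security-update.com/x">Sign in to Microsoft 365</a>
<a href="https://login.microsoftonline.com/">Microsoft sign-in help</a>
"""

def is_expected(host):
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)

def triage(raw):
    """Return the red flags found in a raw RFC 5322 message (empty list = nothing seen)."""
    msg = message_from_string(raw)
    flags = []
    # Red flag 1: display name vs. the real sender domain.
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if name and not is_expected(domain):
        flags.append(f"sender domain {domain!r} does not match display name {name!r}")
    # Red flag 2: link text names a brand but the href goes somewhere else.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        host = (urlparse(href).hostname or "").lower()
        if any(w in text.lower() for w in BRAND_WORDS) and not is_expected(host):
            flags.append(f"link text {text.strip()!r} points to {host!r}")
    # Red flag 3: the receiving server recorded an SPF, DKIM or DMARC failure.
    auth = msg.get("Authentication-Results", "")
    for check in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{check}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            flags.append(f"{check} result is {m.group(1)}")
    return flags

if __name__ == "__main__":
    for flag in triage(SAMPLE_EML):
        print("RED FLAG:", flag)
```

Run against the sample, the script reports the lookalike sender domain, the one link whose text claims Microsoft but leads elsewhere, and all three failed authentication checks, while the legitimate Microsoft help link is not flagged.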

 

Why Training Matters More Than Filters

Email security tools are essential. Multilayered cybersecurity should include spam filtering, link scanning, attachment sandboxing, and domain-based authentication like SPF, DKIM, and DMARC. These tools catch the majority of phishing attempts before they ever reach an inbox.

But "the majority" isn't "all of them." The emails that make it through the filters are the good ones. The ones that look right, come from legitimate-looking domains, and don't trigger any automated red flags. Those are the emails your team needs to be trained to recognize.



Security awareness training isn't a one-time event. It's an ongoing practice. The businesses in the greater St. Louis area that handle this well typically do a few things consistently:

Simulated phishing tests.

Send realistic fake phishing emails to your own team. Not to punish people who click, but to identify who needs more training and to keep awareness high. When employees know they might be tested, they look at every email a little more carefully.

Short, regular training modules.

Five to ten minutes per month is more effective than a two-hour annual session that everyone forgets by the following week. Focus on real examples, not abstract concepts.

A clear reporting process.

Make it easy for employees to report suspicious emails. A dedicated button in Outlook, a specific email address to forward to, or a quick Slack/Teams message to IT. If reporting feels complicated, people won't do it. If they feel like they'll be judged for false alarms, they won't do it either.

Leadership participation.

If the CEO and management team skip training, everyone else takes the cue that it's not important. The most effective programs have leadership going through the same simulations as everyone else.

What to Do When Someone Clicks


It's going to happen. Someone on your team will eventually click a phishing link or open a suspicious attachment. The speed and quality of your response determines whether it's a minor incident or a major breach.

Step 1: Don't panic, but act fast.

Have the employee disconnect from the network (unplug ethernet or turn off Wi-Fi) and contact IT immediately. The faster you isolate the affected machine, the less time an attacker has to move laterally through your network.

Step 2: Change credentials.

If they entered a password on a fake login page, change that password immediately. If they use the same password anywhere else (which they shouldn't, but often do), change those too. Enable multi-factor authentication on the compromised account if it wasn't already in place.

Step 3: Investigate scope.

Did the compromised account send any emails to other people? Were any files accessed or downloaded? Is there any evidence of the attacker moving to other systems? This is where having proper managed IT support matters, because your IT team should have monitoring tools that can answer these questions quickly.

Step 4: Document and learn.

What made this phishing email convincing enough to fool someone? Use it as a training example (anonymized, of course) for the rest of the team. Every incident is an opportunity to make the next one less likely.

Having a written incident response plan before something happens is what separates businesses that recover cleanly from businesses that scramble. If you don't have one, that's the single most important thing you can do after reading this.

The Business Case for Security Awareness

For businesses in Chesterfield and the surrounding communities, from the retail and restaurant operations along Clarkson Road to the professional services firms in Chesterfield Village, the math on security training is straightforward.

A decent security awareness training platform costs $3 to $8 per employee per month. A single successful phishing attack that leads to a wire transfer scam typically costs $50,000 to $250,000. A ransomware incident can cost multiples of that when you factor in downtime, recovery, potential data loss, and reputational damage.

The return on investment isn't theoretical. It's one of the clearest cost-benefit calculations in all of business IT.

And it's not just about the money. If your business handles sensitive data (client financials, patient records, legal documents, proprietary designs), a breach creates compliance issues, notification obligations, and potential legal liability. For businesses subject to CMMC, HIPAA, or other frameworks, security awareness training isn't optional. It's a documented requirement.

Getting Started

You don't need to overhaul everything at once. Start with three things:

1. Turn on multi-factor authentication for every account. Every single one. This alone stops the majority of credential-based attacks even when someone falls for a phishing email.

2. Set up simulated phishing tests. Most managed IT providers can deploy these through platforms like KnowBe4, Proofpoint, or Huntress SAT. They're low-effort to administer and high-impact.

3. Create a one-page incident response checklist. What do employees do if they think they clicked something bad? Who do they call? What steps does IT take? Print it out and post it somewhere visible.

If you want help evaluating where your business stands on phishing readiness, or you want to talk through what a security awareness program looks like for a company your size, reach out for a conversation. We work with businesses throughout the Chesterfield, West County, and greater St. Louis area, and we've seen the full range from "we've never thought about this" to "we have a program but it's not working." Both are fine starting points.

NOC Technology provides cybersecurity services and managed IT support from our office in Washington, MO. We serve businesses across the St. Louis metro area, including Chesterfield, Wildwood, Ballwin, Ellisville, and surrounding communities. Call us at 636.390.6621 or visit noctechnology.com.

Frequently Asked Questions

How often should we do phishing simulations?

Monthly is the sweet spot for most businesses. That's frequent enough to keep awareness high without creating "simulation fatigue." Vary the types of phishing emails you send (credential harvesting one month, BEC the next, malware attachment after that) to cover different attack vectors. Track click rates over time. You should see a steady decline as your team gets better at spotting the fakes.

What's the best security awareness training platform?

KnowBe4, Proofpoint Security Awareness, and Huntress SAT are all solid choices for small to mid-size businesses. The "best" one depends on your budget, your existing security stack, and how much customization you want. Your managed IT provider can help you evaluate which platform integrates best with your environment and provides the reporting you need.

Can multi-factor authentication really stop phishing?

MFA stops the most common outcome of phishing: stolen credentials being used to log into your accounts. If an employee enters their password on a fake site, the attacker still can't log in without the second factor (usually a phone notification or authenticator code). It's not perfect. Advanced "adversary-in-the-middle" attacks can intercept MFA tokens in real time, but these are significantly more complex and less common. MFA remains the single most effective defense against credential theft.

Should we punish employees who click phishing simulations?

No. Punishment creates a culture where people hide mistakes instead of reporting them. If someone is afraid of getting in trouble for clicking a phishing link, they won't tell IT when it happens for real, and that delay is where the real damage occurs. Use failed simulations as training opportunities. If someone clicks repeatedly, they need more targeted training, not discipline. The goal is a culture where reporting suspicious emails is encouraged and normalized.

How much does a phishing attack actually cost a small business?

Direct costs vary widely. A wire transfer scam might cost $25,000 to $500,000 depending on what was sent before it was caught. Ransomware incidents average $150,000+ in recovery costs for small businesses, plus days or weeks of downtime. Beyond the direct costs, factor in potential regulatory fines, client notification requirements, increased insurance premiums, and lost business from reputational damage. For most businesses with 20 to 100 employees, a serious phishing-related breach costs $100,000 to $300,000 when all factors are included.