Spot the phish before it spots you.
Scammers are clever, persistent, and they've already picked a target. Hint: it's you. Good news — we see their tricks every day, and we'll send you one plain-English tip a week so you can spot them too.
Anatomy of a phish
Would you click this?
This email looks legit at a glance. Look closer — there are six red flags hiding in plain sight. Our weekly tips teach you to spot them in seconds.
Microsoft Account Team
<billing@.com>
to: customer@yourcompany.com
⚠️
We detected unusual sign-in activity on your Microsoft 365 account from an unrecognized device. To keep your account secure, we have temporarily restricted access.
You must verify your identity within 24 hours or your account will be permanently suspended. All emails, files, and shared documents will be deleted.
If the button doesn't work, copy this link into your browser: http://acct-verify-ms365.support-portal-login.com/auth/verify?id=u827
Thank you for your prompt attention to this matter.
— The Microsoft Account Team
This is an automated message. Please do not reply.
What's in every email
Short, useful, never scary.
What's hitting NJ inboxes this week
Real threats our team is blocking across NJ, NY, PA, and MD — not generic industry noise.
The giveaway signs
The exact red flags so you (and your team) stop the scam in the 5 seconds before a click.
Plain English, no FUD
No fearmongering, no acronyms you need to Google. Just what to do, and why it matters.
The archive
52 tips, grouped by what they protect.
A full year of plain-English cybersecurity for small and mid-sized businesses. Jump straight to what you need.
Phishing (9 tips)

Stop clicking links in emails.
Most cyberattacks start with a simple click. Here's why the click matters more than the email, and the one habit that stops most of them.

Spot the urgency trick in phishing emails.
If an email is pressuring you to act right now, slow down. Urgency is the most common phishing tactic because it bypasses the part of your brain that thinks critically.

Quishing: the QR code scam.
QR codes skip every anti-phishing filter because they're just images. A second of skepticism with your phone camera is worth millions in prevention.

Malvertising: when ads attack.
That "sponsored" result at the top of Google? It might not lead where you think. Malvertising is now a top way businesses get malware.

Spear phishing vs. phishing.
A generic phish is a shotgun blast. A spear phish is sniper fire — tailored to you, your company, and what you care about. The defenses are different.

Phishing text messages (smishing).
SMS phishing skips your spam filter, lands on your phone, and exploits your trust in a small screen. Here's how to spot and ignore it.

Holiday scam season.
Attackers exploit holidays — shorter staffing, distracted people, out-of-office replies. Here's what to expect and how to brace for it.

Phishing year in review.
What phishing tactics worked this year, what got old, and what to train your team on for next year. A quick annual review.

The 5 habits that beat every scam.
52 tips condensed into 5 habits. Master these and you'll be in the top 5% of small businesses for practical cybersecurity.

Passwords & MFA (5 tips)

Why multi-factor authentication matters.
Microsoft found that MFA blocks 99.9% of automated account takeover attempts. If you haven't turned it on yet, this is the single highest-leverage move you can make.

The password manager habit.
Nobody has the memory to use 40 unique strong passwords. A password manager gives you that superpower in about ten minutes of setup.

Why SMS-based MFA is not enough.
SMS codes are better than no MFA — and worse than you think. SIM swapping quietly bypasses them, especially for high-value targets.

Password manager family plans.
Protecting your family's accounts protects your business. One compromised personal account can cascade straight into the company.

MFA fatigue attacks.
Attackers with your password just spam your phone with MFA prompts until you approve one out of exhaustion. Number-matching kills it.

Ransomware (7 tips)

Ransomware starts small.
Ransomware doesn't arrive with sirens. It arrives as one boring email, one click, one moment of trust — and then spreads quietly for days before the lock.

What happens when you get breached.
A realistic walkthrough of the first 30 days after a breach — the calls, the costs, the clients, and what you wish you'd done sooner.

The ransomware first-hour playbook.
What you do in the first 60 minutes of a ransomware event determines whether it's a bad week or a bad year. Here's the playbook.

Tabletop-drill your incident plan.
You don't know if your incident plan works until you test it. A tabletop exercise costs two hours and saves weeks during a real event.

The ransomware playbook for owners.
The owner's job in a ransomware event isn't to fix anything. It's to make the hard decisions — communication, legal, financial — fast and well.

The real cost of a breach.
The ransom number is the smallest part of the total. Here's what actually hits your P&L when a breach lands.

What 2027 looks like for cybersecurity.
AI-driven attacks, deepfake scams, and more automated reconnaissance. Here's what to expect and what to do about it — without panicking.

Remote & mobile (4 tips)

Your public Wi-Fi is not safe.
Hotel, airport, and coffee-shop Wi-Fi are still hunting grounds. Your phone's hotspot or a business VPN is a two-minute fix that shuts them down.

The remote worker security checklist.
Your employee's home network is now part of your company's security perimeter. Here's the ten-item checklist that actually protects it.

Your laptop was just stolen — what now?
A stolen laptop is a breach waiting to happen. The four things you do in the next 30 minutes decide whether it's a property loss or a data incident.

BYOD rules you should have.
Personal phones with work email are a policy minefield. A few clear rules protect your data without making employees miserable.

Data protection (5 tips)

Backup basics that actually work.
Most small businesses have backups. Far fewer have backups that actually restore. Here's the 3-2-1 rule and the test that separates real from theater.

Encrypt before you send.
Emailing sensitive files in the clear is still the #1 way data leaks from small businesses. Encryption takes thirty seconds and zero training.

Data classification in 10 minutes.
You don't need a 40-page policy. Three labels — Public, Internal, Confidential — cover most of what small businesses actually need.

Retention policies that protect you.
Keeping data forever feels safe and isn't. A written retention policy cuts your breach exposure and your legal discovery costs.

Encrypted messaging for teams.
Slack, Teams, and SMS are not built for sensitive communication. When it matters, use a tool that actually protects the content.

Compliance (4 tips)

HIPAA basics for small teams.
You don't need a compliance department to run a HIPAA-aware practice. Five controls handle most of what regulators actually care about.

PCI basics for accepting cards.
You don't need a CISO to handle PCI compliantly. Five practical habits cover most of what small businesses accepting cards actually need.

Cyber insurance questions to ask.
Not all cyber insurance actually covers a cyber event. Here are the questions to ask your broker before you need the policy.

NIST CSF for small teams.
NIST's Cybersecurity Framework sounds intimidating. Stripped down for small businesses, it's six plain-English functions you can audit yourself.

Insider threats (3 tips)

The dangers of shared logins.
Shared accounts feel convenient. They destroy audit trails, leak with every turnover, and turn one small breach into a company-wide incident.

Why admin rights matter.
Every employee running as a local admin is one bad click away from company-wide compromise. Least privilege is free and astonishingly effective.

Offboarding: the checklist.
The day an employee leaves is the day your security posture gets tested. A written offboarding checklist turns a weak spot into a non-event.

Cloud & SaaS (7 tips)

Microsoft 365 settings every business should turn on.
Microsoft 365 ships with insecure defaults. Five settings take under an hour and shut the door on the most common cloud attacks.

Shadow IT is hurting your business.
Every month, employees sign up for tools you don't know about. Shadow IT leaks data, breaks compliance, and multiplies your attack surface.

SaaS password hygiene.
Your employees use 80+ SaaS tools. Reused passwords across any of them turn one small breach into a company-wide incident. Here's how to fix it.

The one report to check weekly.
If you only check one security report, make it the Microsoft 365 sign-in log. Five minutes a week catches compromises before they cost you.

AI tools and data leakage.
AI tools are powerful — and not as private as people assume. What you paste into them can be stored, logged, or used to train the model.

Browser extensions are a security risk.
That extension you installed five years ago can be sold, updated, or hijacked into malware overnight — and you'd never know until it already happened.

The OAuth app you forgot about.
Every time an employee clicks "Sign in with Microsoft" or "Sign in with Google," they grant a third-party access. Years later, those grants are still live.