Small Business Cyber Hygiene Series: Part 6: Defend Your Inbox (Phishing & Email Security)

Introduction

Email is the front door to your business and your digital life. Attackers know it. Most cyberattacks begin with a phishing email designed to trick someone into clicking a link, opening an attachment, or giving up a password. These attacks are cheap, effective, and increasingly sophisticated.

The good news: with a few simple habits and settings, you can dramatically reduce your risk—whether you’re running a business or protecting your personal inbox.

Why Email Security Matters

Phishing is the most common attack method used against small businesses. It’s easy for attackers to impersonate vendors, banks, coworkers, or even your own email system.

A single successful phishing email can lead to:

  • Ransomware
  • Stolen passwords
  • Financial fraud
  • Unauthorized access
  • Data breaches

Strong email security:

  • Blocks malicious messages
  • Helps employees spot suspicious activity
  • Reduces the chance of account takeover
  • Supports compliance with NIST CSF, CIS Controls, and FTC Safeguards

Email security is foundational cyber hygiene — and it’s achievable for any small business.

What Good Email Security Looks Like

A small business with strong email security typically has:

  • MFA enabled for all email accounts
  • Spam and phishing filters turned on
  • Alerts for unusual sign‑ins
  • A simple process for reporting suspicious messages
  • Employees trained to recognize phishing attempts

These practices dramatically reduce risk with minimal effort.

How to Defend Your Inbox (Step‑by‑Step)

1. Learn to Spot Phishing

Phishing emails often look legitimate — but they usually contain subtle clues.

Common red flags

  • Unexpected attachments
  • Urgent or threatening language
  • Requests for passwords or sensitive info
  • Misspelled domains (e.g., “micros0ft.com”)
  • Links that don’t match the sender
  • Messages claiming your account is “about to be closed.”

Hover before you click

Always hover over links to see where they really go.

When in doubt, verify

Call the sender directly using a known phone number — not the one in the email.

2. Turn On Email Security Features

Most email platforms include built‑in protections — they just need to be enabled.

Microsoft 365 / Google Workspace

  • Enable MFA
  • Turn on spam and phishing protection
  • Block executable attachments
  • Enable alerts for unusual sign‑ins
  • Disable legacy authentication

Bonus protections

  • Enable “safe links” or “link scanning”
  • Enable “safe attachments” or sandboxing
  • Require admin approval for new email rules

These settings stop many attacks before they reach your inbox.

3. Protect Against Business Email Compromise (BEC)

BEC attacks impersonate executives, vendors, or employees to trick someone into sending money or sensitive information.

Common BEC scenarios

  • Fake invoice from a vendor
  • “Urgent” wire transfer request
  • CEO asking for gift cards
  • Request to change payroll direct deposit

How to prevent BEC

  • Require MFA for all email accounts
  • Use financial approval workflows
  • Verify payment changes by phone
  • Monitor for suspicious email‑forwarding rules

BEC attacks are preventable with simple checks.

4. Handle Suspicious Emails Safely

When something feels off, slow down.

Do NOT

  • Click links
  • Open attachments
  • Reply to the sender
  • Forward the message internally

Do

  • Report it using your email’s “Report Phishing” button
  • Notify your manager or IT support
  • Delete the message if confirmed malicious

If you clicked something, act quickly — early response limits damage.

5. Secure Your Email Accounts

Even the best filters can’t stop everything.

Minimum protections

  • MFA enabled
  • Strong, unique password
  • Alerts for unusual sign‑ins
  • Review email‑forwarding rules quarterly

Bonus protections

  • Separate admin accounts
  • Conditional access policies
  • Blocking sign‑ins from risky locations

These steps make account takeover far less likely.

Email Security Checklist

Monthly

  • Review spam and phishing reports
  • Check for unusual sign‑ins
  • Remind employees to report suspicious messages

Quarterly

  • Review email‑forwarding rules
  • Test your phishing‑reporting process
  • Confirm MFA is still enabled everywhere

Annually

  • Refresh employee training
  • Review email security settings
  • Update your incident‑response plan for phishing

Key Takeaway

Email is the most common way attackers target small businesses — but it’s also one of the easiest areas to secure. With MFA, strong filters, and simple habits, you can block most phishing attempts and protect your business from fraud, malware, and account takeover.

Need Help Strengthening Your Email Security?

SQ Risk helps small businesses build simple, sustainable email‑security practices aligned with NIST CSF and real‑world needs.

Contact SQ Risk for a consultation

Continue to the next article in the series

Small Business Cyber‑Hygiene Series

Start Here:

  1. Introduction: Why Cyber‑Hygiene Matters
  2. Know What You Have (Identify)
  3. Protect Access: Passwords, MFA, and Accounts
  4. Secure Your Devices — Updates, Antivirus, and Hardening
  5. Back Up What Matters — The 3‑2‑1 Rule
  6. Defend Your Inbox — Phishing & Email Security (You are here)

Next Articles:
7. Monitor for Trouble — Detection Basics
8. Respond Effectively — What To Do When Something Goes Wrong
9. Recover Quickly — Getting Back to Normal
10. Build a Security‑First Culture
11. Bonus: Safe Use of AI for Small Businesses
12. Cyber‑Hygiene Checklist: A One‑Page Summary

©2026 SQ Risk Management Solutions LLC. All rights reserved.