If you’ve been on a fishing trip, you already know how “phishing” works. The angler disguises their hook with an enticing lure and waits for a fish to take the bait. Phishing works the same way, minus the worm. Phishing (pronounced “fishing”) is a crime where a hacker poses as a legitimate institution and contacts a target by email, telephone, text message, or direct message.

No target is too small for a scammer. We are all at risk of a phishing attack on our personal or small business accounts. Read on to learn how to identify seven types of popular phishing scams, how to prevent a phishing attack, and how to protect your business with cyber insurance.

What is a phishing attack?

Phishing scammers create captivating communications that can look and sound like the real thing, only to steal your information and leave you on the hook for the consequences. These cybercriminals lure individuals into providing sensitive data such as personal identity, banking, credit card, or account password information. Then, the scammer will use the information to access personal or business accounts to carry out identity or financial theft.

According to the FBI's Internet Crime Complaint Center, it received more than 241,000 complaints about phishing (including its phone and text-message variants) from the U.S. in 2020.1 While these attacks aren't always sophisticated, they are a successful numbers game. Even computer-savvy business owners can fall for a phishing attack if they rush to respond to messages and miss the obvious signs.

The average cost of a data breach, a common downstream result of phishing, rose roughly 10 percent from 2020 to 2021, to $4.24 million.2 That is one reason phishing remains a profitable, low-risk crime for scammers.

How does phishing work?

While phishers may seem like expert computer hackers, they are really social engineers: the attack works on people, not on software flaws, and often needs no coding at all. In most cases the only tools a phisher needs to get into your company's accounts are a spoofed or look-alike email address and a convincing message.

Phishing scammers will typically send you a message posing as a representative of your bank, your office, or another trusted institution. The sender address may resemble a legitimate one but differ by a typo, a swapped character, or an unfamiliar domain. The message usually presents a time-sensitive offer or problem and asks you to click a link, open an attachment, or reply with account details to claim the deal or fix the issue.

Consider a scam that dates back to the internet's earliest days. An email arrives with a desperate plea from a foreign prince who just needs a little help moving funds out of his country. Could you provide your company's bank account number so the money can be kept safe there? Soon afterwards your business's bank account takes a massive hit. The FBI still lists this "Nigerian prince" routine, a form of advance-fee fraud, among its common scams.

Types of phishing attacks

Phishing scammers have many different methods to carry out their attacks. Here are seven of the most popular types of phishing attacks.

  1. Emails — Email phishing attacks come from spoofed or look-alike accounts asking you to click a link, open an attachment, or reply with sensitive information.
  2. Text messages — Text-message phishing ("smishing") appears to be an alert from your bank or your own organization. It typically asks you to tap a link to address a time-sensitive issue.
  3. Phone calls — Voice phishing ("vishing") calls come from someone posing as an organization representative and asking you to read out sensitive account information.
  4. Spear phishing — Spear phishing is a targeted attack on a specific person or team, in which the criminal poses as a trusted source (such as a colleague or supplier) and uses details about the victim to make the request believable.
  5. Clone phishing — Clone phishing copies a legitimate email the victim has already received from a trusted organization and replaces its links or attachments, redirecting to a fake website that collects credentials such as account passwords.
  6. Whale phishing — Whaling targets a company's senior executives, pressuring them, or staff acting on what looks like an executive's instruction, to forward sensitive information or transfer large sums to accounts the attacker controls.
  7. Pop-up phishing — Phishing pop-ups are ads or fake browser alerts that appear while surfing the web. They typically promote a "once-in-a-lifetime" deal or issue an urgent warning about your computer's security to get you to click or call.

How to spot a phishing message

Phishing messages can be sneaky, but they all have some tell-tale signs that give themselves away. Here’s how to spot a phishing message:

  • If the email sounds too good to be true, it probably is! Be wary of emails claiming lottery wins, inheritances from wealthy distant relatives, or royalty wishing to marry you.
  • Phishing emails push you to act fast. If there is a sense of urgency or claims of suspending your account in a few short moments, be skeptical. Reputable organizations will give you plenty of time to respond.
  • Double-check links before you click. Many phishing emails lead to a scam site that looks like the real thing. Hover over (or long-press) a link to see where it actually points; the visible text can show one address while the link goes somewhere else. Check the domain for typos, swapped characters, and extra words such as "-secure" or "-login".
  • Never open attachments you weren't expecting or that look suspicious. They can carry malware, including ransomware.
  • Phishing emails come from unusual senders. The address may look familiar at first glance, so read it carefully: check for typos, look-alike characters, and a domain that is not the organization's own. A convincing display name means nothing; the address behind it is what counts.
  • Poor grammar and typos are common signs. Large, trustworthy organizations proofread what they send, so typos are "phishy." The reverse is no guarantee, though: well-resourced phishers write polished messages, so a clean email still deserves the other checks.
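The checks in the list above can be mechanised. What follows is an added example, not code from the original article, that scores a raw email against them: a look-alike or typo-squatted sender domain, a display name that borrows a trusted brand, a Return-Path that does not match the From domain, SPF/DKIM/DMARC failures recorded by your own mail server in the Authentication-Results header, urgency wording in the subject, and links whose visible text names one domain while the href points at another. The allowlisted domains (examplebank.com, examplebank.net), the brand word and both sample messages are constructed for the example.

```python
"""Heuristic checks for the red flags listed above, run over a raw email message.

Added example, not code from the original article. The allowlisted domains,
the brand word and both sample messages are constructed for illustration.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Hypothetical allowlist: the only domains this organisation really sends from or links to.
TRUSTED_DOMAINS = ("examplebank.com", "examplebank.net")
BRAND_WORDS = ("examplebank",)
# Character swaps phishers use to fake a familiar name ("examp1ebank", "exarnplebank").
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}
URGENCY = re.compile(r"\b(urgent|immediately|suspend(ed)?|within \d+ hours?|verify now)\b", re.I)
HOSTNAME = re.compile(r"((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host):
    """Last two labels of a hostname. Fine for .com/.net; ccSLDs such as co.uk need a public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def imitation_reason(domain):
    """Why `domain` looks like a trusted one, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    if "xn--" in domain:  # punycode label: an internationalised name that may render as a look-alike
        return "punycode hostname"
    normalised = domain
    for fake, real in HOMOGLYPHS.items():
        normalised = normalised.replace(fake, real)
    for trusted in TRUSTED_DOMAINS:
        if normalised == trusted or edit_distance(normalised, trusted) <= 2:
            return f"looks like {trusted}"
        if trusted.split(".")[0] in domain:  # brand buried in a longer name: examplebank-secure.com
            return f"looks like {trusted}"
    return None


def analyze(raw):
    """Return a list of (flag, detail) pairs for one raw RFC 5322 message; [] means nothing fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []

    # Who the message claims to be from: display name versus the actual address domain.
    sender = msg["From"].addresses[0]  # assumes a From header is present
    sender_domain = registered_domain(sender.domain)
    reason = imitation_reason(sender_domain)
    if reason:
        flags.append(("sender-lookalike", f"{sender.domain}: {reason}"))
    shown_name = sender.display_name.lower().replace(" ", "")
    if sender_domain not in TRUSTED_DOMAINS and any(b in shown_name for b in BRAND_WORDS):
        flags.append(("display-name-impersonation", sender.display_name))

    # Envelope sender, and the SPF/DKIM/DMARC verdicts your own mail server stamped on arrival.
    bounce = re.search(r"@([\w.-]+)", str(msg["Return-Path"] or ""))
    if bounce and registered_domain(bounce.group(1)) != sender_domain:
        flags.append(("return-path-mismatch", bounce.group(1)))
    auth = str(msg["Authentication-Results"] or "")
    for mech in ("spf", "dkim", "dmarc"):
        verdict = re.search(rf"\b{mech}=(\w+)", auth)
        if verdict and verdict.group(1).lower() != "pass":
            flags.append((f"{mech}-{verdict.group(1).lower()}", auth))

    if URGENCY.search(str(msg["Subject"] or "")):
        flags.append(("urgency", str(msg["Subject"])))

    # Every link: where it really goes, and whether the visible text says something else.
    body = msg.get_body(preferencelist=("html", "plain"))
    for href, label in ANCHOR.findall(body.get_content() if body else ""):
        host = urlparse(href).hostname or ""
        link_domain = registered_domain(host)
        reason = imitation_reason(link_domain)
        if reason:  # an https:// link and a padlock prove nothing here: phishing sites use TLS too
            flags.append(("link-lookalike", f"{href}: {reason}"))
        shown = HOSTNAME.search(re.sub(r"<[^>]+>", "", label))
        if shown and registered_domain(shown.group(1)) != link_domain:
            flags.append(("link-text-mismatch", f"text shows {shown.group(1)}, link goes to {host}"))
    return flags


# Constructed sample messages (not real mail): one phish, one genuine notice.
PHISH = b"""\
From: ExampleBank Security <alerts@examplebank-secure.com>
Return-Path: <bounce@mailer-x.biz>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer-x.biz; dkim=none; dmarc=fail
Subject: Urgent: your account will be suspended in 24 hours
Content-Type: text/html

<p>Please verify now: <a href="https://examp1ebank.com/login">https://examplebank.com/login</a></p>
"""

LEGIT = b"""\
From: ExampleBank <alerts@examplebank.com>
Return-Path: <alerts@examplebank.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=examplebank.com; dkim=pass header.d=examplebank.com; dmarc=pass
Subject: Your monthly statement is available
Content-Type: text/html

<p>View it at <a href="https://examplebank.com/statements">examplebank.com</a>.</p>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, analyze(raw) or "no red flags")
```

Run stand-alone, the phishing sample trips every check and the genuine notice trips none. Two caveats the code deliberately encodes: it never treats an https:// link or a padlock as evidence of legitimacy, because a typo-squatted site can serve a perfectly valid certificate; and an empty result is not proof of safety, since mail sent from a compromised legitimate mailbox passes SPF and DKIM.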

How can you prevent phishing from affecting your business?

In most cases, you can prevent phishing scams before they affect your business. Here are some of the best ways to avoid phishing:

  • Think before you click. Train employees to evaluate communications and check for the tell-tale signs of a phishing scam before clicking links or submitting information.
  • Remind workers to verify that a website's address is the real one before they enter login information. "https" and the closed padlock only mean the connection is encrypted to whatever site they reached; phishing sites use them too. The check that matters is whether the domain in the address bar is exactly the organization's own. Better still, have employees reach login pages from a saved bookmark rather than from a link in a message.
  • Keep browser anti-phishing filters, email filtering, firewalls, and endpoint anti-malware installed and updated on all of your company's computers and devices.
  • Let employees know they should never click on pop-ups.
  • Don't send account details or other sensitive information by email. If in doubt, have employees verify the request by calling the organization on a number from its official website or a previous statement, never on a number or link taken from the suspicious message itself.

How do you report phishing emails?

Thousands of phishing scammers act without consequence every day because few people report phishing emails. If you receive or fall victim to one, here are some ways to report the cybercrime:

  • Notify employees of the phishing email. It’s possible they received a similar bogus communication. Consult with your IT provider to prevent further phishing.
  • Phishing.org, a resource to keep you up to date on the latest phishing threats, provides a list of the best organizations to report phishing scams.
  • If you fall victim to a phishing scam, you can report the crime to the FBI's Internet Crime Complaint Center (IC3), your State Consumer Protection Office, and local police.

How do you recover from a phishing scam?

Falling victim to a phishing scam is scary, but your business can recover. Here are a few steps to begin recovering from a phishing attack.

  • Instruct employees to report any incidents to company leadership.
  • Disconnect the affected device(s) from the company network, wired or Wi-Fi, to stop any malware from spreading.
  • Reset passwords for the compromised accounts first, then for any other account that used the same password, and sign out all active sessions on the affected accounts.
  • Scan your business's network and the affected devices for malware, and check bank, email, and cloud accounts for signs of theft or unauthorized changes such as new mail-forwarding rules.
  • Research if others have been affected by the phishing attack.
  • Take measures to protect your business from future phishing scams.

Cyber insurance & phishing

Cyber liability insurance protects individuals and businesses from damages associated with online attacks, like phishing scams. With cyber insurance, your business is covered for liability claims related to leaked information and for its own losses from the attack. Most cyber insurance policies include both first-party coverage (your own losses) and third-party liability coverage (claims by clients and customers), providing some protection for them as well.

As cyber threats continue to evolve, cyber insurance is there to protect your company from potentially damaging impacts. These include lost or damaged data, loss of income, notification costs, and resulting damage to your company’s reputation. It can even help cover extortion payments.

Don’t get reeled into a phishing scam!

You and your employees can do everything right — learn how phishing works, understand the warning signs, and take appropriate precautions — and still get hooked by a scammer. But that doesn’t mean you need to be on the hook for all of the damages.

The best way to protect your business from phishing scams is to look out for the signs and avoid falling for the lure. In most cases, preventing the con is as easy as recognizing the characteristics of a scam communication, blocking the sender, and deleting the email.

Stay protected with insurance from Thimble. Click “Get a quote” or download the Thimble mobile app, answer a quick set of questions, and get covered within minutes. It’s that easy to get affordable small business insurance that works when you do.

  1. Federal Bureau of Investigation Internet Crime Complaint Center. Internet Crime Report 2020.
  2. IBM Security. Cost of a Data Breach Report 2021.