Small Business Phishing Defense Guide

Small businesses are phishing targets of choice. CISA and FBI data show that businesses with fewer than 500 employees account for a disproportionate share of BEC and phishing victims, largely because they lack dedicated security teams. The average cost of a data breach for small businesses was $2.98 million in 2024 — often enough to threaten the business itself. According to the National Cyber Security Alliance, 60% of small businesses close within six months of a cyberattack.

The good news: effective phishing defense for small businesses does not require enterprise budgets. The most impactful controls are free or low-cost.

The Small Business Phishing Threat

Why Attackers Target Small Businesses

Weaker defenses: Limited IT staff, minimal security tools, inconsistent training
Valuable access: Small businesses hold customer data, financial information, and vendor relationships
Supply chain entry: Compromising a small business provides a trusted pathway to larger clients — see our supply chain phishing guide
Payment authority: Small business owners often have direct authority over wire transfers and financial transactions
Lower reporting: Small businesses are less likely to report phishing incidents, reducing attacker risk

Common Attack Scenarios

Invoice fraud: Fake invoices from “vendors” with updated payment instructions
CEO fraud: Email impersonating the owner requesting urgent wire transfers
Payroll diversion: Emails impersonating employees requesting direct deposit changes
IT impersonation: Fake IT support requesting credentials or remote access
Credential harvesting: Login page clones for Microsoft 365, Google Workspace, or banking

The Five-Step Small Business Defense Plan

Step 1: Enable MFA on Everything (Cost: Free)

Multi-factor authentication is the single highest-impact control. Enable MFA on:

Email accounts (Microsoft 365, Google Workspace)
Banking and financial applications
Cloud storage (OneDrive, Dropbox, Google Drive)
Social media accounts
Any application containing customer data

Use authenticator apps (Google Authenticator, Microsoft Authenticator) at minimum. For the business owner and anyone with financial authority, use FIDO2 security keys ($25-$50 per key).

Step 2: Implement DMARC/SPF/DKIM (Cost: Free)

Email authentication prevents attackers from spoofing your business email domain. This protects your customers and partners from receiving phishing that impersonates your business.

Implementation requires DNS changes only:

Add an SPF record listing your authorized email sending services
Configure DKIM signing through your email provider
Publish a DMARC record starting at p=none, then moving to p=reject

Most email providers (Microsoft 365, Google Workspace) offer guided setup.

Step 3: Configure Email Filtering (Cost: Included or Low)

Maximize the security features already included in your email platform:

Microsoft 365 Business:

Enable Safe Links (URL protection)
Enable Safe Attachments
Configure anti-phishing policies
Enable the Report Message button for employees

Google Workspace:

Enable enhanced pre-delivery message scanning
Turn on spoofing protection for employee names
Enable external email warnings
Configure phishing and malware protection to quarantine suspicious messages

For additional protection, consider a layered email security service ($2-$10 per user/month).

Step 4: Establish Verification Procedures (Cost: Free)

Simple procedures prevent the costliest phishing attacks:

For wire transfers and payment changes:

Verify any payment instruction change by phone using a number from your existing records (never from the requesting email)
Require two people to approve wire transfers above a threshold (even if that threshold is $500)
Implement a 24-hour holding period for new payment instructions

For credential requests:

Establish that IT support will never ask for passwords via email
Communicate this policy to all employees

For sensitive data requests:

Verify any request for employee data, customer data, or financial records through a second channel

See our social engineering red flags guide for recognizing manipulation.

Step 5: Train Your Team (Cost: Free to Low)

You do not need an expensive platform for basic phishing awareness:

Free training resources:

CISA’s free six-week Phishing Campaign Assessment for public and private organizations
Google’s Phishing Quiz (phishingquiz.withgoogle.com)
Monthly 10-minute team discussions about recent phishing examples
Share screenshots of phishing emails that target your industry

Low-cost options:

Microsoft 365 E5 includes Attack Simulation Training (if you upgrade)
Google Workspace built-in security training features
Standalone platforms start at $10-$25 per user/year for small businesses

Train on the specific threats your business faces. A medical practice needs different scenarios than a financial services firm. See our phishing simulation guide for program design.

Quick-Reference Response Card

Print this and post at every workstation:

If you receive a suspicious email:

Do NOT click links or open attachments
Check the sender’s actual email address (not display name)
Ask yourself: did I expect this? Is the request normal?
If suspicious, forward to [your IT contact/security email]
If you clicked a link or entered information, tell [your IT contact] IMMEDIATELY

If money was sent to a fraudulent account:

Call your bank NOW — request a wire recall
Report to FBI IC3 at ic3.gov within 72 hours
Contact [business owner/manager]

See our credential compromise checklist and IC3 reporting guide for detailed steps.

Free Resources for Small Businesses

Resource	Provider	What It Offers
Phishing Campaign Assessment	CISA	Free 6-week phishing simulation
Cyber Hygiene Services	CISA	Free vulnerability scanning
CyberSecure My Business	National Cyber Security Alliance	Free training materials
Google Phishing Quiz	Google	Interactive phishing identification
Small Biz Cyber Planner	FCC	Customized security planning

Key Takeaways

Small businesses face disproportionate phishing risk with limited resources
The five highest-impact defenses (MFA, DMARC, email filtering, verification procedures, training) are free or low-cost
MFA on all accounts and FIDO2 keys for financial authority holders provide the strongest single protection
Simple verification procedures (phone callback for payment changes, dual approval) prevent the costliest attacks
CISA offers free phishing assessment and cyber hygiene services to all businesses
Post a quick-reference response card at every workstation

For the complete phishing defense framework, see our phishing recognition and reporting guide.

Sources

This content is for educational purposes only. Small businesses should consider engaging a managed security service provider (MSSP) for assistance with implementation and ongoing monitoring.