Phishing

Also known as: phishing email, phishing scam, credential theft email

Phishing is a fake message designed to trick someone into handing over passwords, money, or details — and when criminals dress it up as coming from your business, your customers get hurt and your name takes the blame.

What it is

Phishing is the use of a deceptive message — usually email — to trick someone into doing something harmful: typing their password into a fake login page, paying a fake invoice, or revealing personal details. The message pretends to be from someone trustworthy so the target lowers their guard.

Two angles matter for a business: phishing aimed at you and your staff, and phishing that impersonates you to fool your customers and the public.

Why it matters to your business

When attackers send phishing emails that look like they’re from your business, the fallout lands on you even though you did nothing. Customers who get burned by a fake “from you” message lose trust in your real emails too — so your genuine offers, renewals, and invoices start getting ignored or reported as spam. Your name effectively gets poisoned.

Phishing aimed at your own team is just as serious: one staff member entering their password on a fake page can hand a criminal the keys to your email or accounts, which they then use to scam others — often your customers.

How to tell / what to do

You can’t stop criminals from trying, but you can stop them wearing your name convincingly. Locking down DMARC (set to reject), with SPF and DKIM, means email faking your exact domain is rejected by receiving mail servers that enforce DMARC before it reaches an inbox, which protects your customers and your reputation. For your team, the rule of thumb is: slow down, and verify any password prompt or payment request through a channel you already trust. Check your domain free; the fixes are free. Start with the DMARC fix guide.
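To make "DMARC set to reject" concrete, the following added example (not code from this site) audits the text of a DMARC record, which is published as a TXT record at `_dmarc.<your domain>`. The function names and sample records are constructed for illustration, and the record text is assumed to have been fetched already.

```python
# Added example: audit a DMARC TXT value against the "set to reject" advice.
# Record values are constructed samples; example.com is a reserved domain.

def parse_dmarc(txt):
    """Split a DMARC TXT value into ordered (tag, value) pairs."""
    pairs = []
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            pairs.append((key.strip().lower(), value.strip()))
    return pairs

def audit_dmarc(txt):
    """Return a list of findings; an empty list means reject is fully enforced."""
    if not txt or not txt.strip():
        return ["no DMARC record published"]
    pairs = parse_dmarc(txt)
    # The version tag must come first, otherwise receivers ignore the record.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return ["not a valid DMARC record (must start with v=DMARC1)"]
    tags = dict(pairs)
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ["missing or invalid p= tag"]
    findings = []
    if policy != "reject":
        findings.append(f"p={policy}: mail faking this domain is not rejected")
    # An explicit sp= overrides p= for subdomains.
    if "sp" in tags and tags["sp"].lower() != "reject":
        findings.append(f"sp={tags['sp']}: subdomains are not covered by reject")
    # pct below 100 applies the policy to only a share of failing mail.
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    return findings

SAMPLES = {  # constructed records: two weak settings beside the corrected one
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=reject; pct=25; sp=none",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, audit_dmarc(record) or "OK: reject enforced")
```

A record can say `p=reject` and still leave gaps, as the "partial" sample shows.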
