Article · 6 min · For Owners
The "CEO needs gift cards" play
The original — and still the most common. The attacker scrapes your team page, finds the CEO's name, and sends a panicked note from a near-identical Gmail address asking the office manager to pick up Amazon cards "for a client gift." The tells: it always arrives between 4 and 6 PM, the sender domain is wrong, and there is always an excuse for why the CEO can't take a phone call. The fix: every wire and gift-card request is confirmed by a phone call to a number you already have. No exceptions.
The fake invoice from a real vendor
A vendor you actually use sends an invoice — except they don't. The attacker has compromised the vendor's email account and sends a real-looking PDF with new bank routing details. The tells: the routing number is different from last month's, the email signature is slightly off, and there's urgency about a "new ACH system." The fix: any change to a vendor's payment details requires a call to a phone number you already have on file, not the one in the email.
The DocuSign / Microsoft login lure
A "shared document" notification that looks exactly like a real DocuSign or M365 message. Click the link and you're on a pixel-perfect login page that quietly captures your credentials. The tells: the URL bar shows a suspicious domain, the sender is a vaguely familiar name with an unfamiliar address, and the document title is generic ("Q4 Plan.pdf"). The fix: never log in via an email link. Open Outlook, M365, or DocuSign in your browser directly.
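The tells in the three plays above can be turned into a first-pass check that runs before anyone picks up the phone. The script below is an added example written for this page, not code from the original article; the business domain, executive directory, vendor bank record, link allowlist and every sample message are constructed assumptions.

```python
"""Added example, not part of the original article: a first-pass triage that
scores one incoming email against the tells described in the three plays above.
Every domain, name, address and bank detail here is constructed sample data."""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

ORG_DOMAIN = "example-plumbing.com"                       # assumed: the business's own domain
EXECUTIVES = {"dana reyes": "dana@example-plumbing.com"}  # assumed: display name -> real address
# Hosts that may legitimately carry a login or document link (assumed allowlist).
TRUSTED_LINK_HOSTS = {"login.microsoftonline.com", "outlook.office.com", "app.docusign.com"}
# Vendor payment details already on file from earlier invoices (constructed).
VENDOR_BANK_ON_FILE = {
    "billing@acme-supply.example": {"routing": "021000021", "account": "123456789"},
}
URGENCY = re.compile(r"\b(urgent|asap|immediately|right away|new ach)\b", re.IGNORECASE)


@dataclass
class Email:
    sender_name: str
    sender_addr: str
    subject: str
    body: str
    links: List[str] = field(default_factory=list)
    sent_hour: Optional[int] = None       # local hour of day, 0-23
    bank_routing: Optional[str] = None    # pulled from an attached invoice, if any
    bank_account: Optional[str] = None


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_lookalike(domain: str, target: str, max_dist: int = 2) -> bool:
    """True when domain is not target but is within max_dist edits of it."""
    return domain != target and levenshtein(domain, target) <= max_dist


def assess(mail: Email) -> List[str]:
    """Return the list of tells that fired; an empty list means no tell matched."""
    flags = []
    sender_domain = domain_of(mail.sender_addr)

    # Play 1: the display name belongs to an executive but the address does not.
    real_addr = EXECUTIVES.get(mail.sender_name.strip().lower())
    if real_addr and mail.sender_addr.lower() != real_addr:
        flags.append(f"display name matches {real_addr} but sender is {mail.sender_addr}")
        if mail.sent_hour is not None and 16 <= mail.sent_hour < 18:
            flags.append("arrived in the 4-6 PM window typical of this play")
    if is_lookalike(sender_domain, ORG_DOMAIN):
        flags.append(f"sender domain {sender_domain} is a lookalike of {ORG_DOMAIN}")

    # Play 2: a known vendor's bank details differ from what is on file.
    on_file = VENDOR_BANK_ON_FILE.get(mail.sender_addr.lower())
    if on_file and mail.bank_routing:
        if (mail.bank_routing, mail.bank_account) != (on_file["routing"], on_file["account"]):
            flags.append("bank details differ from record on file; confirm by phone "
                         "at the number you already have")

    # Play 3: a login or document link that points somewhere other than the real service.
    for url in mail.links:
        host = (urlparse(url).hostname or "").lower()
        own = host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)
        if host not in TRUSTED_LINK_HOSTS and not own:
            flags.append(f"link host {host!r} is not a trusted login host")

    if URGENCY.search(mail.subject + " " + mail.body):
        flags.append("urgency language")
    return flags


if __name__ == "__main__":
    lure = Email("Dana Reyes", "dana.reyes.ceo@gmail.example", "Need a favor",
                 "Pick up gift cards right away, I'm in a meeting and can't talk", sent_hour=17)
    for tell in assess(lure):
        print("TELL:", tell)
```

None of these checks replaces the phone call the article insists on; the point is that each tell is mechanical enough to flag automatically, so the call happens before the office manager reaches for the company card.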
Frequently asked questions
What should I do if an employee already clicked a phishing link?
Move fast: have the user disconnect the device from the network, reset the password from a different device, revoke active sessions in Microsoft 365 (Entra admin center → Users → Sign-ins → revoke), require MFA re-enrollment, scan the endpoint with EDR, and check the mailbox for new inbox rules an attacker may have created. Then audit sent items for the last 7 days. Document everything for the cyber-insurance carrier.
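The session-revocation, inbox-rule and sent-items steps above can be scripted against Microsoft 365 through the Microsoft Graph REST API. The block below is an added example for this page, not the article's or Microsoft's code; the two network helpers assume you already hold an access token with the relevant permissions (User.RevokeSessions.All, MailboxSettings.Read, Mail.Read), and the rule triage runs offline on constructed sample rules shaped like Graph's messageRule objects.

```python
"""Added example, not part of the original article: the post-click mailbox checks
in Microsoft 365, driven through the Microsoft Graph REST API. The network helpers
assume a valid access token; SAMPLE_RULES is constructed data, not a real mailbox."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

ORG_DOMAIN = "example-plumbing.com"          # assumed organisation domain
GRAPH = "https://graph.microsoft.com/v1.0"
# Subject/body keywords an intruder commonly hides or siphons; assumed watchlist.
SUSPECT_KEYWORDS = {"invoice", "payment", "wire", "bank", "password", "mfa", "phish"}


def _graph(token: str, path: str, method: str = "GET") -> dict:
    req = urllib.request.Request(f"{GRAPH}{path}", method=method,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else {}


def revoke_sessions(token: str, user: str) -> bool:
    """Invalidate the user's refresh tokens so a stolen session cannot be reused.
    Graph: POST /users/{id | userPrincipalName}/revokeSignInSessions"""
    return bool(_graph(token, f"/users/{user}/revokeSignInSessions", "POST").get("value"))


def fetch_inbox_rules(token: str, user: str) -> List[dict]:
    """Graph: GET /users/{id}/mailFolders/inbox/messageRules"""
    return _graph(token, f"/users/{user}/mailFolders/inbox/messageRules").get("value", [])


def sent_items_path(user: str, days: int = 7, now: Optional[datetime] = None) -> str:
    """Graph path for auditing what the mailbox sent in the last `days` days."""
    now = now or datetime.now(timezone.utc)
    since = (now - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f"/users/{user}/mailFolders/sentitems/messages"
            f"?$filter=sentDateTime ge {since}&$select=subject,toRecipients,sentDateTime")


def _is_external(address: str) -> bool:
    return not address.lower().endswith("@" + ORG_DOMAIN)


def triage_rule(rule: dict) -> List[str]:
    """Reasons this inbox rule looks like something an intruder would create."""
    reasons = []
    actions = rule.get("actions") or {}
    conditions = rule.get("conditions") or {}
    # Forwarding or redirecting outside the organisation is the classic siphon.
    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        for rcpt in actions.get(key) or []:
            addr = (rcpt.get("emailAddress") or {}).get("address", "")
            if _is_external(addr):
                reasons.append(f"{key} sends mail outside the org to {addr}")
    if actions.get("delete") or actions.get("permanentDelete"):
        reasons.append("deletes matching messages")
    if actions.get("markAsRead") and actions.get("moveToFolder"):
        reasons.append("hides messages by marking them read and moving them")
    name = (rule.get("displayName") or "").strip()
    if len(name) <= 2:
        reasons.append(f"near-empty rule name {name!r}")
    words = [w.lower() for w in (conditions.get("subjectContains") or [])
             + (conditions.get("bodyContains") or [])]
    hits = sorted(SUSPECT_KEYWORDS.intersection(words))
    if hits:
        reasons.append("matches on " + ", ".join(hits))
    return reasons


def triage(rules: List[dict]) -> Dict[str, List[str]]:
    """Map each suspicious rule's name to its reasons; clean rules are omitted."""
    out = {}
    for rule in rules:
        reasons = triage_rule(rule)
        if reasons:
            out[rule.get("displayName", "")] = reasons
    return out


# Constructed sample: what an intruder typically leaves behind, plus one benign rule.
SAMPLE_RULES = [
    {"displayName": "..", "isEnabled": True,
     "conditions": {"subjectContains": ["invoice", "wire"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "drop@collector.example"}}],
                 "delete": True, "stopProcessingRules": True}},
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["newsletter"]},
     "actions": {"moveToFolder": "AAMkAGI2-constructed-folder-id"}},
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RULES), indent=2))
```

Run the revocation first, then pull the rules and delete any the triage flags; keep the JSON of what you found, since the cyber-insurance carrier will ask for it.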
How often should we run phishing-simulation training?
Quarterly is the right baseline cadence: one annual full-length training, three quarterly simulated phishes, with click-rate metrics tracked. Some carriers want monthly for high-risk roles (finance, executives, IT admins). The metric to watch is whether click-rate trends down quarter over quarter, not the absolute number.
Who should I call first if I think I've been phished?
Your MSP or internal IT, immediately. Then your cyber-insurance carrier within the policy's notification window (often 24–72 hours). If money has moved, the bank's fraud line as well, in that order. Don't wait to "see if it was real" — the cost of a false alarm is one phone call; the cost of waiting grows with every hour.
Does MFA stop phishing?
Basic MFA stops most credential-stuffing and bulk attacks. Phishing-resistant MFA (hardware keys, passkeys, Windows Hello) also stops adversary-in-the-middle attacks that defeat code-based MFA. For finance, executives, and IT admins, phishing-resistant should be the default. See what MFA actually buys you.