
The last few years have taught us that global pandemics, civil unrest, and a faltering global economy have not deterred email scammers in the slightest. Anyone who mistakenly believed that a conscience would influence these fraudsters has misjudged their adversary. Simply put, these individuals are criminals, preying on people's vulnerabilities, and the current circumstances present a heightened opportunity for them to intensify their attacks, particularly as an increasing percentage of employees work from home, leaving them unprotected by their business firewalls.

In fact, fraud statistics have shown that small businesses lost an average of 5% of their gross revenues to fraud in 2025, with online billing schemes comprising 29% of the frauds perpetrated against businesses with fewer than one hundred employees.

The ransomware statistics are even more chilling:

  • Ransomware attacks have been on the rise. In 2024, there were approximately 5,414 successful ransomware attacks globally, marking an 11% increase compared to 2023. This translates to an average of about 15 successful attacks per day.
  • In 2024, businesses lost a staggering $813.55 million to ransomware attacks. This figure, although lower than the $1.2 billion lost in 2023, still highlights the significant financial impact of ransomware. Additionally, the average cost for a company to recover from a ransomware attack was around $1.82 million in 2023.
  • Phishing emails are the cause of 45% of ransomware infections.
  • About 9% of the American population has been a victim of a phishing or ransomware attack at some point.
  • 1.2% of all emails were harmful, leading to around 3.4 billion phishing emails sent globally.
  • The number of unique phishing sites detected worldwide reached over 1.5 million in the third quarter of 2024.

Yes, the threat is real, and while the overall sophistication of the attacks has increased compared to the old brutish "spray-n-pray" methods of the past, there are a number of simple tips that can keep you safe from these fraudsters and will defuse a majority of the current phishing threats:

  1. Watch for spoofers: "Spoofers" are senders that cloak themselves as people you know in the email header, causing you to pay less attention to the actual sending address. For instance, my team regularly gets emails from "Ken Quigley" <[address obscured]>. The habit is to pay more attention to the header than the source, and this leads people to trust nefarious sources. Always check the source. It's not a guarantee of authenticity, but it will filter out the majority that are not.
    Also, look for slight misspellings of popular domains like amazon, ebay, federalexpress, UPS, etc. It only takes a single misspelling to reveal its true identity.
  2. Don't get attached: As a general rule, do not open an attachment in an email unless you're expecting it, and certainly none that provide you with a password. To be clear, trusted vendors do not send you bills in a zip file, nor do customers provide you RFQs or accepted quotes in the same format. While it may seem obvious, the majority of ransomware and viruses propagate through this method. To make matters worse, file formats like Excel, Word, and even PDFs can contain pernicious code, so apply this rule to all attachments. If you REALLY need to confirm an attachment you believe to be genuine, open it on a mobile device first. If it points to an external link or prompts again for a password, you should delete it with extreme prejudice.
  3. Confirm the source in a meaningful way: Virus profiteers are becoming increasingly sophisticated, so many targets are being duped when they reply to a suspicious mail with the question "Is this for real?" and they get a quick reply confirming its authenticity. Expect that most phishing victims will vet these emails with the same weak security questions, so ask something more challenging like "How do we know each other?". You'll be surprised at how few, if any, correct responses you get.
  4. Give it a mouse-over: A simple trick to separate fraudulent emails from those that are genuine is to mouse over all hyperlinks and graphics in the email to reveal whether the hyperlink matches the displayed link (again, remember not to be fooled by misspelled popular domains). Some email programs will allow you to right-click on the email body and "reveal source," which will show you all the back-end code at once, but generally you need only concern yourself with the hyperlinks and graphics.
  5. Delete, never Unsubscribe: The presence of a benign-looking "Unsubscribe" link at the bottom of an email does not make the sender conscientious or the email genuine. An unsubscribe link is still a hyperlink and presents just as big a security risk as any other link in the email. Also, even if an email is more spammy than scammy, clicking "Unsubscribe" will often just verify your address as "working" to spammers and land you on more distribution lists.
  6. Distrust by default: If you view all emails with scrutiny, you'll develop a mindset to look for reasons to "distrust" messages rather than looking for reasons to trust them. There are too many suspicious signs in scammy emails to be fooled by one apparent sign of authenticity, so look for reasons to "delete" a suspicious email, not for one to open. For instance, here are a few telltale signs that an email may be fraudulent:
    1. Bad spelling or grammar
    2. Does not contain your exact name, account number, and address (generally "Dear Customer" emails should be deleted)
    3. The email is sent to a different account than the one you generally use for ecommerce
    4. A source email with a TLD (Top Level Domain) that ends with a foreign or unrecognizable domain (for example, *.ru, *.xyz, *.chn) should be deleted.
    5. As my father used to say, "No one is looking to give you money." Apply this logic to your front door and your inbox, and you'll be safer for it. No legitimate source needs your help accepting payments or wire transfers, and you will NEVER learn of an unexpected inheritance by email.
    6. Emails promising cures for diabetes, enhancements in memory or sexual performance, or reductions in fat, debt, wrinkles, or blood pressure are not genuine. Don't mistake your "wish" for reality. Delete and move on.

Always remember that there is no antivirus or security software that will safeguard you and your business as well as common sense. Security threats, ransomware, and viruses do not come through the front door; they penetrate businesses through the weakest link, so teach your team to be vigilant, to distrust by default, and share these simple tips to stay safe.

Who we are?

Specializing in CRM software for small to medium sized businesses, through expert counsel, deployment, hosting, support, and development services.

Delivering fruitful CRM solutions since 1994, Keystroke is the #1 Act! Reseller in the World and Master Act! Distributor for Canada.
