Someone on your team gets an email. Happens thousands of times a day.

Here’s one that looks like it's from a trusted community partner. The name on the email checks out. There's a Microsoft document being shared.

Your employee opens it and enters their credentials.

And all of a sudden your business has a problem. A BIG problem.

You probably know this problem well. We see it often, too.

Phishing emails — messages designed to trick your people into sharing information, clicking dangerous links, or opening files they shouldn't — are one of the most common ways small and mid-sized businesses get compromised.

People don’t know what they don’t know, and if you don’t know the signs, it’s easy to fall for a phishing scam. The emails look real, work moves fast, and people click without meaning to.

I almost got phished a couple months ago, out of my personal inbox.

It was Cyber Monday. “Amazon” asked me to update my payment information for my Prime subscription — and I had ordered a few things, so it was no surprise to see Amazon in my inbox. I clicked through; it looked like an Amazon web page, and I had all my credit card information filled out.

Then this form asked for the last four of my Social Security number. Frankly that was the only reason my credit card didn’t get compromised that day.

Looking back on that, there were signs I missed. Had I slowed down a beat, I would have seen clear as day that it was a spam message!

Back to business, because Cyber Monday was four months ago…

There are a couple of things you want to set up as safeguards in your business in case one of your team members gets reeled in by a phishing email, such as:

Even with tools and systems in place, the best defense will always be employee training. Are the people at your business vigilant enough to mark phishing attempts as spam and avoid compromise altogether?

One easy framework to use: I learned the SLAM method in my previous job during an email security training program, and it’s the easiest thing I can remember.

We shared a blog post in 2025 with a deeper breakdown, but here’s the short version on the framework:

  • SENDER: Are the sender name and email address spelled EXACTLY as expected? Does the email address of a business or community partner use their exact email domain? Spoiler alert: my “Amazon” email I mentioned earlier didn’t come from an @amazon.com domain.

  • LINKS: Is the email requesting you to click a link that you weren’t expecting to get?

  • ATTACHMENTS: Attachments should not be clicked or opened unless you are absolutely certain of the contents that are included.

  • MESSAGE: If an email is trying to connect with you emotionally to drive quick action, that’s a good indicator you should pause for a closer look.
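The SLAM checks above are meant to be done by a person, but the SENDER and LINKS questions in particular can also be asked by a script. The following is an added example, not code from the newsletter or from Lighthouse: it parses a constructed sample message with Python's standard `email` module, compares the sender's domain against an assumed allowlist of partner domains (`TRUSTED_DOMAINS`, a placeholder you would maintain yourself), flags links that point outside those domains, lists attachments, and looks for a few assumed urgency phrases as a rough MESSAGE check. It is a screening aid for a mail-filter rule or a help-desk triage tool, not a replacement for the human pause the framework asks for.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real email). The display name claims
# "Amazon", but the address domain is not amazon.com, mirroring the
# Cyber Monday message described above.
SAMPLE_EMAIL = """\
From: Amazon Customer Service <billing@amazon-prime-updates.example>
To: me@example.com
Subject: Update your payment information
Content-Type: text/plain; charset="utf-8"

Your Prime payment failed. Update now: http://amazon-prime-updates.example/update
Need help? Visit https://www.amazon.com/help
"""

# Assumed allowlist: display-name keyword -> the exact domain that partner really uses.
TRUSTED_DOMAINS = {
    "amazon": "amazon.com",
    "trusted partner": "partner.example",   # placeholder for a real community partner
}

# Assumed list of phrases that push for quick, emotional action (the MESSAGE check).
URGENCY_PHRASES = ("update now", "immediately", "urgent", "within 24 hours", "suspended")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _is_trusted_host(host):
    """True if host is exactly a trusted domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS.values())


def slam_check(raw_message):
    """Apply the SENDER, LINKS, ATTACHMENTS and MESSAGE checks to one raw RFC 822 message.

    Returns a list of human-readable findings; an empty list means nothing was flagged.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # SENDER: the display name claims a known partner, but the address domain
    # is not that partner's exact domain.
    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rpartition("@")[2].lower()
    for keyword, expected in TRUSTED_DOMAINS.items():
        if keyword in display_name.lower() and sender_domain != expected:
            findings.append(
                f"SENDER: '{display_name}' claims {keyword} but domain is "
                f"{sender_domain}, expected {expected}"
            )

    # LINKS: any link whose host is not a trusted domain (or a subdomain of one).
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not _is_trusted_host(host):
            findings.append(f"LINKS: {url} points to untrusted host {host}")

    # ATTACHMENTS: report every attachment so a human decides whether to open it.
    for part in msg.iter_attachments():
        findings.append(f"ATTACHMENTS: {part.get_filename() or '(unnamed)'} ({part.get_content_type()})")

    # MESSAGE: crude check for pressure language.
    lowered = body.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            findings.append(f"MESSAGE: urgency cue '{phrase}'")

    return findings


if __name__ == "__main__":
    for finding in slam_check(SAMPLE_EMAIL):
        print(finding)
```

Run against the constructed sample, the script flags the mismatched sender domain, the link to the lookalike host, and the "update now" wording, while leaving the genuine www.amazon.com help link alone. The allowlist approach is deliberate: a domain that is merely *similar* to a partner's (extra words, swapped letters, a different top-level domain) never passes, which is exactly the SENDER question the framework asks.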

Save the fishing for the lake.

Let 2026 be the year you and your team learn to cut the lines hackers lob your way.

Thanks for checking out this week’s newsletter! While I have you here, mind if I share a bit more of what we’re producing at Lighthouse?

The Beacon is designed for storytelling and memorable lessons like this one. For deeper education around technology, talent, and the work we do every day, our company blog is the home for that.

Two posts that you might enjoy from the start of the year:

How to Reduce Hiring Risk for Technology Roles: Don’t get compromised by someone who has a great resume — or by someone who has a friend do the whole interview process for them. Trust me, we’ve seen some things.

Beyond IT Basics: For 2026 and beyond, we want to help you see technology for what it is. It’s the systems that enable your team to do their best work — and your business to grow stronger.

See you back here next week!
