Owner: IT Department
Audience: All staff
Applies to: Email, Teams/Slack, SMS, web browsing, and file downloads
This article equips you to spot and report phishing attempts, avoid malware links, and follow everyday practices that keep our organisation secure. Share it with your teams and refer back to it whenever something looks suspicious.
Look for one or more of these red flags:
Sender anomalies: Misspelled domain (e.g., micros0ft.com), personal email for business matters, or display-name spoofing.
Link tricks: Button text says one thing, but the real URL (hover to preview) is unrelated or shortened.
Urgency or fear: “Immediate action required”, “account will be closed”, “final warning”.
Unusual attachments: Unexpected invoices, ZIP/ISO/IMG files, or macro-enabled Office docs.
Poor quality: Spelling/grammar mistakes, off-brand logos or colours.
Requests for sensitive data: Passwords, MFA codes, card/bank details, or internal documents.
Context mismatch: “Reply to HR” about a system you don’t use; or you weren’t expecting the message.
Quick check: If it provokes a strong emotion (panic, curiosity, reward), pause and verify before you click.
“Payroll Update” with a link to payr0ll-secure[.]info → Phishing.
“DocuSign” requesting re-login via docs-verify[.]com → Credential harvest.
“CEO request” asking you to buy gift cards urgently → Business Email Compromise (BEC).
“Package Delivery” with an attachment Label.zip → Malware dropper.
Avoid downloading software from pop‑ups or unknown websites.
Never open unsolicited attachments, especially .exe, .js, .vbs, .scr, .iso, .img, .zip.
Treat macro-enabled Office files (.docm, .xlsm) as high risk.
Prefer official app stores or vendor sites; verify the publisher.
Check that sites using login forms show HTTPS (padlock) and a domain you recognise.
Remember: A single click on a malicious link can install malware or steal credentials.
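The red flags and file-type rules above can be expressed as a simple triage check that a mail filter or a helpdesk script could run over a message. The following is an added Python example written for this article; it is not part of the article's original content and not a tool our IT Department runs. The trusted-domain allowlist, the digit-for-letter lookalike rules and the three sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed allowlist of domains staff legitimately receive mail from (assumption, not policy data).
TRUSTED_DOMAINS = {"cityandcommercial.com", "microsoft.com", "docusign.com"}
# File types the article tells staff to treat as high risk.
HIGH_RISK_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".iso", ".img", ".zip", ".docm", ".xlsm"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
URGENCY_PHRASES = ("immediate action required", "account will be closed", "final warning")
# Common digit-for-letter swaps seen in lookalike domains (micros0ft, payr0ll).
LOOKALIKE_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


@dataclass
class Message:
    display_name: str
    from_addr: str
    subject: str
    body: str
    links: list        # (visible text, real href) pairs, as a hover preview would reveal
    attachments: list  # attachment file names


def refang(s):
    """Turn defanged 'example[.]com' / 'hxxp://' back into a parsable form."""
    return s.replace("[.]", ".").replace("hxxp", "http")


def host_of(url):
    url = refang(url)
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registered(domain):
    """Crude registered-domain guess: last two labels (sufficient for this demo)."""
    parts = domain.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    domain = refang(domain).lower()
    if registered(domain) in TRUSTED_DOMAINS:
        return None
    normalised = registered(domain).translate(LOOKALIKE_MAP)
    for trusted in TRUSTED_DOMAINS:
        if normalised == trusted:            # micros0ft.com -> microsoft.com
            return trusted
        if domain.startswith(trusted + ".") or ("." + trusted + ".") in domain:
            return trusted                   # microsoft.com.evil.net: brand used as a subdomain
    return None


def triage(msg):
    """Return the list of red flags found; an empty list means nothing obvious."""
    flags = []
    sender = msg.from_addr.rsplit("@", 1)[-1].lower()
    imitated = lookalike_of(sender)
    if imitated:
        flags.append(f"sender domain {sender} looks like {imitated}")
    # Display-name spoofing: a trusted brand shown, but mail comes from an unrelated domain.
    brand = msg.display_name.lower().replace(" ", "")
    if registered(sender) not in TRUSTED_DOMAINS and any(
        brand.startswith(t.split(".")[0]) for t in TRUSTED_DOMAINS
    ):
        flags.append(f"display name '{msg.display_name}' does not match sender domain {sender}")
    text = (msg.subject + " " + msg.body).lower()
    flags.extend(f"urgency language: '{p}'" for p in URGENCY_PHRASES if p in text)
    for visible, href in msg.links:
        real = host_of(href)
        if registered(real) in URL_SHORTENERS:
            flags.append(f"shortened link hides destination: {real}")
        if LOOKS_LIKE_URL.fullmatch(visible) and registered(host_of(visible)) != registered(real):
            flags.append(f"link text shows {host_of(visible)} but points to {real}")
        if lookalike_of(real):
            flags.append(f"link destination {real} imitates {lookalike_of(real)}")
    for name in msg.attachments:
        lower = name.lower()
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        if ext in HIGH_RISK_EXTENSIONS and lower.count(".") >= 2:
            flags.append(f"double extension disguises a risky file: {name}")
        elif ext in HIGH_RISK_EXTENSIONS:
            flags.append(f"high-risk attachment: {name}")
    return flags


def verdict(msg):
    return "REPORT to Security" if triage(msg) else "no obvious red flags"


# Constructed sample messages mirroring the article's examples (not real mail).
PAYROLL_PHISH = Message("HR Payroll", "hr@payr0ll-secure.info",
                        "Payroll Update - immediate action required",
                        "Your payslip is on hold. Review it at the portal below.",
                        [("portal.cityandcommercial.com", "hxxp://payr0ll-secure[.]info/login")], [])
DELIVERY_PHISH = Message("Parcel Service", "noreply@micros0ft.com", "Package Delivery",
                         "Print the attached label.", [], ["Label.zip"])
LEGIT = Message("Jane Smith", "jane.smith@cityandcommercial.com", "Q3 report draft",
                "Draft attached for review, feedback by Friday please.",
                [("SharePoint folder", "https://cityandcommercial.sharepoint.com/sites/finance")],
                ["Q3-report-draft.docx"])

if __name__ == "__main__":
    for m in (PAYROLL_PHISH, DELIVERY_PHISH, LEGIT):
        print(m.subject, "->", verdict(m), triage(m))
```

The check is deliberately a set of independent heuristics, each producing a human-readable reason, so that the output can be pasted into the "short note on why it looked suspicious" that Security asks for when a message is reported; it is a triage aid, not a substitute for the hover-and-verify habit the article describes.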
Do not click links or open attachments.
Do not reply or forward to others (except Security).
Report it immediately (see Reporting below).
Await guidance from IT/Security before deleting.
Disconnect from the internet (Wi‑Fi off / unplug network cable) if you downloaded or ran a suspicious file.
Contact Security immediately via security-team@cityandcommercial.com or submit a ticket at https://smart-support.smartek.co.uk.
Change your password for affected accounts; ensure MFA is on.
Inform Security of any credentials you entered and the exact time.
Do not power off your device unless instructed (we may need live forensics).
Monitor for unusual account activity and report it.
Use the Report Phishing button (if enabled).
Or forward it as an attachment to security-team@cityandcommercial.com with the subject: Suspected Phish.
Click the More (⋮) menu → Report phishing.
Also forward to security-team@cityandcommercial.com for tracking.
A short note on why it looked suspicious.
Time received, sender, and any action taken (clicked, opened, replied).
MFA everywhere: Enable and keep your second factor secure.
Unique, strong passwords: Use a password manager; never reuse passwords across sites.
Lock devices: Use strong device PIN/biometrics; lock screens when away.
Update promptly: Install OS and app updates; don’t postpone restarts.
Least privilege: Request only the access you need; avoid using admin accounts for routine work.
Data handling: Don’t export or share data to personal accounts; avoid unauthorised cloud tools.
Verify requests: For payment/bank details changes or document requests, call a known number to confirm.
Clean browsing: Avoid pirated software and “free” coupon/streaming sites; they’re common malware hosts.
✔️ Make sure the IT Department has enabled these safeguards and enforced strong password policies.
Treat links in SMS/DMs like email links—verify first.
Do not install apps from unknown sources; review app permissions.
Beware of impersonation in Teams/Slack (similar display names, external guests).
Report suspicious DMs to Security.
Do not plug in unknown USB sticks or drives.
Use company‑approved encrypted media only.
Scan removable media before opening files.
Vishing (phone): Caller pressures you to reveal codes or transfer money → hang up, call back via official number.
Smishing (SMS): Delivery/HR/Bank texts with urgent links → verify via the official app/portal.
BEC: Unexpected wire instructions or supplier bank‑detail changes → require dual approval and out‑of‑band verification.
Use company VPN on public Wi‑Fi; avoid untrusted hotspots.
Keep work data off personal devices and cloud accounts.
Store files only on approved locations (SharePoint/OneDrive/Team drives).
Do
Hover to preview links first.
Report suspicious messages immediately.
Use MFA and strong passwords.
Update devices and software.
Don’t
Don’t share passwords or MFA codes.
Don’t download untrusted files.
Don’t rush when a message feels urgent.
Don’t move company data to personal tools.
Q: I received a suspicious email that mentions a colleague. What should I do?
A: Verify with the colleague via a known channel (phone/Teams) and report the email.
Q: Can I forward suspicious emails to my manager?
A: Forward only to security-team@cityandcommercial.com. We will notify relevant stakeholders.
Q: How do I know if a link is safe?
A: Hover to preview, check the domain, and when in doubt, type the official address manually in the browser.
Q: Are QR codes safe?
A: Treat them like links—only scan trusted sources and check the URL before proceeding.
Refer to the Security Awareness Portal for short modules on phishing, password hygiene, and safe browsing.
Managers: schedule a 10‑minute team refresher using this article once per quarter.
Security Desk: security-team@cityandcommercial.com
Emergency (critical incidents): +44-2036423023
Tickets: https://smart-support.smartek.co.uk
Keep this page bookmarked. If it looks odd, report it—when in doubt, we’ll check it out.