Phishing Scam
What is a Phishing Scam?
A phishing scam is a fake email, text, call, DM, QR code, or other communication designed to trick you into clicking a link, sharing passwords or data, or sending money by pretending to be a trusted brand or person.
Why It Matters for Beauty and Bodywork Professionals
- Nearly half of all cyberattacks target small businesses
- Everyone is online, for personal and professional purposes, and scammers use that to their advantage
- One click is enough for scammers to hack accounts, steal client info, or make fraudulent payments
- Standard general liability and professional liability coverage typically does not cover theft by deception, so you may need cyber liability coverage.
What are Common Phishing Tactics To Watch for?
Today’s phishing scams can be much harder to spot or just plausible enough to trick you, especially with the advancements of AI.
Swipe →
| Tactic | What it looks like | Telltale signs | What to do |
|---|---|---|---|
|
Fake invoice or overdue notice |
“Final notice” from a “vendor” with a PDF or link you must click or download |
Urgent tone, new bank details, mismatched sender email/web domain |
Do not click links; call your known vendor number |
|
Password reset bait |
“Your booking portal password expires in 60 minutes” |
Link goes to a look-alike, but not exact, website name or URL; odd grammar |
Do not click links; go directly to the real site or app and reset there |
|
Shipping text scam |
“Package undeliverable, reschedule delivery” or “pay $3 re-delivery fee” |
Short link or QR code, asks for card info |
Do not click links; check your official carrier app or website; ignore the text |
|
Client impostor DM |
“Buying 10 gift cards today, send codes” |
Won’t speak by phone; demands quick action |
Ignore/refuse; verify client identity by phone or in person |
|
Vendor bank change |
“Use our new routing number” |
Arrives right before payment; no signed or advance notice |
Require two-factor or multi-factor authentication on all bank changes |
|
QR code trap |
“Scan for appointment details” sticker |
Unsolicited/unknown QR near your front desk |
Remove unknown QR sticker; use your official URL/app |
Quick Spot-the-Phish Checklist Before You Click
- Hover over or long-press email sender addresses or URLs to see the full link; domain names must be exact, not close
- Verify bank changes, bookings, and any money exchanges with multi-factor authentication (MFA) tools
- Never send gift cards or money from an email or text request
- Use a password manager and unique passwords
- Treat urgency, threats, and freebies as red flags
What to Do if You Click on a Phishing Scam
If you do get tricked by a phishing scam, there are actions you can take to help minimize the damage.
Swipe →
| Timing | What to do | Why it matters |
|---|---|---|
|
Immediately |
Disconnect the affected device from Wi-Fi and cellular |
Limits data removal |
|
Within 1 hour |
From a clean device, change passwords (email, booking, banking, social); enable MFA |
Cuts off attacker access |
|
Same day |
Call your bank, payment processor, and booking/point-of-sale (POS) provider |
Freeze transfers; flag fraud |
|
Same day |
Preserve evidence (emails, headers, texts, screenshots, transaction IDs) |
Needed for claims, police, and forensics |
|
24 hours |
Scan the device; remove suspicious profiles/extensions; consult a professional IT specialist |
Removes malware and closes holes |
|
24-48 hours |
If personal client data is exposed, follow state notice rules and notify impacted clients |
Reduces legal exposure and rebuilds trust |
|
48 hours |
Contact your agent/broker/insurer about Cyber or Social Engineering coverage |
Starts claim guidance and support |
How Do Beauty Businesses Protect Themselves From Phishing Scams?
Start with insurance coverage, then layer on controls. Most phishing losses aren’t covered by general liability or professional liability/errors and omissions insurance. Look for cyber liability insurance options first, then build habits that actually prevent clicks and wire transfers.
- Insurance: Get cyber liability insurance for help with the financial costs of data breaches and cyberattacks
- Multi-factor authentication: Use multifactor authentication for everything, including email, banking, booking, and social media
- Record-keeping: Keep receipts/licenses for marketing material, client media releases, and other products and services you use
- Update and back up: Update devices and apps regularly; keep secure backups of all records and client files
- Role-based access: If you have employees, maintain separate owner and staff permissions in booking, POS, and social tools
- Train your team: If you have employees, run short training refreshes on spotting red flags
Related Terms
- Cyber Liability Insurance
- General Liability
- Insurance
- Exclusion
- Endorsement
- Declarations Page
- Data Breach
- Certificate of Insurance (COI)
