Staff Phishing & Login Safety One‑Pager

A copy/paste-ready staff guide you can send today + a lightweight reporting process

When to use

Send to staff quarterly (or after any suspicious email incident).
Pin it in Teams/Slack or print it near shared workstations.
Use it as the “single source of truth” for what to do in the moment.

1) The golden rules (60 seconds)

✅ Always: if in doubt, stop and think/ask, better safe than sorry.

✅ Never log in from an email link. Use a bookmark or type the known URL.

✅ If it feels urgent, slow down. Verify in a different channel.

✅ If you get an unexpected MFA prompt, record/screenshot it (if possible), deny it and report it.

✅ If you’re not sure, ask. You won’t get in trouble for checking.

2) Common phishing patterns in NZ

Microsoft 365 / OneDrive: “Password expired”, “Shared document”, “New voicemail”.
Courier / parcels: “Delivery failed”, “Pay a small fee”, “Track your parcel”.
Invoices: “Outstanding invoice attached”, “Urgent payment today”.
Social engineering: “Hi it’s me-quick favour” (especially after hours).

3) What to do if you clicked a link

Do not enter your password. Close the tab.
If you entered credentials: change your password immediately.
Report it (see reporting process below).
If you approved an MFA prompt you didn’t initiate: report it immediately (time matters).

4) Lightweight reporting process (no tools required)

Option A - “Forward + Subject” (easy mode)

Forward the email to your IT contact / helpdesk.
Change the subject to: PHISH REPORT - [Your name] - [Short reason]

Option B - Screenshot + details (when forward is blocked)

Take a screenshot of the email and the sender address.
Send: time received, what you clicked (if anything), and whether you entered a password.

5) Quick “spot the phish” checklist

Check	What you’re looking for
Sender	Look for slight spelling differences, odd domains, or display-name tricks.
Urgency	“Today”, “now”, “account locked”, “last chance”.
Links	Hover (don’t click) and check the destination domain.
Attachments	Unexpected ZIP/HTML/Office files, “enable macros”, password-protected attachments.
Request	Passwords, MFA codes, payments, bank changes, gift cards.

6) Template message to send to staff

Copy/paste into email or Teams:

Team - quick reminder: please don’t log in via email links. Use bookmarks for Microsoft 365 and other services.
If you get an unexpected “account locked / shared file / invoice” message, pause and verify before clicking.
If anything looks suspicious, forward it with subject PHISH REPORT (or screenshot it) and let us know. Thanks!

Note: This document is general operational guidance and does not replace legal advice. It helps you establish a practical baseline and reduce common privacy risks.

👉 Free 30-minute consultation

No hard sell - just clarity and practical next steps.

hello@virtusgroup.biz
virtusgroup.co.nz
0800 847 887 (VIRTUS)

Book now