Cybercriminals never take a break. In fact, cybercriminals have been increasing their efforts when you might not be paying as close attention, or when you’re putting sensitive data out there more often.

The most common way that scammers steal money, bank account info, passwords, credit cards, and Social Security numbers? They simply ask for them. The IRS continues to see people fall victim to phishing scams every single day.

We recently told you about a new email involving tax transcripts that could affect an entire business network if opened. But here, we’ll go over the top seven things every employee should do every time they receive any email.

Take these steps to protect against phishing and email scams.

1. Be skeptical.

It’s OK, really. Encourage your employees to never open a link or attachment from an unknown source – especially if it seems suspicious. Even if the email comes from a familiar source, proceed with caution. Scammers are experts at disguising themselves as trusted businesses, friends, family, and the IRS.

2. Check the address.

It’s very possible that a cybercriminal has compromised a friend’s email address or is spoofing it with a slight change in the text. The IRS gives an example: Narne@example.com vs. Name@example.com. Simply changing one letter – in this case, the ‘m’ to an ‘r’ and ‘n’ – can be enough to fool people.

3. Know the IRS.

Well – just know what they won’t ever do. The IRS doesn’t initiate spontaneous contact with taxpayers by email asking for personal information. They also won’t ask for information over the phone with aggressive threats, text messages, or social media.

4. Just don’t click.

If there is any doubt about whether a hyperlink is suspicious, don’t click on it. Instead, try going directly to the source’s main web page (or ignore it altogether). Reiterate to employees that no legitimate business would ever ask for sensitive financial information via email.

5. Use security software.

You’re probably already doing this (if not, call IT now!), but the IRS suggests that you use security software to protect against the malware and viruses found in phishing emails. Some of this software can help identify suspicious websites often used by cybercrooks.

6. Be strong in your passwords.

We all know it’s super easy to compose multiple passwords from your dog’s name and your birthday. But as easy as those passwords are to remember, they’re even easier for scammers to crack. The experts recommend using a phrase of sorts, with a minimum of 10 characters that includes a combination of letters, numbers, and special characters.

7. Multi-factor authentication.

What is this? Two-factor authentication means that users must enter a security code to access certain things, in addition to a username and password. Typically, this code is sent as a text message. Why is this so effective? Even if a cybercriminal manages to steal a username/password – it’s unlikely they’d also have the victim’s phone.
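For step 2 (check the address), the comparison can be automated against a list of contacts you already trust. This is an added example, not IRS guidance or code from the original article; the function names, the confusables table and the sample addresses other than the IRS pair are assumptions made for illustration.

```python
import unicodedata

# Constructed, non-exhaustive table of character runs that read as another
# letter at a glance; "rn" for "m" is the swap the IRS example uses.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

def skeleton(text):
    """Fold text to a canonical form so visually similar strings collide."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    for run, letter in CONFUSABLES:
        folded = folded.replace(run, letter)
    return folded

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(sender, known_contacts):
    """Return (verdict, contact): 'known', 'lookalike' or 'unknown'."""
    sender = sender.strip().casefold()
    known = sorted({c.strip().casefold() for c in known_contacts})
    if sender in known:
        return "known", sender
    for contact in known:
        # Same skeleton catches multi-letter swaps (rn -> m); distance 1
        # catches a single dropped, added or substituted character.
        if skeleton(sender) == skeleton(contact) or edit_distance(sender, contact) == 1:
            return "lookalike", contact
    return "unknown", None

if __name__ == "__main__":
    contacts = ["Name@example.com"]  # constructed address book
    for addr in ["Name@example.com", "Narne@example.com",
                 "name@examp1e.com", "billing@vendor.test"]:
        print(addr, "->", check_sender(addr, contacts))
```

A "lookalike" verdict is a prompt to verify the sender through another channel; an exact match only shows the address is one you know, not that the account behind it is still in its owner's hands.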

Now that you know the steps to take before even opening an email (and have shared them with your employees), here’s what you should do if you come across a phishing scam. Forward it to phishing@irs.gov (and then delete it right away).

Don’t sleep on your cyber-awareness. Pass these tips along to your employees so you and your small business stay safe.