Everyday I hear about more business being caught out by phishing scams. Growing up, fishing was easy! Today you have to be on your guard.
These attacks succeed due to user error, you click on a link in an email which you think is from your bank, or your email company and go and change your password. Normally you can see something thats not just right in an email, but the recent spate of Netflix emails are very hard to tell from the original. Its important to remember that email is only one method, there are numerous cases of adverts on websites that have been compromised, even just for a few hours, and there is always good only snail mail and the fake invoices.
Have a good read at this article by Norton and have some staff training on the issue.