Ask almost any small business owner whether they would fall for a scam, and you will get some version of the same confident answer: “I’d catch it. I’m careful. I know what to look for.” It is a comforting belief, and most owners genuinely hold it. It is also the single most dangerous assumption in small business security — because the people running today’s attacks are counting on exactly that confidence. They design their traps specifically for the careful, busy, capable person who is sure they would never be fooled.
So we built a short, free quiz to put that belief to an honest test. It takes a few minutes, it costs nothing, and it asks one simple question in a dozen different ways: when a real attack is in front of you, would you actually spot it? Not the obvious, clumsy scams everyone laughs at — the convincing ones, built to look exactly like the normal, everyday messages and requests that move through your business. Most people are surprised by how they do. The confident ones especially.
Why “I’d know” is the wrong instinct to trust
The scams most people picture in their heads are the old ones. The misspelled email from a foreign prince. The obviously fake link. The clumsy text full of typos. And it is true — almost everyone would catch those. The problem is that those are not the attacks that are actually hurting small businesses anymore. The attacks that work today are the ones that do not look like attacks at all.
They look like an invoice from a vendor you really use, in the format you are used to seeing. They look like an email from your bank arriving at a moment when you actually were expecting one. They look like a message from an employee, or a customer, or a delivery service, written in normal language, referencing real details, arriving at a believable time. The whole craft of a modern attack is making the dangerous thing indistinguishable from the routine thing. And against that, “I’m careful” is not a defense — because carefulness assumes there will be a warning sign to catch, and the entire point of these attacks is that there isn’t one. The quiz exists to show you, gently and privately, the gap between the scams you imagine and the ones actually being used.
What the quiz actually measures
This is not a test of whether you are technical. It does not ask you to know what any acronym stands for or how anything works under the hood. It measures something far more useful: your instincts. The split-second judgment you make when something lands in your inbox and you decide, almost without thinking, whether to trust it, click it, reply to it, or act on it. That instinct is the thing standing between your business and most of the attacks aimed at it, and almost no one has ever actually tested theirs.
You will get a score and an honest read on where your instincts are sharp and where they have a blind spot. Maybe you will ace it — some people do, and if you are the kind of person who tends to catch things at work that everyone else misses, you might be one of them. Maybe one or two will catch you off guard, which is its own kind of valuable, because the questions that fool you in a quiz are precisely the ones that would fool you in real life, where the cost is not a wrong answer but a drained account. Either way, you walk away knowing something true about yourself that you did not know five minutes earlier.
Here’s the part that should keep an owner up at night
Let us say you take it and you score perfectly. Sharp instincts, no blind spots, the works. That is genuinely good news — and it also quietly raises the real question, the one that matters far more than your own score. Because it is not your inbox that is most likely to bring an attack into your business. It is your team’s.
Think about everyone who can act on your behalf. The employee who pays the invoices. The person at the front desk who clicks the shipping notification. The bookkeeper who updates a vendor’s payment details. The part-time helper who installs an app to get a task done. An attacker does not need to fool you — they only need to fool the least-prepared person who can touch money, data, or a company device. Your business is only as secure as the weakest instinct on your team, and most owners have no idea where that is. You cannot see it, because the people who would fall for a convincing attack are, by definition, the ones who do not realize they would. The quiz is a way to find out — for yourself first, and then for the people whose split-second decisions your business quietly depends on.
From a quiz score to a protected business
A quiz can reveal the gap. It cannot close it — and we are not going to pretend a few questions make anyone attack-proof. What actually closes the gap is training: not a boring compliance video that everyone clicks through and forgets by lunch, but focused, plain-language sessions built around the specific ways your business handles money, communicates, and gets work done. The goal is not to turn your team into security experts. It is to give every person who can act on your behalf the one instinct the quiz tests for — the reflex to pause at exactly the right moment, when a request looks perfectly normal but something is quietly off.
That instinct, spread across your whole team, is the cheapest and most powerful security investment a small business can make. Every expensive, sophisticated attack we write about still comes down, in the end, to one human being deciding whether to trust what is in front of them. Train that decision, and you have hardened the one part of your defenses that no software can fix and that attackers are working hardest to exploit.
So start with the quiz. Find out where your own instincts stand — it takes a few minutes and it is genuinely a little fun, in a “wait, would I have caught that?” sort of way. Then, when you are ready to give your whole team the same edge, let’s talk about training that fits the way your business actually works. The owners who get ahead of this do it before there is a reason to. The ones who wait usually learn the hard way which member of their team had the blind spot.
