Phishing is the most common cyber threat facing UK businesses. The government’s 2024 Cyber Security Breaches Survey found that 84% of companies that identified a cyberattack reported phishing attempts.
Yet a significant perception gap exists. SMEs that have not yet suffered a breach often underestimate the potential financial damage by nearly £85,000.
Adequate protection goes beyond simply telling staff to ‘be careful’. True resilience is a multi-layered defence of technology, robust processes, and an empowered workforce.
This guide provides a blueprint for protecting your business from phishing attacks, informed by expert guidance.
Understanding the Phishing Playbook
Phishing is, at its core, a social engineering attack.
Because really, it’s not about exploiting software. It’s about exploiting people.
Attackers pose as trusted contacts. Their aim? To trick victims into handing over sensitive data, installing malware, or approving fraudulent payments.
Types of Phishing Attacks
- Bulk Phishing: These are the run-of-the-mill “wide-net” emails sent to a mass audience, often masquerading as popular, well-known brands, such as HMRC, DPD, or high-street banks.
- Spear Phishing: A targeted attack in which a hacker or group of hackers singles out one person or department. The attacker researches their target on platforms such as LinkedIn and uses this information to tailor the message, making it as specific and plausible as possible to entice that individual to part with sensitive data. 91% of data breaches begin with a spear phishing attack.
- Whaling: A type of spear phishing that explicitly targets senior company executives (also known as “the whales”), such as CEOs, CFOs, and Finance Directors. These individuals are often the ones with the authority to approve high-value financial transfers.
- Business Email Compromise (BEC): A more advanced scam that often, but not exclusively, follows a whaling attack. In this instance, the attacker spoofs the CEO and targets a junior or mid-level employee, asking them to transfer money to an account the attacker controls.
- Vishing and Smishing: The same types of attacks as above, but delivered over the phone (vishing) or via an SMS text message (smishing). Most of us place more trust in a phone call or text than in a standard email.
The Psychology of Deception
Phishing attacks succeed by manipulating predictable human behaviours.
Attackers press predictable psychological buttons to push victims past their rational judgement, for example:
- Urgency and Fear: Messages using phrases like “Immediate action required” or “Your account will be suspended” create a sense of panic, which in turn pushes victims to react quickly without thinking.
- Authority: When the sender appears to be a CEO, IT support, or even a government agency, the request feels more legitimate, making users more likely to follow instructions.
- Curiosity and Greed: The thought of winning a contest, surprise bonus, or gift card provokes a click before the logical brain can catch up.

Building Your Human Firewall
Phishing targets humans.
That’s why your employees are your first line of defence. Of course, technology is critical. But it should be part of a culture that values and embraces security awareness.
Training Your Team to Spot the Signs
Help your staff to practice the right reflexes.
Practical and effective security training should teach your employees the red flags of a phishing attack.
Phishing Red Flags Checklist
- Sender Scrutiny: Confirm that the sender’s email address corresponds with their displayed name, and scan for slight misspellings (such as micros0ft.com).
- Generic Greetings: Most reputable entities will not address you as “Dear Valued Customer”.
- Urgent or Threatening Tone: Some messages demand immediate action or use threats. These should be treated as suspicious.
- Suspicious Links: Hover your mouse over a link before clicking. The preview shows where it actually leads.
- Unusual Requests: Be wary of sudden requests for personal details, or of anything that strays from normal business practices.
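The checklist above can be turned into an automated triage check for reported messages. The following is an added example, not code from the original post or from Microbyte: it takes a parsed set of headers and the body text, and returns the red flags it finds (display name claiming a brand the address does not belong to, a lookalike domain such as micros0ft.com, a Reply-To pointing elsewhere, a generic greeting, and urgent wording). The trusted domain list, the homoglyph table and the sample message are all constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed: brands/domains the organisation legitimately receives mail from.
TRUSTED_DOMAINS = {"microsoft.com", "hmrc.gov.uk", "dpd.co.uk"}
# Constructed table of character swaps commonly used in lookalike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}
URGENT = re.compile(r"immediate action|account will be suspended|within 24 hours", re.I)

def normalise(domain):
    """Undo common homoglyph swaps so micros0ft.com compares equal to microsoft.com."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d

def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Either the whole domain normalises to the trusted one, or the brand
        # name is embedded in an unrelated domain (e.g. hmrc-refund.example).
        if normalise(domain) == trusted or brand in normalise(domain):
            return trusted
    return None

def red_flags(headers, body):
    """Return a list of human-readable red flags for one reported message."""
    flags = []
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in name.lower() and domain != trusted and not domain.endswith("." + trusted):
            flags.append(f"display name claims {brand} but address is @{domain}")
    imitated = lookalike_of(domain)
    if imitated:
        flags.append(f"sender domain {domain} looks like {imitated}")
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        flags.append(f"Reply-To goes to a different domain ({reply})")
    if re.search(r"dear (valued )?customer", body, re.I):
        flags.append("generic greeting")
    if URGENT.search(body):
        flags.append("urgent or threatening tone")
    return flags

# Constructed sample message exhibiting all five red flags.
SAMPLE_HEADERS = {"From": "Microsoft Support <alerts@micros0ft.com>",
                  "Reply-To": "help@secure-mail-login.example"}
SAMPLE_BODY = "Dear Valued Customer, immediate action required: your account will be suspended."
```

A message from a colleague with a plain greeting and no brand claim returns an empty list, which is the behaviour a triage queue should rely on to prioritise the reports that do carry flags.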
Cultivating a Security-First Culture
A single training session isn’t enough. Lasting security comes from continual reinforcement and a no-blame approach.
The NCSC recommends against penalising employees who click on phishing simulations, as this “will cause employees to be fearful about making mistakes and being penalised and less likely to report incidents to their organisation.”
The goal is education, not entrapment.
Instead, focus on the reporting rate, not the click rate.
A high reporting rate shows that employees are engaged and vigilant. Make it easy for staff to report suspicious messages with a simple “report phish” button and use free resources like the NCSC’s ‘Top Tips For Staff’ e-learning module to reinforce good habits.
For more on this, read our post: Don’t get hooked by the Phishermen.
Implementing Layered Technical Defences
Your human firewall needs to be backed up by a strong, layered, technical strategy.
The “defence in depth” approach stacks independent layers of security, so that if one fails, another is in place to block the attack.
1. Foundational Email Authentication
The following three protocols should work in unison. They’ll help to prevent attackers from spoofing your domain and are the core building blocks of a secure email environment.
- SPF (Sender Policy Framework): A DNS record that lists the servers allowed to send mail for your domain. Mail from anywhere else should not get through.
- DKIM (DomainKeys Identified Mail): Every outgoing message is stamped with a digital signature that travels with the email. The recipient checks it against a public key published in your DNS, which lets them verify that nothing was altered along the way.
- DMARC (Domain-based Message Authentication, Reporting & Conformance): Think of this as the rule-setter. It takes the results of the SPF and DKIM checks, confirms they relate to the domain in the visible From address, and tells the receiving server what to do next: block the message, send it to quarantine, or deliver it.
Correctly configuring all these protocols can be technically challenging and is often a task handed over to a managed IT partner to ensure that valid emails are not disrupted.
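To make the “rule-setter” role concrete, here is an added example (not code from the original post or from Microbyte) that evaluates a DMARC policy the way a receiving server does: it parses the DMARC TXT record, checks whether the SPF and DKIM results are aligned with the From domain under strict or relaxed alignment, and returns either “pass” or the policy to apply. A second helper flags weak record settings that leave spoofed mail deliverable. The domain names, records and the small stand-in for the public suffix list are constructed assumptions.

```python
# Constructed stand-in for the public suffix list; a real evaluator uses the full list.
SECOND_LEVEL = {"co.uk", "org.uk", "gov.uk", "ac.uk"}

def org_domain(domain):
    """Organisational domain used by relaxed alignment, e.g. mail.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in SECOND_LEVEL else 2
    return ".".join(labels[-n:])

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; aspf=s' into a dict of lower-cased tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def aligned(auth_domain, from_domain, mode):
    """Strict (s) needs an exact match; relaxed (r) only the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record_txt, from_domain, spf, dkim):
    """spf = (result, envelope MAIL FROM domain); dkim = (result, d= tag of the signature).
    Returns 'pass' or the policy to apply to the message ('none', 'quarantine', 'reject')."""
    tags = parse_dmarc(record_txt)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")

def weak_settings(record_txt):
    """List the record settings that still let spoofed mail reach inboxes."""
    tags = parse_dmarc(record_txt)
    issues = []
    if tags.get("p", "none") == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    if int(tags.get("pct", "100")) < 100:
        issues.append("pct<100 leaves some spoofed mail unfiltered")
    if "rua" not in tags:
        issues.append("no rua address, so you receive no aggregate reports")
    return issues

# Constructed records: a monitoring-only one and a hardened strict one.
WEAK_RECORD = "v=DMARC1; p=none"
STRICT_RECORD = "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:dmarc@example.co.uk"
```

The strict record rejects a spoof that passes SPF for the attacker’s own sending domain, while a legitimate message relayed through a third-party bulk sender still passes as long as it carries a DKIM signature for example.co.uk.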
2. Intelligent Filtering and Microsoft 365 Hardening
Microsoft 365 has security built in by default. However, to protect against today’s attacks, it will often need to be hardened. Key configurations include:
- Advanced Threat Protection: In Defender for Office 365, enable features such as Safe Links and Safe Attachments. Safe Links doesn’t just check once – it scans the URL again every time a user clicks it. Safe Attachments runs files in a sandbox first, scanning for hidden malware.
- Mail Flow Rules: In Exchange Online, set up rules that tag inbound messages. Adding a warning banner makes it clear to users that the email came from outside the organisation. Our guide, “8 Ways to Keep Your Email Secure,” offers additional tips.
3. Hardening Accounts with Multi-Factor Authentication (MFA)
MFA is one of the strongest security controls available. By requiring a second form of verification, it makes an account 99% less likely to be compromised. Even if a password is stolen, it’s useless without that extra factor.
Learn more about what Multi-factor authentication (MFA) is – and why it’s so critical.
4. Endpoint and Network Security
Sometimes a user does click a malicious link; these extra layers form a valuable safety net:
- Endpoint Detection and Response (EDR): Installed on laptops, servers, and other devices, EDR tools spot, block, and respond to advanced threats like ransomware – even if a phishing attack gets through.
- Protective DNS (PDNS): Services such as Cisco Umbrella stop connections to known malicious sites. This happens before they ever reach the user’s browser.
5. Continuous Monitoring and Global Support
Cybercriminals don’t sleep. That’s why protecting your business effectively requires 24/7 monitoring as part of a managed IT partnership, to identify and react to threats when they occur, rather than on a 9-5 schedule.
Strategic Planning, Response, and Compliance
You must be prepared for the possibility that an attack will succeed. A clear plan is the difference between a managed incident and extended downtime.
Develop an Incident Response Plan (IRP)
An IRP outlines the exact steps to take when an incident is detected. Business continuity is essential.
This is especially true under UK GDPR, which sets a strict 72-hour deadline for reporting breaches to the ICO.
You should define roles and responsibilities, set up secure out-of-band communication channels (in case the standard system is compromised), and regularly test the plan through tabletop exercises.
Secure Financial Processes
To defend against BEC, stop treating email as a trusted method for authorising payments. Make a pre-arranged independent verification by phone to a known, trusted number mandatory to confirm any request to change bank details or make an unscheduled transfer.
Remind your staff about the importance of being vigilant online.
Meet UK Compliance Standards
The ICO can fine a business up to £17.5 million or 4% of global turnover for a data breach. Action taken to protect yourself by following the guidance of the National Cyber Security Centre (NCSC) is a defence that shows you have been diligent.
Getting your Cyber Essentials certification (endorsed by the government) is an excellent place to start for UK SMEs. MFA is also now a compliance requirement, with the vast majority of cyber insurance providers mandating it.
Why This Matters for SMEs
For most SMEs, maintaining this level of layered security in-house simply isn’t the most practical of options.
There’s the cost. The time. And even the specialist knowledge that’s required. All of this combined puts it very much out of reach.
That’s why partnering with an MSP can be a real game-changer.
Working with a provider like Microbyte gives SMEs access to complex, often expensive defences – delivered in a more cost-effective way.
You gain access to enterprise technology and expertise without having to hire and maintain an entire internal security team.
A managed service includes 24/7 monitoring, as well as support with staff training and disaster recovery planning to create true resilience against phishing and all types of cyberattacks.
Don’t wait for a phishing email to lead to extended downtime and financial losses.
Book your consultation with Microbyte’s cybersecurity experts today and secure your business with 24/7 protection.