A large share of successful cyber attacks start with a single email. Phishing - tricking someone into clicking a malicious link, opening a dodgy attachment or handing over a password - remains one of the most common ways businesses get breached. The good news: it's also one of the most preventable.
What is phishing?
Phishing is a social engineering attack. Rather than hacking your systems directly, criminals trick your people. A convincing email pretends to be from a bank, a supplier, Microsoft, or even your own CEO, and pressures the recipient into acting quickly.
Common variants include:
- Spear phishing - a targeted attack using details about you or your company.
- Business Email Compromise (BEC) - impersonating a senior person or a supplier to authorise a payment, change bank details or release data.
- Smishing and vishing - the same tricks via text message or phone call.
How to spot a phishing email
Train your team to pause and check for these red flags:
- Urgency or threats - "Act now or your account will be closed."
- Unexpected attachments or links - especially invoices or "documents to review".
- Mismatched sender addresses - the display name says one thing, the actual email another (a "Microsoft Support" display name on a free webmail address, or a look-alike domain with one letter swapped).
- Requests for credentials or payment - legitimate organisations rarely ask this way.
- Generic greetings and odd language - "Dear customer", spelling slips, unusual phrasing.
The golden rule: if an email creates pressure to act quickly, slow down and verify it through a separate channel - a phone number or contact you already hold, never one taken from the email itself.
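Most of these checks can be applied automatically before a person ever sees the message. The script below is an added example written for this article, not code from the original page or from any product it mentions: it parses a raw email with Python's standard library and reports each red flag it finds, including the SPF/DKIM/DMARC verdict that a receiving mail gateway records in the Authentication-Results header. The two messages are constructed samples, and the keyword lists, the two-edit look-alike threshold and the domain examp1e.com are illustrative assumptions rather than a tuned filter.

```python
import re
from email import message_from_string, policy

# Keyword lists are illustrative assumptions, not a tuned filter ruleset.
URGENCY = ("act now", "immediately", "within 24 hours", "will be closed",
           "suspended", "final notice", "urgent")
CREDENTIALS_OR_PAYMENT = ("password", "verify your account", "bank details",
                          "wire transfer", "payment details", "log in here")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
RISKY_EXTENSIONS = (".html", ".htm", ".iso", ".js", ".vbs", ".exe", ".lnk")
AUTH_FAILURES = {"fail", "softfail", "permerror"}


def domain_of(addr: str) -> str:
    """Lower-cased domain of an addr-spec, or '' when there is no '@'."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one or two edits from a trusted domain is a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def first_address(msg, header: str) -> tuple[str, str]:
    """(display name, addr-spec) of the first mailbox in a header, or ('', '')."""
    value = msg.get(header)
    if value is None or not getattr(value, "addresses", ()):
        return "", ""
    return value.addresses[0].display_name, value.addresses[0].addr_spec


def triage(raw: str, trusted_domains=()) -> list[str]:
    """Return one 'code: detail' string per red flag found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    name, addr = first_address(msg, "From")
    from_dom = domain_of(addr)
    # Display name says one thing, the real address another.
    shown = re.search(r"@([\w.-]+)", name)
    if shown and shown.group(1).lower() != from_dom:
        flags.append(f"display-name-mismatch: shows {shown.group(1).lower()}, sent from {from_dom}")
    # Look-alike of a domain you trust (examp1e.com standing in for example.com).
    for trusted in trusted_domains:
        if from_dom != trusted and edit_distance(from_dom, trusted) <= 2:
            flags.append(f"lookalike-domain: {from_dom} resembles {trusted}")
    # Replies quietly redirected to a third domain.
    reply_dom = domain_of(first_address(msg, "Reply-To")[1])
    if reply_dom and reply_dom != from_dom:
        flags.append(f"reply-to-mismatch: {reply_dom} differs from {from_dom}")
    # SPF/DKIM/DMARC verdicts the receiving gateway stamped on the message.
    auth = str(msg.get("Authentication-Results", ""))
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.IGNORECASE):
        if result.lower() in AUTH_FAILURES:
            flags.append(f"auth-failure: {method.lower()}={result.lower()}")
    # Pressure, credential/payment requests and generic greetings in subject or body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()
    for code, words in (("urgency", URGENCY),
                        ("credential-or-payment-request", CREDENTIALS_OR_PAYMENT),
                        ("generic-greeting", GENERIC_GREETINGS)):
        hits = [w for w in words if w in text]
        if hits:
            flags.append(f"{code}: {', '.join(hits)}")
    # Attachment types that commonly carry a payload or a credential-harvesting page.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXTENSIONS):
            flags.append(f"risky-attachment: {filename}")
    return flags


# Constructed sample: a BEC-style message from a look-alike domain.
PHISH_SAMPLE = """\
From: "ceo@example.com" <ceo@examp1e.com>
Reply-To: ceo.private@gmail.com
To: finance@example.com
Subject: Urgent wire transfer - act now
Authentication-Results: mx.example.com; spf=softfail smtp.mailfrom=examp1e.com; dkim=none header.d=examp1e.com; dmarc=fail header.from=examp1e.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="utf-8"

Dear customer,

I need a wire transfer to our new supplier processed immediately. I am in a
meeting and cannot take calls; the bank details are in the attached file.

--sep
Content-Type: text/html; name="supplier-invoice.html"
Content-Disposition: attachment; filename="supplier-invoice.html"

<html><body>constructed placeholder</body></html>
--sep--
"""

# Constructed sample: an ordinary internal message that should raise nothing.
CLEAN_SAMPLE = """\
From: "Dana Lee" <dana.lee@example.com>
To: finance@example.com
Subject: Q3 report
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Hi Sam, the Q3 report is in the shared drive. No rush, any time next week is fine.
"""

if __name__ == "__main__":
    for sample in (PHISH_SAMPLE, CLEAN_SAMPLE):
        print(triage(sample, trusted_domains=("example.com",)) or ["no red flags"])
```

Each flag maps to one bullet in the list above, so the output doubles as a training aid: showing staff the script's verdict next to the message teaches the same habits the list does. Real filters weight these signals rather than simply counting them, and the authentication checks are only trustworthy when your own gateway, not the sender, wrote the Authentication-Results header.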
The technical defences
Awareness alone isn't enough - layer it with technology:
- Email filtering to catch malicious messages before they reach inboxes, backed by SPF, DKIM and DMARC records so that mail spoofing your own domain is rejected.
- Multi-factor authentication (MFA) so a stolen password isn't enough to get in - ideally a phishing-resistant method such as a security key or passkey, since one-time codes can be relayed by real-time phishing kits.
- Endpoint protection to stop malicious attachments - see endpoint protection vs antivirus.
- DNS and link protection that blocks known malicious sites.
The human defences
- Regular staff training and simulated phishing tests.
- Clear reporting - make it easy and blame-free for staff to report suspicious emails.
- Payment verification processes - always confirm bank detail changes by phone, using a number you already hold rather than one given in the email.
These habits are central to our wider small business security checklist; skipping them is a key reason phishing so often leads to ransomware.
The bottom line
Phishing succeeds by targeting people, so your defence must combine smart technology with a well-trained, confident team. Get both right and you shut down the most common route into your business. Want help putting these protections in place? Request a callback or explore our IT support service.
Frequently asked questions
What is the best way to protect against phishing?
Combine technical defences - email filtering, anti-spoofing records (SPF, DKIM and DMARC) and multi-factor authentication - with regular staff training, because most phishing relies on tricking a person rather than beating software.
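Anti-spoofing records only help if they are published with strict settings; a permissive SPF record or a DMARC policy of p=none still lets spoofed mail through. The following Python check is an added example, not code from the original article: it takes the TXT strings you would get from looking up a domain's SPF and _dmarc records and reports the settings that leave the domain spoofable. The records below are constructed samples showing a weak pair beside a hardened pair, and nothing is looked up over the network.

```python
import re

# Mechanisms and modifiers that each cost one DNS lookup under RFC 7208 (limit 10).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.IGNORECASE)


def spf_weaknesses(record: str) -> list[str]:
    """Problems with a published SPF TXT record; an empty list means it looks sound."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    problems = []
    final = terms[-1].lower()
    if final in ("+all", "all"):
        problems.append("'+all' lets any host on the internet send as this domain")
    elif final == "?all":
        problems.append("'?all' is neutral, so spoofed mail is neither passed nor failed")
    elif final == "~all":
        problems.append("'~all' only soft-fails spoofed mail; move to '-all' once DMARC reports look clean")
    elif final != "-all" and not final.startswith("redirect="):
        problems.append("no terminal 'all' mechanism; append '-all'")
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t))
    if lookups > 10:
        problems.append(f"{lookups} lookup terms exceed the limit of 10, so receivers return permerror")
    return problems


def dmarc_weaknesses(record: str) -> list[str]:
    """Problems with a _dmarc TXT record; an empty list means spoofed mail is rejected."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    problems = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        problems.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        problems.append("p=quarantine sends spoofed mail to junk rather than rejecting it")
    elif policy != "reject":
        problems.append("missing or invalid p= tag; receivers treat the record as monitoring at best")
    pct_text = tags.get("pct", "100")
    pct = int(pct_text) if pct_text.isdigit() else 100
    if pct < 100:
        problems.append(f"pct={pct} applies the policy to only {pct}% of failing mail")
    if not tags.get("rua"):
        problems.append("no rua= address, so you receive no aggregate reports to tune SPF and DKIM")
    return problems


# Constructed sample records: the weak settings beside the hardened ones.
WEAK_SPF = "v=spf1 include:_spf.example.net a mx ~all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
HARDENED_SPF = "v=spf1 include:_spf.example.net mx -all"
HARDENED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, record, check in (("weak SPF", WEAK_SPF, spf_weaknesses),
                                 ("weak DMARC", WEAK_DMARC, dmarc_weaknesses),
                                 ("hardened SPF", HARDENED_SPF, spf_weaknesses),
                                 ("hardened DMARC", HARDENED_DMARC, dmarc_weaknesses)):
        print(label, check(record) or ["looks sound"])
```

Moving straight to p=reject can block legitimate mail from systems you forgot about, so the usual path is p=none with rua= reporting first, then quarantine, then reject once the reports show every real sender passes SPF or DKIM.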
What should staff do if they click a phishing link?
Report it to IT immediately, disconnect from the network if asked, and change any password that was entered, using a different device you trust. Report a click even if nothing was typed in, because the link may have run code or simply confirmed the address is live. Fast reporting lets IT contain the issue before it spreads, so encourage a no-blame culture.
Does multi-factor authentication stop phishing?
MFA dramatically reduces the damage, because a stolen password alone is not enough to log in, and it is one of the most effective controls you can enable. It is not a complete answer: one-time codes from SMS or an authenticator app can be relayed by real-time phishing kits that proxy the login page, so prefer phishing-resistant methods such as security keys or passkeys where your systems support them.
