How to Protect Your Business from Phishing Attacks

A practical guide for UK businesses — explaining what this means, why it matters, and what you should do about it.

Overview

43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, equating to approximately 612,000 businesses (DSIT Cyber Security Breaches Survey 2025). 67% of medium businesses and 74% of large businesses reported breaches in 2025.

Protecting Your Business from Phishing: A Layered Approach

Phishing remains the single most common method by which cybercriminals attack UK businesses. As part of a comprehensive cybersecurity strategy, protecting your organisation against phishing requires overlapping layers of technical, process, and human controls working together. No single control is sufficient on its own. When one layer fails — and eventually, one will — the others catch what gets through. This guide sets out the key controls that UK SMEs should have in place to defend against phishing in all its forms.

The scale of the phishing threat is stark. According to the DSIT Cyber Security Breaches Survey 2025, 85% of breaches involved phishing and 93% of cyber crimes were phishing-based. Overall, 43% of UK businesses experienced a cybersecurity breach or attack in the past twelve months, with 67% of medium businesses and 74% of large businesses reporting breaches (DSIT Cyber Security Breaches Survey 2025). Phishing is not a niche threat — it is the primary attack vector that UK businesses of all sizes must address.

Understanding the Types of Phishing

Mass Phishing

Mass phishing involves sending large volumes of generic emails designed to trick recipients into clicking a malicious link or entering credentials on a fake login page. These emails typically impersonate well-known brands such as Royal Mail, HMRC, Microsoft, or major banks. They rely on volume — if one in a thousand recipients clicks, the campaign is profitable for the attacker.

Spear Phishing

Spear phishing targets specific individuals within an organisation, using personalised information to make the email more convincing. The attacker may reference the recipient's job title, recent projects, or colleagues by name. Spear phishing is significantly more effective than mass phishing because it is tailored to bypass the recipient's suspicion.

Business Email Compromise (BEC)

BEC is the most targeted and financially damaging form of phishing. The attacker impersonates a senior executive, supplier, or solicitor and requests a payment or sensitive data transfer. Impersonation was reported by 35% of businesses experiencing breaches (DSIT Cyber Security Breaches Survey 2025), and BEC sits at the heart of this category. BEC emails often contain no malicious links or attachments, making them particularly difficult for technical controls to detect.

Smishing and Vishing

Smishing (SMS phishing) and vishing (voice phishing) extend phishing beyond email. Attackers send fraudulent text messages or make telephone calls impersonating banks, delivery companies, or government agencies. These channels are increasingly used alongside email phishing as part of multi-channel attack campaigns.

Quishing

Quishing uses QR codes to direct victims to malicious websites. Attackers embed QR codes in emails, printed materials, or even physical locations. Because QR codes are opaque — the user cannot see the destination URL before scanning — they bypass the instinct to check link addresses that many users have developed for email-based phishing.

Technical Controls

DMARC, DKIM, and SPF

These three email authentication standards work together to prevent criminals from spoofing your domain. SPF (Sender Policy Framework) specifies which mail servers are permitted to send email on behalf of your domain. DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to outbound emails, allowing receiving servers to verify the message has not been tampered with. DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together and tells receiving mail servers what to do when an email fails authentication checks — either monitor, quarantine, or reject it.

Publishing a DMARC record at p=reject is the gold standard. It prevents criminals from sending emails that appear to come from your domain, protecting your customers, partners, and suppliers from phishing attacks that impersonate your organisation. The NCSC recommends DMARC for all UK organisations, and it is a requirement for many government contracts. AMVIA configures and monitors DMARC as part of its managed email security service.
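The following is an added illustration, not AMVIA's tooling: it parses a `_dmarc` TXT record and applies the receiving-server logic described above (SPF or DKIM must pass and be aligned with the visible From domain, otherwise the published `p=` policy decides the outcome). DNS lookups are assumed to have been done already, so the SPF and DKIM results are passed in as parameters; the `PUBLIC_SUFFIXES` set is a tiny stand-in for the real Public Suffix List.

```python
"""Simplified DMARC evaluation (illustrative, not AMVIA's code).

Only the p= tag, identifier alignment (adkim/aspf) and the three
dispositions discussed in the guide are modelled; sp=, pct= and
reporting tags are parsed but ignored.
"""

# Tiny stand-in for the Public Suffix List (assumption for this example).
PUBLIC_SUFFIXES = {"co.uk", "org.uk", "ac.uk"}


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags["p"] = tags["p"].lower()
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain: mail.example.co.uk -> example.co.uk."""
    labels = domain.lower().split(".")
    n = 3 if ".".join(labels[-2:]) in PUBLIC_SUFFIXES else 2
    return ".".join(labels[-n:])


def aligned(identifier: str, header_from: str, mode: str) -> bool:
    """Strict (s) needs an exact match; relaxed (r) accepts the same organisational domain."""
    if mode == "s":
        return identifier.lower() == header_from.lower()
    return org_domain(identifier) == org_domain(header_from)


def dmarc_disposition(record, header_from, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return 'pass', or the action the published policy asks the receiver to take."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, header_from, tags["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, header_from, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]
```

The second assertion in the test below is the case p=reject exists for: SPF passes for the sender's own domain, but that domain is not aligned with the spoofed From address, so the message is rejected.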

Email Filtering and Gateway Security

Email filtering inspects inbound messages before they reach user inboxes, blocking known malicious senders, scanning attachments for malware, and identifying suspicious content patterns. Modern email filtering uses machine learning to detect phishing emails that signature-based tools would miss, adapting to new attack techniques as they emerge. Effective filtering is the first line of defence — if a phishing email never reaches the inbox, the user never has the opportunity to click it.

Microsoft Defender for Office 365

Microsoft Defender for Office 365 provides anti-phishing policies, safe links (which check URLs at the point of click rather than at delivery, catching time-delayed threats), safe attachments (which detonate suspicious files in a sandbox before delivery), and anti-impersonation protection that flags emails appearing to come from your executive team but originating from external senders. Plan 1 covers the essential protections for most SMEs; Plan 2 adds advanced threat hunting and automated investigation and response tools.

Multi-Factor Authentication

If a phishing attack does successfully steal a user's credentials, MFA prevents the attacker from using them to access company systems. Enabling MFA on Microsoft 365, cloud applications, and VPN access is one of the most effective technical controls available and should be treated as non-negotiable for all UK businesses. The NCSC lists MFA as one of its top recommendations for organisations of all sizes.

Process Controls

Payment and Supplier Change Verification

Establish a clear written policy requiring that any change to supplier bank account details, or any payment request received by email, must be verbally confirmed with the requester using a telephone number held in your own records — not any number provided in the email. This single procedure prevents the majority of business email compromise and invoice fraud attacks that reach the final stage. The policy should be documented, communicated to all relevant staff, and enforced without exception.

Suspicious Email Reporting

Staff who spot a suspicious email need a simple, frictionless way to report it. In Microsoft 365, the Report Message add-in enables one-click reporting directly to your security team or to Microsoft for analysis. A clear internal reporting process — and a culture where reporting is encouraged rather than penalised — significantly improves your ability to detect and respond to phishing campaigns early. Every reported email is an intelligence opportunity: if one employee received a phishing email, others in the organisation may have received it too.

Incident Response Planning

The DSIT Cyber Security Breaches Survey 2025 found that only 14% of UK businesses have a formal incident response plan. Without a plan, a successful phishing attack can escalate unchecked whilst staff debate who is responsible and what to do. A basic incident response plan should define who to contact, how to contain the compromise (resetting passwords, revoking sessions, isolating affected devices), and how to communicate with affected parties. AMVIA helps clients develop and test incident response procedures as part of its managed security service.

Human Controls

Phishing Simulation Training

Regular simulated phishing campaigns send realistic but safe phishing emails to staff and measure who clicks, who enters credentials, and who reports the email correctly. Employees who interact with the simulation receive immediate, targeted training that reinforces the right behaviours. Over time, this measurably reduces phishing susceptibility rates across the organisation. AMVIA delivers managed phishing simulation programmes as part of its security awareness training service, providing monthly campaigns with detailed reporting on organisational progress.

Security Awareness Training

All staff — not just IT — should receive regular security awareness training covering how to recognise phishing in all its forms (email, SMS, voice, QR code), what to do if they receive a suspicious message, and how to report incidents. Training should be refreshed at least annually and supplemented with brief topical updates when new attack techniques emerge. Effective training changes behaviour, not just knowledge — staff should feel confident and empowered to challenge suspicious requests, even when they appear to come from senior leadership.

Phishing Prevention Checklist for UK SMEs

The following checklist summarises the key controls every UK SME should have in place to protect against phishing attacks:

  • DMARC published at p=reject for all company domains
  • SPF and DKIM correctly configured for all sending sources
  • Microsoft Defender for Office 365 (or equivalent) with anti-phishing policies enabled
  • Safe links and safe attachments activated
  • Multi-factor authentication enforced on all user accounts
  • Written payment verification policy requiring verbal confirmation for bank detail changes
  • Suspicious email reporting process in place with one-click reporting enabled
  • Regular phishing simulation campaigns (monthly recommended)
  • Annual security awareness training for all staff
  • Documented incident response plan covering phishing compromise scenarios
  • Regular review of email authentication reports and filtering effectiveness
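The last checklist item (reviewing email authentication reports) is where DMARC's `rua=` aggregate reports come in. As an added example that is not part of this guide or AMVIA's service, the script below summarises one such report: the XML is constructed here to follow the aggregate report format in RFC 7489, and the IP addresses are documentation-range placeholders.

```python
"""Summarise a DMARC aggregate (rua) report (illustrative, not AMVIA's code)."""
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout (not a real report).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.co.uk</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.co.uk</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.co.uk</header_from></identifiers>
  </record>
</feedback>"""


def summarise(report_xml: str) -> dict:
    """Per-source message counts, failures and the dispositions the receiver applied."""
    root = ET.fromstring(report_xml)
    summary = {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "sources": {},
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        count = int(row.findtext("count"))
        passed = evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass"
        src = summary["sources"].setdefault(
            row.findtext("source_ip"), {"messages": 0, "failed": 0, "dispositions": set()}
        )
        src["messages"] += count
        src["failed"] += 0 if passed else count
        src["dispositions"].add(evaluated.findtext("disposition"))
    return summary


def failing_sources(report_xml: str) -> list:
    """IPs whose mail claimed your domain but failed both DKIM and SPF: either a
    legitimate sender missing from your SPF/DKIM setup, or spoofing being blocked."""
    return sorted(ip for ip, v in summarise(report_xml)["sources"].items() if v["failed"] > 0)
```

In a monthly review, any IP returned by `failing_sources` should be checked against the list of systems genuinely allowed to send for the domain before it is dismissed as blocked spoofing.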

AMVIA's Managed Email Security Service

AMVIA provides a fully managed email security service for UK SMEs, combining Microsoft Defender for Office 365, DMARC configuration and monitoring, phishing simulation training, and ongoing threat intelligence. Our Sheffield-based team monitors your email environment around the clock and responds to emerging threats — so your staff are protected without needing to manage complex email security tooling themselves. With the average cost of the single most disruptive breach at approximately £1,205 for micro and small businesses (DSIT Cyber Security Breaches Survey 2025), and significantly higher for medium and large organisations, investing in layered phishing protection is one of the most cost-effective security decisions a UK business can make.

Key Considerations

  • Assess your current position and identify gaps
  • Understand relevant UK regulations and standards
  • Implement appropriate technical controls
  • Train staff on security awareness
  • Review and update regularly
  • Consider managed service options for specialist areas

Need Help With This?

AMVIA can assess your current position and recommend practical next steps.