Phishing is the most common form of cyberattack and one that can have a significant impact on businesses and consumers. Here, we’ll look at what phishing is and what experts, including the National Cyber Security Centre (NCSC), advise businesses to do to protect themselves and their customers.
What is a phishing attack?
Phishing is a form of cyberattack that is delivered via communications channels, like email, SMS, social media and telephone calls. The aim of an attack is to get people to click on malicious website links or visit unsafe websites where they can be tricked into giving away login credentials, business or personal information and money. Phishing messages often try to mimic those of real organisations, using their logos and email addresses, etc., to convince victims that they are genuine. This mimicry can also plague the businesses being impersonated: when scammers use a company's identity to defraud its customers, the company's reputation suffers.
How to defend against phishing
According to the NCSC, simply teaching staff and customers how to identify phishing messages is not enough. While poor writing and obviously mocked-up or pasted logos make many easy to spot, not all of them are so amateurish, and people aren't always on their guard. Instead, it's best for businesses to adopt a multi-strand approach. Here are some of the things you can do.
Make it hard for phishers to attack your customers
To make it more difficult for scammers, one of the first things a company should do is to use anti-spoofing controls that make it harder for criminals to spoof your email addresses. Removing the email addresses of individual employees from the public domain can also help prevent those employees' addresses from being used in attacks. It's not uncommon for finance department employees to get phishing emails pretending to be from an executive asking them to transfer money to the criminals' accounts.
Stop phishing emails getting to inboxes
The majority of phishing scams are sent via email, and companies can vastly reduce the risk by blocking as many of them as possible so they never end up in their employees' inboxes. The easy way to do this is to make sure your email hosting comes with filtering tools, like SpamExperts, or advanced email protection, like Mimecast. These tools use up-to-the-minute threat detection technology to scan inbound and outbound mail for phishing, malware and spam and block what they find.
You can block and/or filter your email. Blocking stops email from getting through altogether, while filtering puts suspected phishing or spam into a junk folder.
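To make the block/filter distinction concrete, here is an added example (not from the article, and not how SpamExperts or Mimecast work internally) of a small inbound triage step. A message from a sender domain the organisation has already confirmed as malicious is blocked outright; a message that merely looks suspicious, because its display name borrows the company's own domain or because a link's visible text names a different host from the one it actually points to, is diverted to junk; everything else is delivered. The messages, the blocklist and the domain names are constructed samples, and `triage`, `link_mismatches` and `OUR_DOMAIN` are names chosen here.

```python
"""Inbound mail triage: block, junk, or deliver.

Added example, not from the original article and not any product's
internals. Blocking rejects a message outright; filtering diverts
suspected phishing to a junk folder. Messages, blocklist and domain
names are constructed sample data.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: sender domains already confirmed as malicious.
BLOCKED_DOMAINS = {"example-login-alerts.test"}
# Constructed: our own domain, whose name phishers like to borrow.
OUR_DOMAIN = "example.com"

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)

# Constructed sample messages covering each outcome.
SAMPLE_MESSAGES = [
    {"from": "Alerts <alerts@example-login-alerts.test>",
     "body": "<p>Your mailbox is full.</p>"},
    {"from": '"example.com Support" <support@mail-example.test>',
     "body": "<p>Reset your password.</p>"},
    {"from": "HR <hr@partner.test>",
     "body": 'Please review <a href="http://203.0.113.5/login">https://example.com/payroll</a>'},
    {"from": "Alice <alice@partner.test>",
     "body": 'Agenda: <a href="https://partner.test/agenda">https://partner.test/agenda</a>'},
]


def _strip_www(host: str) -> str:
    return host[4:] if host.startswith("www.") else host


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header, e.g. 'x@a.test' -> 'a.test'."""
    _, address = parseaddr(from_header)
    return address.rpartition("@")[2].lower()


def link_mismatches(html_body: str):
    """Return (shown_host, real_host) pairs where link text names a different host
    from the href target. Link text without a hostname (e.g. 'Click here') is skipped."""
    mismatches = []
    for href, text in HREF_RE.findall(html_body):
        href_host = (urlparse(href).hostname or "").lower()
        shown = HOST_RE.search(text)
        if not shown or not href_host:
            continue
        shown_host = shown.group(0).lower()
        if _strip_www(shown_host) != _strip_www(href_host):
            mismatches.append((shown_host, href_host))
    return mismatches


def triage(message: dict):
    """Return ('block' | 'junk' | 'deliver', reason) for one message."""
    domain = sender_domain(message["from"])
    if domain in BLOCKED_DOMAINS:
        return "block", f"sender domain {domain} is on the blocklist"
    display_name, _ = parseaddr(message["from"])
    if OUR_DOMAIN in display_name.lower() and domain != OUR_DOMAIN:
        return "junk", f"display name claims {OUR_DOMAIN} but sender is {domain}"
    mismatches = link_mismatches(message["body"])
    if mismatches:
        shown, actual = mismatches[0]
        return "junk", f"link text shows {shown} but points to {actual}"
    return "deliver", "no phishing indicators found"


def triage_all(messages):
    """Verdicts for a batch of messages, in order."""
    return [triage(m)[0] for m in messages]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(triage(m))
```

Real gateways layer many more signals (reputation, attachment scanning, URL rewriting) on top, but the shape is the same: a confirmed-bad indicator justifies a hard block, while a heuristic match is better routed to junk where a false positive costs only a glance.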
Make it easy to spot and report phishing
Phishing can be hard to spot, so even with training, it’s unrealistic to expect staff or customers to be 100% accurate in weeding out attacks. Within businesses, it is important to accept this so that employees who make mistakes feel confident to report them rather than fearing a reprimand. However, everyone needs to understand what the potential threat of a phishing attack is and why it is important to report it. The advice here is to provide simple and effective channels for reporting so that the company can be quick to react to ongoing attacks against them.
When it comes to training to spot phishing, it is important for companies to look at the attacks that are pertinent to their organisation. If customers have user accounts, for example, a common threat is to send emails telling them there is an urgent problem with their account and asking them to log in via a malicious link. Knowing what the vulnerabilities are will help identify the main threats.
Defend against phishing that gets through
Phishing and malware are often used in unison, so if someone clicks on a link or visits a spoof website, there is an additional risk of malware infecting the company's systems. Crucial here is the need to have solid endpoint security on individual devices and robust firewalls, with malware prevention built in, to stop malware from reaching the system.
The NCSC recommends limiting admin accounts to those who need those privileges, in order to stop users mistakenly installing malware from phishing emails. Similarly, admin accounts should be blocked from browsing the internet or checking email. Staff who hold admin rights should log out of the admin account and use a separate, non-privileged account for those activities.
Additionally, employers should ensure browsers will block access to known phishing and malware sites and back this up with a proxy service that provides the same protection.
Set up two-factor authentication
For many phishing criminals, the goal of an attack is to access a business's systems. If they have stolen an employee's login credentials, their ability to steal information, pose as that employee or carry out other malicious activity is vastly increased. You can protect against this by using two-factor authentication. This way, even if the attacker has someone's username and password, they still cannot access the account: to do that, they would also need the second factor, such as the code sent to the user's mobile phone.
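The following is an added example, not code from the article, showing why a second factor defeats a stolen password. The article describes a code sent to the user's phone; this example uses the authenticator-app variant (TOTP, RFC 6238), which is derived from a shared secret and the clock and so can be run offline. The user record, salt and timestamps are constructed samples, the TOTP secret is the RFC 6238 test-vector secret, and `login`, `verify_totp` and `USERS` are names chosen here.

```python
"""Two-factor login check with a time-based one-time password (RFC 6238).

Added example, not from the original article. A correct password on its
own is rejected; the caller must also present the current TOTP code.
User record, salt and timestamps are constructed sample data.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6
PBKDF2_ROUNDS = 100_000


def totp(secret: bytes, unix_time: int) -> str:
    """TOTP code for `secret` at `unix_time` (HMAC-SHA1, 30 s steps, 6 digits)."""
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps either side,
    to tolerate clock drift between server and phone."""
    for drift in range(-window, window + 1):
        candidate = totp(secret, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user record: salted password hash plus the TOTP secret.
USERS = {
    "alice": {
        "salt": b"constructed-salt",
        "pw_hash": _hash_password("correct horse", b"constructed-salt"),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector secret
    }
}


def login(username: str, password: str, code: str, unix_time=None) -> bool:
    """Both factors must pass; a phished password alone is not enough.

    Both checks always run so that timing does not reveal which one failed.
    """
    user = USERS.get(username)
    if user is None:
        return False
    if unix_time is None:
        unix_time = int(time.time())
    pw_ok = hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, unix_time)
    return pw_ok and code_ok


if __name__ == "__main__":
    now = int(time.time())
    current = totp(USERS["alice"]["totp_secret"], now)
    print("password only:", login("alice", "correct horse", "000000", now))   # False
    print("password + code:", login("alice", "correct horse", current, now))  # True
```

The worked values come from the RFC 6238 test vectors: with this secret the 8-digit code at Unix time 59 is 94287082, so the 6-digit code is 287082. A real deployment would also rate-limit attempts and reject a code that has already been used within its step.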
Make use of email certificates
Email signing certificates, digital certificates issued through the same public-key infrastructure as SSL/TLS certificates, protect against phishing scams because they let employees and customers know that an email from your business has been verified as genuine: a signed message is tied to the sender's certificate, and recipients' mail clients flag any message whose signature is missing or invalid. In this way, recipients will be better able to distinguish between real emails and fake ones. When the same certificates are also used for encryption, they encrypt email content and attachments so that they cannot be read or tampered with in transit.
The impact of a successful phishing scam can be significant. It can damage reputation, lead to important information being stolen, cause employees to transfer money to criminals’ accounts and enable attackers to access and cause havoc on business systems. Protecting against them is vital and hopefully, the information provided here will help safeguard your company and your customers from phishing.
For more information about our secure hosting solutions, as well as tools like advanced firewalls, SpamExperts, Mimecast and email signing certificates, visit our homepage.