Cybersecurity

Email Phishing: Keeping Your Business Safe

Phishing is the most commonly reported form of cyberattack against UK businesses. Combining technical controls (email authentication, filtering and a secure gateway) with regular staff training significantly reduces the risk of a costly breach.


Sophie Moore

Operations Manager

7 min read·Mar 2026

What is phishing and why is it so effective?

Phishing is the practice of sending fraudulent emails designed to trick recipients into revealing credentials, transferring money, or installing malware. The term covers a broad range of tactics — from mass-sent impersonations of HMRC or parcel delivery companies, to highly targeted attacks on specific individuals using personal and professional context gathered from social media and public records.

Its effectiveness lies in exploiting human behaviour rather than technical vulnerabilities. Even technically literate employees are susceptible to a well-crafted phishing email that arrives at the right moment — when they are busy, distracted, or genuinely expecting a communication from the impersonated organisation. The National Cyber Security Centre (NCSC) identifies phishing as the most common cause of significant cyber incidents affecting UK organisations.

Recognising phishing emails

Training staff to recognise phishing is a foundational element of any security awareness programme. Key indicators include:

  • Urgent or threatening language: "Your account will be suspended", "Immediate action required", "You have been selected for an HMRC rebate". Urgency is designed to override careful judgement.
  • Mismatched sender addresses: the display name may read "HSBC Security" while the actual sending address is on an unrelated domain with no connection to HSBC. Mobile mail clients often show only the display name, so tap or expand it to see the real address.
  • Suspicious links: hovering over a link (without clicking) reveals the real destination, which often differs from the displayed text or uses a slight misspelling or lookalike of a legitimate domain. Two caveats: if your mail filter rewrites links (Safe Links, for example), the hover target shows the filter's own domain with the real destination encoded inside it; and on a phone you long-press rather than hover. URL shorteners hide the destination entirely and should be treated as unknown.
  • Unexpected attachments: macro-enabled Office documents (.docm, .xlsm), compressed archives, disk images (.iso, .img), shortcut files (.lnk), HTML files and PDFs with embedded links are common phishing vehicles. Office now blocks macros in files downloaded from the internet by default, so attackers increasingly wrap payloads in archives or disk images to get around that block.
  • Requests that bypass normal processes: any email asking for credentials, payment authority or sensitive data outside normal channels deserves verification through a known-good route, such as a phone number from your own records rather than one supplied in the email.
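The first four indicators above are mechanical enough to check in code, and this is how a mail gateway or a triage script applies them. The following Python script is an added example (it is not AMVIA's tooling and is not part of the original article): it parses a raw email, compares the display name's claimed brand against the sending domain, looks for urgency phrases, checks every HTML link's visible text against its real target, and lists risky attachment types. Both messages, the allowlist of domains HSBC is assumed to use, and the phrase and extension lists are constructed for the demo.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages for the demo; neither is a real email.
SUSPICIOUS_EMAIL = """\
From: "HSBC Security" <alerts@hsbc-secure-login.example>
Subject: Immediate action required: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended within 24 hours.</p>
<p>Please visit <a href="http://hsbc.example.net/verify">https://www.hsbc.co.uk/login</a> to confirm.</p>
</body></html>
"""

LEGITIMATE_EMAIL = """\
From: HSBC <noreply@hsbc.co.uk>
Subject: Your monthly statement is ready
Content-Type: text/plain; charset="utf-8"

Your statement is available in online banking.
"""

# Assumed lists; a real deployment would tune these to its own traffic.
URGENCY_PHRASES = ("immediate action required", "will be suspended",
                   "rebate", "verify your account")
RISKY_EXTENSIONS = (".docm", ".xlsm", ".zip", ".7z", ".iso", ".img", ".lnk", ".html")


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Crude owner-domain extraction: last two labels, or three under
    UK-style second-level suffixes (www.hsbc.co.uk -> hsbc.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in ("co", "org", "gov", "ac") and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def phishing_indicators(raw_message, expected_domains):
    """Return the indicators found in one RFC 5322 message.
    expected_domains is the assumed allowlist of domains the claimed brand
    genuinely sends from and links to; anything else is flagged."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # Mismatched sender: display name claims a brand, domain is not one we trust.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if sender_domain and registrable_domain(sender_domain) not in expected_domains:
        findings.append(f"sender domain {sender_domain!r} does not match display name {display!r}")

    # Urgency phrases anywhere in subject or body.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    haystack = (msg.get("Subject", "") + " " + text).lower()
    findings += [f"urgency phrase {p!r}" for p in URGENCY_PHRASES if p in haystack]

    # Links whose visible text names one domain while the href goes elsewhere.
    if body and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(text)
        for shown, href in collector.links:
            target = urlparse(href).hostname or ""
            shown_host = urlparse(shown).hostname if shown.startswith("http") else None
            if shown_host and registrable_domain(shown_host) != registrable_domain(target):
                findings.append(f"link text shows {shown_host!r} but points to {target!r}")
            elif target and registrable_domain(target) not in expected_domains:
                findings.append(f"link to {target!r} outside expected domains")

    # Attachment types commonly used to carry payloads.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {name!r}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SUSPICIOUS_EMAIL, {"hsbc.co.uk", "hsbc.com"}):
        print("-", finding)
```

Run against the constructed suspicious message it reports the sender domain, two urgency phrases and the mismatched link; the legitimate statement notice produces no findings. The domain extraction is deliberately crude (a production filter would use the Public Suffix List), which is the reason lookalike domains such as hsbc-secure-login.example are caught only because they fail the allowlist, not because the code recognises them as imitations.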

Types of phishing attacks

Standard phishing

Bulk phishing campaigns impersonating well-known brands — Microsoft, Amazon, banks, HMRC — and targeting many recipients simultaneously. Less sophisticated but still effective, particularly against users without security awareness training.

Spear phishing

Targeted attacks using specific information about the recipient, their role, colleagues and current business activities. A spear phishing email might reference an ongoing project, name a real colleague, or appear to come from a known supplier. These require more effort from the attacker but achieve significantly higher success rates.

Whaling

Phishing attacks specifically targeting senior executives. The goal is typically to compromise a high-value email account, intercept communications, or authorise fraudulent payments. Whaling attacks are often combined with business email compromise tactics.

Smishing and vishing

SMS phishing (smishing) and voice phishing (vishing) are increasingly used alongside email, particularly to talk the victim into reading out or forwarding a one-time verification code so that the attacker can complete an account takeover. Staff should be aware that a phishing email may be followed by an SMS or phone call that reinforces the deception, for example a caller claiming to be from IT who asks the user to approve the MFA prompt they have just received.

Technical controls that reduce phishing risk

No technical control eliminates phishing entirely, but a layered defence significantly reduces the probability and impact:

  • Email authentication (SPF, DKIM, DMARC): a DMARC policy of quarantine or reject stops criminals from sending mail that claims to be from your exact domain, and lets receiving systems, including your own gateway for mail impersonating other organisations that publish DMARC, reject or flag spoofed messages. It does nothing against lookalike domains such as yourcompany-invoices.example, so it complements rather than replaces user training.
  • Email security gateway: scans inbound email for known malicious URLs, suspicious attachments and phishing indicators before delivery to the inbox. Check that it enforces the sender's DMARC policy rather than only recording the result in a header.
  • Safe Links and Safe Attachments: available in Microsoft Defender for Office 365, these rewrite URLs so that they are checked again at click time and detonate attachments in a sandbox before releasing them to the user.
  • Multi-factor authentication: if a password is phished, MFA stops the attacker using it unless they also obtain the second factor. Note that SMS and app-generated codes and push approvals can be phished in real time by a proxy site that relays the login, or worn down by repeated push prompts; phishing-resistant methods such as FIDO2 security keys or passkeys are bound to the genuine site's origin and defeat this.
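The SPF and DMARC point above is easy to get wrong in practice: a domain can publish both records and still be spoofable if SPF ends in ?all or DMARC says p=none. The following Python script is an added example, not part of the original article or of AMVIA's tooling. It grades an SPF record and a DMARC record the way a practitioner would during an assessment. The records are constructed strings; a real check would first fetch the TXT records for the domain and for _dmarc.<domain> with a DNS client, which is not included. The spf.protection.outlook.com include is the real Microsoft 365 include; example.co.uk and the mailbox address are assumptions.

```python
# Constructed example records for the demo; in practice these are the TXT
# records fetched for <domain> and _dmarc.<domain> (no DNS client here).
EXAMPLE_RECORDS = {
    "weak": {"spf": "v=spf1 include:spf.protection.outlook.com ?all",
             "dmarc": "v=DMARC1; p=none"},
    "strong": {"spf": "v=spf1 include:spf.protection.outlook.com -all",
               "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.co.uk; adkim=s; aspf=s"},
}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a {tag: value} dict."""
    tags = {}
    for chunk in record.split(";"):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Return a list of weaknesses in an SPF record ([] means nothing obvious)."""
    if not record:
        return ["no SPF record: receivers cannot tell which hosts may send for the domain"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    issues, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        term = term.lower()
        qualifier = term[0] if term[0] in "+-~?" else "+"   # bare mechanism means pass
        mechanism = term.lstrip("+-~?")
        name = mechanism.split(":")[0].split("/")[0]
        if mechanism == "all":
            all_qualifier = qualifier
        elif name in ("include", "a", "mx", "exists") or mechanism.startswith("redirect="):
            lookups += 1   # each of these costs a DNS lookup at evaluation time
    if all_qualifier is None:
        issues.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        issues.append("'+all' authorises every host on the internet to send as this domain")
    elif all_qualifier == "?":
        issues.append("'?all' is neutral, equivalent to publishing no policy")
    if lookups > 10:
        issues.append(f"{lookups} lookup terms exceed the SPF limit of 10 (permerror)")
    return issues


def assess_dmarc(record):
    """Return (level, issues); level is absent, invalid, monitoring, partial or enforcing."""
    if not record:
        return "absent", ["no DMARC record: receivers apply no policy to spoofed mail"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid", ["record does not start with v=DMARC1"]
    p = tags.get("p", "").lower()
    if p not in ("none", "quarantine", "reject"):
        return "invalid", [f"missing or unknown policy tag p={p!r}"]
    issues = []
    pct = int(tags.get("pct", "100"))
    if p == "none":
        issues.append("p=none only monitors: spoofed mail is still delivered")
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: you receive no aggregate reports")
    if p != "none" and tags.get("sp", p).lower() == "none":
        issues.append("sp=none leaves subdomains unprotected")
    if p == "none":
        level = "monitoring"
    else:
        level = "enforcing" if pct == 100 else "partial"
    return level, issues


def assess_domain(spf_record, dmarc_record):
    """Combine both checks into one report for a domain."""
    level, dmarc_issues = assess_dmarc(dmarc_record)
    return {"spf_issues": assess_spf(spf_record),
            "dmarc_level": level, "dmarc_issues": dmarc_issues}


if __name__ == "__main__":
    for name, recs in EXAMPLE_RECORDS.items():
        print(name, assess_domain(recs["spf"], recs["dmarc"]))
```

The "weak" pair is the state many organisations sit in after a Microsoft 365 migration: SPF is technically present but ends in ?all, and DMARC was published at p=none to collect reports and never moved on. Neither record stops a spoofed message from your exact domain reaching an employee; only the "strong" pair does.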

Building a phishing-aware culture

Technology controls are necessary but not sufficient. Staff awareness training — conducted regularly, not as a one-off annual presentation — is what builds the habitual scepticism needed to catch attacks that get through technical filters.

Simulated phishing exercises, where controlled phishing emails are sent to staff to test their response, are among the most effective training mechanisms, provided the results are used to teach rather than to rank. Staff who click on a simulated phishing link should receive immediate, contextual education rather than punitive consequences. The goal is learning, not blame allocation.

An organisation where staff feel comfortable reporting suspicious emails — without fear of embarrassment — will catch real phishing attempts far earlier than one where employees quietly delete suspicious messages without telling anyone.

What to do if you receive a phishing email

If a suspicious email arrives: do not click any links or open attachments, do not reply and do not forward it to colleagues. Report it using your organisation's designated reporting process. In Microsoft 365 this can be done directly from Outlook using the built-in Report button, or through a third-party reporting add-in such as KnowBe4's Phish Alert Button if your organisation has deployed one; reporting rather than deleting gives your security team the original message with its headers intact. If you believe you have already clicked a link or entered credentials, tell your IT team immediately so that they can reset the password, revoke active sessions and tokens, check the mailbox for newly created inbox rules or forwarding (a common sign that an attacker already has access) and review the sign-in logs for logins from unfamiliar locations.

AMVIA helps UK businesses implement email security controls and delivers security awareness training programmes that measurably improve staff response to phishing attempts.

Test Your Team Against Real Phishing Attacks

AMVIA's simulated phishing exercises reveal exactly how your staff respond to phishing attempts — and deliver immediate, effective training to those who need it.

Frequently Asked Questions