Phishing Protection for UK Businesses: Controls That Actually Work
Phishing is the most common initial attack vector in UK cyber incidents, responsible for the majority of ransomware deployments, account compromises and data breaches. This guide covers the technical controls — email authentication, AI filtering, URL scanning — alongside the training approaches that reduce susceptibility without creating security fatigue.
Nathan Hill-Haimes
Technical Director
The Phishing Threat in 2025
Phishing has evolved significantly from the obviously fraudulent emails of the early 2000s. Modern phishing campaigns are personalised, visually convincing and increasingly generated with AI assistance. The NCSC's 2024 Cyber Security Breaches Survey found that phishing was the most common type of attack among UK businesses that identified a cyber incident, cited by 84% of affected organisations.
The consequences of a successful phishing attack range from account compromise (often leading to business email compromise or data exfiltration) to ransomware deployment, with an average UK data breach cost of £3.4 million in 2024 inclusive of recovery, notification and business interruption costs. For SMEs, a single significant phishing incident can be existential.
Email Authentication: SPF, DKIM and DMARC
Email authentication protocols prevent attackers from sending emails that impersonate your domain. They are the foundational technical control against phishing and should be in place before any other anti-phishing measure is added.
SPF (Sender Policy Framework)
SPF is a DNS record that specifies which mail servers are authorised to send email from your domain. When a recipient's mail server receives an email claiming to be from your domain, it checks the SPF record to verify whether the sending server is authorised. Unauthorised senders fail the SPF check.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to emails sent from your domain, allowing recipients to verify that the message was not altered in transit and that it genuinely came from an authorised sender. The DKIM signature is verified against a public key published in your DNS.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC builds on SPF and DKIM by specifying what to do with emails that fail authentication checks — quarantine them, reject them or pass them through — and generates reports allowing you to monitor your domain's email authentication health. A DMARC policy of p=reject instructs receiving mail servers to reject emails that fail SPF and DKIM checks, effectively blocking domain spoofing.
NCSC's Mail Check tool provides a free assessment of your domain's email security configuration including DMARC, SPF and DKIM status.
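To make the "enforcement" distinction concrete, here is an added example (not AMVIA's code and not the NCSC Mail Check tool) that evaluates SPF and DMARC TXT records for the weaknesses described above: a softfail or permissive `all` mechanism, too many DNS-lookup mechanisms, a DMARC policy below `p=reject`, an unenforced subdomain policy and missing aggregate reporting. The record strings are constructed samples; in practice you would fetch them from DNS at the domain (SPF) and `_dmarc.<domain>` (DMARC).

```python
import re

# Constructed sample records for a hypothetical domain (not real DNS data)
WEAK_SPF = "v=spf1 include:_spf.example.net a mx ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 caps these at 10)
_LOOKUP = re.compile(r"^[+\-~?]?(include:|exists:|redirect=|(a|mx|ptr)(?=[:/]|$))")

def check_spf(record: str) -> list[str]:
    """Return the weaknesses found in an SPF TXT record (empty means enforced)."""
    mechs = record.split()
    if not mechs or mechs[0].lower() != "v=spf1":
        return ["not an SPF record: missing v=spf1"]
    findings = []
    terminal = mechs[-1].lower()
    if terminal == "~all":
        findings.append("~all is softfail; enforcement depends on DMARC, not SPF alone")
    elif terminal != "-all":
        findings.append(f"record ends with '{terminal}' rather than -all; unauthorised senders are not rejected")
    lookups = sum(1 for m in mechs[1:] if _LOOKUP.match(m.lower()))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10 (permerror)")
    return findings

def check_dmarc(record: str) -> list[str]:
    """Return the weaknesses found in a DMARC TXT record (empty means p=reject everywhere)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record: missing v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to junk; p=reject blocks it outright")
    elif policy != "reject":
        findings.append("p tag missing or invalid; receivers ignore the record")
    subdomain_policy = tags.get("sp", policy).lower()   # sp defaults to p
    if subdomain_policy != "reject":
        findings.append(f"subdomain policy is '{subdomain_policy or 'unset'}'; subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua address; aggregate reports are not being collected")
    return findings
```

An empty list from both functions corresponds to the "SPF with -all plus DMARC p=reject" state the article recommends; anything else is a gap to close before relying on authentication as a phishing control.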
Anti-Phishing Email Filtering
Beyond authentication, inbound email filtering provides several layers of protection:
- Link scanning: URLs in emails are checked against reputation databases and in some cases detonated in a sandbox before the email reaches the inbox. Safe Links (Microsoft Defender for Office 365) rewrites URLs and checks them at click-time, providing protection even when phishing URLs are not yet in reputation databases at delivery time.
- Attachment sandboxing: Email attachments are opened in an isolated sandbox environment to detect malicious behaviour before delivery. Microsoft Defender's Safe Attachments and similar third-party tools fulfil this role.
- AI-based impersonation detection: Machine learning models analyse email metadata, content and sender behaviour patterns to identify impersonation attacks — even when the sender has a legitimate-looking address that passes SPF/DKIM/DMARC checks.
- Lookalike domain detection: Filters identify emails from domains visually similar to your trusted partners (amv1a.co.uk vs amvia.co.uk) that attackers register to impersonate correspondents.
Microsoft 365 Anti-Phishing Controls
For businesses using Microsoft 365, Defender for Office 365 (Plan 1, included in Business Premium) provides:
- Safe Links — time-of-click URL checking
- Safe Attachments — sandboxed attachment detonation
- Anti-impersonation policies — protection against spoofed sender display names
- Anti-spoofing — blocks emails that fail authentication checks
- Phishing simulation capability — for staff training (covered below)
The anti-phishing policies in Defender for Office 365 require configuration — the defaults are not the most protective settings. AMVIA includes Microsoft 365 security hardening in all its managed service packages, ensuring these policies are correctly configured and monitored.
Security Awareness Training and Phishing Simulation
Technical controls significantly reduce phishing exposure but cannot eliminate it entirely — particularly against sophisticated targeted attacks. Security awareness training remains important, with some important caveats about how it is delivered:
- Regular short sessions work better than annual compliance exercises: Monthly 5-minute microlearning modules embed awareness more effectively than a 45-minute annual training video that employees click through to get the completion badge.
- Phishing simulation testing identifies vulnerability without blame: Sending simulated phishing emails to staff and tracking click rates provides objective data on susceptibility. Employees who click should receive immediate, constructive education — not punishment.
- Train on current threat patterns: Training that shows 2010-era phishing indicators trains staff to spot outdated attack patterns. Simulations and training should reflect current techniques including AI-personalised lures, QR code phishing and voice phishing (vishing).
- Create a reporting culture: Staff who believe they may have clicked on a phishing link or submitted credentials somewhere suspicious should feel safe reporting it immediately. Early reporting enables rapid response. Punitive cultures suppress reporting.
Incident Response for Phishing
If a phishing attack succeeds — an employee clicks a link, enters credentials or opens a malicious attachment — your response speed determines the damage:
- Reset the compromised account password and revoke active sessions immediately
- Enable MFA if not already active (and review why it was not)
- Review Microsoft 365 audit logs or your SIEM for any actions taken under the compromised account
- Check for email forwarding rules created by the attacker
- Notify other staff if the compromised account was used to send further phishing emails internally or to contacts
- Assess whether any personal data was accessed — UK GDPR breach assessment required
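The "check for forwarding rules" and "review what the account did" steps above are where most of the triage time goes. The following added example (not AMVIA's or Microsoft's code) scores an exported list of a compromised mailbox's inbox rules: external forwarding, rules that delete mail before the user sees it, and rules that hide mail matching fraud-related keywords. The rule records and field names are this example's own constructed shape, not a vendor export format, and `INTERNAL_DOMAINS` is an assumed value.

```python
# Assumed: the organisation's own domains (constructed value)
INTERNAL_DOMAINS = {"example.co.uk"}

# Subject words worth flagging when a rule quietly hides or deletes matching mail
SUSPECT_WORDS = {"invoice", "payment", "password", "phishing", "suspicious", "hacked"}

# Constructed sample of one mailbox's rules; field names belong to this example only
SAMPLE_RULES = [
    {"name": "Team newsletter", "forward_to": ["team@example.co.uk"],
     "delete": False, "move_to": None, "subject_words": []},
    {"name": ".", "forward_to": ["drop.box@example-mail.net"],
     "delete": True, "move_to": None, "subject_words": []},
    {"name": "Finance", "forward_to": [], "delete": False,
     "move_to": "RSS Subscriptions", "subject_words": ["invoice", "payment"]},
]


def triage_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return {rule name: [reasons]} for every rule that warrants investigation."""
    flagged = {}
    for rule in rules:
        reasons = []
        for addr in rule.get("forward_to", []):
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain not in internal_domains:
                reasons.append(f"forwards mail to external address {addr}")
        if rule.get("delete"):
            reasons.append("deletes matching messages before the user sees them")
        words = {w.lower() for w in rule.get("subject_words", [])}
        hits = sorted(words & SUSPECT_WORDS)
        hidden = rule.get("move_to") or ("Deleted Items" if rule.get("delete") else None)
        if hits and hidden:
            reasons.append(f"hides messages mentioning {hits} in '{hidden}'")
        if len(rule.get("name", "").strip()) <= 1:
            reasons.append("rule name is blank or a single character")
        if reasons:
            flagged[rule["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_rules(SAMPLE_RULES).items():
        print(f"[INVESTIGATE] {name!r}: " + "; ".join(reasons))
```

Every flagged rule should be cross-checked against the audit log entry that created it (who, when, from which IP) before it is removed, because the creation record is also the evidence of when the compromise began.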
Is Your Email Authentication Configured Correctly?
Many businesses have SPF records but lack DMARC enforcement, leaving their domain open to impersonation. AMVIA can assess and fix your email authentication configuration in a single engagement.
Frequently Asked Questions
MFA on all cloud accounts, followed by DMARC enforcement for your domain. MFA prevents account compromise even when credentials are stolen via phishing. DMARC with a reject policy prevents attackers from impersonating your domain in emails to your clients, suppliers or partners. Both are high-impact, relatively quick to implement and should precede investment in more advanced anti-phishing tooling.
Yes: no filtering system catches 100% of phishing attempts. Newly registered domains and novel phishing techniques can temporarily evade reputation-based filters. This is why defence in depth matters: DMARC authentication, AI behavioural filtering, Safe Links time-of-click checking and staff training together create multiple layers that a phishing email must bypass. No single control is sufficient alone.
Spear phishing is targeted at a specific individual or organisation, using personalised information to make the attack more convincing. Generic phishing sends identical emails to thousands of recipients hoping a percentage will click. Spear phishing researches the target's role, colleagues, current projects and industry context to craft a lure that appears legitimately relevant. AI tools have made personalised spear phishing cheaper and more scalable for attackers.
Monthly phishing simulations provide good baseline data and maintain staff vigilance without desensitising employees. Simulations should vary in technique (impersonation of internal colleagues, parcel delivery notifications, IT support requests, urgent financial requests) to reflect the range of lures used in real attacks. Results should be reviewed at department level to identify teams that may need additional focused training.
Standard MFA (TOTP codes, push notifications) protects against credential-only phishing but can be bypassed by adversary-in-the-middle (AiTM) attacks that capture session tokens in real time. Phishing-resistant MFA (FIDO2 hardware keys, passkeys) is not susceptible to AiTM attacks because authentication is domain-bound. For high-value accounts (executives, finance staff, IT administrators) phishing-resistant MFA should be prioritised.
Related Reading
What Is Spear Phishing? | Targeted Attack Guide for Business
How spear phishing works and why it is more dangerous than generic phishing campaigns.
Email Encryption for Business | AMVIA Guide
Email encryption is complementary to anti-phishing controls — together they protect both inbound threats and outbound confidentiality.
Preventing Malware & Ransomware Attacks | Business Guide
Phishing is the most common ransomware delivery vector — these controls address what happens after a phishing email is clicked.