How to Protect Your Business from Phishing Attacks

A practical guide for UK businesses — explaining what this means, why it matters, and what you should do about it.

Overview

43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, equating to approximately 612,000 businesses (DSIT Cyber Security Breaches Survey 2025). 67% of medium businesses and 74% of large businesses reported breaches in 2025.

Protecting Your Business from Phishing: A Layered Approach

No single control is sufficient to stop phishing. Effective protection requires overlapping layers of technical, process, and human controls working together. When one layer fails — and eventually, one will — the others catch what gets through. This guide sets out the key controls that UK SMEs should have in place.

Technical Controls

DMARC, DKIM, and SPF

These three email authentication standards work together to prevent criminals from spoofing your domain. SPF (Sender Policy Framework) specifies which mail servers are permitted to send email on behalf of your domain. DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to outbound emails. DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receiving mail servers what to do when an email fails SPF or DKIM checks — either monitor, quarantine, or reject it.

Publishing a DMARC record at p=reject is the gold standard. The NCSC recommends DMARC for all UK organisations and it is a requirement for many government contracts. AMVIA configures and monitors DMARC as part of its managed email security service.

Microsoft Defender for Office 365

Microsoft Defender for Office 365 provides anti-phishing policies, safe links (which check URLs at the point of click), safe attachments (which detonate suspicious files in a sandbox before delivery), and anti-impersonation protection that flags emails that appear to come from your executive team but originate from external senders. Plan 1 covers the essential protections for most SMEs; Plan 2 adds advanced threat hunting and investigation tools.

Multi-Factor Authentication

If a phishing attack does successfully steal a user's credentials, MFA prevents the attacker from using them. Enabling MFA on Microsoft 365, cloud applications, and VPN access is one of the most effective technical controls available and should be treated as non-negotiable for all UK businesses.

Process Controls

Payment and Supplier Change Verification

Establish a clear written policy requiring that any change to supplier bank account details, or any payment request received by email, must be verbally confirmed with the requester using a telephone number held in your own records — not any number provided in the email. This single procedure prevents the majority of business email compromise and invoice fraud attacks that reach the final stage.

Suspicious Email Reporting

Staff who spot a suspicious email need a simple, frictionless way to report it. In Microsoft 365, the Report Message add-in enables one-click reporting directly to your security team or to Microsoft. A clear internal reporting process — and a culture where reporting is encouraged rather than penalised — significantly improves your ability to detect and respond to phishing campaigns early.

Human Controls

Phishing Simulation Training

Regular simulated phishing campaigns send realistic (but safe) phishing emails to staff and measure who clicks, who enters credentials, and who reports the email. Employees who interact with the simulation receive immediate, targeted training. Over time, this reduces phishing susceptibility rates significantly. AMVIA delivers managed phishing simulation programmes as part of its security awareness training service.

Security Awareness Training

All staff — not just IT — should receive regular security awareness training covering how to recognise phishing, what to do if they receive a suspicious email, and how to report incidents. Training should be refreshed at least annually and supplemented with brief topical updates when new attack techniques emerge.

AMVIA's Managed Email Security Service

AMVIA provides a fully managed email security service for UK SMEs, combining Microsoft Defender for Office 365, DMARC configuration and monitoring, phishing simulation training, and ongoing threat intelligence. Our Sheffield-based team monitors your email environment and responds to emerging threats — so your staff are protected without needing to manage complex email security tooling themselves.

Key Considerations

Assess your current position and identify gaps

Understand relevant UK regulations and standards

Implement appropriate technical controls

Train staff on security awareness

Review and update regularly

Consider managed service options for specialist areas

Need Help With This?

AMVIA can assess your current position and recommend practical next steps.
