How you protect against phishing attacks for your business isn’t about finding a single silver bullet. It’s about building a layered defence—a series of barriers that combine smart technology, sharp-eyed employees, and a solid plan for when things go wrong. Simply put, you need to make it as difficult as possible for attackers to get through. This means going far beyond basic antivirus and creating a proper strategy that covers both technical gaps and the reality of human error.
The Hidden Threat Targeting UK Businesses

Phishing isn’t just an IT headache; it’s a direct assault on your company’s bank account and reputation. Let’s forget the technical jargon for a moment and think about a real-world scenario.
An email lands in your finance manager’s inbox. It looks like a completely legitimate invoice from a regular supplier—the branding is spot on, the language is familiar, and there’s a sense of urgency. But one click on that “View Invoice” link is all it takes to compromise your entire network. This could lead to a devastating data breach, direct financial theft, or a ransomware attack that grinds your operations to a halt.
This isn’t a hypothetical situation. It’s happening to businesses across the East Midlands and the wider UK every single day, and the attackers are getting scarily good at it.
The Scale of the Phishing Problem
The numbers are staggering. Phishing is, by a wide margin, the most common type of cybercrime hitting UK organisations. A shocking 93% of businesses and 95% of charities that have suffered a cyber attack fell victim to phishing.
The bigger you are, the bigger the target you become, with these attacks impacting 67% of medium-sized businesses and 74% of large ones. With an estimated 3.4 billion phishing emails flooding inboxes around the globe daily, it’s not a question of if you’ll be targeted, but when. You can find more details on these phishing statistics if you want to dig deeper.
The real danger with modern phishing is its subtlety. We’re long past the days of poorly worded emails from foreign princes. Today’s attackers use sophisticated social engineering, perfectly mimicking trusted brands and even senior colleagues to lull your team into a false sense of security.
Why a Layered Defence Is Non-Negotiable
A single line of defence just won’t cut it anymore. Relying on a basic spam filter is like locking your front door but leaving every window in the house wide open. A truly effective anti-phishing strategy has to be multi-faceted. This guide gives you the practical steps to build that defence and protect what you’ve worked so hard to build.
We’ll break it down into three critical areas:
- Robust Technology: Putting the right technical controls in place to block the vast majority of threats before a human ever sees them.
- Savvy Employees: Turning your staff into a vigilant “human firewall,” equipped to spot and report the clever attacks that slip through.
- A Clear Action Plan: Knowing exactly what to do when an attack succeeds, so you can contain the damage and recover quickly.
Building Your Technical Defences in Microsoft 365

Your Microsoft 365 subscription is so much more than just Word and Excel; it’s the bedrock of your company’s digital security. The trouble is, many businesses only use the out-of-the-box settings, leaving the door wide open to attackers. If you’re serious about stopping phishing, you have to get under the bonnet and actively configure your technical defences.
This isn’t just about ticking boxes. It’s about taking practical, concrete steps to make it incredibly difficult for a cybercriminal’s phishing attempt to land. By properly hardening your Microsoft 365 environment, you can filter out the vast majority of threats before they ever tempt an employee to click.
Start with the Absolute Non-Negotiable: Multi-Factor Authentication
If you do only one thing on this list, make it this: turn on Multi-Factor Authentication (MFA) for everyone. MFA simply asks for a second piece of proof—usually a code from a mobile app—before granting access. It’s a stunningly simple step that blocks over 99.9% of account compromise attacks.
Think about it. Even if a scammer tricks an employee and steals their password, it’s useless. Without the employee’s phone in their hand, the attacker is stopped cold. It’s a powerful barrier that shuts down the most common way criminals get in.
For businesses that want to take it a step further, Conditional Access policies are the way to go. These are intelligent rules you can create to add another layer of security.
- Location-Based Rules: Why allow logins from countries you don’t operate in? You can set a policy to block them automatically.
- Device Health: You can insist that access is only granted from company-managed, healthy devices, stopping someone from logging in on a compromised personal laptop.
- Risk-Based Prompts: Microsoft’s systems are smart enough to spot unusual sign-in behaviour (like someone logging in from Derby and then five minutes later from another continent). When it sees this, it can force an MFA challenge, just in case.
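To make the "Derby, then another continent five minutes later" rule concrete, here is an added example (not code from the page or from Microsoft) of the impossible-travel check a risk engine performs over sign-in events. The event records, coordinates and the 1,000 km/h plausibility threshold are constructed assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in events (not real tenant logs):
# (user, UTC timestamp, city, latitude, longitude)
SIGN_INS = [
    ("alice", "2024-03-04T09:00:00", "Derby", 52.92, -1.47),
    ("alice", "2024-03-04T09:05:00", "Sao Paulo", -23.55, -46.63),
    ("bob", "2024-03-04T09:00:00", "Nottingham", 52.95, -1.15),
    ("bob", "2024-03-04T11:30:00", "London", 51.51, -0.13),
]

# Assumption: anything faster than an airliner is implausible; tune per tenant.
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive sign-ins by the same user that would require travelling
    faster than max_kmh. Returns (user, from_city, to_city, required_kmh)."""
    by_user = {}
    for user, ts, city, lat, lon in events:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), city, lat, lon))
    flagged = []
    for user, rows in by_user.items():
        rows.sort()  # chronological order per user
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(rows, rows[1:]):
            hours = max((t2 - t1).total_seconds() / 3600, 1 / 3600)  # floor at one second
            speed = haversine_km(la1, lo1, la2, lo2) / hours
            if speed > max_kmh:
                flagged.append((user, c1, c2, round(speed)))
    return flagged


if __name__ == "__main__":
    # A hit is where a Conditional Access policy would force an MFA challenge or block.
    for hit in impossible_travel(SIGN_INS):
        print("MFA challenge / block:", hit)
```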
Demystifying Email Authentication: SPF, DKIM, and DMARC
One of the oldest tricks in the phishing playbook is domain spoofing, where a crook sends an email that looks like it came from your own company. It’s how they craft believable fake invoices from your “finance team” or urgent requests from the “CEO.” You can slam the door on this tactic with three critical email authentication records.
Sender Policy Framework (SPF): This is essentially a public list of all the servers that are officially allowed to send email for your domain. If an email arrives claiming to be from you but from a server not on the list, it gets flagged.
DomainKeys Identified Mail (DKIM): This adds a unique, tamper-proof digital signature to your outgoing emails. The recipient’s email server checks the signature to confirm the email is genuinely from you and hasn’t been altered along the way.
Domain-based Message Authentication, Reporting, and Conformance (DMARC): This is the final piece of the puzzle. DMARC tells other email servers what to do if an email fails the SPF or DKIM check. You can tell them to quarantine it or reject it outright, effectively stopping spoofed emails in their tracks.
Implementing SPF, DKIM, and DMARC is like putting an official, unforgeable wax seal on all your company’s outgoing mail. It stops attackers from hijacking your trusted brand name to deceive your partners, customers, and even your own staff.
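The following is an added example (not code from the page) showing how a receiving server combines the three records: a minimal SPF check, a DMARC record parser, and the alignment test that decides whether a message passes or gets the domain's quarantine/reject policy. The DNS records, IP addresses and example.co.uk domains are constructed, and the public-suffix handling is a deliberately tiny stand-in.

```python
from ipaddress import ip_address, ip_network

# Constructed DNS TXT records for a fictional domain (not real DNS data).
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 -all"
DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.co.uk"

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Tiny stand-in for the Public Suffix List (assumption; real code should use the PSL).
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk"}


def spf_check(record, sender_ip):
    """Minimal SPF evaluation: supports ip4/ip6 mechanisms and 'all' with
    qualifiers. include/a/mx need DNS lookups and are skipped here."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in SPF_QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech = term.lower()
        if mech == "all":
            return SPF_QUALIFIERS[qualifier]
        if mech.startswith(("ip4:", "ip6:")) and ip in ip_network(term[4:], strict=False):
            return SPF_QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' present


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict with RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain):
    """Organisational domain, e.g. mail.example.co.uk -> example.co.uk."""
    labels = domain.lower().split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(dmarc, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """DMARC passes if SPF or DKIM passed AND that identifier aligns with the
    visible From domain; otherwise the domain's policy (p=) applies."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, dmarc["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, dmarc["adkim"])
    return "pass" if (spf_ok or dkim_ok) else dmarc["p"]


if __name__ == "__main__":
    policy = parse_dmarc(DMARC_RECORD)
    # Genuine mail from an authorised IP; bounce address on a subdomain passes relaxed SPF alignment.
    print(dmarc_disposition(policy, "example.co.uk", spf_check(SPF_RECORD, "192.0.2.10"),
                            "mail.example.co.uk", "fail", ""))      # pass
    # Spoofed "finance team" mail from an unauthorised server with no DKIM signature.
    print(dmarc_disposition(policy, "example.co.uk", spf_check(SPF_RECORD, "198.51.100.7"),
                            "example.co.uk", "fail", ""))           # reject
```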
Putting Microsoft Defender for Office 365 to Work
Beyond the standard email filtering, Microsoft gives you some seriously powerful tools designed to fight modern, sophisticated threats. If you have a licence like Business Premium, you have access to Microsoft Defender for Office 365, which works like an automated security analyst.
Safe Links: This feature rewrites every single web link in an email. When someone clicks it, the link is first opened by Microsoft in a safe environment to check the destination. If it leads to a known malicious site, the user is blocked and shown a warning. It’s a lifesaver for those links that look legitimate at first glance.
Safe Attachments: Instead of just scanning for known viruses, Safe Attachments takes every file and opens it in a secure virtual “sandbox.” It watches what the file does. If it tries to do anything dodgy, like encrypting files, it’s instantly neutralised before it can ever reach the user’s computer.
These tools are a cornerstone of effective security risk management, automating threat hunting in a way that is impossible to replicate manually. Configuring them properly transforms your email from a point of weakness into a hardened line of defence.
This combination of locking down identities with MFA, authenticating your domain with DMARC, and using Defender’s advanced threat analysis creates a formidable barrier. It’s the technical foundation every East Midlands business needs to withstand the relentless wave of modern phishing attacks.
Ready to secure your Microsoft 365 environment? Phone 0845 855 0000 today or Send us a message to discuss how we can help.
Turning Your Team into a Human Firewall
Technical controls are fantastic at catching the low-hanging fruit—the obvious spam and mass-market phishing attempts. But what about the cleverly crafted email that slips past? The one that looks like it’s from a genuine supplier or even your own CEO?
That’s where your people come in. They are your last, and arguably most important, line of defence. The goal isn’t to make everyone paranoid about their inbox. It’s about building a healthy sense of scepticism and empowering them with the confidence to spot and report something that just doesn’t feel right.
This isn’t about a tick-box, once-a-year PowerPoint presentation. Real resilience comes from continuous education and practical, hands-on experience that turns your staff from potential victims into a vigilant human firewall.
Going Deeper Than “Spot the Spelling Mistake”
Telling your team to “watch out for bad grammar” is outdated advice. Attackers now use AI to generate flawless, persuasive emails, so we have to go deeper. Modern awareness training needs to focus on the psychological tricks they use to bypass our natural caution.
Training should be interactive and, crucially, relevant. The phishing lures aimed at your finance department (fake invoices, urgent payment requests) will be completely different from those targeting your sales team (bogus LinkedIn invites, fake CRM notifications). When the scenarios feel real, the lessons stick.
Instead of a long, dry lecture, think about short, regular bursts of training that focus on specific manipulation tactics:
- Creating False Urgency: “The CEO needs this invoice paid now before he boards a flight!” This kind of pressure makes people rush and skip their usual checks.
- Abusing Authority: Impersonating trusted organisations like HMRC, a major bank, or even Microsoft with a warning that an account will be suspended.
- Exploiting Curiosity & Greed: Emails about an unexpected “company bonus” or a “missed parcel delivery” are designed to make people click before they think.
When you teach your team to recognise the emotional manipulation at play, you give them a far more powerful tool than a simple checklist. For businesses in the East Midlands looking for a more structured approach, exploring professional cyber security training and employee awareness programmes can provide that tailored, expert-led guidance.
The real aim of training isn’t to turn your staff into cyber security experts. It’s to build a reflex—that split-second pause to ask, “Was I expecting this? Does this feel right?” before clicking any link or opening an attachment.
The Power of Practice: Phishing Simulations
Let’s be honest: the most effective way to learn is by doing. Controlled phishing simulations are the single best way to test and reinforce your team’s training in a safe environment.
These are essentially harmless, fake phishing emails that you send to your own staff. It’s a safe space for them to make a mistake and learn from it without any real-world consequences. The trick is to make them realistic. Use templates that mimic emails your people genuinely receive—fake invoices from your actual suppliers, password reset alerts for software you use every day, or links to shared documents.
When someone clicks, they aren’t met with malware. Instead, they land on a page that gently explains the red flags they missed. It’s a powerful “teachable moment” that resonates far more than any slide in a presentation.
To help your team get better at spotting these threats, it’s useful to have a quick-reference guide. We often share a table like this during our training sessions to summarise the most common giveaways.
Phishing Red Flags Your Team Must Know
| Red Flag Category | What to Look For | Example |
|---|---|---|
| Sender’s Details | The “from” name is recognisable, but the email address is wrong (e.g., microsft.co.uk). Hover over the name to check! | Martin Lewis <info@moneysaving-deals.net> |
| Urgency or Threats | Language that pressures you to act immediately, like threats of account closure or fines. | “Your account will be suspended in 24 hours if you don’t verify your details now.” |
| Generic Greetings | Vague salutations like “Dear Customer” or “Valued Client” from a service that should know your name. | “Dear Sir/Madam, we have an important update about your account.” |
| Suspicious Links | The text of a link doesn’t match the actual web address. Always hover your mouse over a link before clicking to see the true destination. | The link says https://www.lloydsbank.com but the preview shows http://lloyds-update.ru |
| Unexpected Attachments | Receiving an invoice, PDF, or Zip file you weren’t expecting, especially from an unknown sender. | “Please find attached your invoice for last month’s services.” (when you haven’t bought anything) |
| Poor Grammar/Spelling | While attackers are getting better, many phishing emails still contain awkward phrasing or obvious spelling mistakes. | “You have winned a prize, click their to claime it.” |
Having a simple guide like this helps reinforce the key principles and gives your team a quick checklist to run through if they’re ever unsure about an email.
Using Simulation Results to Get Smarter
Running a phishing simulation isn’t about catching people out. It’s a diagnostic tool. The data you gather is invaluable for understanding exactly where your weak spots are.
Once a campaign is over, dig into the results:
- Did a specific department click more than others?
- Which type of email was most effective—the fake invoice or the parcel delivery notification?
- Crucially, how many people reported the email versus just deleting it or, worse, clicking it?
This is where the magic happens. If the sales team keeps falling for fake LinkedIn requests, you know exactly what to cover in your next quick training session with them. If very few people used the “Report Phishing” button, maybe it’s not visible enough in Outlook.
You can use this feedback loop to continuously sharpen both your technical filters and your training content. It creates a powerful cycle of improvement that helps your business stay one step ahead of the attackers.
Creating Your Incident Response Playbook
Let’s be realistic. Even with the best defences in the world, a well-crafted phishing email can sometimes find its way through. It happens. When it does, your response in those first few minutes is what separates a minor headache from a full-blown business disaster. Panic gets you nowhere; a clear, pre-written plan is everything.
This is exactly what an incident response playbook is for. Think of it as your fire drill for a cyber attack. It’s a simple, step-by-step guide that anyone in your East Midlands business, from the front desk to the director’s office, can follow to shut down a threat, limit the damage, and get things back on track. You don’t need a huge security team to build a good one.
The First Steps: Identification and Containment
The moment someone reports a suspicious click, or you spot unusual activity on an account, the clock is ticking. Your first job is to confirm if you have a breach and, if so, to stop it from spreading like wildfire.
You need to quickly pinpoint the compromised account. Look for the classic warning signs: unexpected password reset emails, login alerts from strange locations, or new rules in Outlook that automatically forward messages to an external address—that’s a huge red flag.
Once you’ve confirmed a breach, containment is your top priority. That means slamming the door on the attacker, and fast.
- Force a Password Reset: Your very first move. Immediately expire the user’s current password and make them create a new, strong, unique one.
- Sign Out Everywhere: Head straight to the Microsoft 365 or Google Workspace admin centre and hit the “Sign out of all sessions” button. This kicks the attacker out of any active session they might have on other devices.
- Check App Permissions: Take a look at any third-party apps connected to the user’s account. If you see anything you don’t recognise, revoke its access immediately.
These actions are your digital emergency brake, designed to cut off the attacker before they can burrow deeper into your systems.
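The forwarding-rule red flag mentioned under identification can be checked programmatically once you have exported a mailbox's inbox rules. This is an added example, not code from the page or from Microsoft; the rule records are constructed sample data shaped like the properties an Exchange Online inbox rule exposes (Name, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage), and the internal domain is an assumption.

```python
# Constructed sample of inbox rules, shaped like the properties an Exchange
# Online inbox rule exposes. Sample data only, not output from any real tenant.
INTERNAL_DOMAINS = {"example.co.uk"}

RULES = [
    {"Mailbox": "finance@example.co.uk", "Name": "Move supplier mail",
     "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": [],
     "DeleteMessage": False},
    {"Mailbox": "finance@example.co.uk", "Name": "Archive",
     "ForwardTo": [], "RedirectTo": ["invoices-archive@mail.example.net"],
     "ForwardAsAttachmentTo": [], "DeleteMessage": True},
    {"Mailbox": "sales@example.co.uk", "Name": "Copy to manager",
     "ForwardTo": ["manager@example.co.uk"], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False},
]

FORWARD_KEYS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")


def recipient_domain(address):
    """Domain of an SMTP address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def external_forwarding_rules(rules, internal_domains):
    """Flag rules that forward or redirect to addresses outside the organisation.
    A rule that also deletes the message hides the copy from the mailbox owner."""
    findings = []
    for rule in rules:
        targets = [addr for key in FORWARD_KEYS for addr in rule.get(key, [])]
        external = [a for a in targets if recipient_domain(a) not in internal_domains]
        if external:
            findings.append({
                "mailbox": rule["Mailbox"],
                "rule": rule["Name"],
                "external_targets": external,
                "hides_copy": bool(rule.get("DeleteMessage")),
            })
    return findings


if __name__ == "__main__":
    for finding in external_forwarding_rules(RULES, INTERNAL_DOMAINS):
        print("Remove and investigate:", finding)
```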
Eradication and Safe Recovery
With the immediate threat contained, it’s time to methodically clean up and make absolutely sure the attacker is gone for good. This means digging a bit deeper to see what they did while they had access. Did they send emails from the compromised account? Did they poke around in sensitive files on your SharePoint or OneDrive?
The financial hit from these attacks in the UK can be staggering. In 2025, HM Revenue and Customs (HMRC) reported that phishing scams were used to steal an estimated £47 million in fraudulent tax repayments since 2024. For the average UK business, cybercrime costs around £1,970 per incident—and that doesn’t even touch on the hidden costs like reputational damage. These numbers alone show why a swift, effective recovery process is so important.
This is where the cycle of continuous improvement comes into play—the process of training your team, testing their skills with simulations, and analysing the results to get better.

This simple loop—train, simulate, analyse—is how you build a resilient security culture. It turns a reactive panic into a proactive defence.
After you’ve done a thorough sweep and are confident no backdoors have been left behind, you can start the recovery. This involves safely restoring the user’s access and clearly communicating what happened. Documenting every single step is vital for the post-incident review, which is where you’ll figure out how the attack succeeded and what you can change to stop it from happening again.
A well-rehearsed incident response plan does more than just fix a technical problem. It provides clarity and confidence in a chaotic situation, enabling your team to act decisively instead of freezing under pressure.
Remember, your playbook isn’t just about the technical side. Depending on the scale of the breach, you might need to communicate with clients or partners. Having an Effective Crisis PR Strategy ready to go is crucial for protecting your brand’s reputation. This whole process is a cornerstone of your wider business continuity and disaster recovery planning, making sure your organisation can weather any storm.
If you need a hand building a robust incident response plan for your business, phone us on 0845 855 0000 today or send us a message.
Keeping Your Phishing Defences Sharp
Getting your initial phishing defences in place is a great start, but it’s just that—a start. You can’t just set it and forget it. The people trying to trick their way into your business are constantly changing their game, cooking up new schemes and using new tech. What keeps you safe today could easily be obsolete tomorrow.
This means we have to treat security as a living, breathing part of the business. It’s about creating a constant feedback loop: test, measure, learn, and adjust. This proactive, cyclical approach is what really separates the businesses that bounce back from an attack from those that get knocked down by one.
Measuring What Matters
If you can’t measure it, you can’t improve it. Vague feelings about whether your team is getting “better” at spotting phishing won’t cut it. You need real numbers to see if your hard work is actually paying off.
Let’s put aside the idea of complicated security audits for a moment. Instead, focus on a handful of key indicators that give you a clear, honest picture of your organisation’s resilience.
- Phishing Simulation Click-Rate: This is the headline figure. What percentage of your team clicked the link in your latest phishing test? Tracking this over time is the clearest way to see if your awareness training is hitting the mark. A steady decline here is a big win.
- User-Reported Phishing Rate: Honestly, this is even more important than the click-rate. We want to know how many people are actively reporting suspicious emails using the proper channels, like the ‘Report Phishing’ button in Outlook. A high report rate is a sign of a fantastic security culture where your team feels confident and knows exactly what to do.
- Mean Time to Report (MTTR): How quickly does your team flag a suspicious message? The faster a real threat gets reported, the faster your IT team or partner can jump on it and shut it down. A short reporting time is a brilliant indicator of a switched-on, vigilant team.
Tracking these simple metrics transforms your strategy from guesswork into a data-driven operation. You can spot trends, identify departments that need a bit of extra help, and clearly demonstrate the value of your security efforts.
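The three indicators above, and the "which teams are struggling?" question asked in the quarterly review, come straight out of a simulation's raw events. This is an added example (not code from the page or from any simulation platform) computing click rate, report rate and mean time to report per department; the campaign events and the attention thresholds are constructed assumptions.

```python
from datetime import datetime
from statistics import mean

# Constructed results from one simulation campaign (not real data):
# (user, department, sent_at, clicked_at or None, reported_at or None), UTC ISO times.
EVENTS = [
    ("u1", "Finance", "2024-05-07T09:00:00", "2024-05-07T09:04:00", None),
    ("u2", "Finance", "2024-05-07T09:00:00", None, "2024-05-07T09:30:00"),
    ("u3", "Finance", "2024-05-07T09:00:00", "2024-05-07T09:12:00", "2024-05-07T09:20:00"),
    ("u4", "Finance", "2024-05-07T09:00:00", None, None),
    ("u5", "Sales", "2024-05-07T09:00:00", None, "2024-05-07T09:05:00"),
    ("u6", "Sales", "2024-05-07T09:00:00", None, "2024-05-07T09:15:00"),
    ("u7", "Sales", "2024-05-07T09:00:00", None, None),
]


def _minutes(later, earlier):
    return (datetime.fromisoformat(later) - datetime.fromisoformat(earlier)).total_seconds() / 60


def campaign_metrics(events):
    """Per-department click rate (%), report rate (%) and mean time to report
    (minutes, None when nobody reported). A user who clicked and then reported
    counts in both rates: the report still shortens the attacker's window."""
    by_dept = {}
    for _user, dept, sent, clicked, reported in events:
        d = by_dept.setdefault(dept, {"sent": 0, "clicked": 0, "report_minutes": []})
        d["sent"] += 1
        if clicked:
            d["clicked"] += 1
        if reported:
            d["report_minutes"].append(_minutes(reported, sent))
    metrics = {}
    for dept, d in by_dept.items():
        reports = d["report_minutes"]
        metrics[dept] = {
            "click_rate": round(100 * d["clicked"] / d["sent"], 1),
            "report_rate": round(100 * len(reports) / d["sent"], 1),
            "mttr_minutes": round(mean(reports), 1) if reports else None,
        }
    return metrics


def needs_attention(metrics, max_click_rate=20.0, min_report_rate=50.0):
    """Departments whose click rate is too high or report rate too low
    (the thresholds are assumptions; set your own targets)."""
    return sorted(dept for dept, m in metrics.items()
                  if m["click_rate"] > max_click_rate or m["report_rate"] < min_report_rate)


if __name__ == "__main__":
    results = campaign_metrics(EVENTS)
    for dept, m in results.items():
        print(dept, m)
    print("Targeted training next:", needs_attention(results))
```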
Cybersecurity isn’t a destination you arrive at. It’s a commitment to a process of continuous adaptation and improvement that keeps you ahead of the curve.
Running Regular Security Reviews
Once you’re gathering the data, you need to actually use it. A quarterly security review is the perfect rhythm for most small and mid-sized businesses in the East Midlands. This doesn’t need to be some stuffy, overly technical boardroom meeting.
The goal is simple: sit down with the numbers and ask some honest questions.
Key Questions for Your Review
- Are our click-rates actually going down? If they’ve plateaued, maybe the training has become stale or the simulations too predictable. It could be time to change tactics or focus on a different type of lure.
- Which teams are struggling? If the finance team keeps falling for fake invoice scams, that’s your cue to run a short, sharp training session specifically for them on that exact threat.
- Is anyone actually using the ‘Report Phishing’ button? If the reporting numbers are low, find out why. Is the button buried in Outlook? Do people not understand how vital it is?
- What new tricks are we seeing out in the wild? Are we ready for the next wave of AI-generated spear phishing or “quishing” (QR code attacks)? This review is the time to talk about emerging threats and adjust your defences accordingly.
This straightforward process stops your security from going stale. It helps you fine-tune your technical filters in Microsoft 365, tweak your training for maximum impact, and keep your response plan relevant to the real-world threats you face. This is how you build true, lasting resilience.
To discuss how a continuous improvement cycle can protect your business, phone 0845 855 0000 today or send us a message.
Common Phishing Protection Questions, Answered
When I talk to businesses across the East Midlands about cybersecurity, a few questions always come up. It’s completely understandable – navigating this stuff can feel complex. So, let’s tackle the most common queries I hear head-on.
“Isn’t proper security really expensive?”
This is, without a doubt, the number one concern. Business owners often assume that robust protection comes with a hefty price tag, but you’d be surprised how accessible it is.
For most small and mid-sized businesses, a Microsoft 365 Business Premium licence is the perfect starting point. It’s not just Word and Excel; it bundles in the serious security tools we’ve been talking about, like Microsoft Defender for Office 365. The cost? Around £18.60 per user, per month.
When you stop and think about it, that’s a small price to pay when a single successful cyber attack can easily cost a business thousands of pounds.
The monthly licence fee isn’t just an IT cost; it’s an investment in business continuity. When you weigh it against the potential fallout from a data breach—financial loss, reputational damage, and operational chaos—it’s one of the smartest decisions you can make.
“Can’t we just use a free email service for our business?”
I get why people ask this. Why pay for something when you can get it for free? But when it comes to your business email, free services like a personal Gmail or Outlook.com account just don’t cut it. They’re built for personal use, not for the security demands of a commercial operation.
The difference is night and day. Business-grade email platforms give you a whole layer of protection that free services simply don’t have:
- Proactive Threat Defence: You get tools like Safe Links and Safe Attachments that are constantly scanning for malware and dodgy links before they ever land in your team’s inboxes.
- Centralised Control: You can actually enforce security rules from one place, like making sure Multi-Factor Authentication is switched on for every single user.
- Domain Protection: This is a big one. You can properly set up SPF, DKIM, and DMARC, making it incredibly difficult for criminals to impersonate your company’s email address.
- Data Leak Prevention: You can put rules in place to stop sensitive company data, like customer lists or financial info, from being emailed out, whether by accident or on purpose.
Using a free email service for your business is like securing your office with a padlock you’d use on a garden shed. It’s just not the right tool for the job and leaves you wide open to attack.
“How can we possibly find the time to train our staff?”
This is a huge challenge, especially for busy teams in places like Nottingham and Lincoln. The idea of pulling everyone away from their desks for a full day of training is a non-starter. And honestly, it’s not even the best way to do it.
The solution is what I call high-impact micro-training.
Forget about those long, boring sessions that everyone forgets by the next day. The trick is to focus on short, sharp, and regular bursts of learning. Think a five-minute video at the start of a weekly team meeting, a “threat of the week” email showing a real-world phishing attempt, or a quick phishing simulation that takes just a few clicks.
It’s all about consistency and relevance. By feeding your team bite-sized, practical tips that relate to the real threats they’re facing, the knowledge actually sticks. This approach builds a strong, security-aware culture without disrupting your workflow, making it a realistic option for any business.
If you have more questions or need a hand putting these strategies into practice, we’re here to help.
Give us a call on 0845 855 0000 or Send us a message to chat with one of our experts.
Ready to Take the Next Step?
Putting these phishing defences in place is one of the most important investments you can make for your business. The playbook we’ve walked through gives you a strong starting point, but getting the implementation right—from the technical controls to the human element—is where the real work begins. To truly protect your organisation from the full spectrum of modern threats, it’s also crucial to have a solid grasp of the bigger picture and other foundational security principles.
If you’re an East Midlands business ready to build a phishing defence that genuinely fits your specific needs, our team is here to help you get it done properly. We’ve spent years in the trenches, helping companies just like yours.
We can assess where you’re most vulnerable, implement the robust technical controls we’ve discussed, and build an awareness program that actually changes behaviour. Don’t wait for an attack to expose a gap you didn’t know you had.
Phone 0845 855 0000 today or Send us a message.