How to protect your small business from phishing attacks

20/02/2026

Being critical and asking the right questions can help you protect your small business from phishing attacks

Phishing is the number one gateway to cybercrime. It’s thought that up to 95% of cyber-attacks and data breaches start with a phishing attack, and that three quarters of phishing attacks start with a deceptive email.

Cybercriminals use them because they’re effective, easy to deploy, and allow them to exploit the personal data of all kinds of businesses for their financial gain.

Here, we’ll tell you everything you need to know about how to protect your business from phishing attacks: what they are, how they work, and how to spot them. So you can feel confident about sending any sneaky attempt to steal your data straight to ‘spam’.

What are phishing attacks?

By ‘phishing attacks’, we mean the many different techniques cybercriminals can use to trick you into revealing your private info (like passwords and bank details), for example by using fraudulent emails, websites, social media posts, text messages or even voicemail messages.

Phishing is essentially a form of social engineering, where cybercriminals use strong psychological triggers – like trust, urgency, or fear – to manipulate people into doing something for them.

It’s used to target both individuals and businesses with startling efficacy: over 85% of UK businesses reported having had a phishing attack in 2025.

What do phishing attacks look like?

Classic examples include those dodgy-looking emails from ‘your bank’ or ‘HMRC’ asking you to log into your account and update your personal details. Or claiming you’ve won a competition and need to give a few basic details to claim your prize.

We’ve all laughed at those fake emails from Nigerian princes that urge you to transfer large amounts of money in exchange for a lavish reward. Hackers have now wised up, though, to the fact that they’re more likely to catch you out by pretending to be someone familiar – like a parcel shipment company or someone on your team.

What’s more, today’s rapid-fire technological advances mean phishing attempts are more and more convincing. And while the psychological element hasn’t changed, hackers can now also use generative AI to help them create increasingly sophisticated phishing attacks…

Like a fake social media post prompting people to click on a fraudulent link. Or a voice note from a ‘colleague’ asking you to pay a late invoice for them. Hackers have even been known to create QR codes that can deliver malicious code to someone’s phone as soon as they scan them.

Why are small businesses vulnerable to phishing attacks?

Cybercriminals may bank on the fact that because you’re a small business, your cyber defences will be weaker. Then there are creepy techniques like spear phishing, where hackers gather information about you to help them create a targeted phishing attack.

If you’re a small business that’s had its systems hacked and its website shut down, you might indeed not have the time, money, or resources to deal with it as quickly or effectively as a larger company.

However, the truth is that most criminals who devise phishing attacks don’t discriminate. They can send out masses of fraudulent emails to all kinds of businesses with just one click. Then sit back and wait to see who bites.

And seeing how even the most vigilant small businesses can be caught out, that might just be someone who’s busy and doesn’t have the time or know-how to vet each and every ‘urgent’ email they receive.

Like you.

6 ways to spot phishing emails

With that in mind, here are our top tips for how to use vigilance to protect your business from phishing attacks. They should help you identify some major red flags next time you’re scanning your inbox:

  1. Is it urgent? If an unsolicited email asks you to do something NOW, it might well be a phishing email. Tell-tale phrases include, ‘immediate action required’, ‘account suspension warning’, etc.
  2. Is it asking for your private info? Stay well clear of any that do. Real companies won’t ever ask you to send any information that would allow them to identify you personally via email. (It’s illegal for them to do so, in fact.)
  3. Be critical. Ask yourself: Who’s the sender? Are they addressing me personally or in a generic way? What is the email asking me to do? Was I expecting it? Can I verify the sender personally? Is it offering something that’s too good to be true?
  4. Scan for errors. Tell-tale indicators you might be looking at a phishing email include subtle changes in domain names, dodgy logos, strange formatting, awkward phrasing, or spelling and grammar mistakes lurking in the subject line or body text.
  5. Verify all links and attachments. As a rule, never open up any links or PDFs, Word docs, Excel files, etc. without first checking the file name/URL by hovering over it with your mouse. Treat any file names with extensions such as .zip, .exe or .scr with suspicion.
  6. Trust your instincts. If something doesn’t feel or look right, it’s worth asking someone for a second opinion. Or erring on the side of caution and simply sending it straight to spam.
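As an added example (not code from the original article), here is a small Python script that applies red flags 1, 4 and 5 above to one email: urgency phrases in the subject or body, a sender domain one character away from a trusted one, a link whose visible address differs from where it really points, and risky attachment types. The trusted-domain list and the sample message are constructed assumptions; everything else is Python’s standard library.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
URGENCY_PHRASES = ("immediate action required", "account suspension warning")
RISKY_EXTENSIONS = (".zip", ".exe", ".scr")
TRUSTED_DOMAINS = ("example-bank.co.uk",)  # assumption: domains your business really deals with

def host(url):  # bare hostname from a URL or URL-like text, '' when there is none
    m = re.match(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""

def is_lookalike(domain):
    """True when domain is one character away from a trusted domain (a typosquat)."""
    for t in TRUSTED_DOMAINS:
        short, longer = sorted((domain, t), key=len)
        if domain != t and len(longer) - len(short) <= 1 and (
            (len(longer) == len(short) and sum(a != b for a, b in zip(domain, t)) == 1)
            or any(longer[:i] + longer[i + 1:] == short for i in range(len(longer)))):
            return True
    return False

def triage(raw):
    """Return the red flags found in one raw RFC 822 message (empty list = none found)."""
    msg, flags = message_from_string(raw, policy=policy.default), []
    sender = msg.get("From", "").rsplit("@", 1)[-1].strip("> ").lower()
    if is_lookalike(sender):
        flags.append(f"sender domain mimics a trusted one: {sender}")
    html = msg.get_body(preferencelist=("html",))
    body = html.get_content() if html else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    flags += [f"urgency phrase: {p}" for p in URGENCY_PHRASES if p in text]
    # The same check as hovering over a link: does the visible URL match the real target?
    for href, visible in re.findall(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', body, re.I | re.S):
        if host(visible) and host(visible) != host(href):
            flags.append(f"link shows {host(visible)} but goes to {host(href)}")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(RISKY_EXTENSIONS):
            flags.append(f"risky attachment: {part.get_filename()}")
    return flags

def sample_message():
    """Constructed phishing-style message for the demo; not a real email."""
    m = EmailMessage()
    m["From"] = "Security Team <alerts@exampl-bank.co.uk>"
    m["Subject"] = "Account suspension warning"
    m.set_content('<p>Immediate action required. <a href="http://login.exampl-bank.co.uk/x">'
                  'https://example-bank.co.uk/login</a></p>', subtype="html")
    m.add_attachment(b"not really a zip", maintype="application", subtype="zip", filename="statement.zip")
    return m.as_string()
```

Running `triage(sample_message())` returns five flags for the constructed message; a clean email from a known domain returns an empty list, and anything flagged is worth the second opinion tip 6 recommends.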

How do phishing attacks work?

Assuming cybercriminals persuade you to click on a dodgy link or open up a malicious email attachment…what then?

Some phishing attacks infect your servers with ransomware to extort you for money. Others sneakily install spyware on your computer to harvest your credentials and sell them on to other cybercriminals.

If that happens, it’s not just your business’s data that’s at risk…your clients’ data is fair game too. Another reason to know what you can do to protect your small business from all different kinds of phishing attacks…

How to protect your small business from phishing attacks

When it comes to protecting your small business from social engineering crimes like phishing, knowing how to spot a phishing attack should be your first line of defence.

Reporting phishing attempts to the National Cyber Security Centre (NCSC) means attacks can be stopped at source. The NCSC also has a range of resources to help you spot scam emails, texts, websites, and calls.

Staying on top of the latest techniques for phishing attacks by using an online training programme like CybSafe will certainly help you protect your business too. They’ll send out regular reminders to refresh your training and keep your cybersecurity skills sharpened.

However, as modern phishing attacks increasingly use AI and sophisticated impersonation techniques, relying on basic spam filters to protect yourself in-house won’t be enough.

You should have multi-factor authentication (MFA) for all your online accounts and use a password manager to generate strong passwords. And, crucially, keep your security systems and software updated to close up vulnerabilities quickly and stop any sneaky phishing attacks from slipping through your cybersecurity defences.

How cyber insurance protects small businesses

While cyber insurance can’t stop you from falling victim to a phishing attack in the first place, it provides you with the technical support you’d need to shut down a cyber-attack or data breach quickly. It also covers hiring a whole team of experts to help you deal with the financial and reputational fallout of potentially losing your data to cybercriminals.

Specifically, it:

  • Pays the legal costs and compensation associated with most data breaches
  • Hires a PR specialist to help you manage your reputation
  • Provides technical expertise to help you recover.

Ultimately, the quicker you act after any phishing attacks, the better you’ll be able to protect your business and mitigate any serious damage to your systems. Cyber insurance, with extra financial cybercrime cover added on for protection against social engineering attacks, will do just that.

Defences up

If you’d like more info about cyber insurance, you can call us on 0345 222 5391. Or browse through our blogs on cyber insurance.

To the best of our knowledge, this article was correct when published. The information given is general, may change, and may not be relevant to your own policy or quote. Got questions? Our team can help.
