Phishing: how to protect your business from attacks

Phishing is one of the most common and damaging forms of cyber crime, and small businesses are prime targets.

This guide breaks down what phishing is, how it works, and how to spot and report a phishing attack before it harms your business. With practical tips and expert advice, we'll help you build strong protection against email phishing scams and other types of phishing.

Beware of internet scams

Phishing is a type of cyber crime where an attacker uses deceptive messages to get access to important information. They often use email, but a phishing attack might also be a text message, a social media direct message or a phone call.

Spot warning signs

Keep an eye out for emails or messages that look suspicious. Threatening or urgent language, suspicious links, incorrect email addresses, poor spelling or unusual requests are some telltale signs.

Make everyone alert

Your employees are your first line of defence against phishing attacks, so it’s important that they understand the risks, what to look out for and what to do if they suspect something. To ensure your team is up to date with the latest information, give them regular training provided by a trusted source.

What is phishing?

Phishing is an internet scam. It’s a type of cyber crime where an attacker uses deceptive messages to steal sensitive information. This could be a password, bank details, customer data or anything else that’s valuable to you or them.

Scammers are highly skilled at fooling their victims. For example, they might pick a time when you’re likely to be distracted or say something that plays to your vulnerabilities.

Small businesses are common targets, as they tend to have fewer cyber security resources and less robust IT systems than large corporations.

Phishing could take the form of:

  • Phishing emails.
  • Smishing, or SMS phishing, via text message or WhatsApp.
  • Vishing, or voice phishing, via phone calls.
  • Social media phishing, where criminals set up fake profiles, or hijack legitimate accounts to send malicious links.
  • Spear phishing, which is highly targeted to a specific individual or company.

How does phishing work?

Imagine this scenario. It’s Friday afternoon. You are working with your team to finish some important tasks to fulfil a customer order before you all leave for the weekend.

An email that looks like it’s from your IT support supplier lands in your inbox. It’s telling you to urgently reset your system password. You click on the link and the first thing it asks for is your existing password. Without thinking, you type it in and hit return. You enter a new password.  

Job done. You go home for the weekend. 

When you return to work on Monday, you and your employees are locked out of your systems and there’s an email asking for a huge amount of money to restore access. 

In other words, you’ve been scammed by a phishing attack.

How to spot a phishing attack

Attackers use several techniques to convince you to act without thinking. Here are some ways to tell if a message is legitimate or not:

  • Urgent or threatening language: e.g. ‘Your account will be suspended’ or ‘Payment needed urgently’.
  • Generic greetings: e.g. ‘Dear customer’, instead of a personalised message.
  • Suspicious links: to find out if a link is legitimate, hover your cursor over it to see the real URL.
  • False sender’s email address: check the address and make sure the domain name is real.
  • Poor spelling and grammar.
  • Unusual requests: such as asking for sensitive information.

“Attackers try to get you to act without thinking, but if you spend at least 10 seconds to read an email before taking any action, your chance of clicking on a malicious link decreases drastically.”

Anna Palinkas, Security Behaviours and Engagement Manager, BT
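As an added, illustrative example (not BT's tooling), here are the warning signs from the list above expressed as simple heuristics over one constructed email: urgency phrases, a generic greeting, a sender domain that does not match the organisation the message claims to come from, and a link whose visible URL differs from its real destination (the "hover to see the real URL" check, automated). The phrase lists, the sample message and the domain names are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases mirroring the warning signs listed above (constructed, not exhaustive).
URGENT_PHRASES = ("urgent", "suspended", "immediately", "within 24 hours")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.I)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Crude 'last two labels' approximation; real tooling would use the public suffix list."""
    return ".".join((host or "").lower().split(".")[-2:])

def phishing_signals(sender, claimed_domain, html_body):
    """Return the warning-sign labels that fire for one message (sorted, deduplicated)."""
    signals, expected = [], registrable_domain(claimed_domain)
    text = re.sub(r"<[^>]+>", " ", html_body).lower()
    if any(p in text for p in URGENT_PHRASES):
        signals.append("urgent language")
    if any(g in text for g in GENERIC_GREETINGS):
        signals.append("generic greeting")
    if registrable_domain(sender.rsplit("@", 1)[-1]) != expected:
        signals.append("sender domain mismatch")
    parser = _LinkCollector()
    parser.feed(html_body)
    for href, visible in parser.links:
        real = registrable_domain(urlparse(href).hostname)
        if URL_LIKE.match(visible):  # shown text looks like a URL: compare it with the real host
            shown = urlparse(visible if "://" in visible else "http://" + visible).hostname
            if registrable_domain(shown) != real:
                signals.append("link text hides a different destination")
    return sorted(set(signals))

SAMPLE = ("<p>Dear customer,</p><p>Your account will be suspended. Reset your password at "  # constructed lure
          "<a href='http://itsupport-example.net/reset'>https://itsupport.example.com/reset</a></p>")
```

Running `phishing_signals("helpdesk@itsupport-example.net", "example.com", SAMPLE)` reports all four signs for the constructed lure; a plain internal message with a matching sender and an honest link reports none.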

What to do if you fall for a phishing attack

  1. Disconnect from the Wi-Fi network you’re on and turn off your device.  
  2. If you have any IT support for your small business, let them know so they can monitor your account and advise you on what to do. 
  3. Report the incident to Action Fraud on 0300 123 2040. Check out the National Cyber Security Centre’s guidance for small businesses.

Key takeaways

If you only remember three things:

  • Train your team. Build knowledge and alertness through regular, up-to-date security awareness training with phishing simulations. 
  • Pause. These cyber attacks rely on you being time-poor and distracted. Take a moment to check for signs that something could be a phishing attempt. 
  • Report if you suspect something’s wrong. Action Fraud and the NCSC have guidance for small businesses.

Protecting against phishing is a constant process. But if everyone is armed with the right knowledge, it’s possible to spot the red flags and make sure your business doesn’t become the criminals’ next victim.