Cyber Security
How to protect your business from phishing
Most successful attacks start the same way: someone clicks the wrong thing. Here's how to make that far less likely — across your people, your settings and your habits.
Phishing is when an attacker tricks someone into handing over a password, clicking a malicious link, or paying a fake invoice — usually through a convincing email, text or message. It's the most common way businesses get breached, precisely because it targets people rather than technology. The good news: a handful of practical measures stop the vast majority of it.
Turn on multi-factor authentication
MFA, a second step beyond the password such as a code from an app on your phone or a hardware key, is the single most effective control against account takeover. Even if an attacker gets a password, they cannot get in without the second factor. Switch it on across email and every key system and you have closed off most account-takeover attacks in one move. One caveat: one-time codes can still be captured and relayed by a convincing proxy site, so where a service offers a phishing-resistant option such as a hardware security key or passkey, prefer it.
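To make concrete why a stolen password is not enough, here is an added example (not code from the original page) of the time-based one-time password scheme that authenticator apps use, RFC 6238 TOTP built on RFC 4226 HOTP. The phone and the server share a secret at enrolment; the code is an HMAC over the current 30-second time step, so an attacker who only has the password has nothing to compute it from. The secret below is the public RFC test value, used here purely for illustration; a real enrolment generates a random secret per user. The server-side verifier tolerates one step of clock drift but refuses to accept the same step twice, which is the replay check a practitioner would expect.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # authenticator apps rotate the code every 30 s
DIGITS = 6
# Constructed for illustration: this is the public RFC 4226/6238 test secret,
# not a real credential. A real enrolment generates a random secret per user.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # base32 of b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, timestamp: float) -> str:
    """The code an authenticator app shows at `timestamp` (RFC 6238, SHA-1, 30 s steps)."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, int(timestamp // STEP_SECONDS))


class TotpVerifier:
    """Server side: checks a submitted code, tolerating clock drift but not replay."""

    def __init__(self, secret_b32: str, window: int = 1) -> None:
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.window = window          # accept +/- this many 30 s steps of drift
        self.last_counter = -1        # highest step already used; blocks replay

    def verify(self, code: str, timestamp: float) -> bool:
        now = int(timestamp // STEP_SECONDS)
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue              # a code from this step was already accepted
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    now = time.time()
    verifier = TotpVerifier(DEMO_SECRET_B32)
    code = totp(DEMO_SECRET_B32, now)      # what the phone would display
    print("phone shows", code)
    print("first use accepted:", verifier.verify(code, now))
    print("same code again accepted:", verifier.verify(code, now))
```

Run it and the second line prints False: the same code submitted twice is rejected, even though it is still within the drift window. That replay refusal is what a serious MFA provider does behind the scenes, and it is why a code phished a few minutes ago is worth far less to an attacker than a password.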
Train your team to spot the traps
Your people are your first line of defence, not your weak point — once they know what to look for. Practical training on the actual scams doing the rounds, what they look like, and what to do beats tick-box e-learning. The aim is a team that pauses on a suspicious request and feels confident flagging it rather than quietly clicking.
Verify money and detail changes out of band
A favourite trick is an email asking to change the bank details on an invoice, or an urgent payment request 'from the boss'. Make it a rule: any change to payment details, and any unexpected payment request, is verified through a separate channel before anyone acts, meaning a phone call to a number you already hold on file, never one supplied in the email itself. That one habit defends against some of the costliest scams.
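The phone call is the control; software can only decide who needs to make it. As an added example (not the page's own tooling), the script below triages an incoming message for the two scams just described: it parses the headers with Python's standard `email` module, flags a display name that matches an executive but comes from the wrong address, a Reply-To that diverts replies to another domain, and a look-alike sender domain, and it routes anything that mentions payment details to out-of-band verification regardless of whether the sender looks suspicious. The company domain, the executive directory and the three sample emails are all constructed for illustration.

```python
import email
from email.utils import parseaddr

# Assumptions for this example (not from the original page): the company's own
# domain and a small directory of people whose names attackers like to borrow.
COMPANY_DOMAIN = "example.co.uk"
EXECUTIVES = {"jane doe": "jane.doe@example.co.uk"}
PAYMENT_TERMS = ("bank details", "new account", "sort code", "iban",
                 "urgent payment", "wire transfer", "invoice")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(raw_message: str) -> dict:
    """Flag sender anomalies and decide whether the request needs out-of-band checking."""
    msg = email.message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = domain_of(sender)
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()

    findings = []
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and sender.lower() != expected:
        findings.append(f"display name '{display_name}' matches an executive but sender is {sender}")
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"Reply-To {reply_to} points at a different domain from the sender")
    if sender_domain != COMPANY_DOMAIN and edit_distance(sender_domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"sender domain {sender_domain} is a lookalike of {COMPANY_DOMAIN}")

    money_terms = [t for t in PAYMENT_TERMS if t in text]
    return {
        # The rule from the text: anything touching payment details gets a call, full stop.
        "verify_out_of_band": bool(money_terms),
        "payment_terms": money_terms,
        "findings": findings,
    }


# Constructed sample messages (not real correspondence).
EMAIL_BOSS = """From: "Jane Doe" <jane.doe@examp1e.co.uk>
To: finance@example.co.uk
Subject: Urgent

I need an urgent payment made to a new supplier today. I'll send the bank details shortly.
"""

EMAIL_SUPPLIER = """From: "Accounts" <accounts@supplier.example>
Reply-To: accounts@supplier-invoices.example
To: finance@example.co.uk
Subject: Updated bank details

Please note our bank details have changed. Use the new account and sort code shown on the attached invoice.
"""

EMAIL_OK = """From: "Jane Doe" <jane.doe@example.co.uk>
To: finance@example.co.uk
Subject: Q3 report

Can you send me the Q3 sales report before the board meeting?
"""

if __name__ == "__main__":
    for label, raw in (("boss", EMAIL_BOSS), ("supplier", EMAIL_SUPPLIER), ("benign", EMAIL_OK)):
        result = triage(raw)
        action = "CALL A KNOWN NUMBER BEFORE ACTING" if result["verify_out_of_band"] else "no payment action"
        print(f"{label}: {action}; findings: {result['findings']}")
```

The header checks are deliberately cheap heuristics: they catch the common cases (a borrowed executive name, a swapped Reply-To, a one-character domain change) but they will miss a compromised genuine supplier mailbox, which is exactly why the payment-terms rule fires on its own and the phone call stays mandatory.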
Keep the technical basics in place
Spam and malware filtering, up-to-date software, and tested backups mean that even if something slips through, the damage is contained and recoverable. Cyber Essentials packages these fundamentals up — it's designed to block around 80% of common attacks, phishing very much included.
FAQs
Common questions
What's the single best defence against phishing?
Multi-factor authentication. It means a stolen password isn't enough to get into an account, which stops most credential-theft phishing dead. It does nothing against a fake invoice, though, so pair it with trained staff and verified payment changes and you've covered the big risks.
Can training really stop phishing?
It makes a big difference. The strongest technical defences can be undone by one click, so a team that recognises the scams and feels safe flagging them is one of your strongest defences. Simulated phishing tests help keep that awareness sharp.
What should we do if someone clicks a phishing link?
Act fast: reset the affected password, sign out every active session, and tell whoever supports your IT so they can check for damage and contain it, starting with any new mailbox forwarding rules, unfamiliar sign-ins, and other accounts where the same password was reused. Speed matters, and good backups and monitoring mean a slip doesn't have to become a disaster.
#WEARECOBALT
Ready when you are.
Tell us what's slowing your business down. We'll tell you exactly how we'd fix it — plainly, with no obligation.