Phishing Is Still the Number One Cyber Threat in the UK
Phishing attacks remain the single most common cyber threat facing UK businesses. According to the Cyber Security Breaches Survey 2024, 84% of businesses that identified a cyber security breach or attack in the past 12 months said phishing was the most common attack vector. That figure has remained consistently high for several years, and there is no sign of it declining. Phishing is cheap, scalable, and devastatingly effective - which is exactly why criminals continue to rely on it.
The National Cyber Security Centre (NCSC) regularly warns that phishing is the primary method criminals use to gain initial access to business systems. Once an attacker has a valid set of credentials or has tricked someone into running malicious software, the door is wide open for data theft, ransomware deployment, or business email compromise. The financial impact can be severe. The Cyber Security Breaches Survey reported that the average cost of a breach for medium and large businesses was in the tens of thousands of pounds, with some incidents running into six figures when you factor in remediation, lost business, and regulatory fines.
Despite widespread awareness that phishing exists, many UK organisations still lack the combination of technical defences and staff training needed to mount an effective defence. This guide explains how phishing attacks work, the different types you need to be aware of, and the practical steps you can take to protect your business.
Types of Phishing Attacks
Phishing is not a single type of attack. It is a broad category that encompasses several distinct techniques, each targeting different people in different ways. Understanding these variations is important because the defences that stop one type may not be effective against another.
Email Phishing
This is the most recognisable form of phishing and still the most prevalent. Attackers send emails that impersonate trusted entities - banks, software providers, delivery companies, government agencies, or even colleagues - in an attempt to trick recipients into clicking a malicious link, downloading an infected attachment, or entering credentials on a fake login page. Mass email phishing campaigns typically cast a wide net, sending the same message to thousands of recipients. While the hit rate per email is relatively low, the sheer volume means that even a fraction of a percent success rate translates into a meaningful number of compromised accounts.
Spear Phishing
Spear phishing is the targeted version of email phishing. Rather than sending a generic message to thousands of people, the attacker researches a specific individual and crafts a personalised email designed to be highly convincing. They might reference a real project the target is working on, impersonate a known colleague or supplier, and use language that matches the organisation's internal style. Spear phishing emails are significantly harder to detect because they lack the generic red flags that most people have been trained to spot. These attacks are often used as the entry point for more sophisticated campaigns, including ransomware deployment and business email compromise.
Whaling
Whaling is spear phishing specifically directed at senior executives - the "big fish" in an organisation. These attacks are particularly dangerous because senior leaders typically have access to sensitive information, financial systems, and the authority to approve large transactions. A whaling email might impersonate a board member, a legal adviser, or a regulatory body, and it will often create a sense of urgency to bypass the target's normal decision-making process. The financial impact of a successful whaling attack can be enormous, with some UK businesses losing hundreds of thousands of pounds to fraudulent payment requests authorised by compromised or impersonated executives.
Smishing (SMS Phishing)
Smishing uses text messages rather than emails to deliver the phishing payload. These messages typically contain a link to a fake website and create urgency - for example, claiming that a delivery requires rescheduling, a bank account has been suspended, or a tax refund is available. Smishing has become increasingly prevalent in the UK, with HMRC tax refund scams and Royal Mail delivery fee messages being particularly common. Many people are more trusting of text messages than emails, and the small screen size of mobile devices makes it harder to inspect URLs before clicking. This combination makes smishing surprisingly effective.
Vishing (Voice Phishing)
Vishing uses phone calls instead of written messages. The attacker calls the target, impersonating a bank, IT helpdesk, government agency, or trusted supplier, and attempts to extract sensitive information or persuade the target to take a specific action. Vishing attacks have become more sophisticated with the availability of AI voice cloning technology, which allows criminals to create convincing replicas of known voices. A call from someone who sounds exactly like your IT director asking you to reset a password or verify your login credentials is extraordinarily difficult to identify as fraudulent in real time.
How Phishing Attacks Work
Understanding the mechanics of a phishing attack helps you recognise why certain defences are effective and where vulnerabilities exist. Most phishing attacks follow a predictable sequence, even if the specific techniques vary.
Step 1 - Reconnaissance. The attacker gathers information about the target organisation and individuals. This might involve scraping LinkedIn for employee names and job titles, reviewing the company website for organisational structure, checking Companies House for director details, or analysing social media for personal information. For targeted attacks (spear phishing and whaling), this research phase can be extensive.
Step 2 - Crafting the message. Using the gathered intelligence, the attacker creates a message designed to trigger a specific response. Effective phishing messages exploit psychological principles - urgency (act now or face consequences), authority (this is from your CEO), familiarity (this looks like a message from a known supplier), and curiosity (you have received a document). The message directs the target towards a specific action: clicking a link, opening an attachment, or providing information.
Step 3 - Delivery and exploitation. The phishing message is delivered via email, text, phone call, or even social media. If the target takes the intended action - entering credentials on a fake login page, enabling macros in an attached document, or providing information over the phone - the attacker gains what they need. This might be login credentials, access to a system, or enough information to escalate the attack further.
Step 4 - Post-compromise activity. Once inside, the attacker acts quickly. They may harvest additional credentials, establish persistent access, move laterally through the network, exfiltrate data, or deploy ransomware. In business email compromise scenarios, they may sit quietly in a compromised mailbox for weeks, monitoring conversations and waiting for the right moment to intercept a payment or redirect a financial transaction.
Common Phishing Indicators
While sophisticated phishing attacks can be very difficult to detect, many phishing messages still contain telltale signs that should raise suspicion. Training your staff to recognise these indicators is a critical layer of defence.
Sender address discrepancies - The display name might say "Microsoft Support" but the actual email address is from a random domain. Always check the full sender address, not just the display name.
Urgency and pressure - Phishing emails frequently create artificial urgency: "Your account will be suspended in 24 hours," "Immediate action required," or "This invoice is overdue." This pressure is designed to make you act before you think.
Suspicious links - Hover over any link before clicking it. The displayed text might say "Sign in to Microsoft 365" but the actual URL points to a completely different domain. Look for subtle misspellings in domain names (microsof-t.com, mircosoft.com) and unfamiliar domains.
Generic greetings - Messages that begin with "Dear Customer" or "Dear User" rather than your actual name are often mass-distributed phishing attempts, though be aware that targeted attacks will use your real name.
Unexpected attachments - If you receive an attachment you were not expecting, especially file types like .zip, .exe, .docm, or .xlsm (macro-enabled Office files), treat it with extreme caution. Verify with the sender through a separate channel before opening it.
Requests for credentials or sensitive information - Legitimate organisations will not ask you to provide passwords, financial details, or other sensitive information via email. Any such request should be treated as suspicious by default.
Grammar and formatting issues - While AI-generated phishing emails are increasingly polished, many phishing messages still contain awkward phrasing, spelling mistakes, or formatting inconsistencies that differ from genuine communications.
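The indicators above can be turned into a first-pass triage check that a mail administrator or security team runs over reported messages. The script below is an added example, not code from the original article or from Coffee Cup Solutions: it parses a raw email, compares the display name with the real sending domain, compares visible link text with the actual destination, looks for lookalike domains by edit distance, and scans for urgency wording, credential requests, generic greetings and risky attachment types. The trusted-domain list, the phrase lists and the sample message are all constructed for the demo and would be tuned for a real organisation.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Brands this checker expects to see imitated (an assumed, organisation-specific list).
TRUSTED_DOMAINS = {"microsoft.com", "royalmail.com"}
RISKY_EXTENSIONS = (".zip", ".exe", ".docm", ".xlsm", ".js", ".iso")
URGENCY_PHRASES = ("immediate action", "within 24 hours", "suspended", "overdue")
CREDENTIAL_PHRASES = ("confirm your password", "enter your password", "verify your login")
GENERIC_GREETINGS = ("dear customer", "dear user")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host: str) -> str:
    """Crude organisational domain: last two labels, or three for co.uk-style suffixes."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in ("co", "gov", "org", "ac"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalikes such as mircosoft.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates (within two edits), else None."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def host_of(value: str) -> str:
    """Host part of a URL, or the value itself if it is already a bare host name."""
    m = re.match(r"https?://([^/:?#]+)", value.strip(), re.I)
    if m:
        return m.group(1).lower()
    return value.lower() if re.fullmatch(r"[\w-]+(\.[\w-]+)+", value.strip()) else ""


def analyse(raw: str) -> dict:
    """Return the indicators found in a raw RFC 822 message plus a simple score."""
    msg = message_from_string(raw)
    flags = []
    display, address = parseaddr(msg.get("From", ""))
    from_domain = registered_domain(address.rsplit("@", 1)[-1])
    for trusted in TRUSTED_DOMAINS:  # display name claims a brand the address lacks
        if trusted.split(".")[0] in display.lower() and from_domain != trusted:
            flags.append(("sender_mismatch", f"'{display}' sent from {from_domain}"))
    if lookalike_of(from_domain):
        flags.append(("lookalike_sender", f"{from_domain} imitates {lookalike_of(from_domain)}"))
    bodies = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            flags.append(("risky_attachment", name))
        if part.get_content_type() in ("text/plain", "text/html"):
            bodies.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    for body in bodies:  # visible link text vs. real destination, and lookalike targets
        for href, text in LINK_RE.findall(body):
            href_domain = registered_domain(host_of(href))
            if host_of(text) and registered_domain(host_of(text)) != href_domain:
                flags.append(("link_mismatch", f"text shows {host_of(text)}, link goes to {href_domain}"))
            if lookalike_of(href_domain):
                flags.append(("lookalike_link", href_domain))
    text = " ".join(bodies).lower()
    for code, phrases in (("urgency", URGENCY_PHRASES), ("credential_request", CREDENTIAL_PHRASES),
                          ("generic_greeting", GENERIC_GREETINGS)):
        hits = [p for p in phrases if p in text]
        if hits:
            flags.append((code, ", ".join(hits)))
    return {"flags": flags, "score": len(flags)}


def sample_message() -> str:
    """Constructed phishing-style message for the demo; sender and links are fictitious."""
    msg = EmailMessage()
    msg["From"] = '"Microsoft Support" <alerts@mircosoft.com>'
    msg["To"] = "jane.doe@example.co.uk"
    msg["Subject"] = "Immediate action required: mailbox suspended"
    msg.set_content("Dear Customer, your mailbox will be suspended within 24 hours.")
    msg.add_alternative(
        "<p>Dear Customer,</p><p>Your mailbox will be suspended within 24 hours.\n"
        'Visit <a href="https://login.mircosoft.com/verify">https://login.microsoft.com/</a>\n'
        "to confirm your password.</p>", subtype="html")
    msg.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_string()
```

Running `analyse(sample_message())` returns eight flags for the constructed message. A score like this is a triage aid for the person handling "report phishing" submissions, not a replacement for the filtering products discussed later: a well-crafted spear phishing email may trigger none of these checks, which is exactly why the article treats them as one layer among several.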
Technical Defences Against Phishing
Relying solely on staff vigilance to catch phishing attacks is a recipe for failure. People make mistakes, especially when they are busy, stressed, or distracted. A robust anti-phishing strategy requires multiple layers of technical controls that reduce the number of phishing messages reaching inboxes and limit the damage if someone does fall victim. Here are the key technical defences every UK business should have in place.
Email Filtering and Anti-Phishing Solutions
Modern email security solutions go far beyond basic spam filtering. Microsoft Defender for Office 365, for example, provides advanced anti-phishing capabilities including machine learning-based detection of impersonation attempts, safe links (which scan URLs at the point of click rather than just at delivery), and safe attachments (which detonate attachments in a sandbox environment to detect malicious behaviour). These features should be enabled and properly configured in every Microsoft 365 environment. Many organisations have Microsoft Defender for Office 365 included in their licensing but have not configured the anti-phishing policies, leaving significant protection on the table.
DMARC, DKIM, and SPF
These three email authentication standards work together to prevent attackers from spoofing your domain - that is, sending emails that appear to come from your organisation when they do not.
SPF (Sender Policy Framework) - A DNS record that lists which mail servers are authorised to send email on behalf of your domain. When a receiving server gets an email claiming to be from your domain, it checks the SPF record to verify whether the sending server is one of those authorised senders.
DKIM (DomainKeys Identified Mail) - Adds a digital signature to outgoing emails that the receiving server verifies against a public key published in your domain's DNS. This confirms that the signed parts of the email have not been tampered with in transit and that the message was signed under your domain.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) - Builds on SPF and DKIM by telling receiving servers what to do when an email fails authentication checks. A properly configured DMARC policy set to "reject" will ensure that spoofed emails impersonating your domain are blocked rather than delivered. DMARC also provides reporting that gives you visibility into who is attempting to send email using your domain.
Implementing all three of these standards is essential. They protect your organisation from being impersonated in phishing campaigns targeting your customers, suppliers, and partners. The NCSC provides free tools and guidance to help UK organisations implement DMARC correctly.
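To make the interaction between the three standards concrete, here is an added example (not code from the article or from Coffee Cup Solutions) that models what a receiving server does: it evaluates SPF for the connecting IP, takes a DKIM verification result as given, and then applies the DMARC policy of the From: domain, including the identifier alignment rules that decide whether a passing SPF or DKIM result actually counts. DNS lookups are replaced by a constructed in-memory zone for a fictional domain, and the SPF evaluator supports only the ip4, ip6, include and all mechanisms, which is enough to show the logic.

```python
import ipaddress

# Constructed DNS TXT data for a fictional domain; real records are published in DNS.
ZONE = {
    "example.co.uk": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_dmarc.example.co.uk": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                            "rua=mailto:dmarc-reports@example.co.uk",
}
SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def org_domain(domain: str) -> str:
    """Organisational domain used for relaxed alignment (crude public-suffix handling)."""
    labels = domain.lower().split(".")
    if len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in ("co", "gov", "org", "ac"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_spf(domain: str, client_ip: str, depth: int = 0) -> str:
    """Evaluate the SPF record of the envelope-sender domain for the connecting IP."""
    record = ZONE.get(domain.lower(), "")
    if not record.startswith("v=spf1") or depth > 10:
        return "none"
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = ("+", term) if term[0] not in SPF_RESULT else (term[0], term[1:])
        if mech.startswith(("ip4:", "ip6:")):
            if addr in ipaddress.ip_network(mech[4:], strict=False):
                return SPF_RESULT[qualifier]
        elif mech.startswith("include:"):
            if check_spf(mech[8:], client_ip, depth + 1) == "pass":
                return SPF_RESULT[qualifier]
        elif mech == "all":
            return SPF_RESULT[qualifier]
    return "neutral"


def dmarc_policy(from_domain: str):
    """Look up the DMARC record for the From: domain, falling back to its organisational domain."""
    for lookup, is_subdomain in ((from_domain, False), (org_domain(from_domain), True)):
        record = ZONE.get(f"_dmarc.{lookup.lower()}")
        if record:
            tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
            if tags.get("v") == "DMARC1":
                if is_subdomain and "sp" in tags:
                    tags["p"] = tags["sp"]  # the subdomain policy applies instead of p=
                return tags
    return None


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed needs the same organisational domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


def evaluate(from_domain, mail_from_domain, client_ip, dkim_domain=None, dkim_result="none"):
    """Combine SPF, DKIM and alignment into a DMARC verdict and the resulting disposition."""
    policy = dmarc_policy(from_domain)
    spf = check_spf(mail_from_domain, client_ip)
    if policy is None:
        return {"spf": spf, "dmarc": "none", "disposition": "none"}
    spf_aligned = spf == "pass" and aligned(mail_from_domain, from_domain, policy.get("aspf", "r"))
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and aligned(dkim_domain, from_domain, policy.get("adkim", "r")))
    if spf_aligned or dkim_aligned:
        return {"spf": spf, "dmarc": "pass", "disposition": "none"}
    return {"spf": spf, "dmarc": "fail", "disposition": policy.get("p", "none")}
```

The cases worth trying are a genuine message from an authorised IP (DMARC pass), a spoof that uses an unrelated envelope domain so that SPF passes for the attacker's own domain but is not aligned with the From: header (DMARC fail, disposition reject), and a DKIM signature from a subdomain under adkim=s, which is why strict alignment needs care when third parties sign mail for you. The p=none stage that most organisations start with delivers everything and only reports; the reject policy the article recommends is what actually blocks spoofed mail.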
Multi-Factor Authentication
Multi-factor authentication (MFA) is one of the most effective defences against credential theft via phishing. Even if an employee enters their password on a fake login page, MFA adds a second verification step - typically a code from an authenticator app or a push notification to a registered device - that the attacker cannot easily bypass. Microsoft reports that MFA blocks over 99.9% of automated account compromise attacks. It is arguably the single highest-impact security control available, yet a surprising number of UK businesses still have not enabled it across all user accounts. Every business should enforce MFA on all cloud accounts, remote access solutions, and administrative interfaces. If you use Microsoft 365, Conditional Access policies allow you to require MFA based on risk factors such as unfamiliar locations or devices.
Endpoint Protection
Even with strong email filtering and MFA in place, some phishing payloads will inevitably reach endpoints. Modern endpoint protection solutions go beyond traditional antivirus to provide behaviour-based detection, real-time threat intelligence, and automated response capabilities. Microsoft Defender for Endpoint, SentinelOne, and CrowdStrike are examples of endpoint detection and response (EDR) platforms that can detect and contain malicious activity even when it originates from a phishing attack that bypasses other controls. EDR solutions monitor for suspicious behaviours - such as a Word document spawning a PowerShell process - and can automatically isolate a compromised device to prevent lateral movement.
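The "Word document spawning a PowerShell process" behaviour mentioned above is the classic parent-child relationship that EDR rules look for. The following is an added example of that detection logic, not code from the article, from Coffee Cup Solutions or from any of the named products: it reads process-creation events in a constructed Sysmon-like JSON-lines layout (the field names are an assumption), flags script interpreters launched by Office applications, raises the severity when the command line shows hiding or remote-fetch options, and maps severity to the automated response the text describes.

```python
import json
import ntpath

# Parent applications that should not normally launch script interpreters.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Legitimate Windows tools that are also classic first stages after a malicious document.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Command-line fragments that raise severity because they hide the window or fetch code.
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
                   "downloadstring", "iex ")

# Constructed process-creation events (assumed field names); the encoded payload is a placeholder.
SAMPLE_EVENTS = r'''
{"Host": "LAPTOP-17", "User": "CORP\\jane.doe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc <base64-placeholder>"}
{"Host": "LAPTOP-17", "User": "CORP\\jane.doe", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe"}
{"Host": "DESK-04", "User": "CORP\\sam.lee", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"}
{"Host": "DESK-04", "User": "CORP\\sam.lee", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "chrome.exe https://example.co.uk"}
{"Host": "LAPTOP-17", "User": "CORP\\jane.doe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "C:\\Windows\\splwow64.exe 12288"}
'''


def evaluate_event(event: dict):
    """Return an alert when an Office parent spawns a script host, else None."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    child = ntpath.basename(event["Image"]).lower()
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    cmd = event.get("CommandLine", "").lower()
    hits = [arg for arg in SUSPICIOUS_ARGS if arg in cmd]
    severity = "high" if hits else "medium"
    # High severity triggers automatic containment; medium goes to an analyst first.
    response = ["isolate_host", "terminate_process_tree", "notify_soc"] if severity == "high" else ["notify_soc"]
    return {"rule": "office_spawns_script_host", "host": event["Host"], "user": event["User"],
            "parent": parent, "child": child, "severity": severity,
            "indicators": hits, "response": response}


def evaluate_events(jsonl: str) -> list:
    """Run the rule over a JSON-lines stream of process-creation events."""
    alerts = []
    for line in jsonl.strip().splitlines():
        alert = evaluate_event(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts
```

On the constructed events only two alerts fire: the hidden, encoded PowerShell launched by Word is rated high and marked for isolation, while Excel launching cmd.exe with a harmless command is rated medium for an analyst to review. A user opening PowerShell from Explorer, Outlook opening a browser, and Word calling the print spooler helper all pass, which is the point of keying on the parent-child pair rather than on PowerShell alone.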
The Human Layer - Security Awareness Training
Technical controls are essential, but they are not sufficient on their own. Your staff are both your greatest vulnerability and your strongest potential defence against phishing. The difference depends entirely on whether they have received effective security awareness training.
Effective phishing awareness training should include the following components:
Regular, engaging training sessions - Annual tick-box compliance training is not enough. Staff need regular, short, engaging training modules that keep phishing awareness front of mind throughout the year. Platforms that deliver monthly micro-learning modules are far more effective than a single annual presentation.
Simulated phishing campaigns - Regular simulated phishing emails test whether staff can apply their training in practice. These campaigns provide measurable data on your organisation's susceptibility and identify individuals or departments that need additional support. The goal is not to catch people out - it is to create a continuous learning cycle.
Clear reporting procedures - Staff need to know exactly what to do when they suspect a phishing message. Most organisations benefit from a "report phishing" button integrated directly into their email client, which makes reporting quick and easy. Critically, there should be no blame culture - you want people to report suspicious messages and admit to mistakes, not hide them.
Role-specific training - Finance teams, senior executives, and IT administrators face different types of phishing attacks and should receive training that addresses their specific risk profile. The finance team should be trained on invoice fraud and payment redirection scams, while executives should understand whaling tactics.
When security awareness training is done well, it transforms your workforce from a liability into a genuine detection layer. Trained employees who actively report suspicious messages give your security team early warning of targeted campaigns, allowing you to strengthen defences before an attack succeeds.
What to Do If You Fall Victim to a Phishing Attack
Despite the best defences, phishing attacks can and do succeed. What you do in the first minutes and hours after a compromise is discovered can make the difference between a contained incident and a catastrophic breach. Every organisation should have a documented incident response plan that includes the following steps.
Immediate Containment
If a user has entered credentials on a phishing site, immediately reset the compromised password and revoke all active sessions for that account. If MFA was not enabled, this is even more urgent. Check whether the attacker has created mail forwarding rules, modified mailbox permissions, or registered additional MFA devices on the compromised account. If a device has been infected with malware, isolate it from the network immediately to prevent lateral movement - disconnect it from Wi-Fi and wired networks, but do not power it off, as forensic investigators may need to examine the running state.
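The mailbox checks listed above (forwarding rules, hidden rules, newly registered MFA devices) are easy to miss under pressure, so it helps to script them. Below is an added example, not code from the article or from Coffee Cup Solutions, that triages an exported set of inbox rules and registered sign-in methods for one compromised account and produces an ordered containment plan. The field names follow the general shape of exported Exchange Online inbox rules and Entra ID authentication methods, but that layout is an assumption, and all of the data is constructed.

```python
from datetime import datetime

ORG_DOMAIN = "example.co.uk"  # assumed organisation domain
# Subject words attackers commonly filter on to hide security alerts or payment threads.
SENSITIVE_WORDS = ("invoice", "payment", "password", "security alert", "suspicious", "mfa")
# Folders where diverted messages typically go unnoticed by the mailbox owner.
HIDING_FOLDERS = ("rss feeds", "rss subscriptions", "conversation history", "deleted items", "archive")

# Constructed export for one compromised mailbox (assumed field names).
INBOX_RULES = [
    {"Name": "Archive newsletters", "Enabled": True, "ForwardTo": [], "ForwardingSmtpAddress": None,
     "RedirectTo": [], "DeleteMessage": False, "MoveToFolder": "Newsletters",
     "SubjectContainsWords": ["newsletter"], "MarkAsRead": False},
    {"Name": ".", "Enabled": True, "ForwardTo": [], "ForwardingSmtpAddress": "smtp:collect@mail-drop.example",
     "RedirectTo": [], "DeleteMessage": True, "MoveToFolder": None,
     "SubjectContainsWords": ["invoice", "payment", "password"], "MarkAsRead": True},
    {"Name": "Copy to finance", "Enabled": True, "ForwardTo": ["finance@example.co.uk"],
     "ForwardingSmtpAddress": None, "RedirectTo": [], "DeleteMessage": False,
     "MoveToFolder": None, "SubjectContainsWords": ["purchase order"], "MarkAsRead": False},
]
AUTH_METHODS = [
    {"Type": "microsoftAuthenticator", "Detail": "Jane's phone", "Registered": "2023-11-02T08:00:00+00:00"},
    {"Type": "phone", "Detail": "+44 7700 900123", "Registered": "2024-05-02T09:14:00+00:00"},
]
SUSPECTED_COMPROMISE = datetime.fromisoformat("2024-05-02T08:40:00+00:00")


def is_external(address) -> bool:
    """True for any forwarding target outside the organisation's own domain."""
    addr = (address or "").lower()
    addr = addr[5:] if addr.startswith("smtp:") else addr
    return bool(addr) and not addr.endswith("@" + ORG_DOMAIN)


def triage_rules(rules) -> list:
    """Flag enabled inbox rules that leak mail externally, hide sensitive threads or look disguised."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled"):
            continue
        reasons = []
        targets = list(rule.get("ForwardTo") or []) + list(rule.get("RedirectTo") or [])
        if rule.get("ForwardingSmtpAddress"):
            targets.append(rule["ForwardingSmtpAddress"])
        external = [t for t in targets if is_external(t)]
        if external:
            reasons.append("forwards to external address " + ", ".join(external))
        words = [w for w in rule.get("SubjectContainsWords") or [] if w.lower() in SENSITIVE_WORDS]
        hides = (rule.get("DeleteMessage") or rule.get("MarkAsRead")
                 or (rule.get("MoveToFolder") or "").lower() in HIDING_FOLDERS)
        if words and hides:
            reasons.append("hides messages mentioning " + ", ".join(words))
        if not rule.get("Name", "").strip(" .,_-"):
            reasons.append("rule name is blank or punctuation only")
        if reasons:
            findings.append({"rule": rule["Name"], "reasons": reasons})
    return findings


def new_auth_methods(methods, since: datetime) -> list:
    """Sign-in methods registered at or after the suspected compromise time."""
    return [m for m in methods if datetime.fromisoformat(m["Registered"]) >= since]


def containment_plan(rules, methods, since: datetime) -> list:
    """Ordered containment actions for the account, derived from the findings above."""
    plan = ["reset the password", "revoke refresh tokens and active sessions"]
    plan += [f"disable inbox rule '{f['rule']}' ({'; '.join(f['reasons'])})" for f in triage_rules(rules)]
    plan += [f"remove {m['Type']} method registered {m['Registered']}" for m in new_auth_methods(methods, since)]
    plan.append("preserve mailbox audit and sign-in logs before further changes")
    return plan
```

On the constructed data the rule named "." is flagged for three reasons at once (external forwarding, deleting messages about invoices and passwords, and a name chosen to be invisible in the rules list), the internal copy to finance is left alone, and the phone method registered after the compromise time is queued for removal. Disabling rather than deleting the rule keeps evidence for the scope assessment that follows.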
Assess the Scope
Determine what the attacker may have accessed. Review sign-in logs, audit logs, and email activity for the compromised account. Check whether the attacker used the compromised account to send phishing emails to other users (internal or external), which would expand the scope of the incident significantly. If business data has been accessed or exfiltrated, you will need to assess whether personal data was involved, which has implications for your UK GDPR obligations.
Notify and Report
Under UK GDPR, if the phishing attack resulted in a personal data breach that poses a risk to individuals' rights and freedoms, you must report it to the Information Commissioner's Office (ICO) within 72 hours. Your incident response plan should include clear criteria for determining whether a reportable breach has occurred and a process for making the notification. You should also consider whether customers, suppliers, or other parties need to be informed, particularly if the compromised account was used to send fraudulent messages to external contacts.
Remediate and Learn
Once the immediate incident is contained, conduct a thorough post-incident review. Understand how the phishing message bypassed your technical controls, why the user fell for it, and what changes are needed to prevent a recurrence. This might involve strengthening email filtering rules, enabling MFA on accounts that were not previously protected, deploying additional cyber security controls, or providing targeted training to the affected user and their team. Every phishing incident is a learning opportunity - make sure you capture and act on the lessons.
Building a Comprehensive Anti-Phishing Strategy
No single technology or training programme will eliminate the phishing threat. Effective protection requires a layered approach that combines technical controls, staff awareness, and robust incident response procedures. Here is a summary of the key elements.
Email security - Deploy and properly configure advanced email filtering with anti-phishing, safe links, and safe attachments capabilities.
Email authentication - Implement SPF, DKIM, and DMARC to prevent domain spoofing and gain visibility into email authentication failures.
Multi-factor authentication - Enforce MFA on all accounts, prioritising cloud services, email, remote access, and administrative accounts.
Endpoint protection - Deploy EDR solutions that can detect and contain threats that bypass email security controls.
Staff training - Run continuous security awareness training with regular simulated phishing campaigns and clear reporting procedures.
Incident response - Maintain a documented, tested incident response plan that covers phishing-specific scenarios including credential compromise, malware infection, and business email compromise.
Proactive monitoring - Monitor sign-in logs, email audit trails, and security alerts to detect compromises early, ideally before the attacker achieves their objective.
Each layer compensates for the limitations of the others. Email filtering will catch most phishing messages, but not all. Training will help staff spot those that get through, but not every time. MFA will block most credential theft, but determined attackers will attempt to bypass it. Endpoint protection will catch malware that users accidentally execute. Together, these layers create a defence-in-depth approach that makes a successful phishing attack significantly less likely and limits the damage if one does succeed.
Protect Your Business from Phishing Attacks
Coffee Cup Solutions helps UK businesses build comprehensive defences against phishing and other cyber threats. From deploying and configuring endpoint protection and email security controls to running ongoing security awareness training programmes with simulated phishing campaigns, we provide the layered protection your organisation needs.
Our managed IT support includes proactive security monitoring, incident response, and continuous improvement of your security posture. Whether you need a full cyber security overhaul or want to strengthen a specific area like email security or staff training, we can help. Get in touch to discuss how we can protect your business from the threats that matter most.