How to protect against email phishing scams

Blogs 30 Oct 2023

Unexpected email landed in your inbox? Our guide to email phishing scams explains what you need to know about the tactics cyber criminals use and how to stay alert.


Scams come in all shapes and sizes, from dodgy emails and fake sites to SMS and WhatsApp messages, and attacks are growing in frequency. Phishing attacks are the most common method used to breach organisations today and account for over 80% of successful attacks. All businesses, regardless of their size, will store information that is of value to cyber criminals, such as customer details or payment information.

What is a phishing scam?

Email phishing is a method used by cyber criminals to access valuable information, such as usernames and passwords or account details. The emails are often sent at random to thousands of people at a time.

The email claims to come from a reputable company such as your bank or credit card company. The most commonly imitated brands include Apple, Netflix, HMRC and WhatsApp.

However, the scams can be more targeted, too. Spear phishing is where someone poses as a trusted sender, like one of your clients or suppliers, in order to get you to divulge confidential information or transfer funds. Invoice fraud is seen with increasing regularity. Whilst this requires more research on the attacker’s part, you and your employees are far more likely to send such information, or process payments, to someone that you trust.

How phishing scams work

The emails try to trick people into panicking and visiting a bogus website, usually by claiming you need to “verify” or “update” your details, or “reactivate” an account.

Senders will typically ask users to click a link to a website designed to harvest credentials, or open an attachment – usually malware – that can infect devices.

Sometimes a phishing email doesn’t include a link, but comes in the form of an unexpected invoice, perhaps threatening legal action if you don’t pay up immediately. Others take a more positive tone, promising that you are due a tax rebate.

How to avoid phishing scams

Sensitive information can often be compromised in an attack, including personal data, bank details and passwords. Staying UK GDPR compliant means it’s important to be aware of how you can protect data.

Unfortunately, you can’t stop phishing emails from landing in your inbox, but you can learn how to spot suspicious activity and be prepared to deal with a spam email safely.

The most important question to ask yourself is: was I expecting this email? If the answer is no, then think before you click.

Be wary of emails that:

  • are unsolicited and supposedly come from a reputable organisation, such as a bank or credit card company.
  • don’t use your proper name, but instead have a vague greeting such as “Dear customer” or “Dear Sir/Madam”.
  • request your personal information such as username, password or bank details – recognised brands will never do this.
  • have addresses which don’t match the actual website of the organisation – hover over the sender’s display name to see what the address actually is.
  • use words like ‘urgent’, ‘important’ and ‘attention’ – a popular tactic is to create a sense of urgency or panic.
  • are poorly written. Emails from official organisations are usually proofread several times before they are sent and rarely contain typos or grammatical errors. If you see any errors, it’s likely that you’re being phished.
  • ask you to log in through a link - reputable organisations will also never send links to their login pages.
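
Several items in the list above can be checked automatically before a message reaches a person. The following Python is an added example, not part of the original article: it parses a raw message and reports which checklist items it trips. The brand-to-domain map, the function names and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: illustrative brand -> genuine sending domain map; maintain your own.
BRAND_DOMAINS = {"hmrc": "gov.uk", "netflix": "netflix.com", "apple": "apple.com"}
# Checklist items expressed as patterns over the subject and body text.
PATTERNS = {
    "generic-greeting": r"\bdear (customer|sir/madam)\b",
    "asks-for-credentials": r"\b(username|password|bank details)\b",
    "urgency": r"\b(urgent|important|attention)\b",
    "login-link": r"\b(log ?in|sign ?in)\b[^\n]*https?://",
}

def domain_matches(domain, genuine):
    """True if domain is the genuine domain or one of its subdomains."""
    domain = domain.lower().rstrip(".")
    return domain == genuine or domain.endswith("." + genuine)

def phishing_indicators(raw):
    """Return checklist items tripped by a single-part plain-text message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    body = msg.get_payload() if not msg.is_multipart() else ""  # multipart out of scope
    text = msg.get("Subject", "") + "\n" + body
    hits = []
    # Display name claims a brand, but the address is not on that brand's domain.
    if any(brand in display.lower() and not domain_matches(sender_domain, genuine)
           for brand, genuine in BRAND_DOMAINS.items()):
        hits.append("sender-mismatch")
    hits += [name for name, rx in PATTERNS.items() if re.search(rx, text, re.I)]
    return hits

# Constructed sample messages (not real mail).
PHISH = """\
From: "HMRC Refunds" <refunds@hmrc-rebate.example>
Subject: URGENT: verify your details

Dear customer,
You are due a tax rebate. Log in at http://hmrc-rebate.example/login
and confirm your password.
"""
BENIGN = """\
From: "Alex Smith" <alex@supplier.example>
Subject: Minutes from Tuesday

Hi Sam, the minutes from Tuesday's meeting are below.
"""
```

Calling phishing_indicators(PHISH) returns all five indicators, while BENIGN returns an empty list. A message that trips none of them can still be malicious, so treat the result as a triage signal rather than a verdict.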

While phishing attacks are now more prevalent than ever, there are plenty of ways you can reduce your organisation’s risk and potential exposure to attack.

Staff training

User education is vital. Teach your team how to spot fake emails and make sure they’re aware of the processes that are in place in your cyber security policy.

Employees who don’t know how to spot a phishing attempt could put your organisation at serious risk.


If your business employs multiple staff it may be worth investing in an email monitoring service to scan all inbound links and attachments and quarantine suspicious emails before they reach their intended target.

Virus protection

Install and regularly update anti-virus protection across all of your organisation’s devices, including computers, tablets and mobile phones.

Patch it up

Always patch software when new updates become available. Ideally, all software across all devices should be set to update automatically.

Micro-manage your passwords

Using the same or similar passwords across a range of services can make it easy for hackers to access all of your accounts following a single breach. Use a password manager and create strong and varied passwords (using a mixture of letters, numbers and symbols) for each individual account.

How to report phishing scams

If you’re unfortunate enough to have been fooled by a phishing attempt, remember, you’re not the only one. You can contact Action Fraud, the national fraud and cyber crime reporting centre.

It’s important that you identify what information has been stolen or if a virus has been installed as soon as possible. If you’ve given out personal information, such as banking information or credit card details, contact the relevant companies immediately and let them know what has happened.
