How to Protect Your UK Business from Phishing Attacks — Softomate Solutions blog

CYBER SECURITY

How to Protect Your UK Business from Phishing Attacks

9 May 2026 · 14 min read · By Softomate Solutions

What Is a Phishing Attack and How Does It Target UK Businesses?

A phishing attack is a deceptive attempt by a cyber criminal to trick individuals into revealing sensitive information - such as login credentials, financial details, or personal data - or into taking an action that compromises their organisation's security. The term covers a spectrum of techniques, from mass-sent generic emails to highly targeted attacks against specific individuals. Phishing is responsible for more than 80% of reported cyber incidents in the UK, according to the National Cyber Security Centre, making it by far the most significant threat facing British businesses of every size.

Softomate Solutions advises London and UK businesses on building practical defences against phishing. The challenge is not technical complexity - many of the best defences are straightforward to implement. The challenge is that phishing attacks exploit human psychology rather than software vulnerabilities, making purely technical solutions insufficient. Effective defence requires a combination of technical controls and a workforce that knows how to recognise and report suspicious activity.

What Are the Different Types of Phishing Attacks?

The term "phishing" covers several distinct attack techniques, each requiring slightly different defences. Understanding the variants helps you train your team to recognise them and helps you prioritise the technical controls that matter most.

Email Phishing

The classic form: a mass-sent email designed to appear legitimate, asking recipients to click a link or open an attachment. The email may impersonate a well-known brand (HMRC, Microsoft, a delivery company, a bank) or simply claim there is a problem with an account that requires immediate attention. Volume is the strategy - even a 0.1% click rate across a million emails yields a thousand compromised accounts.

Spear Phishing

Spear phishing is targeted. Attackers research a specific individual - reviewing their LinkedIn profile, company website, social media presence - and craft a personalised email that appears to come from a known contact or references specific, accurate details about the target's role or projects. Spear phishing emails are far more convincing than generic phishing and are used in higher-value attacks such as Business Email Compromise (BEC) fraud.

Whaling

Whaling is spear phishing targeting executives - the "big fish." A whaling attack might impersonate the CEO to instruct the finance team to make an urgent bank transfer, or impersonate a board member to extract sensitive corporate information. These attacks exploit the authority dynamics within organisations; employees receiving an urgent request from the apparent CEO are psychologically more likely to comply without verification.

Smishing and Vishing

Phishing is not limited to email. Smishing (SMS phishing) sends malicious links via text message. Vishing (voice phishing) uses phone calls, often with spoofed caller ID, to extract information directly. Vishing attacks impersonating banks, HMRC, and IT support are common in the UK. The NCSC runs the 7726 short code service, which allows UK mobile users to forward suspected smishing messages for investigation.

Clone Phishing

In clone phishing, attackers intercept or reconstruct a legitimate email that the target has previously received - for example, a supplier invoice or a notification from a cloud service - and replace the links or attachments with malicious versions. The email appears almost identical to the genuine one, making it particularly convincing.

How Do You Recognise a Phishing Email?

Training your team to spot phishing emails is the highest-impact awareness activity you can run. The following indicators, while not infallible, cover the most common phishing tells. Attackers are increasingly sophisticated, and some phishing emails are nearly indistinguishable from genuine ones - which is why technical controls are needed alongside human vigilance.

  • Sender address mismatch: The display name looks correct, but the actual email address is from a different domain. Look beyond the name to the address itself. A common technique is using domains that look similar to legitimate ones - for example, "microsoft-support.com" instead of "microsoft.com."
  • Urgency and pressure: "Your account will be suspended in 24 hours." "Action required immediately." Phishing emails create artificial urgency to prevent the recipient from thinking carefully before acting.
  • Unexpected requests: Any email asking you to click a link to verify your password, to make an urgent bank transfer, or to open an attachment you were not expecting should be treated with suspicion.
  • Mismatched links: Hover over any link before clicking. The destination shown in the status bar of your email client or browser should match where you expect to go. Shortened URLs (bit.ly, tinyurl.com) in business contexts are a red flag.
  • Poor grammar and spelling: This indicator is less reliable than it once was - AI-generated phishing emails are now grammatically sophisticated. However, obvious errors remain a useful signal.
  • Generic salutation: "Dear Customer" or "Dear User" instead of your name suggests a mass-sent phishing email rather than a genuine personal communication.
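The indicators above can be checked mechanically before a message ever reaches a person. The script below is an added example, not Softomate Solutions code: it parses a raw email, scores the six indicators listed above, and maps the count to a triage label. The trusted-domain list, keyword lists and the high/medium/low thresholds are assumptions chosen for illustration rather than a tuned detection rule, and both sample messages are constructed.

```python
"""Score a raw email against the phishing indicators listed above.
Added example (not Softomate Solutions code); standard library only.
TRUSTED_DOMAINS, the phrase lists and the thresholds are assumptions."""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"microsoft.com", "hmrc.gov.uk", "example.co.uk"}  # assumption
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
URGENCY_PHRASES = ("immediately", "within 24 hours", "suspended", "action required", "urgent")
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear valued")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _bodies(msg) -> tuple[str, str]:
    """Return the first text/plain and text/html parts, decoded (empty if absent)."""
    plain, html = "", ""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain" and not plain:
            plain = part.get_payload(decode=True).decode(errors="replace")
        elif ctype == "text/html" and not html:
            html = part.get_payload(decode=True).decode(errors="replace")
    return plain, html


def score_message(raw: str) -> dict[str, bool]:
    """Return one boolean per indicator for the raw RFC 822 message text."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    plain, html = _bodies(msg)
    text = (plain or re.sub(r"<[^>]+>", " ", html)).lower().strip()
    links = _LinkCollector()
    links.feed(html)

    f = dict.fromkeys(("display_name_mismatch", "lookalike_domain", "urgency",
                       "mismatched_link", "shortened_url", "generic_salutation"), False)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if sender_domain != trusted and not sender_domain.endswith("." + trusted):
            # Display name claims the brand ("Microsoft Account Team") but the address does not.
            f["display_name_mismatch"] |= brand in display.lower()
            # Address domain embeds the brand: microsoft-support.com vs microsoft.com.
            f["lookalike_domain"] |= brand in sender_domain
    f["urgency"] = any(p in text for p in URGENCY_PHRASES)
    f["generic_salutation"] = any(text.startswith(s) for s in GENERIC_SALUTATIONS)
    for href, visible in links.links:
        host = (urlparse(href).hostname or "").lower()
        f["shortened_url"] |= host in SHORTENERS
        # If the visible text is itself a URL, it should point at the same host as the href.
        shown = (urlparse(visible if "://" in visible else "//" + visible).hostname or "").lower()
        f["mismatched_link"] |= "." in shown and " " not in shown and shown != host
    return f


def risk_level(findings: dict[str, bool]) -> str:
    """Map the indicator count to a triage label (thresholds are an assumption)."""
    n = sum(findings.values())
    return "high" if n >= 3 else "medium" if n >= 1 else "low"


# Constructed sample messages, not real mail.
PHISH = """\
From: "Microsoft Account Team" <security@microsoft-support.com>
To: finance@example.co.uk
Subject: Action required: unusual sign-in
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Customer,</p>
<p>Your account will be suspended within 24 hours unless you verify now:
<a href="http://bit.ly/example-link">https://login.microsoft.com/verify</a></p>
</body></html>
"""
BENIGN = """\
From: "Alice Jones" <alice@example.co.uk>
To: bob@example.co.uk
Subject: Minutes from Tuesday
Content-Type: text/plain; charset=utf-8

Hi Bob, minutes attached as discussed. Alice
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        found = score_message(raw)
        print(name, risk_level(found), [k for k, v in found.items() if v])
```

A score like this belongs in front of the mail filter described later, not instead of it: it is cheap, explainable to the person who reported the message, and the same indicator names can be reused in the feedback shown after a simulated-phishing click.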

What Technical Controls Defend Against Phishing?

Human vigilance alone is insufficient. Technical controls add layers of protection that catch phishing attempts before they reach your team's inboxes and limit the damage when someone does click a malicious link.

Email Authentication (SPF, DKIM, DMARC)

SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) are email authentication standards that make it significantly harder for attackers to send emails that impersonate your domain. Configuring these records correctly prevents your domain from being spoofed, reducing the risk that your customers or suppliers receive phishing emails that appear to come from you. The NCSC provides free guidance and tools for checking and implementing these records. All three should be configured in your DNS settings - this is a technical task but a one-time one.

Advanced Email Filtering

Modern email platforms (Microsoft 365, Google Workspace) include sophisticated anti-phishing filters that use machine learning to identify and quarantine suspicious emails before they reach users. These should be configured and updated regularly. Additional third-party email security tools can provide enhanced scanning of attachments (sandboxing - executing files in a safe environment to detect malicious behaviour) and link checking (following links to verify the destination is not malicious at the time the email is clicked, not just when it was sent).

Multi-Factor Authentication

MFA does not prevent phishing but limits its impact. Even if an attacker steals your employee's email credentials through a phishing attack, MFA prevents them from using those credentials to access your systems. Every UK business should require MFA on email accounts, cloud services, and any system that holds sensitive data. The NCSC's updated Cyber Essentials standard now mandates MFA for all internet-accessible accounts.

Web Filtering and DNS Protection

Web filtering services block access to known malicious websites, including phishing sites. DNS-level filtering (such as Cloudflare Gateway, Cisco Umbrella, or the NCSC's free Protective DNS service) blocks connections to malicious domains at the network level, meaning even if a user clicks a phishing link, their browser is prevented from reaching the malicious site. The NCSC's Protective DNS service is available free to UK public sector organisations and is increasingly accessible to UK businesses.

How Do You Run an Effective Phishing Awareness Programme?

Security awareness training that actually changes behaviour requires more than a once-a-year video and a quiz. The most effective programmes combine regular, varied training with simulated phishing exercises that give employees realistic practice.

Simulated phishing exercises send realistic-looking (but harmless) phishing emails to your team. Employees who click the simulated link are immediately redirected to brief, non-blaming training about what the phishing indicators were and how to avoid them in future. These exercises are far more effective at changing behaviour than classroom training, because they provide a relevant experience at the moment of greatest learning - when someone has just made the mistake the training is trying to prevent.

Track click rates over time. A well-run programme should see click rates fall from an industry-average 30-40% on the first test to under 5% within 12 months. Report these metrics to senior leadership - visible accountability drives continued engagement with the programme.

Create a simple, non-punitive reporting mechanism. Employees who suspect they have received a phishing email - or who have already clicked a link - must feel comfortable reporting immediately. Delayed reporting dramatically increases the damage from a successful attack. A "Report Phishing" button in your email client, linked to your IT team or security provider, makes reporting a single click rather than a bureaucratic process.

Our cyber security consultancy in London designs and delivers phishing awareness programmes tailored to the specific risk profile of your business, including simulated phishing exercises and board-level reporting on training outcomes.

What Is Business Email Compromise and Why Is It So Dangerous?

Business Email Compromise (BEC) is a sophisticated form of phishing that targets financial transactions. In a typical BEC attack, criminals either compromise a legitimate business email account or create a convincing lookalike domain, then use it to instruct finance teams to redirect payments, change supplier bank details, or disclose sensitive financial information.

BEC fraud cost UK businesses over £1 billion in 2022, according to the NCA. The attacks are particularly devastating because they often succeed in convincing businesses to make payments they believe are entirely legitimate - to suppliers, to their own bank accounts, or to payroll systems. Once a payment is made, recovering the funds is extremely difficult. Banks and law enforcement agencies have limited ability to reverse international transfers once funds have left UK banking systems.

Defending against BEC requires process controls alongside technical ones. Always verify payment instruction changes out-of-band (call the supplier or colleague using a known phone number, not the one in the email). Implement dual authorisation for large payments. Train finance teams specifically on BEC patterns - they are targeted more than any other function.

What Should You Do If Someone in Your Team Clicks a Phishing Link?

Speed matters. The faster you respond to a successful phishing click, the less damage results. Train your team to report immediately rather than waiting to see if anything happens or, worse, hoping no one notices.

When a phishing click is reported:

  • Disconnect the device from the network to prevent lateral spread.
  • Change the credentials of any accounts that may have been compromised, starting with the account used on that device and any other accounts that share the same password.
  • Check for suspicious email forwarding rules or inbox access from unusual locations.
  • Scan the device for malware.
  • If the phishing email requested financial action, contact your bank immediately to freeze any pending transfers.
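The "check for suspicious email forwarding rules" step is the one most often done by eye, so here is an added example (not Softomate Solutions code) that audits an exported list of mailbox rules for the patterns a compromised account tends to carry: copies forwarded to an external address, and rules that delete or file away mail mentioning invoices, payments or passwords so the owner never sees it. The JSON shape is a constructed simplification and an assumption; Microsoft 365 and Google Workspace exports use different field names, so map them before calling `audit_rules`. The keyword and folder lists are likewise assumptions to adapt to your organisation.

```python
"""Audit exported mailbox rules for post-phishing persistence patterns.
Added example, not Softomate Solutions code. The export format below is a
constructed simplification (assumption), as are the keyword and folder lists."""
import json

INTERNAL_DOMAINS = {"example.co.uk"}  # assumption: the organisation's own domains
SENSITIVE_KEYWORDS = {"invoice", "payment", "bank", "password", "mfa", "verification"}
HIDING_FOLDERS = {"deleted items", "rss feeds", "archive", "junk", "conversation history"}


def _is_external(address: str) -> bool:
    return address.rpartition("@")[2].lower() not in INTERNAL_DOMAINS


def audit_rule(rule: dict) -> list[str]:
    """Return human-readable findings for one rule (empty list = nothing suspicious)."""
    findings = []
    for target in rule.get("forward_to", []):
        if _is_external(target):
            findings.append(f"forwards a copy to external address {target}")
    keywords = {k.lower() for k in rule.get("subject_contains", []) + rule.get("body_contains", [])}
    sensitive_hits = keywords & SENSITIVE_KEYWORDS
    actions = rule.get("actions", {})
    # A rule "hides" mail if it deletes it or files it somewhere the owner rarely looks.
    hides = bool(actions.get("delete")) or actions.get("move_to", "").lower() in HIDING_FOLDERS
    if sensitive_hits and hides:
        findings.append(f"hides mail mentioning {sorted(sensitive_hits)} from the inbox")
    if hides and actions.get("mark_read"):
        findings.append("marks hidden mail as read so unread counts do not reveal it")
    if rule.get("name", "").strip() in {"", ".", ",", "..", "-"}:
        findings.append("rule has an empty or single-character name")
    return findings


def audit_rules(export_json: str) -> dict[str, list[str]]:
    """Map rule name -> findings for every rule that has at least one finding."""
    report = {}
    for index, rule in enumerate(json.loads(export_json)):
        findings = audit_rule(rule)
        if findings:
            report[rule.get("name") or f"rule#{index}"] = findings
    return report


# Constructed sample export: one legitimate rule and two that warrant a look.
SAMPLE_EXPORT = json.dumps([
    {"name": "Team newsletter", "subject_contains": ["Weekly digest"],
     "actions": {"move_to": "Newsletters"}},
    {"name": ".", "subject_contains": ["invoice", "payment"],
     "forward_to": ["collector@webmail-example.net"],
     "actions": {"delete": True, "mark_read": True}},
    {"name": "Ops alerts", "subject_contains": ["password"],
     "actions": {"move_to": "Deleted Items"}},
])

if __name__ == "__main__":
    for name, findings in audit_rules(SAMPLE_EXPORT).items():
        print(f"{name!r}:")
        for line in findings:
            print("  -", line)
```

Run it against a fresh export taken as soon as the click is reported, and again after credentials are reset; a rule that reappears is a sign the attacker still has a foothold (a second session or app password) that the reset did not remove.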

Our endpoint protection services include monitoring that flags the indicators of compromise associated with post-phishing malware installation, giving your team the earliest possible warning when a device has been affected.

How Does Phishing Relate to UK GDPR Obligations?

A phishing attack that results in unauthorised access to personal data is a data breach under UK GDPR. If the breached data relates to customers, employees, or other individuals whose data you process, you may have a legal obligation to notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach. You may also need to notify the affected individuals if the breach is likely to result in risk to their rights and freedoms.

The ICO's guidance on personal data breaches is clear: organisations that have not implemented appropriate security measures - including staff training on phishing - will be considered to have failed to take appropriate technical and organisational measures as required by UK GDPR. This can result in enforcement action, including fines. Demonstrating that you have a structured phishing awareness programme is evidence of good faith compliance.

What Is AI-Generated Phishing and Why Is It More Dangerous?

Artificial intelligence tools have significantly lowered the bar for creating convincing phishing content. Attackers now use large language models to generate grammatically perfect, contextually relevant phishing emails at scale - without the telltale signs of poor English that previously helped people identify phishing attempts. AI can also be used to clone the writing style of specific individuals, generating emails that convincingly impersonate your CEO or a trusted colleague based on their publicly available communications.

Deepfake audio and video are extending this threat further. Vishing attacks now sometimes use AI-generated voice clones of senior executives to instruct finance teams to make urgent payments. In several well-documented cases, UK finance professionals have been deceived into transferring large sums by calls that appeared - and sounded - to come from their CFO or a senior partner.

The countermeasures are the same as for traditional phishing - MFA, email authentication, process controls for financial transactions - but the urgency of implementing them has increased. Organisations that previously relied on "it looked obviously fake" as a filter can no longer do so. Out-of-band verification (calling back on a known number for any urgent financial request, regardless of how convincing the email or call seems) is now essential, not optional.

How Do HMRC Phishing Scams Target UK Businesses?

HMRC is one of the most frequently impersonated organisations in UK phishing campaigns, because most UK businesses have an ongoing relationship with HMRC and are conditioned to respond promptly to apparent communications from them. Common HMRC phishing scenarios include fake tax refund notifications ("You are owed a refund of £X - click to claim"), fake self-assessment reminders with malicious attachments, fake VAT investigation notices designed to create urgency and fear, and fake requests to update bank details for tax credit payments.

HMRC publishes a list of genuine HMRC communications on its website, which is useful when in doubt. HMRC states clearly that it will never ask you to click a link in an email to claim a refund, will never ask for your bank details by email, and will never threaten immediate arrest or legal action in an automated call. Any communication claiming to be from HMRC that does any of these things is fraudulent. Forward suspected HMRC phishing emails to phishing@hmrc.gov.uk.

Staff who deal with financial or tax matters are the highest-risk group for HMRC phishing. Include specific HMRC phishing scenarios in your staff awareness training, not just generic phishing indicators.

Frequently Asked Questions

How do I report a phishing email in the UK?

Forward suspicious emails to the NCSC's Suspicious Email Reporting Service at report@phishing.gov.uk. For suspicious text messages, forward them to 7726 (which spells SPAM on most phone keypads). For phishing attacks that have resulted in financial loss, report to Action Fraud at actionfraud.police.uk or by calling 0300 123 2040. These reports help the NCSC and law enforcement identify and disrupt phishing campaigns targeting UK organisations.

Can phishing attacks happen through social media?

Yes. Social media phishing (sometimes called "angling") involves sending malicious messages or links through platforms like LinkedIn, WhatsApp, Instagram, and Facebook. LinkedIn is particularly targeted for business-focused attacks because it provides attackers with detailed information about their targets' roles and colleagues. Business WhatsApp groups are increasingly used to distribute phishing links under the cover of legitimate-looking colleague communications. The same vigilance that applies to email should apply to unexpected messages on any platform.

Is it possible to completely prevent phishing attacks?

No technical control eliminates phishing entirely. The goal is to reduce the likelihood that a phishing email reaches your team's inbox, reduce the likelihood that someone acts on it if it does, and minimise the damage if someone does act on it. A combination of email authentication, advanced filtering, web filtering, MFA, and regular training achieves this layered defence. Organisations with mature phishing defences still occasionally have someone click a malicious link - the difference is they detect it quickly and limit the damage.

How do I check if my domain can be spoofed?

The NCSC provides a free "Check Your Cyber Security" service at ncsc.gov.uk that includes a domain spoofing check. Alternatively, tools like MXToolbox and dmarcian allow you to check whether your domain has SPF, DKIM, and DMARC records configured correctly. A domain whose DMARC record is missing, or not set to an enforcement policy (p=quarantine or p=reject), can be spoofed by anyone. This is a simple technical fix with significant security impact.
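The spoofing check described here, and the SPF/DMARC configuration covered in the Email Authentication section earlier, come down to reading two DNS TXT records. The script below is an added example, not Softomate Solutions code and not the NCSC, MXToolbox or dmarcian tools: it parses an SPF record and a DMARC record and reports whether the domain is effectively enforcing. The records are constructed sample strings (an assumption); for a real domain, fetch them with `dig +short TXT example.co.uk` and `dig +short TXT _dmarc.example.co.uk` and pass the results in. It deliberately ignores SPF `redirect=` and `include:` chains and DKIM selector records, which a full audit would also walk.

```python
"""Assess whether a domain's published SPF and DMARC records let it be spoofed.
Added example, not Softomate Solutions code. The sample records are constructed."""
from __future__ import annotations


def parse_dmarc(txt: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dict (keys lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(txt: str) -> str | None:
    """Return the qualifier on the 'all' mechanism ('-', '~', '?', '+') or None if absent."""
    if not txt.lower().startswith("v=spf1"):
        return None
    for term in txt.split()[1:]:
        term = term.lower()
        if term in ("all", "+all", "-all", "~all", "?all"):
            return term[0] if term[0] in "+-~?" else "+"
    return None  # no 'all' term: unknown senders get a neutral result


def assess(spf_txt: str | None, dmarc_txt: str | None) -> dict:
    """Return {'spoofable': bool, 'dmarc_policy': str|None, 'findings': [...]}."""
    findings = []
    spf_q = spf_all_qualifier(spf_txt) if spf_txt else None
    if spf_txt is None:
        findings.append("no SPF record: any server may send as this domain")
    elif spf_q in (None, "+", "?"):
        findings.append("SPF does not fail unknown senders (needs -all, or ~all with DMARC)")
    elif spf_q == "~":
        findings.append("SPF softfail (~all): spoofed mail is marked, not rejected, unless DMARC enforces")

    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else {}
    policy = dmarc.get("p", "none").lower() if dmarc else None
    if not dmarc:
        findings.append("no DMARC record: receivers will not enforce SPF/DKIM alignment")
    elif policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    else:
        pct = int(dmarc.get("pct", "100"))
        if pct < 100:
            findings.append(f"DMARC pct={pct}: only {pct}% of failing mail is subject to the policy")
    if dmarc and "rua" not in dmarc:
        findings.append("no rua= address: you receive no aggregate reports on spoofing attempts")

    # Spoofable if nothing enforces alignment, or if SPF '+all' passes every sender.
    spoofable = not dmarc or policy == "none" or spf_q == "+"
    return {"spoofable": spoofable, "dmarc_policy": policy, "findings": findings}


# Constructed sample records for three hypothetical domains (203.0.113.0/24 is documentation space).
SAMPLES = {
    "weak.example": ("v=spf1 include:_spf.example.net ~all",
                     "v=DMARC1; p=none; rua=mailto:reports@weak.example"),
    "strong.example": ("v=spf1 ip4:203.0.113.10 -all",
                       "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example"),
    "bare.example": (None, None),
}


def audit_all() -> dict[str, dict]:
    return {domain: assess(*records) for domain, records in SAMPLES.items()}


if __name__ == "__main__":
    for domain, result in audit_all().items():
        print(f"{domain}: spoofable={result['spoofable']} policy={result['dmarc_policy']}")
        for line in result["findings"]:
            print("  -", line)
```

Treat `p=none` as the starting point, not the finish: it is the correct first step because the `rua=` reports show which legitimate senders (payroll, CRM, ticketing) would fail alignment, and the policy is moved to `quarantine` and then `reject` once those are covered.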

What should I do if I accidentally gave my password to a phishing site?

Act immediately. Change the compromised password and any other accounts that use the same password. Check whether MFA is enabled on the compromised account - if not, enable it now. Review the account's login history for any access from unfamiliar locations or devices. Check whether any forwarding rules, permissions, or settings have been changed. Contact your IT team or cyber security provider immediately - time is critical in limiting the damage from credential theft.

Let us help

Need help applying this in your business?

Talk to our London-based team about how we can build the AI software, automation, or bespoke development tailored to your needs.
