Phishing Defence, Email Security and Social Engineering Awareness

Phishing in Brief

  • NCSC advice on phishing-resistant authentication
  • Email gateway filtering and DMARC, SPF, DKIM in place
  • Worker training and easy reporting routes for suspect messages

Phishing, Email and Social Engineering

Phishing is the most common way attackers get into UK businesses, and the messages have become harder to spot than they used to be. The early phishing emails of the 2000s were full of obvious typos and bizarre claims. Modern phishing uses well-crafted English, copies the visual style of legitimate senders, references real names and roles taken from LinkedIn, and increasingly arrives by text message, voice call or messaging app rather than only by email. The defenders have had to evolve as well, and the controls now sit across email systems, browsers, identity systems and the people receiving the messages.

Social engineering is the broader category that phishing sits inside - the use of psychology rather than technical exploits to get someone to do something they should not. The attacker bypasses the technical controls by persuading a human to act for them. The defence is the same combination of technology and training that handles phishing.

How Phishing Attacks Work

The classic phishing email asks the recipient to click a link, enter credentials on a fake login page and unwittingly hand over their username and password. The credentials are then used directly or sold on. Variants include emails that ask for a payment to be made urgently to a new account, emails that get someone to open an attachment containing malware, and emails that simply gather information for a later attack.

Targeted phishing - sometimes called spear phishing - is aimed at a specific individual or role. The most expensive variant is business email compromise (BEC) where an attacker poses as a senior executive or supplier and asks finance to make a large payment. UK businesses lose substantial sums to BEC every year, and the controls that work against bulk phishing - filters, training - are less effective against the targeted version.

Vishing (voice phishing) and smishing (SMS phishing) extend the same techniques to phone calls and text messages: a call from "the bank" or "IT support" asking for credentials, a text message claiming a parcel cannot be delivered without a small payment, a WhatsApp message from a colleague's number asking for an urgent transfer. The medium changes; the technique does not.

Technical Controls Against Phishing

The first line of defence is the email system. Modern email services include phishing filters that catch a high proportion of bulk attacks, and most allow administrators to apply additional rules - quarantining external emails that impersonate internal senders, flagging emails from outside the organisation, blocking attachments of certain types. SPF, DKIM and DMARC are the email authentication standards that make it harder to spoof the company's own domain.

Multi-factor authentication is the control that limits the damage when a phishing attempt succeeds. Even if a worker enters their password into a fake site, the attacker still needs the second factor to log in. Phishing-resistant multi-factor methods - hardware security keys, passkeys, certain authenticator apps - are stronger than SMS codes, which can themselves be phished.

Web filtering and browser security catch some phishing sites at the point of access. Many corporate browsers and security products warn users when they reach a known phishing page or a domain that has been registered too recently to be trusted. Endpoint security catches the malware payload if a phishing email gets through and an attachment is opened.

Behavioural Controls and Phishing Awareness

The technical controls do not catch every phishing attempt, particularly the targeted ones. Awareness is the part of the defence that handles what gets through. The practical objective is for workers to recognise a suspicious message, know what to do with it (typically: do not click, do not reply, report it through a defined channel) and not feel embarrassed about reporting one that turns out to be legitimate.

Phishing simulations are the most effective way of building this awareness. The organisation sends test phishing emails on a regular schedule and measures who clicks, who reports and who does neither. The first round usually finds the workforce at much higher click rates than expected. Subsequent rounds, paired with focused training for the people who clicked, drive the click rate down considerably.

The cultural piece matters more than people sometimes acknowledge. A culture where workers are punished for clicking a phishing email is a culture where they hide the clicks and the incidents are not discovered until something else goes wrong. A culture where reporting is encouraged and acted on - including reporting near-misses where someone almost clicked - is one where threats are spotted faster.

Business Email Compromise and Wire Fraud

Business email compromise deserves separate attention because the financial losses are large and the controls are different from bulk phishing. BEC typically involves the attacker either taking over a real email account or registering a similar-looking domain, and using it to send a believable instruction to finance, often referencing a current project or transaction.

The defence is procedural. Bank details for any new payment or any change of bank details for an existing supplier are confirmed by an independent channel - a phone call to a known number, not the number in the email. Large payments require a second authoriser. Anything urgent is treated with extra suspicion, because urgency is a standard pressure tactic in BEC. The finance team should know that being asked to bypass the normal controls is itself a warning sign.

Phishing protection comes down to four things. Filters that catch the obvious stuff. Multi-factor authentication so a stolen password is not enough on its own. Training so people know what to do when something gets through. And a procedure for confirming bank details and payment instructions that does not rely on email. Get those four right and most of the threat is gone, including the targeted version that the bulk filters tend to miss.

When I audit phishing controls I look at the email security configuration, the multi-factor authentication coverage, and the training records. The most common gap is multi-factor authentication that has been turned on for some users but not others, often because senior staff have asked to be exempted for convenience. Senior staff are exactly the ones who should not be exempt - they are the targets in business email compromise.

I also ask whether the organisation has run phishing simulations and what the click rate was. The answer tells me how mature the awareness side of the programme is.

A finance person of ours nearly fell for a CEO impersonation last year. What stopped it was the procedure - we require a phone call to a known number to confirm any new bank details, no exceptions. It became the case study for the next round of training.

Practical Compliance Guidance

The IMS1 manual covers phishing and social engineering as part of the wider information security and incident management approach. The same incident process that handles ransomware and lost devices also captures phishing reports, with an emphasis on encouraging reporting rather than penalising the people who almost clicked.

The following alphaZ documents support a practical approach to phishing, email and social engineering controls.

alphaZ document: How to use it

  • ISO 27001 Toolkit: Full document set for setting up an information security management system, including the email and communications policies and the awareness training course.
  • P-33 Internet and Email Policy: Top-level policy covering the acceptable use of email and internet services, including the rules workers are expected to follow.
  • PP-8-05 Internet and Electronic Messaging Policy Procedure: Detailed procedure covering email security, attachment handling, link checking, and the controls applied to inbound and outbound messages.
  • P-114 Cyber Security Policy: Cybersecurity policy covering the technical defences against phishing including filters, multi-factor authentication and endpoint protection.
  • ISO 27001 Awareness Training Course: Training course covering the basics of information security including phishing recognition, password security and reporting incidents.
  • P-88 Information Security Incident Management Policy: Policy covering how phishing reports and successful attacks are handled, including the incident response sequence and reporting obligations.
  • PP-8-100 Information Security Policy Procedure: The master policy that sets out the email, communications and awareness sections referenced from the standalone policies above.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

The classic indicators are unexpected messages, urgency or pressure to act quickly, requests for credentials or payments, mismatched sender addresses (the display name says one thing, the actual address says another), links that go somewhere different from where they appear to go, and unusual phrasing from a known sender. Modern phishing is harder to spot than it used to be, so the practical advice is that any email asking for credentials, a payment or unusual action should be checked through an independent channel before the action is taken. When in doubt, report it.

Treat it as an incident immediately. Disconnect the affected device from the network. Change the credentials for any system the person was logged into. Check whether multi-factor authentication caught the attempt or whether the attacker may have a working session. If credentials were entered on a fake site, assume the password is compromised and change it everywhere it has been reused. Capture the details for the incident log and feed back into training. Speed matters - the longer between the click and the response, the more time the attacker has.

Yes, when run well. The best programmes use realistic scenarios, vary the messages, target the people whose role makes them more likely to be attacked (finance, executive assistants, senior leaders), and pair the simulations with focused training for the people who clicked. The metric that matters is the trend in click rate over time. The simulations work less well when they are obviously fake or when they are used punitively - if the people who click are publicly named, reporting goes down and the programme stops working.

The technical controls are the same as for general phishing - email authentication, multi-factor authentication, anti-impersonation rules. The procedural controls are what make the difference for business email compromise specifically. Bank details for any new supplier, or any change of bank details for an existing supplier, are confirmed by phone to a known number, never the number in the email. Large payments are authorised by a second person. A standing instruction that no payment instruction received only by email is acted on without independent confirmation. These procedural controls cost nothing and stop most BEC attempts in their tracks.
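An added example, not from the original page, of the kind of inbound-mail rule that flags the two impersonation patterns described above: a display name matching an internal user but arriving from an external address, and a sender domain that is a lookalike of the organisation's own (the "similar-looking domain" used in business email compromise). The organisation's domain, the internal directory and the sample From headers are constructed, and the homoglyph folding is a deliberately simple heuristic.

```python
# Added example (not from the original page): an inbound-mail rule that flags two
# impersonation patterns, an internal display name on an external address and a
# lookalike of the organisation's domain. Directory, domains and headers are constructed.
import unicodedata

OUR_DOMAIN = "example.com"
DIRECTORY = {"Jane Smith": "jane.smith@example.com",   # constructed internal directory:
             "Tom Brown": "tom.brown@example.com"}     # display name -> mailbox

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character-off domains (example.co)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise_domain(domain):
    """Fold common homoglyph tricks: non-ASCII lookalikes, 0/o, 1/l and rn/m."""
    d = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    return d.replace("0", "o").replace("1", "l").replace("rn", "m")

def parse_from(header):
    """Split 'Jane Smith <ceo@attacker.test>' into (display name, address)."""
    if "<" in header and header.endswith(">"):
        name, addr = header[:-1].split("<", 1)
        return name.strip().strip('"'), addr.strip().lower()
    return "", header.strip().lower()

def check_sender(from_header):
    """Return the reasons to quarantine this message; an empty list means no finding."""
    name, addr = parse_from(from_header)
    domain = addr.rsplit("@", 1)[-1]
    findings = []
    if domain == OUR_DOMAIN:
        return findings  # internal address: assumed already checked by DMARC upstream
    if name in DIRECTORY and DIRECTORY[name] != addr:
        findings.append("display name matches an internal user but the address is external")
    if normalise_domain(domain) == OUR_DOMAIN or edit_distance(domain, OUR_DOMAIN) <= 1:
        findings.append(f"sender domain {domain} looks like {OUR_DOMAIN}")
    return findings

if __name__ == "__main__":  # constructed sample headers
    for hdr in ["Jane Smith <jane.ceo@webmail.test>", "Accounts <invoices@examp1e.com>",
                "Tom Brown <tom.brown@exarnple.com>", "Newsletter <news@vendor.test>"]:
        print(hdr, "->", check_sender(hdr) or "no finding")
```

A rule like this catches the cheap variants; the account-takeover variant, where the real mailbox sends the instruction, produces no finding at all, which is why the phone-call confirmation above is the control that has to hold.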

UK Legislation

The following UK legislation is directly relevant to phishing, email and social engineering. Organisations outside the UK should identify the equivalent legislation applicable in their jurisdiction.

Further Resources
