Phishing is the most common form of cyber attack facing UK businesses, and it works because it targets human behaviour rather than software vulnerabilities. No firewall stops someone from clicking a malicious link in an email that appears to be from their bank. No antivirus prevents an employee from handing over their login credentials to a convincing fake website. Understanding how phishing works — and how to build defences against it — is one of the most valuable things a business can do.
What Phishing Is and How It Works
Phishing is the practice of sending deceptive communications designed to trick the recipient into taking a specific action — clicking a link, opening an attachment, transferring money, or handing over login credentials. The term comes from “fishing”: attackers cast a wide net and wait for someone to take the bait.
The deception usually relies on impersonation. Attackers pretend to be a trusted entity — a bank, HMRC, Microsoft, a supplier, or even a colleague. They construct messages that look convincing and add pressure to stop the recipient thinking clearly.
The Different Types
Email phishing is the most common form. Millions of malicious emails are sent every day, often using templates that mimic legitimate companies down to their branding, fonts, and email formatting.
Spear phishing is a targeted variant. Rather than sending a generic message to thousands of people, the attacker researches a specific individual and crafts a personalised message. They might reference your company name, a recent project, or the name of a colleague. These attacks are significantly more convincing and more dangerous.
Whaling is spear phishing aimed at senior executives or business owners — high-value targets whose credentials or authority can be exploited for financial gain or privileged system access.
Smishing is phishing via SMS. Messages claiming to be from delivery companies, banks, or government departments are common. The trend increased sharply during the pandemic and has remained elevated.
Vishing (voice phishing) involves phone calls. Attackers impersonate bank fraud teams, HMRC, or IT support staff and talk victims through disclosing sensitive information or installing software.
How Attackers Make Messages Convincing
Modern phishing messages are often professionally crafted. Attackers study their targets, use real company names and logos, and mimic the tone and style of genuine communications. They register domains that look similar to legitimate ones — “paypa1.com” instead of “paypal.com”, or “support-hmrc.gov.uk” instead of the genuine “gov.uk” domain.
They also exploit psychology. A message that says “your account will be suspended in 24 hours” creates urgency that overrides careful thinking. A request that appears to come from a senior colleague asking for an urgent bank transfer applies social pressure that’s hard to push back against.
A Real-World Scenario
Consider this: an employee receives an email appearing to come from their CEO, sent while the CEO is away at a conference (information the attacker found on LinkedIn). The email says a supplier payment has been held up, asks the employee to process a transfer to a new account urgently, and requests they keep it quiet until the CEO returns. The email domain is “companynam3.co.uk” — close enough to the real one to pass a quick glance. The employee, not wanting to let the CEO down, transfers the funds. This is called Business Email Compromise, and it costs UK businesses millions every year.
Red Flags to Look For
Certain signals should always trigger caution: unexpected urgency, requests for sensitive information via email, instructions to bypass normal processes, mismatched or slightly wrong email addresses, URLs that don’t match the organisation they claim to represent, and requests for payment to new or unverified accounts. If something feels off, it usually is.
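The lookalike domains, the CEO-fraud scenario and the red flags described above can be turned into checks that run over a message before a person has to judge it. The scorer below is an added example written for this article; it is not code from the article or from DreamThieves. The trusted-domain list, the keyword patterns, the "three flags is high risk" threshold and the three sample messages are all constructed for illustration.

```python
"""Red-flag scorer for incoming email: an added example, not the article's
or DreamThieves' own tooling. The trusted-domain list, keyword patterns,
scoring threshold and the three sample messages are all constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed: domains the hypothetical business treats as legitimate senders.
TRUSTED_DOMAINS = {"companyname.co.uk", "paypal.com", "hmrc.gov.uk"}

# Digits commonly substituted for letters when registering lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

# Constructed phrase lists for the pressure tactics the article describes.
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|keep (this|it) quiet)\b", re.I)
NEW_ACCOUNT = re.compile(r"\b(new (bank )?account|updated bank details)\b", re.I)
CREDENTIALS = re.compile(r"\b(confirm your (password|login)|verify your (account|identity))\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits separate two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(domain: str) -> bool:
    """A trusted domain or a subdomain of one (attackers cannot register those)."""
    return domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    domain = domain.lower()
    if is_trusted(domain):
        return None
    normalised = domain.translate(CONFUSABLES)  # paypa1.com -> paypal.com
    for trusted in TRUSTED_DOMAINS:
        if normalised == trusted or edit_distance(normalised, trusted) <= 2:
            return trusted
    return None


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def score_email(raw: str) -> dict:
    """Apply the red-flag checks to one RFC 822 message; return flags and a verdict."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    flags = []

    imitated = lookalike_of(sender_domain)
    if imitated:
        flags.append(f"sender domain {sender_domain} imitates {imitated}")

    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != sender_domain:
        flags.append(f"Reply-To goes to {domain_of(reply_to)}, not the sender's domain")

    brand = next((t for t in TRUSTED_DOMAINS if t.split(".")[0] in display.lower()), None)
    if brand and not is_trusted(sender_domain):
        flags.append(f"display name claims {brand} but the address is {sender_domain}")

    for host in re.findall(r"https?://([^/\s>]+)", text):
        if lookalike_of(host):
            flags.append(f"link points at lookalike domain {host}")

    if URGENCY.search(text):
        flags.append("urgency or secrecy pressure")
    if NEW_ACCOUNT.search(text):
        flags.append("payment to a new or changed account")
    if CREDENTIALS.search(text):
        flags.append("request for login credentials")

    verdict = "high" if len(flags) >= 3 else "medium" if flags else "low"
    return {"flags": flags, "verdict": verdict}


# Constructed samples: the article's CEO-fraud scenario, a credential phish,
# and a genuine internal email.
BEC_SAMPLE = """\
From: "Sarah Jones (CEO)" <sarah.jones@companynam3.co.uk>
To: finance@companyname.co.uk
Subject: Urgent supplier payment

The supplier payment has been held up. Please process the transfer to their
new account immediately and keep it quiet until I'm back from the conference.
"""

CREDENTIAL_SAMPLE = """\
From: "PayPal Support" <service@paypa1.com>
Reply-To: reset@mail-secure-login.example
To: finance@companyname.co.uk
Subject: Your account will be suspended in 24 hours

Please verify your account at http://paypa1.com/login to avoid suspension.
"""

LEGIT_SAMPLE = """\
From: "Sarah Jones" <sarah.jones@companyname.co.uk>
To: finance@companyname.co.uk
Subject: Q3 expense report

Attached is the expense report for review before Friday's meeting.
"""

if __name__ == "__main__":
    for name, sample in [("BEC", BEC_SAMPLE), ("credential", CREDENTIAL_SAMPLE), ("legit", LEGIT_SAMPLE)]:
        print(name, score_email(sample))
```

The CEO-fraud sample trips three flags (lookalike sender, urgency and secrecy, payment to a new account) and the credential phish trips six, while the genuine email trips none. The point is not the exact numbers but that each red flag in the list above is mechanically checkable: a mail gateway or a reporting button can surface these signals to staff instead of relying on them to notice a single swapped character in a domain.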
Technical Defences
A layered technical approach significantly reduces phishing risk. Email filtering — using tools that scan incoming messages for known malicious content, suspicious links, and spoofed senders — blocks a large proportion of phishing attempts before they reach an inbox.
DMARC, SPF, and DKIM are email authentication standards that make it much harder for attackers to spoof your domain and send phishing emails that appear to come from your business. Configuring these records correctly is a technical task but one with clear, lasting benefit.
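"Configuring these records correctly" means getting a handful of DNS TXT values right, and the weak settings are easy to spot once you know what to look for. The checker below is an added example written for this article, not code from the article or from DreamThieves. The records it inspects are constructed for a hypothetical domain, example.co.uk, in a weak and a corrected form; a real check would fetch the live records with a DNS TXT lookup first.

```python
"""Checker for the SPF, DKIM and DMARC DNS TXT records described above: an added
example, not the article's or DreamThieves' own tooling. The records are
constructed for a hypothetical domain, example.co.uk, in a weak and a corrected
form; a real check would fetch them with a DNS TXT lookup."""
import re

# Constructed records for example.co.uk. The 'all' term at the end of an SPF
# record decides what happens to senders not listed before it.
SPF_WEAK = "v=spf1 include:_spf.mailhost.example +all"    # +all authorises anyone
SPF_STRONG = "v=spf1 include:_spf.mailhost.example -all"  # -all fails unlisted senders
DMARC_WEAK = "v=DMARC1; p=none"                           # monitor only, no reports
DMARC_STRONG = "v=DMARC1; p=reject; rua=mailto:dmarc@example.co.uk; adkim=s; aspf=s"
DKIM_STRONG = "v=DKIM1; k=rsa; p=BASE64_PUBLIC_KEY_PLACEHOLDER"  # placeholder key
DKIM_REVOKED = "v=DKIM1; k=rsa; p="                       # empty p= means key revoked

# SPF terms that cost a DNS lookup (RFC 7208 allows at most 10 per evaluation).
LOOKUP_TERMS = re.compile(r"^[+\-~?]?(include:|a$|a[:/]|mx$|mx[:/]|redirect=|exists:)")


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' tag list (the DMARC and DKIM record syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: str) -> list:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    mechanisms = [t.lower() for t in terms[1:]]
    findings = []
    all_terms = [t for t in mechanisms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        advice = {"+": "'+all' authorises every sender on the internet; use -all",
                  "?": "'?all' is neutral, so spoofed mail passes; use -all",
                  "~": "'~all' only softfails; move to -all once every sender is listed"}
        if qualifier in advice:
            findings.append(advice[qualifier])
        if mechanisms[-1].lstrip("+-~?") != "all":
            findings.append("mechanisms after 'all' are never evaluated")
    lookups = sum(1 for t in mechanisms if LOOKUP_TERMS.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (RFC 7208)")
    return findings


def check_dmarc(record: str) -> list:
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to junk; p=reject blocks it")
    elif policy != "reject":
        findings.append("missing or unknown p= policy")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: the policy applies to only {pct}% of messages")
    return findings


def check_dkim(record: str) -> list:
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional and defaults to DKIM1
        return ["not a DKIM key record"]
    if not tags.get("p"):
        return ["empty p= tag: the key is revoked, so signatures will not verify"]
    if tags.get("t") == "y":
        return ["t=y marks the key as testing; receivers may ignore failures"]
    return []


def enforcement_status(spf: str, dkim: str, dmarc: str) -> str:
    """'enforced' only when all three records pass every check above."""
    if check_spf(spf) or check_dkim(dkim) or check_dmarc(dmarc):
        return "partial"
    return "enforced"


if __name__ == "__main__":
    print("weak:", check_spf(SPF_WEAK), check_dmarc(DMARC_WEAK), check_dkim(DKIM_REVOKED))
    print("strong:", enforcement_status(SPF_STRONG, DKIM_STRONG, DMARC_STRONG))
```

The two settings that most often leave a business exposed are an SPF record ending in `+all` or `?all`, which authorises any sender, and a DMARC policy of `p=none`, which reports spoofing but never blocks it. To run the checks against live records, fetch them with `dig TXT example.co.uk`, `dig TXT _dmarc.example.co.uk` and `dig TXT <selector>._domainkey.example.co.uk` (substituting your own domain and DKIM selector) and pass each value to the matching function.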
Multi-factor authentication (MFA) means that even if an attacker obtains a password via phishing, they still can’t access the account without the second factor. It’s one of the most effective defences available.
Human Defences
Technology alone is not sufficient. The most important defence is a workforce that knows what phishing looks like and feels comfortable reporting it. Staff should be trained regularly — not with long compliance videos, but with practical, relevant examples. Phishing simulations — where staff receive fake phishing emails and are shown the result if they click — are a highly effective training tool.
Critically, businesses must create a culture where reporting a suspected phishing attempt is encouraged, not embarrassing. If staff fear being blamed for clicking a link, they’ll stay silent — and that silence is far more damaging than the click itself.
DreamThieves provides email security configuration and phishing simulations as part of a practical, small-business-focused security programme.
A specialist from the DreamThieves cyber security team.