Security awareness

Phishing Awareness Training: How to Protect Your Business

A practical, UK-focused guide to phishing — what it is, how attacks work, how your people can spot them, and the controls that stop them reaching the inbox in the first place.

What is phishing?

Phishing is a form of social engineering where attackers impersonate a trusted person, brand or service to trick someone into giving up credentials, transferring money, opening a malicious attachment or visiting a fraudulent website. The UK Government's Cyber Security Breaches Survey consistently finds it the most common type of attack identified by UK businesses, and it is the usual first step in the credential-theft, fraud and ransomware incidents that become reportable data breaches.

Phishing comes in several forms:

  • Email phishing — fraudulent emails imitating trusted senders.
  • Smishing — phishing via SMS or messaging apps.
  • Vishing — phishing via voice calls, often impersonating IT, banks or HMRC.
  • Fake websites — convincing clones of real login portals designed to harvest credentials.

Unlike technical exploits, phishing targets people. It bypasses firewalls and antivirus by manipulating human trust, urgency or curiosity.

Why phishing is a critical business risk

Phishing is consistently the most common cyber attack reported in the UK Government's Cyber Security Breaches Survey, and the leading entry point into data breaches and ransomware incidents. For UK businesses, a single successful phishing email can result in:

  • Financial loss — fraudulent transfers, ransomware payments and recovery costs that frequently exceed annual security budgets.
  • Data breaches — unauthorised access to client, patient or employee data.
  • Business disruption — system outages, halted operations and customer impact lasting days or weeks.
  • Regulatory fines — ICO enforcement under UK GDPR, plus sector penalties for healthcare, legal and financial firms.
  • Loss of trust — long-term reputational damage with clients, partners and insurers.

Real-world phishing attack examples

CEO fraud at a UK professional services firm

What happened
A finance manager received an urgent email appearing to come from the managing partner requesting a same-day £74,000 transfer to a 'new' client account.

How it worked
The attacker had registered a lookalike domain swapping a lowercase 'l' for an uppercase 'I'. The email was sent at 4:45pm on a Friday with instructions to bypass the usual approval process.

Business impact
The transfer was made and the funds moved through three mule accounts within two hours. Only £9,000 was recovered. The firm faced an ICO notification and a six-figure rise in cyber insurance premiums.

Supply chain phishing via a compromised supplier

What happened
A construction SME received a routine invoice from a long-standing subcontractor with updated bank details in the PDF.

How it worked
The subcontractor's Microsoft 365 account had been compromised weeks earlier. The attacker monitored real invoice threads and intercepted a genuine email, replacing the attachment with a tampered version.

Business impact
£28,000 was paid to the attacker's account. The breach was only identified when the real subcontractor chased payment three weeks later.

Credential harvesting leads to a data breach

What happened
An employee at a healthcare provider entered their Microsoft 365 credentials into a fake 'shared document' login page.

How it worked
The phishing email mimicked an internal SharePoint notification. The fake page captured the password and prompted for the MFA code, which the attacker replayed in real time.

Business impact
The attacker accessed the mailbox for nine days, exfiltrating patient correspondence. The organisation reported a personal data breach to the ICO within 72 hours and notified affected patients.

Ransomware following a phishing entry point

What happened
A logistics company suffered a five-day operational outage after an employee opened a malicious attachment disguised as a delivery manifest.

How it worked
The attachment dropped a loader that established persistence, harvested administrator credentials and deployed ransomware across the file server and backup network.

Business impact
Customer deliveries were halted, recovery cost over £400,000, and the incident was reportable under UK GDPR. The root cause was a single click on a phishing email.

Types of phishing attacks

Email phishing

Mass-distributed emails impersonating banks, couriers, HMRC, Microsoft 365 or Google to harvest credentials or deliver malware.

Spear phishing

Targeted emails crafted for a specific person using public information from LinkedIn, Companies House or breach data.

CEO fraud (BEC)

Business Email Compromise where attackers impersonate an executive or supplier to trigger urgent payments or data disclosure.

Smishing

Phishing via SMS or messaging apps — fake delivery notifications, bank alerts and one-time-code requests.

Vishing

Voice phishing calls impersonating IT support, banks or HMRC, often combined with caller ID spoofing.

AI-driven phishing

Generative AI produces flawless UK English, deepfake voice notes and personalised lures at scale, eroding traditional 'spot the typo' advice.

How to identify a phishing email

Train every employee to pause and check the following before clicking, replying or downloading:

  • Suspicious or unfamiliar sender, or a display name that doesn't match the email domain.
  • Urgency, pressure or threats — 'act now', 'your account will be closed', 'final notice'.
  • Unexpected attachments or links, especially .zip, .htm, .iso or macro-enabled documents.
  • Requests for passwords, MFA codes, bank details or payment changes.
  • Subtle domain misspellings (micros0ft.com, securechain-group.com, .co instead of .co.uk).
  • Generic greetings or unusual tone and formatting compared to genuine messages.
  • Anything that simply feels unusual — trust that instinct and verify.

What to do if you receive a suspicious email

  1. Do not click any links, open attachments or scan embedded QR codes.
  2. Do not reply to the message or forward it to colleagues outside a secure reporting process.
  3. Report it internally using your organisation's phishing report button or agreed mailbox.
  4. Verify any request by contacting the sender on a known phone number or through a separate trusted channel.
  5. Once reported, delete the message from your inbox and deleted items folder.

Free resource

Downloadable Phishing Awareness Checklist

Print this checklist, pin it near your team's desks or include it in your onboarding pack. It distils the most important phishing checks into a single page anyone can use, regardless of technical background.

  01. The sender's email address matches the organisation it claims to be from (check the full domain, not just the display name).
  02. The domain is spelled correctly — no swapped letters, added hyphens or unusual top-level domains (.co vs .co.uk).
  03. I was expecting this message, or it relates to a known piece of work.
  04. The greeting uses my name correctly, not a generic 'Dear customer' or 'Dear user'.
  05. The message does not pressure me to act immediately or threaten consequences for inaction.
  06. Links point to the real domain — hover (or long-press on mobile) to preview the URL before clicking.
  07. Attachments are expected and from a trusted sender; I am cautious of .zip, .htm, .iso and macro-enabled Office files.
  08. I am not being asked to enter my password, MFA code or payment details via a link.
  09. Requests to change bank details, payroll or supplier accounts are verified by phone using a known number — never the number in the email.
  10. The email's tone, signature and formatting match previous genuine messages from the sender.
  11. Internal requests from senior staff are verified directly, especially anything urgent, confidential or financial.
  12. Embedded QR codes are treated with the same suspicion as links — 'quishing' is a growing tactic.
  13. Replies to suspicious messages are avoided; the original sender is contacted through a separate, trusted channel.
  14. Suspicious messages are reported to IT or the security team using the agreed reporting process or button.
  15. Once reported, the email is deleted from the inbox and the deleted items folder.

Download this checklist as a PDF for your team.
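The sender checks in the checklist above (items 01, 02 and 06) and in the 'How to identify a phishing email' section are mechanical enough for a mail gateway or a report-triage script to apply before anyone reads the message. The Python below is an added example written for this page, not code from the original page or from Secure Chain. The trusted-domain list, the sample headers and the confusable table are constructed for illustration: the table is a small hand-picked subset of Unicode's confusables, and public-suffix handling covers only the two-label suffixes listed.

```python
"""Sender checks behind the 'identify' cues and checklist items 01, 02 and 06:
is the From: address on a trusted domain, or does it only look like one?

Added example, not code from the original page. The trusted-domain list and
sample headers are constructed; the confusable table is a hand-picked subset,
not Unicode's full confusables data.
"""
import re
import unicodedata
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed allow-list: domains this firm and its known suppliers really send from.
TRUSTED_DOMAINS = ("securechaingroup.co.uk", "microsoft.com", "hmrc.gov.uk", "docusign.com")

# Two-label public suffixes, so hmrc.gov.uk splits as ('hmrc', 'gov.uk'), not ('gov', 'uk').
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "nhs.uk", "com.au", "co.nz"}

# Glyphs attackers substitute because they render like Latin letters (subset).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "I": "l",   # digits, capital I for l
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",    # Cyrillic a e o p
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u04bb": "h",    # Cyrillic c s i h
    "\u0443": "y", "\u0445": "x", "\u04cf": "l",                   # Cyrillic y x palochka
})


def skeleton(text):
    """Fold a label or display name to a comparable form: confusables mapped back
    to ASCII, accents stripped, rn->m and vv->w, punctuation removed."""
    t = text.translate(CONFUSABLES)                 # before lower(): 'I' must become 'l', not 'i'
    t = unicodedata.normalize("NFKD", t).lower().translate(CONFUSABLES)
    t = "".join(c for c in t if not unicodedata.combining(c))
    t = t.replace("rn", "m").replace("vv", "w")
    return re.sub(r"[^a-z0-9]", "", t)


def decode_idn(domain):
    """Show punycode (xn--...) as the Unicode the user sees; leave other input alone."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def split_domain(domain):
    """(second-level label, public suffix) of the registrable domain:
    login.microsoft.com -> ('microsoft', 'com'); hmrc.gov.uk -> ('hmrc', 'gov.uk')."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return labels[0], ""


def assess_sender(header_from, trusted=TRUSTED_DOMAINS):
    """Classify a From: header as 'trusted', 'suspicious' (with reasons) or 'unknown'."""
    name, addr = parseaddr(header_from)
    domain = decode_idn(addr.rpartition("@")[2])
    sld, suffix = split_domain(domain)
    registrable = f"{sld}.{suffix}" if suffix else sld
    if registrable in trusted:
        return {"domain": registrable, "verdict": "trusted", "findings": []}
    findings = []
    for t in trusted:
        t_sld, _ = split_domain(t)
        if sld == t_sld:                            # same label, different suffix (.co for .co.uk)
            findings.append(f"TLD swap: {registrable} mimics {t}")
        elif skeleton(sld) == skeleton(t_sld):      # micros0ft, rnicrosoft, securechain-group
            findings.append(f"lookalike spelling (homoglyph, digit or hyphen): {registrable} mimics {t}")
        elif skeleton(t_sld) in skeleton(domain):   # hmrc-gov.uk, microsoft.com.verify-login.net
            findings.append(f"brand embedded in domain: {registrable} mimics {t}")
        elif SequenceMatcher(None, skeleton(sld), skeleton(t_sld)).ratio() >= 0.85:
            findings.append(f"near-miss spelling: {registrable} resembles {t}")
        if skeleton(t_sld) in skeleton(name):       # 'Microsoft 365' <...@gmail.com>
            findings.append(f"display name {name!r} claims {t} but the address is on {registrable}")
    if "@" in name:                                 # '"ceo@firm.co.uk" <attacker@gmail.com>'
        findings.append(f"display name {name!r} contains an address; the real sender is {addr}")
    verdict = "suspicious" if findings else "unknown"
    return {"domain": registrable, "verdict": verdict, "findings": findings}


# Constructed sample headers; the last two mirror the CEO-fraud and IDN cases above.
PUNYCODE_DOMAIN = "micr\u043esoft.com".encode("idna").decode("ascii")  # Cyrillic 'o' in the label
SAMPLE_HEADERS = [
    "Microsoft 365 <no-reply@microsoft.com>",
    "Microsoft 365 <security@micros0ft.com>",
    "Secure Chain Group <accounts@securechain-group.com>",
    "HMRC Refunds <refunds@hmrc-gov.uk>",
    "Jo Bloggs <jo@bloggs-plumbing.co.uk>",
    '"ceo@securechaingroup.co.uk" <mp.partner.urgent@gmail.com>',
    f"Microsoft <login@{PUNYCODE_DOMAIN}>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        result = assess_sender(header)
        print(f"{result['verdict']:<10} {header}")
        for finding in result["findings"]:
            print(f"           - {finding}")
```

An 'unknown' verdict is not a pass: a genuine new supplier and a freshly registered attacker domain look identical to this check, which is why the checklist still routes bank-detail changes to a phone call on a known number.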

Advanced

How phishing attacks evade detection

For IT and security teams, understanding the techniques attackers use to bypass perimeter controls is essential for designing layered defences.

  • Email filtering bypass — attackers abuse legitimate cloud services (SharePoint, Dropbox, Google Drive, DocuSign) to host malicious content, route payloads through trusted infrastructure and avoid reputation-based blocking.
  • AI-generated phishing — large language models produce grammatically perfect, contextually relevant lures in seconds, eliminating the spelling and tone cues that once gave attackers away.
  • Domain spoofing and lookalikes — internationalised domain names, homoglyph characters and freshly registered lookalike domains slip past keyword filters and visual inspection.
  • Credential harvesting kits — Adversary-in-the-Middle (AiTM) toolkits such as Evilginx sit as a reverse proxy in front of the real Microsoft 365 sign-in page, so the victim sees genuine pages and a genuine MFA prompt while the kit records the username, the password and, once MFA succeeds, the session cookie. Replaying that cookie gives the attacker a signed-in session without authenticating again. This defeats SMS codes, authenticator-app codes and push approvals, but not FIDO2 keys or passkeys, because the browser will not release an origin-bound credential to the lookalike site.
  • MFA fatigue attacks — attackers with valid credentials bombard a user with push notifications until they approve one out of habit or annoyance.
  • Supply chain risks — mail sent from a compromised supplier mailbox passes SPF, DKIM and DMARC, because it genuinely originates from the supplier's authorised servers and carries the supplier's own DKIM signature. Authentication proves which domain sent the message, not that the sender meant to send it, so invoice and bank-detail changes need out-of-band verification whatever the authentication results say.
  • QR code phishing ('quishing') — QR codes embedded in PDFs or images move the malicious URL off the email body and onto a personal mobile device outside corporate controls.
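The AiTM and session-cookie points above are clearest as a protocol exchange. The script below is an added example that is not part of the original page and is not taken from Evilginx or any other toolkit. It models a constructed identity provider with two sign-in methods and a relaying proxy on a lookalike host; every host name, account and secret is constructed, and an HMAC stands in for the authenticator's ECDSA signature so it runs on the Python standard library. It shows why the cookie issued after password plus one-time code can be replayed from anywhere, and why a FIDO2 assertion requested on the proxy page is refused by the browser and, even if a client produced one, rejected by the relying party because clientData.origin names the proxy.

```python
"""Why an AiTM proxy beats password + one-time code but not FIDO2.

Added example, not code from the original page or any named toolkit. Hosts, users
and secrets are constructed; HMAC stands in for the authenticator's ECDSA signature
so this runs on the standard library alone. The relying-party checks (challenge,
clientData.origin, rpIdHash, signature over authenticatorData || SHA-256(clientDataJSON))
follow the WebAuthn assertion flow."""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://login.example-idp.com"          # constructed identity provider
RP_ID = "example-idp.com"                               # FIDO2 credentials are scoped to this
PROXY_ORIGIN = "https://login.example-idp-secure.com"   # constructed attacker lookalike


class IdentityProvider:
    def __init__(self):
        self.passwords = {"alice": "Winter2024!"}
        self.credentials = {"alice": secrets.token_bytes(32)}  # authenticator key (HMAC stand-in)
        self.otp_codes, self.sessions, self.challenges = {}, {}, {}

    def _issue_cookie(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user      # bearer token: whoever presents it is the user
        return cookie

    def whoami(self, cookie):
        return self.sessions.get(cookie)

    def send_one_time_code(self, user):   # what the SMS or authenticator app shows
        self.otp_codes[user] = f"{secrets.randbelow(10**6):06d}"
        return self.otp_codes[user]

    def login_password_otp(self, user, password, code):
        """Anything the user can type into a web page, a proxy in the middle can forward."""
        if self.passwords.get(user) != password or self.otp_codes.pop(user, None) != code:
            return None
        return self._issue_cookie(user)

    def webauthn_begin(self, user):
        challenge = secrets.token_urlsafe(16)
        self.challenges[challenge] = user
        return challenge

    def webauthn_finish(self, assertion):
        client_data = json.loads(assertion["clientDataJSON"])
        user = self.challenges.pop(client_data.get("challenge"), None)
        if user is None:
            return None, "unknown or reused challenge"
        if client_data.get("origin") != REAL_ORIGIN:    # the check an AiTM proxy cannot pass
            return None, f"origin {client_data.get('origin')} is not this site"
        auth_data = assertion["authenticatorData"]
        if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
            return None, "rpIdHash does not match this relying party"
        signed = auth_data + hashlib.sha256(assertion["clientDataJSON"].encode()).digest()
        expected = hmac.new(self.credentials[user], signed, "sha256").digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None, "bad signature"
        return self._issue_cookie(user), "ok"


def browser_assertion(key, page_origin, rp_id, challenge, enforce_scope=True):
    """What the victim's browser and security key do: the page origin goes into
    clientData, and a credential is only usable from an origin its rpId covers."""
    host = page_origin.split("://", 1)[1]
    if enforce_scope and not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"{page_origin} may not use credentials scoped to {rp_id}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    signature = hmac.new(key, auth_data + hashlib.sha256(client_data.encode()).digest(),
                         "sha256").digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def run_scenarios():
    idp, out = IdentityProvider(), {}
    key = idp.credentials["alice"]                      # held in Alice's security key
    # 1. Password and one-time code typed into the proxy page are forwarded to the real IdP;
    #    the cookie it returns is kept by the proxy and works from wherever it is presented.
    captured = idp.login_password_otp("alice", "Winter2024!", idp.send_one_time_code("alice"))
    out["otp_cookie_replayed"] = idp.whoami(captured) == "alice"
    # 2. Same page, FIDO2: the proxy relays a genuine challenge, but the browser refuses to sign.
    try:
        browser_assertion(key, PROXY_ORIGIN, RP_ID, idp.webauthn_begin("alice"))
        out["fido_browser_refused"] = False
    except PermissionError:
        out["fido_browser_refused"] = True
    # 3. Even a non-compliant client that signed anyway fails: clientData names the proxy.
    forged = browser_assertion(key, PROXY_ORIGIN, RP_ID, idp.webauthn_begin("alice"), False)
    out["fido_rp_rejected"] = idp.webauthn_finish(forged)[1].startswith("origin ")
    # 4. The genuine site still signs Alice in.
    cookie, reason = idp.webauthn_finish(
        browser_assertion(key, REAL_ORIGIN, RP_ID, idp.webauthn_begin("alice")))
    out["fido_genuine_ok"] = reason == "ok" and idp.whoami(cookie) == "alice"
    return out


if __name__ == "__main__":
    for scenario, result in run_scenarios().items():
        print(f"{scenario:<22} {result}")
```

Push approvals and number matching sit on the one-time-code side of this line: whatever the victim can read off the proxy's page and type or approve is relayed as-is. Only the rpId scoping in browser_assertion and the origin check in webauthn_finish stop the relay, which is what 'phishing-resistant' means when the term is used in the controls list.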

Preventing phishing attacks: business-level controls

No single control stops every phishing attempt. A defensible posture combines people, process and technology:

  • Ongoing security awareness training — short, frequent training paired with realistic simulated phishing campaigns.
  • Phishing-resistant MFA — FIDO2 security keys or passkeys for administrators and high-risk roles: the credential is bound to the genuine site's origin, so it cannot be relayed through an AiTM proxy. Enable number matching on push notifications for everyone else; it stops MFA fatigue, but it is not phishing-resistant, because a proxied login still shows the victim the correct number to type.
  • Email authentication — SPF, DKIM and DMARC, with DMARC at p=quarantine or p=reject rather than p=none (which only reports), a rua= address whose aggregate reports someone actually reviews, and the subdomain policy (sp=) set so child domains are covered too.
  • Advanced email security — sandboxing, URL rewriting, lookalike domain detection and AiTM-aware controls.
  • Patch and vulnerability management — close the windows attackers use once a phishing email succeeds.
  • Access controls and least privilege — limit blast radius if a single account is compromised.
  • Tested incident response — documented playbooks, a one-click reporting channel and rehearsed containment for credential compromise and BEC.

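The email-authentication control above comes down to a few questions a reviewer asks of the DNS records: is DMARC actually enforced, does anyone receive its reports, and does SPF end in a term receivers act on? The checker below is an added example, not code from the original page; it evaluates SPF and DMARC TXT records from two constructed zone snippets for a fictitious domain, the weak configuration many firms start with and the same domain after hardening. Fetch real records with your resolver and pass them in the same list-of-strings form.

```python
"""Evaluate a domain's SPF and DMARC TXT records for enforcement, not just presence.

Added example, not code from the original page. Both zone snippets are constructed
for a fictitious domain; pass real records to evaluate_domain() after fetching the
TXT values with your resolver.
"""
import re

WEAK_ZONE = {   # constructed: several senders, softfail, monitoring-only DMARC, no reports
    "example.co.uk": ["v=spf1 include:spf.protection.outlook.com include:_spf.google.com "
                      "include:mailgun.org a mx ~all"],
    "_dmarc.example.co.uk": ["v=DMARC1; p=none;"],
}
HARDENED_ZONE = {   # constructed: the same domain after enforcement
    "example.co.uk": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example.co.uk": ["v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                             "rua=mailto:dmarc-rua@example.co.uk; ruf=mailto:dmarc-ruf@example.co.uk; fo=1"],
}

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(txt_records):
    """Findings for the SPF records at a domain (an empty list means clean)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: receivers cannot tell forged envelope senders from real ones"]
    findings = []
    if len(spf) > 1:
        findings.append(f"{len(spf)} SPF records: RFC 7208 makes this a permerror, i.e. no SPF at all")
    terms = spf[0].split()[1:]
    # strip the qualifier and any argument: '+include:x' -> 'include', 'redirect=x' -> 'redirect'
    names = [re.sub(r"^[+\-~?]", "", t.lower()).split(":")[0].split("=")[0].split("/")[0]
             for t in terms]
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10: permerror at every receiver")
    if "ptr" in names:
        findings.append("ptr mechanism is deprecated and slow; replace it with ip4/ip6 or include")
    all_term = next((t.lower() for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("no 'all' term: unlisted senders evaluate to neutral")
    elif all_term in ("all", "+all"):
        findings.append("'+all' authorises every host on the internet to send as this domain")
    elif all_term == "?all":
        findings.append("'?all' is neutral: SPF never fails, so DMARC relies on DKIM alone")
    elif all_term == "~all":
        findings.append("'~all' softfail: only effective once DMARC is at quarantine or reject")
    return findings


def parse_dmarc(record):
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt_records):
    """Findings for the _dmarc TXT records (an empty list means enforced and monitored)."""
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: SPF and DKIM results are never enforced"]
    findings = []
    if len(dmarc) > 1:
        findings.append(f"{len(dmarc)} DMARC records: receivers discard all of them")
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"invalid or missing p= tag ({policy!r}): the record is ignored")
    elif policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is junked rather than rejected; "
                        "move to p=reject once aggregate reports are clean")
    if tags.get("sp", policy) == "none" and policy != "none":
        findings.append("sp=none: subdomains stay spoofable even though the apex is enforced")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: only that share of failing mail receives the policy")
    if "rua" not in tags:
        findings.append("no rua= address: nobody receives aggregate reports, so breakage goes unseen")
    return findings


def evaluate_domain(zone, domain):
    """Run both checks; 'enforced' answers the question the controls list asks."""
    dmarc_records = zone.get(f"_dmarc.{domain}", [])
    policy = parse_dmarc(dmarc_records[0]).get("p") if dmarc_records else None
    return {
        "spf": check_spf(zone.get(domain, [])),
        "dmarc": check_dmarc(dmarc_records),
        "enforced": len(dmarc_records) == 1 and policy in ("quarantine", "reject"),
    }


if __name__ == "__main__":
    for label, zone in (("weak", WEAK_ZONE), ("hardened", HARDENED_ZONE)):
        result = evaluate_domain(zone, "example.co.uk")
        print(f"{label}: DMARC enforced = {result['enforced']}")
        for finding in result["spf"] + result["dmarc"]:
            print(f"  - {finding}")
```

p=none is the right first step while you read the aggregate reports and find every legitimate sender, but it is also where most domains stall; the control above means p=quarantine or p=reject, with sp= set so subdomains are covered as well.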
How Secure Chain can help

A partner for phishing defence

Secure Chain Technology Group works with UK businesses to build measurable resilience against phishing — from end-user awareness through to email security hardening and incident response. Our services include:

  • Phishing awareness training programmes tailored to your sector and risk profile.
  • Simulated phishing campaigns with reporting, trend analysis and targeted remediation.
  • Email security hardening — Microsoft 365 and Google Workspace configuration, SPF, DKIM, DMARC and advanced threat protection.
  • Vulnerability Management as a Service (VMaaS) to close the technical gaps attackers exploit after a click.
  • Compliance support for Cyber Essentials, Cyber Essentials Plus, ISO 27001 and DSPT.
  • Incident response for Business Email Compromise, credential theft and ransomware.

Phishing awareness FAQ

What is phishing in simple terms?

Phishing is a type of cyber attack where criminals impersonate a trusted person, brand or service to trick someone into handing over information, credentials or money. It usually arrives by email, but also by text message (smishing), phone call (vishing) or fake website. The goal is to exploit human trust, not break technical defences.

How do phishing attacks work?

Attackers send a message that looks legitimate and creates urgency — a fake invoice, an HR notice, a delivery alert or a request from the CEO. The message either contains a malicious link to a fake login page, an attachment that installs malware, or instructions to transfer money or change bank details. Once the victim acts, the attacker harvests credentials, deploys ransomware or commits fraud.

How can employees identify phishing emails?

Look for unexpected senders, mismatched or misspelled domains, urgent or threatening language, requests for credentials or payment changes, generic greetings, and links that do not match the displayed text. If anything feels unusual, verify with the sender through a known channel — never reply to the suspicious message itself.

Why is phishing awareness training important?

Phishing is the most commonly reported attack against UK businesses and the usual first step in the credential-theft, BEC and ransomware incidents described above. Technical controls block most attempts, but the ones that get through rely entirely on a human decision. Regular, realistic training measurably reduces click rates and raises reporting rates, supports compliance with Cyber Essentials, ISO 27001 and UK GDPR, and is increasingly a condition of cyber insurance cover.

Can phishing bypass security systems?

Yes. Modern phishing uses AI-generated content, lookalike domains and compromised supplier accounts to get past spam filters and authentication checks, and AiTM proxies or MFA fatigue to defeat one-time codes and push approvals. No single control stops every phishing attempt, which is why awareness training, phishing-resistant MFA and layered email security are all needed.

How often should we run phishing simulations?

Run simulated phishing campaigns at least quarterly, with shorter targeted exercises for higher-risk roles such as finance, HR and executives. Pair each simulation with bite-sized training for anyone who clicks. Continuous, varied exercises outperform a single annual training session by a wide margin.

Is phishing training a Cyber Essentials requirement?

Cyber Essentials focuses on five technical controls, but UK GDPR, ISO 27001 and most cyber insurance providers expect documented, ongoing security awareness training. Phishing simulations are the most widely accepted way to evidence this and demonstrate measurable improvement to auditors and insurers.