Phishing remains one of the most common and damaging cyber threats facing businesses today. In 2025, phishing campaigns have become more sophisticated, using AI-generated emails, realistic branding, and even voice and video (“vishing” and “deepfake phishing”). That makes it harder than ever to tell the difference between a genuine message and a scam.
For UK small and medium-sized businesses, this means that phishing is not just an annoyance: it is a critical risk to finances, data, and reputation. The good news is that there are practical steps you can take to protect your organisation.
What is Phishing?
Phishing is when a cybercriminal attempts to get malware and exploits into a network, and credentials and sensitive data out.
To do this a cybercriminal dresses up a malicious link to look legitimate, often appearing to come from a financial institution or a popular service such as the Post Office.
For business-specific scams the email will often look as though it comes from inside the company. These emails often have an urgent tone or include the name of a colleague to entice you to click without thinking. The content often suggests your account has been compromised, your order cannot be filled, or someone you trust is trying to send you a file.
Sound familiar?
Spotting phishing emails can be difficult, but there are ways to protect you, and your organisation, from them.
Here are five steps to help keep you secure:
1. Check the sender and delivery.
A genuine email from your company is more likely to reach recipients’ inboxes than to be filtered into spam. So, if you find something that looks to be from a colleague in the spam box, it’s best to check with the sender directly before you click any links or reply with sensitive information.
2. Keep systems updated.
Are you up to date? Many people are guilty of putting off updates, whether at home or at work. However, the first line of defence against attacks is the anti-malware software on your network or device. Updating it takes seconds and can be the difference between a phishing email slipping through or being filtered out.
3. Inspect links before clicking.
Check the URL of any embedded links. To do this just hover over the links in the email. But do not click on them. Does the destination URL match the site you would expect? Is anything going to be downloaded? Are they using a link shortening service? When in doubt use this method instead of immediately clicking.
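The three questions above (does the destination match what the link text suggests, will something be downloaded, is a shortener hiding the real address) can be applied mechanically to every link in an email before anyone hovers over it. The script below is an added example written for this article, not SupportWise's own tooling; the shortener list, the download extensions and the simple "registered domain" heuristic are assumptions for illustration, and the email body is constructed.

```python
"""Flag suspicious links in an HTML email body (added example, constructed input).

For each <a> tag it reports: a visible domain that differs from the real
destination, a destination that is a file download, a link-shortener host,
and a non-web scheme. Lists and heuristics below are assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of common link-shortener hosts; not exhaustive.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
# Assumed extensions that mean "a file will be downloaded", not a web page.
DOWNLOAD_EXTS = (".exe", ".zip", ".scr", ".js", ".iso", ".docm", ".xlsm")


def registered_domain(host: str) -> str:
    """Rough registered domain: last two labels, or three for .co.uk-style hosts."""
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and labels[-2] in {"co", "org", "ac", "gov"}
            and len(labels[-1]) == 2):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def assess_link(href: str, text: str) -> list:
    """Return a list of human-readable findings for one link (empty = nothing odd)."""
    findings = []
    dest = urlparse(href)
    host = dest.hostname or ""          # hostname handles the user@host trick
    if dest.scheme not in ("http", "https"):
        findings.append("non-web scheme")
    if host in SHORTENERS:
        findings.append("link shortener hides destination")
    if dest.path.lower().endswith(DOWNLOAD_EXTS):
        findings.append("destination is a file download")
    # If the visible text looks like a domain or URL, compare it with the real one.
    shown = urlparse(text if "://" in text else "https://" + text)
    shown_host = shown.hostname or ""
    if ("." in shown_host and " " not in text
            and registered_domain(shown_host) != registered_domain(host)):
        findings.append(f"text shows {shown_host} but goes to {host}")
    return findings


def scan_email_html(html: str) -> list:
    """Return [(href, text, findings), ...] for every link in the email body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, assess_link(href, text)) for href, text in parser.links]


# Constructed phishing-style email body; the hosts are invented for the example.
SAMPLE_EMAIL = """
<p>Your parcel could not be delivered.</p>
<a href="http://royalmail.com.parcel-update.example/track">www.royalmail.com</a>
<a href="https://bit.ly/CONSTRUCTED">Reschedule delivery</a>
<a href="https://files.example/invoice.zip">Download invoice</a>
<a href="https://www.supportwise.co.uk/contact">www.supportwise.co.uk</a>
"""

if __name__ == "__main__":
    for href, text, findings in scan_email_html(SAMPLE_EMAIL):
        status = "; ".join(findings) if findings else "looks consistent"
        print(f"{text!r} -> {href}: {status}")
```

The first link is the classic "real brand on the left, attacker's domain on the right" trick: the hostname starts with royalmail.com but is registered under parcel-update.example. The domain comparison is deliberately crude; a production checker would use a public suffix list rather than the three-label guess used here.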
4. Strengthen password practices.
A lot of business phishing content will be looking for an ‘in’ to your company systems and data. You can make that a lot harder by looking at your password practices.
- Don’t email passwords, or other such sensitive information, between colleagues. And make sure everyone is aware this isn’t the company norm. If passwords require sharing consider using a password manager, such as MYKI that allows for secure sharing.
- Further to this, some password managers can recognise real websites and will refuse to autofill on fake ones.
- A single sign-on method works similarly – the device recognises and signs into the real website automatically.
- Any damage an attacker causes will be proportionate to the privileges of the credentials they have compromised. Regularly review and revoke privileges when they’re no longer required, so employees only have access to what they need for their roles.
5. Train staff to recognise phishing.
There are workshops, courses and talks, as well as plenty of free educational material out there to help businesses train staff, or for an individual to teach themselves, to recognise phishing. When delivering training or holding discussions around cybersecurity ensure you:
- Make it clear that phishing can be difficult to spot. Do not expect people to be able to identify it 100% of the time. And never punish users who are struggling to recognise phishing emails: those who fear reprisals will not report mistakes promptly, if at all.
- Training should encourage reporting of future incidents and re-assure that it is OK to ask for further support when something looks suspicious. Messages should be inclusive of all departments including HR, support and senior management.
Remember:
If you’re suspicious at all, always forward the email on or contact your IT department / provider; they can take it from there. It’s better to take preventative action where possible.
What next?
If you are uncertain or have questions about cybersecurity, then speak with SupportWise. Why not give us a call, send us an email – wealwaysreply@supportwise.co.uk – or fill in the form on our contact page.
Frequently Asked Questions
Attackers now use AI to generate realistic emails, invoice scams, parcel delivery scams, and deepfake videos to impersonate executives.
Disconnect from the network, change your passwords immediately, and contact your IT support team so they can assess and contain any compromise.
Yes. Regular simulated phishing campaigns help train employees to recognise scams and provide valuable data on where extra awareness is needed.
Yes. Even if credentials are stolen, MFA provides an extra barrier, making it much harder for attackers to gain access.