Email is still the number one way cyber criminals get into businesses. It's not because email itself is insecure. It's because people are busy, and a well-crafted phishing email can look almost identical to a genuine one. A moment of inattention, one quick click, and suddenly you're dealing with stolen credentials, ransomware, or a data breach. The good news is that a few simple habits can dramatically reduce the risk.
Why Phishing Emails Work So Well
Phishing emails are designed to exploit trust and urgency. They often look like they've come from Royal Mail, HMRC, your bank, a supplier, or even a colleague. The wording is usually crafted to make you act quickly: "Your account has been suspended", "Invoice overdue", "Click here to verify your details". Attackers know that if they can get you to react without thinking, they've won.
Once a malicious link is clicked or an infected attachment is opened, malware can install itself in seconds. Login details can be harvested, files encrypted, or backdoors opened for later access. The damage from a single phishing email can cost a UK business thousands of pounds in downtime, recovery, and reputational damage.
Step 1: Check the Sender Properly
Before you do anything else, look at the actual email address, not just the display name. It's easy to set a display name as "HMRC" or "Microsoft Support" while the email address behind it is something completely different. Watch for subtle tricks like swapped letters, extra characters or unusual domains. If the address doesn't look right, treat the email with suspicion.
Red Flags to Watch For
- Spelling mistakes or odd grammar in the email body
- Unexpected requests for payment or personal information
- Urgency or pressure to act immediately
- Generic greetings like "Dear Customer" instead of your name
- The sender's domain doesn't match the organisation they claim to be from
Step 2: Hover Over Links Before Clicking
One of the simplest and most effective checks is to hover your mouse over a link without clicking it. This shows the actual URL the link will take you to. If the destination doesn't match the sender or the context of the email, don't click it. Be especially wary of shortened URLs (like bit.ly links) as these hide the real destination. On a mobile device, you can press and hold on a link to preview the URL without opening it.
What a Safe Link Looks Like
- The domain matches the company (e.g. microsoft.com, not micr0soft-login.com)
- The URL uses HTTPS (though this alone doesn't guarantee safety)
- The link goes where you'd expect based on the email content
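A small script that applies the sender and link checks from Steps 1 and 2 to a raw message, added here as an illustration rather than anything from the original article. The brand list, the sample message and the digit-for-letter swap table are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample message (not real mail) showing the red flags described above.
SAMPLE = """From: "HMRC Online Services" <refunds@hmrc-gov-uk.example>

Dear Customer, your account has been suspended.
Verify your details: https://micr0soft-login.com/verify
Or use this link: https://bit.ly/abc123
"""
KNOWN_BRANDS = {"hmrc": "hmrc.gov.uk", "microsoft": "microsoft.com", "royal mail": "royalmail.com"}  # assumed genuine domains
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
TWO_LEVEL = {"co.uk", "gov.uk", "org.uk", "ac.uk"}  # suffixes where the registered name has three labels
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})  # digit-for-letter swaps

def registered_domain(host: str) -> str:
    """mail.example.co.uk -> example.co.uk; www.example.com -> example.com."""
    parts = host.lower().split(".")
    n = 3 if ".".join(parts[-2:]) in TWO_LEVEL else 2
    return ".".join(parts[-n:])

def brand_in(text: str):
    """First known brand named in text, after undoing swaps such as micr0soft."""
    t = text.lower().translate(LOOKALIKE).replace(" ", "")
    return next((b for b in KNOWN_BRANDS if b.replace(" ", "") in t), None)

def check_sender(from_header: str) -> list:
    """Step 1: does the address behind the display name belong to the brand it claims?"""
    name, addr = parseaddr(from_header)
    brand = brand_in(name)
    domain = registered_domain(addr.rpartition("@")[2]) if "@" in addr else ""
    if brand and domain != KNOWN_BRANDS[brand]:
        return [f"display name claims {brand!r} but address domain is {domain}"]
    return []

def check_links(body: str) -> list:
    """Step 2: the destination a hover would reveal, checked for shorteners and lookalikes."""
    flags = []
    for url in re.findall(r"""https?://[^\s<>"']+""", body):
        host = urlparse(url).hostname or ""
        dom, brand = registered_domain(host), brand_in(host)
        if dom in SHORTENERS:
            flags.append(f"shortened URL hides destination: {url}")
        if brand and dom != KNOWN_BRANDS[brand]:
            flags.append(f"lookalike domain {host} imitates {brand!r}")
    return flags

def analyse(raw: str) -> list:
    msg = message_from_string(raw)
    return check_sender(msg.get("From", "")) + check_links(msg.get_payload())
```

Running `analyse(SAMPLE)` returns three flags: the HMRC display name over a non-HMRC domain, the micr0soft lookalike, and the shortened bit.ly link.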
Step 3: Use VirusTotal to Check Links and Files
If you're unsure about a link or an attachment, there's a brilliant free tool called VirusTotal. It scans URLs and files against dozens of security engines simultaneously, giving you a clear picture of whether something is likely to be malicious.
To check a link: Copy the URL (without clicking it), paste it into VirusTotal, and hit search. It'll tell you within seconds if any security engines flag it as dangerous.
To check a file: Save the attachment without opening it, then upload it to VirusTotal for scanning. This is far safer than opening it and hoping for the best.
No tool is perfect, and a clean result doesn't guarantee something is 100% safe, especially if the threat is brand new. But it adds a valuable extra layer of confidence. If VirusTotal flags something, don't touch it.
Step 4: Keep Everything Up to Date
Many phishing attacks exploit known vulnerabilities in outdated software. Keeping your operating system, email client, browser, and antivirus up to date closes off these gaps. It's one of the simplest things you can do, yet it's surprising how many businesses fall behind on updates. Set them to install automatically wherever possible.
Step 5: When in Doubt, Verify Separately
If you receive an email that looks legitimate but feels slightly off, don't reply to it or click any links within it. Instead, contact the sender through a completely separate channel. Ring them on their known phone number, or navigate to their website directly by typing the address into your browser. This simple step catches the vast majority of phishing attempts.
Building Good Habits Across Your Team
These checks take seconds, but they can prevent incidents that cost thousands. The challenge is making sure everyone in your organisation follows them consistently, not just the IT-savvy people. That's where regular awareness training comes in.
We recommend running short, practical training sessions at least twice a year. Simulated phishing tests can be particularly effective. They give staff a safe way to practise spotting threats without any real risk. New starters should receive security awareness training as part of their induction, as research shows they're the most likely to fall for phishing attacks in their first few months.
Technical Defences That Help
Staff awareness is vital, but it shouldn't be your only line of defence. We recommend layering technical measures alongside good habits:
- Email filtering to catch known threats before they reach inboxes
- Multi-factor authentication to protect accounts even if credentials are compromised
- Endpoint protection that goes beyond basic antivirus
- DNS filtering to block access to known malicious websites
- Regular backups stored securely in UK data centres, so you can recover quickly if the worst happens
None of these measures is foolproof on its own, but together they create a much stronger defence. It's the same layered approach that the National Cyber Security Centre (NCSC) recommends for UK businesses.
Want to Protect Your Team From Phishing?
We help UK businesses set up proper email security, run phishing awareness training, and put the technical safeguards in place to reduce risk. Get in touch for a free chat about your current setup.