How to protect against phishing: 7 tips for protecting your organisation

  • Guides

When people think of cyber security, they tend to think of hacking, but phishing is potentially a far greater threat. That’s because, rather than attempting to hack past security structures, phishers instead focus on a far easier target: tricking members of your organisation into letting them in. Find out more about phishing and how to protect your organisation from this kind of attack.

What is phishing?

Phishing is an attempt to trick someone into taking an action that makes it possible to steal sensitive information from them.

Phishing usually takes the form of an email that pretends to be from someone the recipient might trust. This email will encourage the user to share their information, such as directing them to enter their login details on a fraudulent webpage that looks like it belongs to a company the user trusts.

Phishing is just one tool amongst a cyber criminal’s “social engineering” toolkit, but the use of this tool is on the rise. Tricking one of your employees into divulging their login is easier than trying to hack into your customer database. This means that you need to take steps to protect against phishing attacks as part of your information security processes.

Phishing prevention best practices

This isn’t an exhaustive list of measures you can take to prevent your team falling foul of a phishing attack, and there’s no way to guarantee that a phishing attack won’t succeed. Nevertheless, these measures can greatly reduce the risk that a phisher can successfully gain access to the sensitive information held by your organisation.

Implement multi-factor authentication

Also known as two-factor authentication (2FA), this security feature adds an extra step to a login process by requiring the user to provide extra proof of their identity. This proof can take many forms, from providing a code sent to them via text message to inserting a physical security key into their device.

This extra layer of authentication means that a phishing attack that successfully gains access to an employee’s login details still can’t access your files unless they also have access to the second method of authentication.

Update devices regularly

Some phishing attacks make use of security flaws discovered in the software running on your device. Software developers issue regular updates to fix these flaws, so make sure that your organisation regularly updates its devices to keep them as protected as possible.

Of course, there is concern about maintaining compatibility with other software, so you might not want to install updates as soon as they are available. Part of your risk analyses will account for the risk to your business should a piece of software stop working versus the risk of security vulnerabilities. You may decide to examine the details of each update as they are made available and install them as and when it is appropriate.

Draw a clear line between personal and business devices

Some of your employees may access their work email on their personal devices. While this might seem convenient and cost-effective, a compromised personal device could help a phisher gain access to your organisation’s information.

It is best practice to issue employees with dedicated equipment for their work. If this is not practical, ensure that your employees are following your organisation’s information security processes even when using their personal devices. If they are not, you may need to consider restricting remote access while they are on such devices.

Don’t click links in emails

While most of us think of the foreign prince trying to move money out of his country when we think of phishing emails, the truth is that these kinds of attacks have become much more sophisticated. Many phishing emails are indistinguishable from the real thing, copying the design, layout, even the language used by a company in an attempt to get you to visit their fraudulent site.

The safest course of action is to avoid clicking links in any emails. Type the company’s URL into your Internet browser manually or finding for them via a search engine. If the message is legitimate, you will often be able to find the page by navigating to it via the website’s homepage.

Watch out for these warning signs

Most phishing attacks will attempt to elicit an emotional response that overrides your rational reaction. If you receive an unexpected email that you find alarming, frightening, or exciting, pause and look past the messages for these warning signs.

  • The message asks for personal information
  • Poor spelling or confusing language
  • Low-quality images or logos
  • Hovering over a link reveals a URL that doesn’t match the sender’s web address
  • The sending email address doesn’t match the company’s web address
  • The message doesn’t follow action you took (e.g. lottery win when you didn’t buy a ticket, order confirmation when you didn’t place an order, etc.)
  • The message is a threat (e.g. a recording was made of you, your bank account will be closed, etc.)

The most common phishing messages are:

  • A bill
  • Email delivery failure
  • Parcel delivery
  • Legal/law enforcement
  • Scanned document

Watch out too for order confirmations, requests or offers of money, etc. For some real-life examples, take a look at this interactive quiz from Google which can help you learn how to identify phishing attacks.

If you’re still not sure if the email is legitimate, visit the company’s website by searching for them (do not click any links in the email), and contact them directly. They’ll be able to confirm whether or not the message is the real thing.

Don’t put all your trust in HTTPS

Much has been made about looking for “https” in web addresses and the padlock icon to confirm the security of a website. But the presence of this security doesn’t rule out a phishing attack.

The presence of “https” in a web address means that the owner of the site has an SSL certificate, which in turn means that any information submitted on that page enjoys extra layers of security. But there’s nothing stopping phishers from getting an SSL certificate for their fraudulent website; your information will be transmitted securely, but it will still be transmitted to the phisher.

While you should never submit sensitive information to a website that doesn’t have HTTPS in its web address, you should also make sure you can trust the website itself. Take a close look at the URL for easy-to-miss differences ( instead of, for instance), and if in doubt, contact someone at the company.

Implement an Information Security Management System

These prevention techniques can help prevent a phishing attack on your organisation from being successful, but your approach to information security needs to suit your organisation; there may be measures in this article that aren’t appropriate to your organisation, or solutions that are unique to your organisation. This is why implementing an Information Security Management System (ISMS) is so beneficial.

An ISMS can help you identify the particular information security risks that your organisation is facing and establish clear, defined processes to help mitigate those risks. By following these processes, your employees are less likely to fall prey to a phishing attack and your information will be safer.

To find out more about how an ISMS can help your organisation, take this free online course about Information Security Management Systems.

profile image of Mark Nutburn
Written by Mark Nutburn

CTO - technology professional with over 20 years of IT experience building bespoke CRM systems and designing customised software solutions. A key part of the management team at The British Assessment Bureau for many years and a part of AMTIVO’s management team.