
How to Prevent Phishing Attacks in Your Business

2026-05-12 · IPCONNEX

The FBI's 2023 Internet Crime Report logged $2.9 billion in losses from business email compromise (BEC) alone — a category of phishing that targets executives, finance staff, and anyone with authority to move money or approve vendor payments. That number doesn't include the ransomware attacks that started with a phishing email, the credential harvesting campaigns that led to data breaches, or the countless incidents that never got reported.

Phishing persists because it's cheap to execute and expensive to defend against at scale. You can patch a software vulnerability. You can't patch a person who receives a convincing email impersonating their CEO at 8:45 AM on a Monday.

What You're Actually Up Against

Spear phishing is targeted. The attacker knows your company, your org chart, and often your email format. The email arrives appearing to be from a known person — a supplier, a colleague, a bank contact — with context specific enough to seem legitimate. Generic mass phishing is easy to filter. Spear phishing is not.

Whaling targets C-suite executives. The premise is that a convincing email to a CEO or CFO has a much higher payout than a generic attack. These emails often spoof board members, auditors, or lawyers and request urgent wire transfers or sensitive document disclosures.

Smishing (SMS phishing) and vishing (voice phishing) have grown significantly as email filtering has improved. A text message from what appears to be a delivery service, a bank, or an IT department asking you to click a link or confirm credentials bypasses your email security stack entirely. AI-generated voice calls impersonating executives — using cloned voices from publicly available audio — are increasingly reported in BEC investigations.

The Technical Defenses

Email authentication: SPF, DKIM, DMARC. These three DNS records form the baseline of email sender verification. SPF defines which servers are authorized to send email on your domain's behalf. DKIM adds a cryptographic signature to each outbound message. DMARC tells receiving servers what to do when a message fails SPF or DKIM — quarantine it, reject it, or deliver it with a report. Without DMARC enforcement (policy set to reject or quarantine), attackers can send email that appears to come from your domain with no technical barrier.

Setting up DMARC correctly takes about an hour if your email infrastructure is straightforward. Getting it wrong can silently break your outbound email delivery. Start in monitoring mode (p=none) and review the aggregate reports before enforcing.
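The monitoring step above is where most DMARC rollouts stall, so here is an added example (not from the original post) that parses a DMARC TXT record, judges whether it is actually enforcing, and summarises a DMARC aggregate (rua) report per source IP so you can see which senders would be blocked by p=quarantine or p=reject. The record, the report and the IPs are constructed samples.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def parse_dmarc_record(txt):
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a {tag: value} dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def is_enforcing(tags):
    """True only when the policy actually blocks spoofed mail (quarantine/reject)."""
    return tags.get("v") == "DMARC1" and tags.get("p") in ("quarantine", "reject")

def summarize_aggregate_report(xml_text):
    """Per source IP, count messages that passed or failed DMARC evaluation."""
    summary = defaultdict(lambda: {"passed": 0, "failed": 0})
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        # DMARC passes when either aligned DKIM or aligned SPF passes
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        bucket = "passed" if passed else "failed"
        summary[row.findtext("source_ip")][bucket] += int(row.findtext("count"))
    return dict(summary)

def unauthenticated_sources(summary):
    """Sources that enforcement would quarantine or reject; review each before switching."""
    return sorted(ip for ip, counts in summary.items() if counts["failed"] > 0)

# Constructed samples for this added example: RFC 5737 documentation addresses, not real senders
SAMPLE_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; pct=100"
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>Receiver Inc</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

if __name__ == "__main__":
    tags = parse_dmarc_record(SAMPLE_RECORD)
    print("enforcing:", is_enforcing(tags))
    print("unauthenticated:", unauthenticated_sources(summarize_aggregate_report(SAMPLE_REPORT)))
```

A failing source is either a spoofer or a legitimate third-party sender (a CRM, a ticketing tool) that is missing from SPF or not signing with DKIM; identify which before you flip the policy.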

Email filtering beyond the default. Microsoft Defender for Office 365 Plan 1 (~$2/user/month, often included in Microsoft 365 Business Premium) adds link-time scanning — URLs in emails are checked at the moment you click them, not just at delivery. Proofpoint and Mimecast offer similar sandboxing and impersonation protection at higher price points. For most SMBs, Defender Plan 1 is sufficient.

Multi-factor authentication. MFA won't stop a phishing email from landing, but it stops the attacker from using credentials that were stolen by one. If an employee enters their password into a fake login page, MFA means the attacker still can't access the account without the second factor. Hardware security keys (YubiKey, for example) are phishing-resistant in a way that TOTP codes and SMS are not — a key will refuse to authenticate against a domain it wasn't registered to. For high-value accounts (executives, finance, IT administrators), hardware keys are worth the $50-70 per user cost.

Conditional access policies. In Microsoft 365, conditional access lets you require MFA from any unrecognized device or location before allowing email or SharePoint access. Combined with Intune device compliance, you can block access entirely from devices that aren't enrolled and managed. This dramatically shrinks the attack surface if credentials are compromised.

Training That Actually Works

Annual security awareness training doesn't work. A one-hour video once a year doesn't change behavior in the moment — and phishing attacks land every day, not once a year.

What works is simulated phishing campaigns run monthly or quarterly. Send your team fake phishing emails that mimic current attack patterns. When someone clicks, they see an immediate training message — not punitive, educational. Track click rates over time. Most organizations see a significant drop in click rates after three to four simulated campaigns.

Services like KnowBe4, Proofpoint Security Awareness, and Microsoft Attack Simulator (included in Microsoft 365 Defender Plan 2) automate this. The goal is building reflexes — people who pause and verify before clicking, rather than people who know phishing is bad in the abstract.

Train specifically on: recognizing sender spoofing (the display name can say anything — always check the actual email address), hover-before-clicking on links, and the pattern of "urgency + unusual request" that defines most social engineering attacks. A message that asks you to act immediately, bypass normal processes, or keep something confidential is a red flag regardless of who it appears to be from.

When Someone Clicks Anyway

Someone will click. Plan for it.

The response window matters. The faster an IT team is notified that credentials may be compromised, the faster they can reset passwords, revoke active sessions, and audit what the attacker may have accessed. A reporting culture — where clicking a bad link is something you report immediately rather than hide in embarrassment — dramatically reduces damage.

Have an incident response checklist ready before you need it. Minimum: how to isolate an affected device, how to reset credentials across all systems, how to check email forwarding rules (attackers commonly set up silent forwarding rules after gaining access), and whom to notify (IT, management, affected vendors or clients, potentially law enforcement or cyber insurance).

Check for email forwarding rules immediately after any suspected credential compromise. It's one of the first things attackers configure and one of the last things businesses think to look for.
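As an added example that is not part of the original post, the audit below flags the silent-forwarding pattern in a set of exported inbox rules: forwarding or redirecting to an address outside the organisation, combined with deleting, moving or marking-as-read to hide the copies. The rule shape is modelled on the Microsoft Graph messageRule object (displayName, isEnabled, actions); INTERNAL_DOMAINS and the sample rules are constructed assumptions.

```python
INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains

def _addresses(actions, key):
    """Pull plain addresses out of a Graph-style recipient list under actions[key]."""
    return [r["emailAddress"]["address"].lower() for r in actions.get(key, [])]

def external_targets(rule, internal=INTERNAL_DOMAINS):
    """Addresses outside the organisation that the rule forwards or redirects to."""
    actions = rule.get("actions", {})
    targets = []
    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        targets += _addresses(actions, key)
    return [t for t in targets if t.rsplit("@", 1)[-1] not in internal]

def audit_rule(rule, internal=INTERNAL_DOMAINS):
    """Findings for one rule; an empty list means nothing suspicious was seen."""
    if not rule.get("isEnabled", True):
        return []
    actions = rule.get("actions", {})
    findings = []
    external = external_targets(rule, internal)
    if external:
        findings.append("forwards or redirects to external address: " + ", ".join(external))
        # The silent-forwarding pattern: copy the mail out, then hide the evidence
        if actions.get("delete") or actions.get("permanentDelete"):
            findings.append("deletes the message after forwarding")
        if actions.get("moveToFolder"):
            findings.append("moves the message out of the Inbox")
        if actions.get("markAsRead"):
            findings.append("marks the message as read")
    if len(rule.get("displayName", "").strip()) <= 2:
        findings.append("near-empty rule name")
    return findings

def audit_mailbox(rules, internal=INTERNAL_DOMAINS):
    """Map rule name -> findings, keeping only rules that produced findings."""
    results = ((r.get("displayName", ""), audit_rule(r, internal)) for r in rules)
    return {name: findings for name, findings in results if findings}

# Constructed sample export for this added example (not real mailbox data)
SAMPLE_RULES = [
    {"displayName": "Copy invoices to AP", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"address": "ap@example.com"}}]}},
    {"displayName": ".", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"address": "drop@mail.example.net"}}],
                 "delete": True, "markAsRead": True}},
    {"displayName": "Newsletters", "isEnabled": True,
     "actions": {"moveToFolder": "AAMkNewslettersFolderId"}},
]
```

Mailbox-level forwarding (ForwardingSmtpAddress on the Exchange mailbox) is configured outside inbox rules and needs its own check.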

The Realistic Standard

No technical control eliminates phishing risk entirely. The goal is layered defense: email authentication stops domain spoofing, filtering catches known malicious links and attachments, MFA limits the damage from stolen credentials, trained staff catches what the technical stack misses, and a clear incident response process handles what gets through.

Each layer reduces your exposure. Together, they make your business a harder target than the one that hasn't done any of this — which, for most attackers, is enough reason to move on.