Phishing remains among the most common cyberattacks used by threat actors. Most businesses have seen it in action: emails requesting an ‘urgent task’ be completed or an ‘overdue payment’ made, sometimes even imitating a CEO or senior exec. In fact, the UK Government’s 2025 Cyber Security Breaches Survey found that, of businesses or charities that had experienced a breach or attack in the last 12 months, 85% of businesses and 86% of charities had experienced phishing attacks.
In this blog, we dive into the murky world of phishing: what it is, how to identify potential phishing attempts, and how organisations can protect themselves against it.
Common Phishing Attacks Targeting Businesses
Email Phishing
In email phishing attacks, threat actors send their targets scam emails, often pretending to be well-known companies or suppliers. The aim? To trick victims into visiting a fraudulent website, opening an attachment containing a virus or malware, or sharing sensitive information like bank details or corporate account passwords.
Examples to look out for include:
- Unexpected invoices
- Emails from unknown senders with attachments
- Unusual activity alerts with links to external websites.
Spear Phishing
Spear phishing is a more targeted approach to email phishing, using easily available information about a business, such as employee names, to impersonate internal communications and trusted sources. It’s vital to verify the identity of the sender through a different method of communication, such as Teams or via a phone call with a verified phone number.
Examples to look out for include:
- Unexpected ‘urgent’ emails purporting to be from your HR or IT departments
- Unusual requests, supposedly from someone within your company.
Business Email Compromise
Business email compromise (BEC) attacks are another targeted and sinister approach to phishing, sometimes using spoof email addresses or even compromising actual employee email accounts to carry out an attack. They’ll often target trusted individuals or budget holders, attempting to trick them into making fraudulent financial transactions or revealing sensitive information. Criminals may even compromise a supplier or vendor, sending invoices that appear to be legitimate. BEC is so prevalent that the FBI claimed that BEC attacks cost US and global organisations nearly $55.5 billion between October 2013 and December 2023.
Examples of BEC attempts include:
- CEO fraud: ‘Urgent’ emails, supposedly from a senior executive’s email address, but actually controlled by the threat actor
- Invoice scams: Fake or altered invoices that redirect payments to an attacker’s account
- Third-party fraud: Unexpected invoices or requests to change bank details from your existing suppliers, indicating potential compromise.
Clone Phishing
Attackers using clone phishing will take a real email and copy it near-identically, re-sending it to the intended victim with a new, malicious attachment or link. Threat actors often send these from fake email addresses spelled similarly to the address they’re impersonating; however, they may also use sophisticated email spoofing to make it appear as though the email was sent by the legitimate sender.
Examples to look out for include:
- Duplicate emails, particularly those with new or altered links.
How to Identify Phishing Emails
While tackling phishing can seem like an overwhelming task, there are multiple ways to identify phishing emails.
Mismatched email domains: Is the email domain the same as that of the business the sender claims to represent? E.g. an official email address from ISMS.online would be firstname.lastname@ISMS.online, support@isms.online, etc.
Urgent calls to action: Emails pushing for urgent or immediate action could be potential phishing attempts; a false sense of urgency is intended to panic the recipient. Consider contacting the sender via official means e.g. by looking up the phone number on a company’s official website.
Spelling and grammar: Spelling and grammar mistakes could indicate a phishing attempt, as many businesses have spell-checking tools in their email software.
Links: By hovering your mouse over a link, you can view the URL the link will direct you to. In phishing emails, this is often different from the text displayed in the email.
Requests to send personal or financial information: Login credentials, payment information and other sensitive data should not be shared over email. Similarly, if an email contains a link to an external website for inputting that information, be sure to verify that the website is legitimate.
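The indicators above (mismatched sender domain, urgency, link text that differs from the real destination, and requests for credentials) can be checked mechanically before a message ever reaches a reader. The script below is an added example written for this post, not tooling from ISMS.online; it runs the checks over a constructed sample message. The look-alike domains `isms-online-support.example` and `isms-online-billing.example` and the recipient `victim.example` are made up for illustration, and the `KNOWN_SENDERS` table is an assumed configuration mapping a display name to the domains that may legitimately use it.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed configuration: display names we trust and the domains allowed to use them.
KNOWN_SENDERS = {"isms.online support": {"isms.online"}}
URGENCY_TERMS = ("urgent", "immediately", "overdue", "action required")
SENSITIVE_TERMS = ("login credentials", "password", "bank details", "card number")

# Constructed sample: look-alike sender domain, mismatched Reply-To, urgent wording,
# a link whose visible text differs from its real target, and a credential request.
SAMPLE_EMAIL = """\
From: "ISMS.online Support" <support@isms-online-support.example>
Reply-To: payments@isms-online-billing.example
To: finance@victim.example
Subject: URGENT: overdue payment - action required
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your payment is overdue. Please settle it immediately using the link below:</p>
<p><a href="http://isms-online-support.example/pay">https://isms.online/billing</a></p>
<p>Also enter your login credentials to confirm your identity.</p>
</body></html>
"""

# Constructed benign message from the legitimate domain; should produce no findings.
BENIGN_EMAIL = """\
From: "ISMS.online Support" <support@isms.online>
To: finance@victim.example
Subject: Your monthly report is ready
Content-Type: text/plain; charset=utf-8

Hi, your monthly report is now available in the portal. Regards, Support.
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; accepts bare 'www.example' style text too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def message_body(msg):
    """Concatenate the decoded text/* parts of a message (multipart or single)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type().startswith("text/"):
            raw = part.get_payload(decode=True)
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_email(raw):
    """Return a list of 'kind: detail' findings for the indicators discussed above."""
    msg = message_from_string(raw)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    allowed = KNOWN_SENDERS.get(display_name.strip().lower())
    if allowed is not None and from_domain not in allowed:
        findings.append(f"mismatched-domain: '{display_name}' sent from {from_domain}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(f"reply-to-mismatch: replies go to {reply_to}")
    body = message_body(msg)
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        findings.append(f"urgency: {', '.join(hits)}")
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, label in extractor.links:
        # Visible text that looks like a URL but resolves to a different host.
        if re.match(r"^(https?://|www\.)", label, re.I) and host_of(label) != host_of(href):
            findings.append(f"link-mismatch: shows {host_of(label)} but points to {host_of(href)}")
    hits = [t for t in SENSITIVE_TERMS if t in text]
    if hits:
        findings.append(f"sensitive-request: {', '.join(hits)}")
    return findings


if __name__ == "__main__":
    for name, mail in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, check_email(mail) or "no findings")
```

None of these checks proves a message is malicious on its own; the script is a triage aid, and a hit on `mismatched-domain` or `link-mismatch` is the cue to verify the sender out of band, as the post recommends, rather than to act on the email.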
Protecting Your Organisation Against Phishing Attacks with ISO 27001
Establishing cybersecurity best practices, such as those outlined in the information security standard ISO 27001, enables your business to reduce risk, bolster security and limit the impact of phishing attacks.
Employee Training and Awareness
Your employees are your first line of defence when it comes to cybersecurity. Implementing a cybersecurity training and awareness programme can empower your team to identify and report potential phishing attempts, as well as other cyberattacks.
Your training and awareness programme should also outline processes that must be followed, such as the process employees should follow to report suspected phishing attempts. Training your staff to recognise signs of a phishing attack and ensuring your business has stringent reporting and response processes forms part of a robust security posture.
Access Control
Limit employees’ rights and privileges on a ‘least privilege’ basis. For example, limit a typical user’s access to only the resources needed for them to do their job. This helps to reduce the impact of a phishing attempt on your organisation should an account be compromised.
Additionally, requiring controls such as multi-factor authentication on staff accounts can provide a key defence against unauthorised access and compromised credentials.
Incident Response
ISO 27001-compliant businesses must establish processes for incident response. This includes evidence collection, information security forensics analysis, escalation with customers and relevant supervisory authorities, incident response activity logging, internal incident communication, incident resolution, and post-incident analysis. Effective response to incidents helps to ensure faster resolution and mitigate the impact of successful attacks.
Secure Configuration
The standard requires businesses to build security into their operations from the outset, rather than as an afterthought. This approach reduces potential entry points for threat actors, for example via insecure email gateway solutions.
Third-Party Supplier Management
Our State of Information Security Report 2024 revealed that nearly four in five (79%) respondents had been impacted by a cyber or information security incident caused by a third-party vendor or supply chain partner. Taking a risk-based approach to supplier relationships can help limit the impact of such incidents.
For example, your business may choose to strongly prefer working with suppliers with ISO 27001 certification, limit supplier access to information based on information classification levels, and track supplier risk if onboarding a supplier has potential to affect the confidentiality, integrity and availability of your organisation’s information or processes.
Final Thought
Phishing is a pervasive form of cyberattack; luckily for organisations, many of the signs are easy to spot. Ongoing employee education, implementing security best practices, and taking a robust approach to information security can reduce the likelihood – and impact – of successful phishing attacks and data breaches.
As cyber threats continue to evolve, proactive businesses that implement a multi-layered approach to information security and empower employees to act as their first and most important line of defence will undoubtedly reap the benefits.