Most successful cyber attacks on UK businesses do not begin with a genius hacker breaking through a firewall. They begin with an ordinary email, a convincing message, and one busy person clicking before they think. That is phishing, and it remains the single most common way organisations get breached precisely because it targets people, not technology. The good news is that the same human focus that makes phishing effective also makes it beatable: a workforce that knows what to look for is one of the strongest defences a business has. Here is how phishing works and how to train for it.
What phishing actually is
Phishing is a fraudulent message designed to trick someone into doing something harmful: clicking a malicious link, opening a booby-trapped attachment, entering a password into a fake login page, or paying a fake invoice. It usually arrives by email, but the same trick works by text message (smishing), by phone call (vishing), and increasingly through collaboration tools and social media. The medium varies; the goal is always to get a human to act against their own interest.
What makes it effective is impersonation plus pressure. The message pretends to be someone you trust (a supplier, a bank, a colleague, a well-known brand) and then manufactures urgency so you respond before you scrutinise. Your account will be closed, the invoice is overdue, the boss needs this paid now. The attacker is not really attacking your computer; they are attacking your attention, your habits and your willingness to be helpful under time pressure.
The flavours worth knowing by name
Not all phishing is the same, and a few variants do disproportionate damage. Bulk phishing is the spray-and-pray email sent to thousands hoping a few bite. Spear phishing is targeted: the attacker researches a specific person and tailors the message, which makes it far more convincing. Whaling aims at executives. And business email compromise (BEC) is the costly one for SMEs, where an attacker impersonates a director or supplier to redirect a real payment.
BEC deserves special attention because it often involves no malware at all, just a credible message asking finance to change bank details or pay an urgent invoice. There is nothing for antivirus to catch; the entire attack lives in the conversation. That is why the defences against phishing are as much about process (who can authorise a payment change, and how) as about technology, and why finance teams need specific awareness rather than generic advice.
- Bulk phishing - mass emails hoping a small fraction click
- Spear phishing - researched and tailored to a specific person
- Whaling - aimed at executives and senior staff
- Business email compromise - impersonating a director or supplier to redirect payments
The tells: what to teach people to notice
Good phishing training replaces a vague sense of "be careful" with a concrete set of checks. Teach people to slow down on any message that creates urgency or fear, to hover over a link and read the real destination before clicking, and to be suspicious of unexpected attachments. Teach them that a sender's display name is trivially faked, so the actual email address and the link domain matter far more than the name shown.
Above all, teach the rule that beats business email compromise: verify any request to move money or change payment details through a separate, known channel. If an email asks finance to change a supplier's bank account, someone phones the supplier on the number already on file, not the number in the email. None of these checks require technical skill; they require a culture where slowing down to verify is normal and never punished.
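The checks above, turned into a small triage script as an added example (not code from the original article): it reads one email, judges the sender by its address rather than its display name, compares each link's visible text with where it really points, and flags urgency and money language plus any attachment. The message, the domains and the trusted-domain set are all constructed for the example; the HTML link regex is deliberately simple.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real message): a BEC-style bank-details change
# request whose display name looks trusted but whose address and link are not.
SAMPLE_EML = """\
From: "Jane Smith, Finance Director" <jane.smith@examp1e-payments.invalid>
To: accounts@example.com
Subject: URGENT: updated bank details for today's supplier payment
Content-Type: text/html; charset="utf-8"

<p>Please action immediately, the payment must go out before 3pm.</p>
<p>Confirm via <a href="http://login.pay-portal.invalid/verify">portal.example.com</a>.</p>
"""

URGENCY = re.compile(r"\b(?:urgent|immediately|before \d+\s?(?:am|pm)|overdue|suspended)\b", re.I)
MONEY = re.compile(r"\b(?:bank details|payment|invoice|transfer|sort code)\b", re.I)
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)  # simple, not a full HTML parser
HOSTLIKE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?")

def host_of(s):
    """Last two labels of the host in an address, URL or bare hostname (a simplification)."""
    s = re.sub(r"^\w+://", "", s.split("@")[-1]).split("/")[0].lower()
    return ".".join(s.split(".")[-2:])

def phishing_tells(raw, trusted_domains):
    """Return the tells the article lists that are present in one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    tells = []
    if host_of(addr) not in trusted_domains:  # judge the address, never the display name
        tells.append(f"display name '{name}' but sender domain is {host_of(addr)}")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    for href, text in LINK.findall(body):  # what hovering over the link would reveal
        if HOSTLIKE.fullmatch(text.strip()) and host_of(text.strip()) != host_of(href):
            tells.append(f"link text shows {host_of(text.strip())} but points to {host_of(href)}")
    text = f"{msg['Subject']} {body}"
    if URGENCY.search(text):
        tells.append("urgency or fear language: slow down")
    if MONEY.search(text):
        tells.append("asks to move money or change payment details: verify through a known channel")
    for part in msg.iter_attachments():  # unexpected attachments are a tell too
        tells.append(f"unexpected attachment {part.get_filename()}")
    return tells
```

Run on the sample it returns four tells; on a plain internal notice from a trusted domain it returns none, which is the point of keeping the checks concrete.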
How to actually train staff (so it sticks)
One-off training does not work, because phishing evolves and human attention drifts. Effective programmes are short, regular and practical. Run brief refreshers through the year rather than a single annual lecture. Use realistic simulated phishing emails to give people safe practice at spotting the real thing, and treat a click as a coaching moment, not a disciplinary one, because punishment just teaches people to hide mistakes.
Reporting is the metric that matters most. The goal is not zero clicks, which is unrealistic; it is a workforce that reports suspicious messages quickly, because fast reporting lets you contain an attack that gets through. Make reporting a single obvious button, thank people for using it even when the message turns out to be genuine, and you build an early-warning system out of your whole team. This kind of structured programme is what security awareness training is for.
Backstop it with technology
Training is essential but it should never stand alone, because everyone has a bad day and some fakes are genuinely excellent. Layer technical controls underneath the human ones. Email filtering catches a large share of phishing before anyone sees it. Email authentication (SPF, DKIM and DMARC) makes it harder for attackers to impersonate your own domain. And multi-factor authentication means that even a phished password often does not grant access.
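The email authentication point above, as an added example that is not part of the original article: a small checker that flags the weak SPF and DMARC settings businesses commonly start with, shown next to the corrected records. The records are constructed for a hypothetical domain and nothing is looked up in DNS; DKIM is left out because its record lives under a selector name the checker cannot know in advance.

```python
import re

# Constructed DNS TXT records for a hypothetical domain (no real lookups are made).
# WEAK is a common starting point; CORRECTED is the hardened set.
WEAK = {
    "example.com": "v=spf1 include:_spf.mailhost.invalid ?all",
    "_dmarc.example.com": "v=DMARC1; p=none",
}
CORRECTED = {
    "example.com": "v=spf1 include:_spf.mailhost.invalid -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s",
}

def spf_findings(record):
    """Weaknesses in one SPF record (None means no record published)."""
    if record is None or not record.lower().startswith("v=spf1"):
        return ["no SPF record: receivers cannot tell authorised senders from spoofers"]
    found = []
    tail = record.split()[-1].lower()
    if tail in ("all", "+all", "?all"):
        found.append(f"'{tail}' permits any host to send as the domain")
    elif tail == "~all":
        found.append("'~all' only softfails spoofed mail; prefer '-all' once senders are confirmed")
    elif tail != "-all":
        found.append("no terminal 'all' mechanism, so unlisted hosts are not rejected")
    return found

def dmarc_findings(record):
    """Weaknesses in one DMARC record (None means no record published)."""
    if record is None or not record.lower().startswith("v=dmarc1"):
        return ["no DMARC record: SPF/DKIM results are never enforced against the From: domain"]
    tags = dict(re.findall(r"\s*(\w+)\s*=\s*([^;]*)", record))
    found = []
    policy = tags.get("p", "").strip().lower()
    if policy == "none":
        found.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        found.append(f"unrecognised or missing policy '{policy}'")
    if "rua" not in tags:
        found.append("no rua= address, so you get no aggregate reports of who is spoofing you")
    if tags.get("pct", "100").strip() != "100":
        found.append(f"pct={tags['pct'].strip()} applies the policy to only part of the mail")
    return found

def audit(records, domain):
    """Combine SPF and DMARC findings for a domain from a {name: txt} mapping."""
    return spf_findings(records.get(domain)) + dmarc_findings(records.get(f"_dmarc.{domain}"))
```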
Think of it as defence in depth: filters reduce what reaches people, training improves how people handle what gets through, MFA limits the damage when something still slips, and fast reporting plus a tested response plan contains the rest. No single layer is perfect, which is exactly why you use several. Phishing targets people, but a business that combines aware staff with the right email security makes that target very hard to hit.