Protect your business online

Protect your business against phishing

Guidance

Phishing is one of the most common types of cyber crime in the UK. It targets businesses regardless of their size or sector.

What is phishing?

Phishing is a cyber attack that often starts with email. Criminals send fake messages that try to get people to:

  • provide sensitive information, such as passwords and bank details
  • send money to individuals or organisations
  • download malware onto a device

These emails often contain malicious attachments or link to fake websites designed to steal data.

Phishing can also happen by:

  • phone, known as vishing
  • text message, known as smishing
  • social media

Social media phishing usually involves:

  • fake social media accounts that impersonate known or trusted people
  • fake customer support accounts to impersonate brands
  • click-bait posts that include malicious links
  • fake surveys, promotions or contests to get personal information

See Get Safe Online tips to help you avoid social media phishing.

Targeted phishing attacks

Phishing emails are not always random. Standard phishing uses mass emails sent to many people indiscriminately, often with generic content to catch a few victims. However, some phishing attacks - like spear phishing and whale phishing - can target specific people or organisations by creating convincing, personalised messages. 

Spear phishing

These emails pretend to come from a trusted or familiar source, like a colleague or a supplier. Attackers research their target to make messages look legitimate. This method is known as social engineering - it increases the chances of tricking the target into sharing sensitive information or clicking harmful links.

Whale phishing (also known as whaling)

These emails use the same personalised tricks but target high-profile individuals, such as celebrities, politicians or C-level executives. Attackers use highly personalised emails that mimic trusted contacts, often referencing private details gathered from social media or public records to build credibility.

Evolving threats: AI and Deepfakes

Attackers now use artificial intelligence (AI) to make phishing more convincing. AI tools create:

  • highly personalised emails or messages that mimic real colleagues or suppliers
  • deepfake videos or audio impersonating executives (eg a fake video call from your CEO requesting urgent payment)

Deepfakes use AI to swap faces or voices, making scams harder to spot. Look for unnatural eye movements, inconsistent lighting, lip-sync issues, or robotic voice tones in video/audio calls. If in doubt, test with simple questions only the real person would know.

While not yet common against small businesses, cheap AI tools mean these threats are likely to grow. It is important to train staff to verify unusual requests (eg for payment or data sharing) using a separate channel - for example, a known phone number or an in-person check, rather than replying to the message or using the contact details it provides.

Read the National Cyber Security Centre’s (NCSC) blog to find out more about targeted forms of phishing.

How to spot fake websites

Fraudulent websites can be difficult to identify. They often copy real brands, banks, government services, email providers, IT service providers, online marketplaces, money transfer websites and social networks. Once you enter information into a fake site, criminals can steal it and use it to commit identity or financial fraud.

Common warning signs that you are on a fake website include:

  • a different URL address from the one you expected or clicked on
  • urgent language or pressure to act quickly
  • requests for personal or financial information, such as account or social security numbers
  • spelling errors, unusual navigation or poor design
  • suspicious ads or pop-ups
  • a mix of legitimate links with fake links
  • incorrect company name
  • missing or fake contact details

Keep in mind that an HTTPS site (where the padlock symbol next to the URL address indicates an encrypted connection) can also be malicious: the padlock only shows that traffic to the site is encrypted, not that the site is run by who it claims to be.

How to prevent phishing

Treat all unexpected messages with caution. Especially watch out for:

  • Generic greetings like 'Dear Sir/Madam' or 'Dear customer'. Legitimate companies and individuals will generally call you by your name, eg 'Dear [FIRST NAME]'.
  • Mismatched sender addresses or links to web pages. Make sure that they match legitimate sources, including when you hover your cursor above them.
  • Unsolicited emails carrying attachments or directing you to download documents or files from unknown websites. A good email filter will block many of these types of messages.
  • Emails that appear to come from a bank or similar institution, and request sensitive information. If in doubt, contact your bank directly using trusted contact details and do not use the contact details or links provided in the email.
  • Emails demanding urgent action or making offers that are too good to be true.

If in doubt, avoid clicking links in emails. Instead, contact the sender using known details from their official website or a trusted phone number - never use details from the email itself. Use email filters to block many threats automatically.
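The checks in the list above (a Reply-To address that does not match the sender, a generic greeting, and link text that shows one address while the link goes somewhere else) can be run automatically over an incoming message. The script below is an added example written for this page; it is not code from the guidance page or from the NCSC. It assumes a small allow-list of hosts the business expects a given supplier to link to (`trusted_hosts`, a hypothetical parameter), compares hostnames exactly rather than using the public suffix list, and runs on two constructed sample messages, one suspicious and one clean.

```python
"""Flag common phishing warning signs in an HTML e-mail (added example, not from the page)."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: Reply-To on a different domain, generic greeting, and a
# link whose visible text shows the supplier's site while the href goes elsewhere.
SUSPICIOUS_EMAIL = """\
From: Accounts <accounts@example-supplier.com>
Reply-To: accounts@example-supplier-payments.net
Subject: Urgent: updated bank details
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer,</p>
<p>Please review your invoice at
<a href="http://example-supplier.com.invoice-portal.example/login">https://example-supplier.com/invoices</a>
before end of day.</p>
<p>Our terms: <a href="https://example-supplier.com/terms">terms</a></p>
</body></html>
"""

# Constructed sample of a message that raises none of the warning signs.
CLEAN_EMAIL = """\
From: Accounts <accounts@example-supplier.com>
Subject: Invoice 1042
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Alex,</p>
<p>Invoice 1042 is at <a href="https://www.example-supplier.com/invoices/1042">our portal</a>.</p>
</body></html>
"""

GENERIC_GREETINGS = ("dear customer", "dear sir/madam", "dear sir or madam")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a>, plus all visible body text."""

    def __init__(self):
        super().__init__()
        self.links = []        # list of (href, anchor text)
        self.text_parts = []   # all text nodes, for the greeting check
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def _host(url):
    """Lower-case hostname of a URL with any leading 'www.' removed ('' if none)."""
    if "://" not in url:
        url = "http://" + url  # bare 'example.com/path' shown as link text
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _looks_like_url(text):
    """True if anchor text is itself presented as a web address."""
    return text.startswith(("http://", "https://")) or (
        "." in text and " " not in text and "@" not in text)


def _domain(header_value):
    """Domain part of an address header such as 'Name <user@host>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def check_message(raw, trusted_hosts=()):
    """Return a list of (warning sign, detail) tuples found in one raw message."""
    msg = message_from_string(raw)
    findings = []

    # 1. Reply-To pointing at a different domain from the visible sender.
    from_dom, reply_dom = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to mismatch", f"From {from_dom}, Reply-To {reply_dom}"))

    collector = _LinkCollector()
    collector.feed(msg.get_payload())

    # 2. Generic greeting instead of the recipient's name.
    body_text = " ".join(collector.text_parts).lower()
    for greeting in GENERIC_GREETINGS:
        if greeting in body_text:
            findings.append(("generic greeting", greeting))
            break

    # 3. Link text that shows one host while the href goes to another, and
    #    links to hosts outside the allow-list (exact or subdomain match only).
    for href, text in collector.links:
        href_host = _host(href)
        if _looks_like_url(text) and _host(text) != href_host:
            findings.append(("link text/target mismatch", f"shows {_host(text)}, goes to {href_host}"))
        if trusted_hosts and not any(href_host == t or href_host.endswith("." + t) for t in trusted_hosts):
            findings.append(("link to unexpected host", href_host))
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, check_message(raw, trusted_hosts=("example-supplier.com",)))
```

The hostname comparison is deliberately strict: `example-supplier.com.invoice-portal.example` is flagged even though it begins with the supplier's name, which is exactly the trick the "different URL address from the one you expected" warning sign describes. A production filter would add the public suffix list and lookalike-character checks on top of this.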

Read the NCSC's guidance on phishing and how to defend against it.

Report suspicious messages

Train your staff to recognise scams and act appropriately. If they receive a suspicious email, they can report it to the NCSC Suspicious Email Reporting Service: report@phishing.gov.uk. If you need help training your staff, use the NCSC's Top Tips for Staff tool.