Help Guide: Phishing and Email Scams, How to Spot Them and What to Do


Phishing emails are the number one way criminals attack small businesses. This guide shows you how to spot fake emails, what to do if you've clicked something suspicious, and how to protect your business from increasingly sophisticated scams.

Written by the CTC Editorial Team

What Is Phishing?

The Basics

Phishing is when criminals send fake messages pretending to be someone you trust—your bank, a supplier, Microsoft, the tax office—to trick you into:

  • Clicking malicious links (downloads malware or leads to fake websites)
  • Entering login credentials (on fake login pages that steal them)
  • Transferring money (to criminal accounts)
  • Sharing sensitive information (that enables further fraud)

Why It Works

Phishing exploits:

  • Trust (looks like it's from someone legitimate)
  • Urgency (act now or something bad happens)
  • Authority (from your boss, bank, government)
  • Curiosity (unexpected attachment, intriguing subject)
  • Fear (account suspended, legal action threatened)

81% of organisations experienced phishing attacks in 2024. It's the primary method criminals use to attack businesses.

Types of Phishing

Mass Phishing

Generic emails sent to millions of people.

Example: 'Your Amazon account has been suspended. Click here to verify your identity.'

Characteristics:

  • Generic greeting ('Dear Customer')
  • Sent to many people
  • Often poor quality (spelling errors, odd formatting)
  • Easy to spot if you're careful

Spear Phishing

Targeted emails using personal information to seem legitimate.

Example: 'Hi John, following our meeting yesterday, please review the attached proposal.'

Characteristics:

  • Uses your name
  • References real things (your company, colleagues, recent events)
  • Much harder to spot
  • Usually researched from LinkedIn, company website, etc.

Business Email Compromise (BEC)

Criminals impersonate executives or suppliers to request payments.

Example: 'This is [CEO name]. I need you to urgently process a wire transfer. I'm in a meeting so call my mobile if you have questions.'

Characteristics:

  • Appears to come from someone senior
  • Requests urgent payment or sensitive action
  • Often uses real executive names
  • May come from compromised real accounts

This is how businesses lose serious money—often £10,000s in a single attack.

Smishing (SMS Phishing)

Phishing via text message.

Example: 'HMRC: You are owed a tax refund of £847.50. Claim here: [link]'

Characteristics:

  • Appears to come from legitimate sender
  • Links to fake websites
  • Often exploits delivery notifications, bank alerts, government messages

Vishing (Voice Phishing)

Phishing via phone calls.

Example: 'This is Microsoft technical support. Your computer has been sending error reports and may be infected.'

Characteristics:

  • Claims to be from trusted organisation
  • Creates urgency or fear
  • Requests remote access, payment, or information
  • Caller ID can be spoofed to show legitimate numbers

How to Spot Phishing Emails

Red Flags

1. Sender Address Doesn't Match

The email claims to be from 'Barclays', but the sender is: noreply@barclays-security-alert.com

Check the actual email address, not just the display name. Hover over or click to see the real address.

Real: support@barclays.co.uk

Fake: support@barc1ays.co.uk (note the '1' instead of 'l')

2. Generic Greeting

'Dear Customer', 'Dear User', 'Dear Account Holder'

Legitimate companies usually know your name.

3. Urgency and Threats

'Act within 24 hours or your account will be suspended'

'Immediate action required'

'Your account has been compromised'

Scammers create urgency to stop you from thinking carefully.

4. Suspicious Links

Hover over links (don't click) to see where they really go.

Display text: www.paypal.com/verify

Actual link: www.paypa1-secure.com/steal-your-details

5. Unexpected Attachments

Invoices you weren't expecting, documents from unknown senders, anything urging you to 'enable macros'.

6. Requests for Sensitive Information

Legitimate organisations don't ask for passwords, full card numbers, or PINs via email.

7. Poor Spelling and Grammar

Though sophisticated attacks are well-written, many phishing emails have obvious errors.

8. Too Good to Be True

Tax refunds, lottery wins, inheritance from unknown relatives—if it sounds too good, it is.
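As an added illustration (not code from this guide), the following Python checker applies red flags 1 to 4 above to a raw email: a lookalike sender domain, a generic greeting, urgency wording, and link text that points somewhere else. The trusted-domain list and the sample message are constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the red flags above; not a real email.
SAMPLE_EML = """\
From: Barclays Support <support@barc1ays.co.uk>
To: john@example.co.uk
Subject: Immediate action required
Content-Type: text/html

<p>Dear Customer, act within 24 hours or your account will be suspended.</p>
<a href="http://www.paypa1-secure.com/verify">www.paypal.com/verify</a>
"""
TRUSTED = {"barclays.co.uk", "paypal.com"}  # hypothetical allow-list of real domains
DIGIT_SWAPS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})  # '1' for 'l' etc.
ANCHOR = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)  # simple <a> extraction

def host(url):
    """Hostname of a URL or of bare display text like 'www.x.com/path'."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def lookalike(domain):
    """Trusted domain this one imitates once digits are read as letters, else None."""
    folded = domain.translate(DIGIT_SWAPS)
    return next((t for t in TRUSTED if folded == t and domain != t), None)

def red_flags(raw):
    """Return the red flags (1 to 4 above) found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    flags = []
    if lookalike(domain):  # red flag 1: sender address does not match
        flags.append(f"sender domain {domain} imitates {lookalike(domain)}")
    if re.search(r"dear (customer|user|account holder)", body, re.I):
        flags.append("generic greeting")  # red flag 2
    if re.search(r"immediate action|within 24 hours|suspended", str(msg.get("Subject", "")) + body, re.I):
        flags.append("urgency or threat")  # red flag 3
    for href, text in ANCHOR.findall(body):  # red flag 4: display text vs real target
        text = re.sub(r"<[^>]+>", "", text).strip()
        if "." in text and host(text) != host(href):
            flags.append(f"link shows {host(text)} but goes to {host(href)}")
    return flags

if __name__ == "__main__":
    for flag in red_flags(SAMPLE_EML):
        print("RED FLAG:", flag)
```

The checks are deliberately simple pattern matches; a mail gateway does the same kind of work with far larger lists, which is why the guide still asks you to verify through another channel when in doubt.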

When It's Harder to Spot

Well-crafted phishing may:

  • Use your real name
  • Reference real recent transactions
  • Come from a compromised real account
  • Have perfect spelling and formatting
  • Use legitimate-looking domains

When in doubt:

  • Don't click links—go directly to the website
  • Don't call numbers in the email—look up the real number
  • Verify with the supposed sender through a different channel

What to Do If You Receive a Suspicious Email

Don't

  • Click any links
  • Open any attachments
  • Reply to the email
  • Call numbers provided in the email
  • Forward to colleagues (spreads the risk)

Do

1. Verify through another channel

If it claims to be from your bank:

  • Go directly to your bank's website (type the address, don't click)
  • Call the number on your card or statement
  • Check your account directly

2. Report it

  • Forward to report@phishing.gov.uk (UK National Cyber Security Centre)
  • Forward to the organisation being impersonated (most have dedicated addresses)
  • Report to your IT department/provider

3. Delete it

Once reported, delete the email.

What to Do If You Clicked/Responded

If You Clicked a Link

Immediately:

1. Disconnect from the internet (prevents malware from communicating)

2. Run antivirus scan

3. Monitor for unusual computer behaviour

If you entered any credentials:

1. Change that password immediately (from a different device)

2. Change it anywhere else you used the same password

3. Enable two-factor authentication

4. Monitor for suspicious account activity

If You Entered Login Details

Urgently:

1. Change the password NOW (from a different device/network)

2. Check for unauthorised activity in the account

3. Enable two-factor authentication

4. If financial accounts are involved, contact the institution

5. Consider credit monitoring if personal details were exposed

If You Transferred Money

Immediately:

1. Contact your bank (fraud hotline, not general number)

2. Report to Action Fraud (0300 123 2040)

3. Gather evidence (emails, account details, timeline)

4. Contact the police if significant amounts are involved

Time matters. Banks can sometimes recall transfers if caught quickly.

If You Opened an Attachment

1. Disconnect from network

2. Run full antivirus scan

3. Consider professional malware removal

4. Change passwords (from a different device)

5. Monitor for unusual activity

See our malware guide for detailed steps.

Protecting Your Business

Technical Protections

Email filtering:

  • Use business email with good spam filtering (Google Workspace, Microsoft 365)
  • Consider advanced email security (Mimecast, Proofpoint, Microsoft Defender)
  • Block dangerous attachment types

Domain protection:

  • Set up SPF, DKIM, and DMARC records (helps prevent criminals spoofing your domain)
  • Your email provider can help configure these
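To show what 'set up correctly' means, here is an added Python example (not from this guide or any provider) that reads a domain's SPF and DMARC TXT records and reports weak settings beside the corrected ones. The records and the domain example.co.uk are constructed; nothing is looked up in DNS.

```python
# Constructed TXT records for a hypothetical domain (example.co.uk); nothing is looked up.
WEAK = {
    "example.co.uk": "v=spf1 include:_spf.google.com ?all",
    "_dmarc.example.co.uk": "v=DMARC1; p=none; rua=mailto:dmarc@example.co.uk",
}
STRONG = {
    "example.co.uk": "v=spf1 include:_spf.google.com -all",
    "_dmarc.example.co.uk": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.co.uk",
}

def check_spf(record):
    """Findings for one SPF record: the qualifier on 'all' decides the fate of unlisted senders."""
    if not record.startswith("v=spf1"):
        return ["no SPF record: anyone can send as this domain"]
    terms = record.split()
    qualifier = next((t[0] if t[0] in "+-~?" else "+" for t in terms if t.lstrip("+-~?") == "all"), None)
    if qualifier in (None, "+"):
        return ["SPF allows any sender (missing 'all' or '+all'); use '-all'"]
    if qualifier == "?":
        return ["SPF '?all' is neutral, so spoofed mail is not penalised; use '-all'"]
    if qualifier == "~":
        return ["SPF '~all' only softfails; move to '-all' once every real sender is listed"]
    return []

def check_dmarc(record):
    """Findings for one DMARC record: what receivers should do with mail failing SPF/DKIM."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        return ["no DMARC record: receivers are never told to reject spoofed mail"]
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("DMARC p=none only monitors; move to p=quarantine, then p=reject")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC pct={tags['pct']}: the policy is applied to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address, so you receive no aggregate reports")
    return findings

def audit(records, domain):
    """Combine the SPF findings for the domain with the DMARC findings for _dmarc.<domain>."""
    return check_spf(records.get(domain, "")) + check_dmarc(records.get("_dmarc." + domain, ""))

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("strong", STRONG)):
        print(label, audit(records, "example.co.uk") or ["no findings"])
```

Moving from p=none to p=reject should be done after reviewing the aggregate reports, so that legitimate senders (payroll, CRM, newsletters) are listed before spoofed mail starts being refused.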

Web filtering:

  • Block known malicious websites
  • Many security products include this

Two-factor authentication:

  • Enable on all accounts, especially email
  • Use authenticator apps over SMS where possible

Process Protections

Payment verification:

  • Always verify payment requests through a different channel
  • Never change bank details based solely on an email
  • Have a callback procedure for large payments
  • Two-person approval for significant transfers

Reporting culture:

  • Make it easy to report suspicious emails
  • Never punish people for reporting (even if they clicked)
  • Share examples of attacks (anonymised if needed)

Staff Training

What everyone should know:

  • How to identify phishing
  • What to do if unsure
  • What to do if they clicked
  • That reporting is encouraged, not punished

Training options:

  • Free: NCSC guidance, Cyber Aware resources
  • Paid: KnowBe4, Proofpoint, Mimecast (£20-50/user/year)
  • Simulated phishing tests to identify gaps

Regular reminders:

  • Phishing techniques evolve
  • Annual training isn't enough
  • Share real examples that targeted your business

Special Threats: Business Email Compromise

The Danger

BEC is how businesses lose serious money:

  • Average loss: £120,000+ per incident
  • Often not covered by standard insurance
  • Targets people who can authorise payments
  • Usually well-researched and personalised

Common BEC Scenarios

CEO Fraud:

'Hi [Name], I need you to process an urgent payment. I'm in meetings all day, just do it and we'll discuss tomorrow.'

Invoice Fraud:

'Our bank details have changed. Please update your records and send future payments to [criminal account].'

Payroll Diversion:

'Please update my direct deposit details for this month's salary.' (from compromised or spoofed employee email)

Protection Against BEC

Verify payment changes:

  • Always confirm through a known phone number (not one in the email)
  • Require senior approval for bank detail changes
  • Question urgency—legitimate requests can wait for verification

Protect executive accounts:

  • Strong passwords and 2FA on all executive email accounts
  • Monitor for account compromise
  • Be aware that executive details are publicly available (LinkedIn, etc.)

Payment procedures:

  • Two-person authorisation for large payments
  • Mandatory verification call for payment changes
  • Written procedures that staff must follow regardless of 'urgency'

Reporting Phishing

Where to Report in the UK

NCSC: Forward suspicious emails to report@phishing.gov.uk

Action Fraud: Report scams at actionfraud.police.uk or 0300 123 2040

Your bank: If the phishing involves your financial accounts, report it to your bank's fraud team

The impersonated company: Most have phishing report addresses

Why Report?

  • Helps authorities track and block threats
  • May prevent others falling victim
  • Creates a record if you're later affected
  • Some reports lead to site takedowns

The Bottom Line

Phishing is the primary threat to small businesses because it exploits people, not technology.

Prevention:

  • Train staff to recognise and report
  • Use email filtering and security
  • Enable two-factor authentication
  • Have verification procedures for payments

Response:

  • If unsure, verify through another channel
  • If you clicked, act immediately
  • Report incidents
  • Learn from what happened

Remember:

  • Criminals are sophisticated—anyone can be fooled
  • When in doubt, verify
  • Speed matters if you've been caught
  • Reporting isn't shameful—it's responsible

Frequently Asked Questions

How do phishers get my email address?

Sources include: data breaches (your email in leaked databases), public sources (company websites, LinkedIn), purchased lists (sold by data brokers), website scraping, guessing (common formats like firstname.lastname@company.com). You can check if your email is in known breaches at haveibeenpwned.com. Assume your business email is known to attackers.

Why does phishing email sometimes come from someone I know?

Two reasons: Their account was compromised (hackers using their real account), or their address was spoofed (faked to look like it came from them). If an email from a known contact seems odd—unexpected attachment, strange request, unusual tone—verify with them through another channel before acting. Their account may be compromised without them knowing.

Can spam filters stop all phishing?

No. Spam filters catch most phishing, especially obvious mass campaigns. But sophisticated phishing—especially targeted spear phishing and BEC—often bypasses filters because it doesn't trigger typical spam signals. Filters are essential but not sufficient. Human awareness is the final defence.

What if I gave away my password and use it elsewhere?

Change it everywhere immediately. Yes, everywhere. This is why password reuse is dangerous—one breach compromises all accounts using that password. Use a password manager to maintain unique passwords. After changing passwords, check accounts for unauthorised activity or changed settings.

How do I report phishing that impersonates another company?

Most companies have phishing report addresses (e.g., reportphishing@apple.com, spoof@paypal.com). Search '[company name] report phishing' to find theirs. Also report to report@phishing.gov.uk. Reporting helps companies take down fake sites and warn others. It only takes a moment and contributes to collective defence.

My business was targeted—should I tell customers/partners?

Depends on what happened. If customer data was exposed, you may be legally required to notify them (and the ICO). If the attack was contained without data exposure, notification may not be required but consider whether warning partners could protect them. Transparency about security incidents, handled professionally, often strengthens rather than damages trust.

About the Author

CTC Editorial Team

The Compare the Cloud editorial team brings you expert analysis and insights on cloud computing, digital transformation, and emerging technologies.