How to Protect Email from Phishing Attacks

What is phishing?
Phishing is a form of cyber attack in which the attacker tries to trick the victim into revealing sensitive information such as passwords, credit card numbers, or personal data. The attacker poses as a trusted organization or person via email, SMS, or a fake web page.
Industry breach reports consistently rank phishing as the most common way attackers gain their first foothold in an organization. Across the United Kingdom and Europe, attacks impersonating banks, tax authorities (such as HMRC), courier services, and popular online services are especially common. Every company, regardless of size, can be a phishing target. A professional business email account on a domain with properly configured authentication (SPF, DKIM, and DMARC, covered below) is the first line of defense.
Types of phishing attacks
Email phishing
The most common form of phishing. The attacker sends mass emails that appear to come from a legitimate organization. The email usually contains a link to a fake web page that looks identical to the real one, or a malicious attachment.
Spear phishing
A targeted attack on a specific person or organization. The attacker researches the victim through social networks and public data, then crafts a personalized email that looks very convincing. It is far more dangerous than mass phishing because it is much harder to detect.
Whaling
A subtype of spear phishing that targets high-ranking employees (CEO, CFO, directors). The emails are dressed up as legal documents, tax filings, or urgent money-transfer requests.
Business Email Compromise (BEC)
The attacker compromises or impersonates an employee's email account (usually an executive's) and sends requests for money transfers or sensitive data to other employees. BEC emails often contain no link or attachment at all, just a plausible request, so filters that only look for malicious URLs miss them. BEC is extremely profitable for attackers: the average loss per incident is well over $100,000.
Smishing and Vishing
Smishing uses SMS messages and vishing uses phone calls to deceive. Across the United Kingdom and Europe, SMS messages impersonating courier services are common, demanding payment of "additional delivery fees".
How to recognize a phishing email
Several signs indicate an email may be a phishing attempt. Pay attention to the following before clicking any link or opening an attachment.
- Suspicious sender address: Check the exact email address, not just the sender name. Attackers use addresses like "support@secure-bank-login.com" instead of the bank's real domain.
- Urgency and threats: "Your account will be blocked in 24 hours" or "Confirm your details urgently" are classic phishing tactics.
- Grammar errors: Professional organizations have editors, so many grammar errors and odd wording are red flags. The reverse does not hold: a flawlessly written email can still be phishing.
- Generic greeting: "Dear customer" instead of your name - legitimate organizations usually address you by name.
- Suspicious links: Hover over the link (do not click) to see the real URL, and read the domain itself, not just the start of the address. Attackers put the brand name in a subdomain or in the path so that the URL looks right at a glance. If the domain differs from what you expect, do not click.
- Unexpected attachments: Never open attachments you did not expect, especially .exe or .zip files and Office documents that ask you to enable macros.
- Request for sensitive data: No legitimate organization will ask for a password, PIN, or card number via email.
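The checks in the list above can be applied mechanically to a raw message. The script below is an added example written for this article, not BeoHosting code: it parses two constructed emails (a phishing sample built around the article's own "support@secure-bank-login.com" address and a benign one; the brand "Example Bank", the domain example-bank.co.uk and all other names are invented) and reports a display-name/Reply-To mismatch, urgency language, a generic greeting, links whose visible text shows one host but whose href points to another (the "hover" check), and risky attachment types.

```python
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY = re.compile(r"\b(urgent(ly)?|immediately|24 hours|suspended|blocked|verify your)\b", re.I)
GENERIC = re.compile(r"\bdear (customer|user|client|member)\b", re.I)
RISKY_EXT = (".exe", ".js", ".scr", ".iso", ".zip", ".docm", ".xlsm", ".html", ".htm")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs so the two can be compared, like hovering a link."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def addr_domain(header_value) -> str:
    """Domain of the actual address in a From:/Reply-To: header, ignoring the display name."""
    value = str(header_value or "")
    m = re.search(r"<([^>]+)>", value)
    return (m.group(1) if m else value.strip()).rpartition("@")[2].lower()


def analyse(raw: bytes) -> list:
    """Return a list of phishing indicators found in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_dom = addr_domain(msg["From"])
    if msg["Reply-To"] and addr_domain(msg["Reply-To"]) != from_dom:
        findings.append("reply-to domain differs from From domain")
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    visible = re.sub(r"<[^>]+>", " ", content)          # crude tag strip for text checks
    text = str(msg["Subject"] or "") + " " + visible
    if URGENCY.search(text):
        findings.append("urgency/threat language")
    if GENERIC.search(visible):
        findings.append("generic greeting")
    if body is not None and body.get_content_type() == "text/html":
        col = LinkCollector()
        col.feed(content)
        for href, shown in col.links:
            if "." in shown and " " not in shown and host_of(shown) != host_of(href):
                findings.append(f"link text shows {host_of(shown)} but points to {host_of(href)}")
            elif host_of(href) and not host_of(href).endswith(from_dom):
                findings.append(f"link to {host_of(href)} outside sender domain {from_dom}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"risky attachment type: {name}")
    return findings


# Constructed phishing sample (all names and domains invented).
RAW_PHISH = b"""From: Example Bank <support@secure-bank-login.com>
Reply-To: refunds@secure-bank-login-help.com
To: victim@example.com
Subject: URGENT: your account will be blocked in 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear customer, verify your details immediately:
<a href="http://secure-bank-login.com/verify">https://www.example-bank.co.uk/verify</a></p></body></html>
--b1
Content-Type: application/zip; name="statement.zip"
Content-Disposition: attachment; filename="statement.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

# Constructed benign sample.
RAW_BENIGN = b"""From: Alice <alice@example.com>
To: bob@example.com
Subject: Minutes from Tuesday
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

Hi Bob, the minutes are attached. See you Thursday.
--b2
Content-Type: application/pdf; name="minutes.pdf"
Content-Disposition: attachment; filename="minutes.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b2--
"""

if __name__ == "__main__":
    print("phish :", analyse(RAW_PHISH))
    print("benign:", analyse(RAW_BENIGN))
```

None of these heuristics is proof on its own; the value is in combining them, and in the link check in particular, which is the automated form of "hover before you click".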
Technical protection: SPF, DKIM, and DMARC
SPF, DKIM, and DMARC are three complementary protocols that together provide strong protection against email spoofing, the technique attackers use to send emails with a fake sender address. Keep their scope in mind: they let receivers verify that mail claiming to be from your domain really came from it. They do nothing against a phishing email sent from a look-alike domain the attacker registered and configured correctly, which is why the human checks above still matter.
SPF (Sender Policy Framework)
SPF lets the domain owner publish, in a DNS TXT record, which servers are allowed to send mail on behalf of that domain. The receiving server looks up the record and checks whether the connecting IP address is listed. One caveat every administrator should know: SPF is evaluated against the envelope sender (the SMTP MAIL FROM, visible to the user only as Return-Path), not against the From: header the recipient actually sees. An attacker can therefore pass SPF using a domain they control while showing your name in From:; only DMARC's alignment check (below) ties the two together.
An SPF record in DNS looks like this: v=spf1 include:_spf.google.com include:mail.beohosting.com -all. It says that only the servers listed in Google's and BeoHosting's SPF records may send mail from your domain. The -all at the end means every other sender should fail; ~all (softfail) is the lenient alternative, which most receivers treat as a mild spam signal rather than a rejection. Each include:, a:, mx:, exists: and redirect= term costs a DNS lookup, and the standard allows at most 10 per evaluation; beyond that the result is a permanent error and your own legitimate mail loses its SPF pass, so keep the record short.
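To make the evaluation concrete, here is a simplified SPF checker as an added example (written for this article, not BeoHosting's or any library's code). It evaluates the record quoted above against a constructed in-memory DNS table: the contents of the _spf.google.com and mail.beohosting.com records, the host mx1.beohosting.com, the domain example.com and the self-including loop.example record are all assumptions for illustration, not the real published data. It handles the ip4, ip6, a, include and all mechanisms with their +, -, ~ and ? qualifiers and enforces the 10-lookup limit.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed stand-in for DNS TXT records. example.com carries the record from the text;
# the included records, the A record and loop.example are invented for this example.
TXT: Dict[str, str] = {
    "example.com": "v=spf1 include:_spf.google.com include:mail.beohosting.com -all",
    "_spf.google.com": "v=spf1 ip4:209.85.128.0/17 ip6:2a00:1450:4000::/36 ~all",
    "mail.beohosting.com": "v=spf1 ip4:203.0.113.0/24 a:mx1.beohosting.com -all",
    "loop.example": "v=spf1 include:loop.example -all",   # broken record that includes itself
}
A: Dict[str, List[str]] = {"mx1.beohosting.com": ["198.51.100.20"]}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 DNS-querying terms is a permerror


def check_spf(domain: str, sender_ip: str, _budget: Optional[List[int]] = None) -> str:
    """Evaluate domain's SPF record for a connection from sender_ip.
    Returns one of the RFC 7208 results: pass, fail, softfail, neutral, none, permerror."""
    budget = _budget if _budget is not None else [0]   # lookup counter shared across includes
    record = TXT.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        if "=" in term:                 # modifiers (redirect=, exp=) are not handled here
            continue
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("include", "a", "mx", "exists"):
            budget[0] += 1
            if budget[0] > MAX_LOOKUPS:
                return "permerror"
        if mech == "all":
            return QUALIFIER[qual]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIER[qual]
        elif mech == "include":
            sub = check_spf(arg, sender_ip, budget)
            if sub == "pass":
                return QUALIFIER[qual]
            if sub in ("none", "permerror"):
                return "permerror"      # RFC 7208 section 5.2: including a missing/broken record
        elif mech == "a":
            if sender_ip in A.get((arg or domain).lower(), []):
                return QUALIFIER[qual]
        # mx, exists and ptr need further DNS record types; treated as no-match here
    return "neutral"                    # nothing matched and no explicit "all"


if __name__ == "__main__":
    for ip in ("209.85.128.10", "203.0.113.7", "198.51.100.20", "198.51.100.99", "2a00:1450:4001::1"):
        print(f"{ip:20s} -> {check_spf('example.com', ip)}")
    print("loop.example         ->", check_spf("loop.example", "192.0.2.1"))
```

Note how the shared counter turns the self-including loop.example record into a permerror rather than an infinite recursion; a real record that nests too many includes fails the same way, and then even your own mail no longer passes.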
DKIM (DomainKeys Identified Mail)
DKIM adds a digital signature header to every email you send. The receiving server fetches the signing domain's public key from DNS (published at selector._domainkey.yourdomain) and checks that the signed headers and the hash of the body still match, which proves that the message was not modified in transit and that the signing domain took responsibility for it.
DKIM uses asymmetric cryptography: a private key on your mail server signs each message, and the public key in DNS lets anyone verify the signature. Be clear about what it does not do. A missing signature is not by itself a failure (plenty of legitimate mail is unsigned), and a valid signature only vouches for the domain in the signature's d= tag, which need not be the domain shown in From:. It is DMARC that decides whether the d= domain must match From: and what to do when no valid, aligned signature is present. Use RSA keys of at least 2048 bits and rotate the selector periodically.
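The "not modified in transit" part of DKIM rests on the body hash (the bh= tag), which the receiver recomputes after applying the canonicalization named in the c= tag. The following added example (written for this article, not BeoHosting's or a DKIM library's code) implements RFC 6376 relaxed body canonicalization and the bh= comparison using only the standard library. The bodies, the d=example.com domain, the selector sel1 and the DKIM-Signature header are constructed; the bh= is computed here because there is no real signer, and the b= RSA signature over the headers (which needs the public key from DNS) is out of scope and left as a placeholder.

```python
import base64
import hashlib
import hmac
import re


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalization: collapse runs of spaces/tabs to one space,
    strip trailing whitespace on every line, drop trailing empty lines, end with one CRLF
    (an empty body canonicalizes to the empty string)."""
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" \t") for line in body.split(b"\r\n")]
    canon = re.sub(rb"(\r\n)+\Z", b"", b"\r\n".join(lines))
    return canon + b"\r\n" if canon else b""


def body_hash(body: bytes) -> str:
    """The bh= value a signer writes into DKIM-Signature and a verifier recomputes (sha256)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def dkim_tags(header: str) -> dict:
    """Split a DKIM-Signature header value into its tag=value pairs (folding whitespace removed)."""
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def verify_body_hash(header: str, body: bytes) -> bool:
    """Receiver-side check that the body was not altered in transit (bh= only).
    Only rsa-sha256 with relaxed body canonicalization is implemented in this example."""
    tags = dkim_tags(header)
    c = tags.get("c", "simple/simple")
    body_canon = c.split("/", 1)[1] if "/" in c else "simple"   # c=<header>/<body>, body defaults to simple
    if tags.get("a") != "rsa-sha256" or body_canon != "relaxed":
        return False
    return hmac.compare_digest(body_hash(body), tags.get("bh", ""))


# Constructed sample: the body as it left the signing server.
ORIGINAL = b"Hello,\r\n\r\nPlease pay invoice 4711 to  account GB12 ABCD 1234.\r\n\r\n\r\n"
# The same message after an intermediate server re-wrapped whitespace (still valid under relaxed).
REWRAPPED = b"Hello,\r\n\r\nPlease pay invoice 4711 to account GB12 ABCD 1234.   \r\n"
# The same message after someone in the path swapped the bank account.
TAMPERED = b"Hello,\r\n\r\nPlease pay invoice 4711 to account GB99 EVIL 6666.\r\n"

# Constructed DKIM-Signature value; d=, s= and h= are assumed, bh= is computed, b= is a placeholder.
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;"
             " h=from:to:subject:date; bh=" + body_hash(ORIGINAL) + "; b=PLACEHOLDER")

if __name__ == "__main__":
    for name, body in (("original", ORIGINAL), ("rewrapped", REWRAPPED), ("tampered", TAMPERED)):
        print(f"{name:9s} body hash verifies: {verify_body_hash(SIGNATURE, body)}")
```

The relaxed form is what most signers use precisely because mailing lists and gateways touch whitespace; a change to the content itself, such as the account number above, still breaks the hash.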
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC builds on SPF and DKIM. It requires that at least one of them passes with an identifier aligned to the visible From: domain (the SPF envelope domain or the DKIM d= domain), and it tells the receiving server what to do when neither does. It also delivers aggregate reports (the rua= tag) and, from some receivers, per-message failure reports (ruf=) that show who is sending mail under your domain name, legitimately or not. The policy is published as a TXT record at _dmarc.yourdomain.
- p=none: Monitoring only - does not affect delivery, but sends reports. Use this at the start to see what is happening.
- p=quarantine: Emails that fail checks go to the spam folder. The recommended level for most sites.
- p=reject: Emails that fail checks are rejected entirely. The strictest setting for maximum protection.
The recommendation is to start with p=none, read the aggregate reports for a few weeks and fix every legitimate source that fails (forwarders, newsletter tools, ticketing or CRM systems that send as your domain), then move to p=quarantine and finally p=reject. The pct= tag lets you apply the stricter policy to only a share of failing mail at first. Set a subdomain policy (sp=) as well, otherwise attackers will simply spoof anything.yourdomain.com. This way you will not accidentally block legitimate emails.
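The alignment rule is the part people get wrong, so here is the receiver-side decision as an added example (written for this article, not BeoHosting's code or any DMARC library). It parses a constructed DMARC record for the invented domain example.com (the rua= address is assumed), applies relaxed or strict alignment, and returns the disposition for three constructed cases, including the one that explains why SPF alone is not enough: a message whose SPF check passes for an attacker-controlled envelope domain while From: shows example.com.

```python
from typing import Dict, Optional, Tuple


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse the tag=value pairs of a _dmarc.<domain> TXT record and apply RFC 7489 defaults."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")    # relaxed SPF alignment unless aspf=s
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Simplification for this example: the last two labels.
    Real verifiers consult the Public Suffix List so that e.g. example.co.uk works."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the same org domain."""
    if not auth_domain:
        return False
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def evaluate_dmarc(record: str, from_domain: str,
                   spf_result: str, spf_domain: Optional[str],
                   dkim_result: str, dkim_domain: Optional[str]) -> Tuple[str, str]:
    """Return (dmarc_result, disposition). spf_domain is the MAIL FROM domain SPF was
    evaluated for; dkim_domain is the d= of a signature that verified (None if none did)."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = tags["p"]
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]          # subdomain policy applies when From: is a subdomain
    # pct=<100 would apply 'policy' to only that share of failing mail; sampling is not done here
    return "fail", policy


# Constructed record for example.com; the rua= mailbox is assumed.
RECORD = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"

if __name__ == "__main__":
    cases = [
        ("legitimate: SPF on bounce subdomain, DKIM d=example.com",
         ("example.com", "pass", "bounce.example.com", "pass", "example.com")),
        ("spoof: SPF passes for the attacker's MAIL FROM, From: says example.com",
         ("example.com", "pass", "attacker.example", "none", None)),
        ("unauthenticated mail from a subdomain",
         ("news.example.com", "fail", "news.example.com", "none", None)),
    ]
    for label, args in cases:
        print(f"{label}: {evaluate_dmarc(RECORD, *args)}")
```

The second case is the one to remember: SPF says "pass", yet DMARC fails and the message is rejected, because the passing identifier belongs to the attacker's domain and does not align with the From: the victim sees.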
Employee training
Technical protection is only one side of the coin. The human factor remains the weakest link in the security chain. Regular employee training is key to phishing protection.
Training program elements
- Simulated phishing tests: Periodically send test phishing emails to employees and track who clicks. Tools like KnowBe4 or Gophish automate this process.
- Regular workshops: Quarterly workshops with examples of current phishing attacks. Show real examples of attacks targeting your industry.
- Clear procedures: Define the procedure for reporting suspicious emails. Employees must know whom to contact and what to do.
- Two-factor authentication: Mandatory 2FA for all business accounts, so that a stolen password alone is not enough. Prefer phishing-resistant factors (FIDO2 security keys or passkeys) where you can: a one-time code or push prompt can be relayed in real time by a phishing site that proxies the genuine login page, while a key bound to the real site's origin cannot.
- Password manager: Use password managers like Bitwarden or 1Password for unique, strong passwords for each account.
What to do if you are a phishing victim
- Change passwords immediately: For the compromised account and all other accounts where you used the same password, and sign out all active sessions so an attacker who is already logged in is evicted too.
- Notify the IT team: Report the incident immediately - time is critical to limit damage.
- Check banking transactions: If you entered financial details, contact the bank and block the card.
- Scan your computer: Run a full antivirus scan if you opened a suspicious attachment.
- Document the incident: Save the phishing email, screenshots, and all relevant details for further investigation.
- Report the attack: Report the phishing attempt to your national cybersecurity authority (in the UK, forward it to the NCSC at report@phishing.gov.uk) and to the hosting provider of the fake site.
Conclusion
Phishing attacks are becoming more sophisticated and harder to recognize. A combination of technical protection (SPF, DKIM, DMARC), employee education, and clear procedures is the only effective approach. Set up SPF, DKIM, and DMARC for your domain via DNS configuration, train employees to recognize suspicious emails, and build a security culture where everyone is responsible for protecting the company from cyber threats.
BeoHosting Team
10+ years of experience — Web hosting and infrastructure specialists