Risk & Compliance
6 minute read

How to protect your business against phishing attacks

Phishing email

Each year, millions of businesses fall victim to cyber security attacks. October is Cyber Security Month, so take the time to make sure your business isn't at risk. Read our first blog on password security and knowledge

As technology advances, organisations are becoming better at protecting themselves and avoiding breaches and attacks. But incidents do still happen.

Last year, according to the Department for Digital, Culture, Media and Sport1, almost half of all UK businesses fell victim to a cyber security breach or attack.

When these breaches happen, they can have a substantial – and often costly – effect on your business. A survey found that 33% of account-compromised victims cut ties with the companies who suffered from data breaches2. So how can you do better at avoiding them in the first place?

Revisiting phishing this Cyber Security Month is a great place to start.

What is phishing and why should you care?

Phishing is a form of cyber attack used to steal user data such as usernames, passwords and other confidential credentials.

Typically, phishing attacks are carried out through emails. The attacker will pretend to be someone the victim knows in order to trick them into opening the email and clicking on a malicious link.

In the past, the biggest cyber security threats to businesses came in the form of viruses or other types of malware. Nowadays, the nature of cyber attacks has changed and phishing attacks are rising rapidly.

According to government statistics1, 86% of UK businesses have experienced a phishing attack over the last three years.

22% of UK organisations3 don't give their employees regular email cyber security awareness training. Not investing the time and resources in ensuring your employees receive the right learning around phishing and cyber security could have devastating results for your business. 

Not only could data breaches result in a loss of customers4, but it could also lead to heavy fines. British Airways, for example, was issued a £183 million fine for GDPR violations after experiencing a data breach5

Now, more than ever, your focus needs to be on ensuring your employees have access to the right tools and knowledge to protect themselves and the business against phishing attacks.

How to make your employees aware

Successful learning doesn't happen in a vacuum.

In order for their learning to positively impact the business, it's not enough that your employees are aware of the dangers of phishing, they also have to understand why they're being asked to learn about it.

Learn Amp CEO, Duncan Cheatle advises organisations provide training in context "so people fully understand the risk and how to act in a way that mitigates that risk."

Phishing learnlistsUse your learning platform to create dedicated learning pathways so your employees can clearly and easily understand what they're being asked to learn.

At Learn Amp, we create 'Learnlists' within our pathways. These are quick and easy ways to compile and deliver out curated learning content in the most engaging way possible.

It's also important make sure you've created a culture of transparency within your organisation. It does nobody any good if your employees are afraid to admit they've made a mistake.

Encourage your employees to report any phishing emails they may have received - or fallen victim to - and let them know they won't be reprimanded for clicking on a phishing email.

Request a demo

We recently sat down with Reena Shah, Director of Cyber Security, Culture and Strategy at Refinitiv6, to discuss what else businesses can do to encourage learning around cyber security.

These were some of Reena’s key takeaways:

  • Create and nurture a culture of cyber security awareness and make sure it's modelled from the top.

  • Within your weekly or monthly communications, make sure you direct your employees to your learning platform so they always have access to the cyber security learning and tools they need.

  • Consider using 'phishing simulations' to check whether your employees have retained the knowledge.

  • Check your incident reports to see how the learning is going. 

Additionally, with a next-gen learning platform like Learn Amp, you can assign and deliver the learning materials depending on the team or individual, ensuring everyone is receiving learning that is directly relevant to themselves and their role.

What to do if you receive a phishing email

Receiving a phishing email doesn't mean the end of the world. However, it's important the correct next steps are taken to reduce the risk of a data breach.

Don't open it

If you suspect an email of being a phishing attempt, don't open it. In some cases, simply opening the email could be all the attacker needs to access the data they want. 

Delete it

Don't be tempted to keep the email in your inbox as you may accidentally open it at a later date. Delete it as soon as you've identified it as a phishing attempt.

Don't click on any links

If you do open the email, it doesn't mean you've automatically become a victim. Many phishing emails require you to click a link or download an attachment for the attacker to access your data.

If you suspect an email of being a phishing attempt, don't click any links or download any attachments.

Don't reply

As tempting as it may be to engage the attacker in a witty back and forth, replying to  phishing email can lead to further attacks. If you're responding from your company address it could also lead to the attackers targeting other email addresses in the organisation.

Report it

Before you delete it, take a screenshot of the email and send it to your IT department to make them aware of the issue.

Discover how Learn Amp can help to deliver phishing awareness training to your employees by requesting a demo below

Request a demo




1. UK Government Cyber Security Breaches Survey 2020

2. Data Prot Password Statistics

3. UK Cyber Security Statistics

4. Red Seal Cyber Security Research

5. British Airways faces record £183m fine for data breach; BBC

6. Refinitiv