What is Phishing?

Phishing is a type of cyber-attack that uses disguised emails to trick the recipient into believing the message is genuine. These emails often pretend to come from banks, well-known services, business partners, or even colleagues. The goal is usually one of two things:

• To steal sensitive information such as login details, financial data, or personal information.
• To get you to download malicious software onto your device.

Phishing emails usually include a link or attachment, encouraging you to “click here” or “open this document.”

Why are we receiving these emails?

Phishing has become more sophisticated over the years. Cybercriminals have many tactics:

• They may already have your email address or personal details from a data breach.
• They might compromise someone you know, then use their account to target you.
• They can even guess email addresses based on company formats (e.g. firstname.lastname@company.co.uk).

To make emails look convincing, attackers often spoof the sender address, making it appear the email comes from someone you know or trust. They also copy logos, branding, and signatures from legitimate companies to make their messages look authentic. Sometimes, they’ll lift graphics and layouts directly from real emails you might have received before.

Public-facing addresses like “info@company.co.uk” are prime targets. Once criminals know a company’s format, it’s easy to generate fake addresses to send scams.

How can we recognise phishing emails?

Phishing emails often share common warning signs:

• Unexpected links or attachments.
• A sense of urgency (“Your account will be locked in 24 hours”).
• Unusual tone, spelling errors, or awkward grammar.
• Requests for sensitive information (passwords, payment details).

If something feels “off,” trust your instincts.

Can we stop receiving them?

Unfortunately, not entirely. Spam and security filters block many phishing attempts, but not all. Sometimes filters block genuine emails, so businesses can’t rely on filtering alone.

What can we do?

• Be cautious. If an email doesn’t seem right, pause before clicking.
• Verify. Call the company or colleague directly to confirm, rather than replying or clicking links.
• Check with others. A second pair of eyes can help spot something suspicious.
• Don’t click first. Always confirm before opening attachments or links.
• Use strong security practices. Protect accounts with strong, unique passwords and change them regularly.

What if I’ve already clicked?

If you think you may have fallen for a phishing email:

1. Disconnect from the internet – this can help limit any further malicious activity.
2. Change your password immediately – especially for the account you think may have been compromised. Use a strong, unique password.
3. Enable two-factor authentication (2FA) where possible for added protection.
4. Run a full antivirus and malware scan on your device.
5. Report it – this helps block future attacks.
6. Monitor accounts – keep an eye on bank accounts, emails, and online services for any suspicious activity.

Acting quickly can limit the damage. Even if you’re unsure, it’s always safer to treat a suspicious click as serious.

Final thought

The best defence against phishing is awareness. Keep yourself and your colleagues informed. Training staff to spot phishing attempts is one of the most effective ways to reduce risk.

Remember: If in doubt, leave it out. Don’t click until you’re sure.