Phishing is the most common form of cyber attack in the UK. According to the UK Government’s Cyber Security Breaches Survey 2025/2026, phishing was identified as the most prevalent type of breach or attack. Despite being well-known, phishing attacks continue to catch businesses off guard because they’re constantly evolving.
This guide covers the main types of phishing attacks your team needs to know about, and the phishing protection steps and software that can help keep your business safe.
What is Phishing?
Phishing is a type of cyber attack where criminals impersonate trusted individuals or organisations (a bank, a supplier, HMRC, Microsoft, or even a senior colleague) to trick you into handing over sensitive information, clicking a malicious link, or transferring money.
The term comes from “fishing”: attackers cast a wide net hoping someone will take the bait. And with increasingly convincing emails, texts, and voice calls, the bait is getting harder to spot.
The Main Types of Phishing
1. Email Phishing
The classic form. An attacker sends a mass email designed to look like it came from a legitimate organisation (a bank, a courier company, or a software provider). The email typically urges you to click a link and log in to a fake website, where your credentials are captured.
2. Spear Phishing
Unlike broad email phishing, spear phishing is highly targeted. Attackers research a specific individual or company and craft a personalised message that’s far more convincing. They might reference a real project, a colleague’s name, or a recent event to make the email appear genuine.
3. Whaling
Whaling is spear phishing aimed at senior executives: CEOs, finance directors, or business owners. The goal is often to authorise a large fraudulent payment or gain access to high-level systems. Because these messages target people with authority over company finances, the stakes are especially high.
4. Smishing (SMS Phishing)
Smishing uses text messages rather than emails. Attackers send SMS messages appearing to be from delivery companies, banks, or government bodies, urging you to click a link or call a number. With more people checking texts than emails on the go, smishing has become increasingly effective.
5. Vishing (Voice Phishing)
Vishing involves phone calls from attackers posing as bank fraud teams, HMRC, or IT support staff. They create a sense of urgency to pressure you into providing account details, passwords, or remote access to your computer. AI-generated voice cloning is making this type of attack significantly more convincing.
6. Business Email Compromise (BEC)
BEC attacks involve criminals gaining access to or spoofing a legitimate business email account to send fraudulent requests. A common scenario involves a fake invoice or a request to change bank account details for an existing supplier. UK businesses lose millions to BEC fraud each year.
7. Clone Phishing
Here, attackers take a legitimate email you’ve previously received and create an almost identical copy, replacing the real attachment or link with a malicious one. Because the format and content look familiar, recipients are more likely to trust it.
Phishing Protection: How to Defend Your Business
No single measure provides complete protection, but a layered approach dramatically reduces your risk.
1. Email Security
Modern phishing protection software uses AI to scan inbound emails and flag suspicious messages before they reach your inbox. Look for solutions that include:
- Anti-spoofing controls (SPF, DKIM, DMARC)
- Sandboxing of links and attachments
- Impersonation detection for executives and trusted domains
- Real-time URL scanning
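To make the first and third bullets concrete, here is an added example in Python (it is not SilverCloud's code or any product's). It checks DMARC alignment from the Authentication-Results header that your own mail server stamps on a message, looks up the sender domain's published DMARC policy to decide whether to deliver, quarantine or reject, and then applies the impersonation heuristics DMARC cannot cover: a display name matching one of your executives on a foreign address, a Reply-To pointing elsewhere, and a lookalike sender domain. All domains, DNS records, people and messages below are constructed for the example; the Authentication-Results parsing is simplified, and the organisational-domain lookup uses a tiny hard-coded stand-in for the Public Suffix List.

```python
"""Inbound email triage: DMARC alignment check plus executive-impersonation
and BEC heuristics, run over constructed sample messages.

Added example, not SilverCloud's product code. Every domain, person, DNS
record and message below is invented for the demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_AUTHSERV_ID = "mx.acme-widgets.example"   # assumption: id our MTA writes into Authentication-Results
PROTECTED_DOMAIN = "acme-widgets.example"      # assumption: the business's own domain
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}  # stand-in for the Public Suffix List

# Constructed DMARC TXT records; a receiver would normally fetch these from _dmarc.<domain>.
DMARC_RECORDS = {
    "example-bank.co.uk": "v=DMARC1; p=reject; rua=mailto:dmarc@example-bank.co.uk",
    "supplier.example": "v=DMARC1; p=none; rua=mailto:dmarc@supplier.example",
}
# Constructed executive roster: display name -> the only address it may legitimately appear with.
EXECUTIVES = {"jane doe": "jane.doe@acme-widgets.example"}


def org_domain(domain: str) -> str:
    """Organisational domain for relaxed DMARC alignment (mail.x.co.uk -> x.co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def parse_dmarc_policy(record: str) -> str:
    """Return the p= tag of a DMARC record; 'none' if the record is absent or malformed."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return "none"
    return tags.get("p", "none").lower()


def trusted_auth_results(msg) -> str:
    """Return only the Authentication-Results header our own MTA added.
    Anyone can include such a header in a message, so the authserv-id
    (the first token) must match ours before the verdicts are trusted."""
    for value in msg.get_all("Authentication-Results", []):
        if value.split(";", 1)[0].strip() == OUR_AUTHSERV_ID:
            return value
    return ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw_message: str) -> dict:
    """Return the DMARC result, the action the sender's policy asks for, and impersonation flags."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    results = trusted_auth_results(msg)

    # DMARC passes if SPF or DKIM passed AND that identifier aligns with the header From domain.
    aligned = False
    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=([^\s;]+)", results)
    if spf and spf.group(1) == "pass":
        aligned |= org_domain(spf.group(2).rsplit("@", 1)[-1]) == org_domain(from_domain)
    dkim = re.search(r"dkim=(\w+)[^;]*?header\.d=([^\s;]+)", results)
    if dkim and dkim.group(1) == "pass":
        aligned |= org_domain(dkim.group(2)) == org_domain(from_domain)
    policy = parse_dmarc_policy(DMARC_RECORDS.get(org_domain(from_domain), ""))
    action = "deliver" if aligned or policy not in ("quarantine", "reject") else policy

    # Heuristics DMARC cannot cover: a fully authenticated lookalike domain passes DMARC cleanly.
    flags = []
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append("display name matches an executive but the address does not")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        flags.append("Reply-To domain differs from From domain")
    if from_domain != PROTECTED_DOMAIN and 0 < edit_distance(from_domain, PROTECTED_DOMAIN) <= 2:
        flags.append(f"sender domain {from_domain} resembles {PROTECTED_DOMAIN}")
    return {"dmarc": "pass" if aligned else "fail", "action": action, "flags": flags}


# Constructed sample messages, as our MTA would hand them to a filter.
SAMPLES = {
    "legit_bank": (
        "Authentication-Results: mx.acme-widgets.example; spf=pass smtp.mailfrom=alerts@example-bank.co.uk; dkim=pass header.d=example-bank.co.uk\n"
        'From: "Example Bank" <alerts@example-bank.co.uk>\n'
        "To: finance@acme-widgets.example\n"
        "Subject: Your statement is ready\n\nLog in to view your statement.\n"
    ),
    "spoofed_bank": (
        # Our MTA's verdict comes first; the attacker-supplied header beneath it is ignored.
        "Authentication-Results: mx.acme-widgets.example; spf=fail smtp.mailfrom=alerts@example-bank.co.uk; dkim=none\n"
        "Authentication-Results: mail.attacker.example; spf=pass smtp.mailfrom=alerts@example-bank.co.uk; dkim=pass header.d=example-bank.co.uk\n"
        'From: "Example Bank Security" <alerts@example-bank.co.uk>\n'
        "To: finance@acme-widgets.example\n"
        "Subject: Unusual activity - verify your account now\n\nClick here within 24 hours.\n"
    ),
    "ceo_lookalike": (
        "Authentication-Results: mx.acme-widgets.example; spf=pass smtp.mailfrom=jane.doe@acrne-widgets.example; dkim=pass header.d=acrne-widgets.example\n"
        'From: "Jane Doe" <jane.doe@acrne-widgets.example>\n'
        "Reply-To: <jane.doe.urgent@webmail.example>\n"
        "To: finance@acme-widgets.example\n"
        "Subject: Urgent supplier payment\n\nPlease change the supplier's bank details today.\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

The third sample is the one to notice: the attacker registered "acrne-widgets.example", set up SPF and DKIM for it, and so the message passes DMARC and the sender's (absent) policy says deliver. Only the executive-name, Reply-To and lookalike checks catch it, which is why the list above asks for impersonation detection alongside SPF, DKIM and DMARC, and why a DMARC pass must never be read as "safe".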
2. Multi-Factor Authentication (MFA)
Even if an attacker obtains a password through phishing, MFA adds a second layer of verification, typically a code sent to a mobile device or generated by an authenticator app. Enabling MFA on all business accounts is one of the most effective steps you can take. Be aware that not all MFA is equally strong: one-time codes and push approvals can still be captured or relayed in real time by a phishing page that sits between the user and the genuine login, so where a service supports it, prefer phishing-resistant methods such as FIDO2 security keys or passkeys, and avoid SMS codes for your most sensitive accounts.
3. Staff Awareness Training
Technology alone isn’t enough. Regular cyber security awareness training ensures your team can spot phishing attempts, report suspicious messages, and avoid making costly mistakes. Training should be ongoing — not a one-off exercise — because threats evolve continuously.
4. DNS Filtering
DNS filtering blocks requests to known malicious domains, so a phishing link that slips past email security is stopped when the user's device tries to resolve it. It acts as a further line of defence when an email gets through, but it only covers domains already on a block list, so freshly registered phishing domains can pass; treat it as one layer rather than a safety net on its own.
5. Incident Response Plan
Know what to do if someone does fall victim to a phishing attack. A clear incident response plan (who to call, what to isolate, how to report) minimises damage and speeds up recovery.
6. Threat Monitoring
Managed detection and response services watch endpoints, identities and email for signs that a phish has already succeeded, such as a sign-in from an unfamiliar location shortly after a credential-harvesting email, or a new mailbox rule forwarding messages outside the business, and contain the incident before it spreads.
How SilverCloud Can Help
SilverCloud offers comprehensive phishing protection solutions for UK businesses, from advanced email security and DNS filtering to staff cyber awareness training programmes. We help SMEs build layered defences that are proportionate to their size and risk profile.