Axia Computer Systems Ltd

Guide

Phishing attacks: how to spot them and what to do when one gets through

What a modern phishing email actually looks like, how to spot one in 10 seconds, and the first 30 minutes of response when a colleague clicks — written for UK SME owners and IT managers.

Phishing is still the single most common way a UK SME gets compromised. Not exotic zero-days, not nation-state actors — a finance assistant clicking a link in an email that looked like it came from a regular supplier.

The good news: phishing is the attack type where a small amount of staff awareness pays back disproportionately well. The bad news: modern phishing is good enough that even cautious people get caught. The plan therefore has to be: help people spot them, and have a clean response when they don't.

What modern phishing actually looks like

Forget the stereotype of a poorly-spelled email from a foreign prince. The phishing that hits UK SMEs now is:

  • Spear phishing — targeted, with your name, your company name, and a plausible reason to act.
  • Brand impersonation — Microsoft 365, DocuSign, HMRC, a real supplier, a real courier, your bank.
  • Conversation hijacking — replying inside a real, existing email thread after compromising one party. The "new" email is identical in tone and signature to the genuine thread.
  • QR code phishing ("quishing") — an email contains a QR code instead of a link, bypassing URL-based email filters entirely.
  • Voice phishing (vishing) — a phone call from "your IT department" or "your bank" that references real details harvested from a data breach or LinkedIn.
  • Multi-channel attacks — an email followed by a Teams message from "a colleague", a text message from "the CEO", an attachment sent via a file-share link.

How to spot a phishing email in 10 seconds

Train people to scan for these five checks, in this order:

  1. Who actually sent it? Look at the full email address, not just the display name. A real HMRC message comes from @hmrc.gov.uk, not @hmrc-notification.com.
  2. Is the action plausible? Would this person really send you a DocuSign at 22:40 on a Saturday? Would your CFO really ask you to settle an invoice to a new bank account by phone confirmation alone?
  3. What does the link actually go to? Hover, don't click. On mobile: long-press. Real axia.co.uk links do not resolve to random URLs.
  4. Urgency or fear? Phishing wants you to act without thinking. Real organisations give you time and signed paperwork.
  5. Any unexpected authentication or payment change? This is the single most expensive pattern — a last-minute "we've changed bank details" instruction is now responsible for the majority of large SME fraud losses.

Tell staff: if any of those is off, do not click — report. Reporting is the priority, not forwarding. Forwarding spreads the danger; reporting stops it.

What good anti-phishing culture looks like

  • A clearly promoted "report" button in Outlook and Gmail, and a human who reads what comes in.
  • Celebrated reporting, not punished mistakes. The employee who reports a click immediately is a hero; the one who hides it for a week is the problem.
  • Short, regular simulations (monthly or quarterly) that target the patterns above — not generic "can you spot the bad email" quizzes.
  • Two-minute team briefings when a real phishing attempt lands, with the actual example. "This is what tried to hit us on Tuesday."
  • Annual policy refresh that is one page, in plain English, and signed by someone the team actually knows.

Building real resilience: technical controls that filter out most phishing

Awareness alone will not catch a sophisticated attack. Use the staff-time you save with awareness to layer the following technical controls:

  • DMARC, SPF and DKIM correctly configured on your sending domain — stops most spoofing.
  • Email security gateway with sandboxing for links and attachments — catches the things gateway filters miss.
  • External recipient warnings in Outlook/Gmail so out-of-domain replies are obvious.
  • Banner warnings on emails that pass authentication but originate from new domains.
  • Multi-factor authentication — even a clicked credential goes nowhere useful without the second factor.
  • MFA fatigue / push bombing resistance — number-matching prompts rather than approve/deny.

The first 30 minutes: response when someone clicks

This is the bit that decides whether a phishing incident ends with a password reset or a ransomware containment. Your people need to know what to do, in order, before an incident happens.

Minute 0–5: stop the bleed

  • The user reports the click to IT / the MSP by phone, not email.
  • The user disconnects the device from the network (Wi-Fi off, unplug the cable) but leaves it on— forensically valuable, and you want EDR to finish isolating it.
  • IT resets the user's password and revokes active sessions from the identity console.

Minute 5–15: contain

  • For Microsoft 365 / Google Workspace: revoke all sessions, invalidate refresh tokens, force password reset, force MFA re-registration.
  • Search the mailbox for messages sent from the user in the last 24 hours — outbound spam is the classic sign of a compromised account.
  • Check inbox rules — attackers commonly create silent forwarding or "move to trash" rules to hide their tracks.
  • Pull a list of recent successful sign-ins: location, IP, device. Anything unexpected, treat as compromised.

Minute 15–30: assess and escalate

  • Was MFA in place? Did the attacker reach email only, or did they pivot to file shares, OneDrive, finance systems?
  • Has any data actually been accessed or exfiltrated? Pull audit logs.
  • Decide whether to notify the leadership team, your insurer, or — in the case of confirmed personal data breach — the ICO within 72 hours.

If money has already been moved

If a staff member has paid a fraudulent invoice, or authorised a payment to a changed bank account, the priority is your bank, not your email provider. Call the bank's fraud line within the first hour. UK Authorised Push Payment (APP) reimbursement rules, introduced in 2024, give many SME victims a path to recovery — but only if you act fast.

A short phishing policy your team will actually read

Forget a 12-page acceptable-use policy. Post a one-pager in the kitchen. It should say, in plain language:

  1. We use email and chat for business. Real things happen in person, on the phone or through proper channels.
  2. If you're asked to do anything with money, account details, or passwords — pause. Verify by another channel (phone, in person, known direct number).
  3. If anything feels off, click the Report Phishing button. If you're not sure, ask IT. There is no penalty for reporting; there is a real cost to hiding it.
  4. If you think you've already clicked something wrong, phone IT now. Don't email. Don't fix it yourself.

Need help with phishing resilience?

We run phishing simulations, response training and the technical controls above for SMEs across Hertfordshire, Bedfordshire and London. If you'd like a baseline assessment of where your business stands today, get in touch.

Ready to talk?

Discuss your IT requirements with our team. Call 01923 333111 or send us a message.

Authorised trading partners