Editorial & Advertiser disclosure

Global Banking and Finance Review is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

Home > Technology > Five key steps to defend your organisation from harmful phishing attacks

Five key steps to defend your organisation from harmful phishing attacks

Published by Jessica Weisman-Pitts

Posted on August 18, 2022

5 min read

Last updated: February 4, 2026

Warning alert on a computer screen highlighting phishing attacks - Global Banking & Finance Review — An alert message displayed on a computer screen emphasizes the importance of defending against phishing attacks. This image relates to the article's focus on protecting organizations from cyber threats and enhancing security measures.

By Chris Watkins, Head of Security, Ultima

Some of the worst cybercrimes have taken place because of a tiny flaw. Cybercriminals rely on this flaw in an organisation’s security defences – commonly the employees themselves – to launch their attack. You only need to look at the number and scale of phishing attacks taking place every year. In 2021, 83% of organisations reported experiencing phishing attacks. In 2022, an additional six billion attacks are expected to occur.

Many phishing defences start and end with employee training to help them spot a phishing email. Empowering employees is certainly a key strategy. But employee education is only a part of the solution. This article will explain how organisations can widen their defences using technical measures as well as reporting processes and plan for attacks to minimise their impact.

Phishing at its worse

A phishing attack is where a malicious hacker launches an email-based attack with the objective of obtaining user credentials so that they can gain a foothold within a corporate network and use that foothold to exploit data or demand a ransom. Cybercriminals use deception tactics to encourage users to click on a link which launches malware or makes the user give away details such as usernames, email addresses or better still, passwords.

Phishing emails are so common because it’s a numbers game; if a phishing campaign circulates to enough users (often in the millions), it increases the chance of success. Such data breaches not only cause loss of company data but lead to loss of revenue from a decline in customer trust and market value.

Here are five steps to take to bolster the defence of your corporate network that should be combined with effective employee training.

Review how you’re preventing phishing emails reaching you in the first place

Whether manual or through your cloud-based email provider, ensure that the filtering or blocking service is sufficient for your needs and that it is applied to all users’ accounts.

A filtering service will send them to a junk folder, whereas a blocking service will prevent the email getting through to the user completely. This is based on the senders IP address, domain name, attachment type or because it’s detected malware.

Think like a hacker

Often, thinking like a hacker is the best ways to spot one and this involves gaining an understanding of the nature of the threat that phishing poses to your organisation. What would a hacker want from an employee? Which departments are managing processes that are most sensitive (such as product development or finance) and could these processes be mimicked by a hacker?

Make specific processes more resilient

This involves good cyber hygiene practice. If dealing with many external email requests, try using multi-factor authentication, such as an SMS message or phone call to verify the sender.

Rather than sending and receiving email attachments, use a different login method or share files through an access-controlled account in the cloud such as Dropbox or Microsoft Teams.

Adopt a zero-tolerance security culture It’s important to be realistic – not everyone can spot a phishing email 100% of the time. Phishing emails have become much more sophisticated in recent years. Zero trust is the mindset of ‘protect everyone, verify everything’. Every user and device accessing a network is a potential threat. A zero-trust policy requires employees to act with a healthy dose of scepticism to everything that lands in their inbox. Such a culture brings the employee into the broader security network, establishing trust between the organisation and employee while increasing resilience.
Encourage transparency and ensure ease of reporting Often, it’s the phishing culture within an organisation that needs to be improved. Far from pointing the finger and assigning blame to an employee, it’s important to foster a culture of awareness, support, and action. If an employee feels that they are going to be reprimanded for not spotting a phishing email or making a mistake, they may not report it promptly, or at all. Implement a process that is easy to follow when an employee believes that a phishing email has made it past the company’s technical defences. Once it’s been reported, make sure that employees know that it will be actioned so that they feel encouraged to repeat the exercise again. Create an environment where employees aren’t afraid to ask out loud for extra support in spotting phishing attacks.

Being involved in an organisation’s awareness and reporting culture should all form part of an employee’s wider security hygiene which also includes password management, use of removable media and remote working practices among other things. As an organisation, this should be actively encouraged to ensure that security is maintained.

In summary

A combination of education, simulation, transparency and effective security reporting, along with leading-edge security tools are necessary to create a zero-trust organisation. From a technology perspective, this could involve multi-factor authentication, a VPN, encryption for files and updated hardware. Together, they can create a more secure corporate environment for all.

The reality is that there are always going to be threats that creep into a company’s layers of security. But if an organisation has the necessary security technology, employee education and a strong culture of zero-trust, then identifying and reporting threats becomes innate in everyone.