
Take Steps To Protect Your Organization From Phishing Attacks

Pondurance
October 14, 2025

Small and midsize organizations are targets for threat actors who use phishing schemes as a way to steal sensitive data, fraudulently take money, or cause disruption. Phishing has become so prevalent that it has now replaced stolen credentials as the No. 1 initial attack vector for threat actors, according to IBM Security’s Cost of a Data Breach Report 2025. Today, phishing is responsible for 16% of all breaches, costing an average of $4.8 million per breach.


Phishing attacks are different from many other types of cyberattacks because they use human error rather than a technology vulnerability as their entry point. An employee can click on one wrong link and unwittingly allow a threat actor to steal credentials, access business accounts, or install malware or ransomware.


The Cybersecurity and Infrastructure Security Agency (CISA) recommends that all organizations take steps to protect against phishing, and there’s no better time to take those steps than during Cybersecurity Awareness Month 2025 in October. There are many things employees at your organization can do to combat phishing, including understanding how phishing works, knowing the different types of phishing that threat actors use, recognizing the red flags associated with phishing, and participating in training to protect themselves and the organization from attacks.


How phishing works

A phishing attack is designed to manipulate an employee into providing information such as passwords, bank account numbers, PIN numbers, credit card numbers, and Social Security numbers, to name a few. In a phishing attack, a threat actor impersonates a co-worker, customer, or business associate and sends a message requesting that the employee take a particular action such as click on a link, open an attachment, or visit a website. Since the message looks legitimate, the employee may be convinced to take the requested action. 


Once the action is taken, the threat actor has what they need to further the attack, going on to commit fraud, take over bank accounts, steal credit cards, collect Social Security numbers, install malware or ransomware, or complete whatever plan is in place to disrupt and harm the organization’s finances, business operations, or reputation. The employee may not even know the attack occurred until much later.


Types of phishing

Threat actors use numerous types of phishing scams to convince employees to hand over their sensitive information. Emails are the most common way that phishing occurs, but the attack can also happen on an employee’s phone, by text message, or via website. The APWG Phishing Activity Trends Report, which analyzes phishing attacks reported by its member companies, observed more than 2.1 million phishing attacks for the first six months of 2025, and the number of phishing attacks being reported is steadily rising. The increase in phishing is cause for concern, and every organization should be familiar with the types of phishing attacks that employees may encounter.


  • Spear phishing. This email phishing attack targets a specific employee who has access to sensitive information or accounts. The threat actor may study the target before the attack to plan a convincing strategy using personal details to make the email seem more authentic — and more likely to succeed. Very similar to spear phishing, whale phishing is a targeted attack on a high-profile executive or high-net-worth individual.


  • Business email compromise (BEC). In this phishing attack, the threat actor sends an email to an employee at an organization that appears to be from another employee, customer, or business associate. The email deceives the employee into sending files that contain sensitive data, wiring money to a fake bank account, paying a fraudulent invoice, or performing some other harmful act. BEC attacks accounted for more than $2.7 billion in losses in 2024, making them one of the costliest types of cyberattacks, according to the FBI Internet Crime Report 2024.

  • Vishing. This attack occurs by voicemail or phone using voice over internet protocol technology. The threat actor may impersonate a co-worker, customer, or business associate to convince the employee to provide sensitive information. As a different tack, the threat actor may try to frighten the employee with threats of legal trouble, past due invoices, credit card issues, or other critical situations that require immediate attention.

  • Smishing. This phishing attack occurs through text messages. The fake texts often appear to come from a phone carrier, the post office, a credit card company, or even toll road operators, asking for updated account information or payments.

Threat actors also use many other phishing schemes to trick employees into giving up their information, including clone phishing, website spoofing, image phishing, domain spoofing, search engine phishing, and more. Cybercriminals constantly devise new malicious phishing attacks, so employees need to stay alert to potential threats.


Red flags

In past years, phishing messages were fairly easy to recognize with poor grammar, awkward language, or misspellings. Today, threat actors are able to use artificial intelligence (AI) tools to create messages that are much more sophisticated and effective. 


However, there are several red flags to alert employees that a message may be a phishing attack, and employees should watch out for these signs of phishing:


  • Incorrect email address or website URL. Threat actors use subtle differences in spelling to deceive employees, so employees should closely examine the address or URL.

  • Unknown email address from a known sender. If an email address is not one that the sender usually uses, it may be a sign of phishing.

  • Urgent request. If an email sender requests a quick response or offers an emotional plea for action, the employee should think carefully before responding.

  • Links within an email. Employees should always hover over a link to confirm that its actual destination is the legitimate site, since the visible link text can differ from where the link really goes. Also, they should never click on the “unsubscribe” link of a suspicious email.

  • Unknown phone numbers. Employees should not use phone numbers from an unsolicited email. Instead, look up the phone number on the company’s website and call that number to verify that the message is real.

  • Suspicious attachments. Employees should be cautious about any email attachment and should never open attachments from an unknown sender. 

  • Request for login credentials, money, or personal or financial information. Employees need to know that legitimate organizations will not ask for these items in an email.
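A defender-side check that turns the red flags above into code, written for this post as an added example rather than Pondurance's own tooling. The trusted-domain allowlist, the known-sender table, and both email samples are constructed for the demonstration. It flags look-alike sender domains (typosquats, homoglyphs, and a trusted domain embedded in an attacker's domain), a known display name arriving from an unexpected address, urgent wording, requests for credentials or money, and links whose visible text points somewhere other than their real destination.

```python
"""Scan an email for the phishing red flags listed above (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of the organization's own/partner domains and the
# addresses its well-known senders actually use (constructed for the demo).
TRUSTED_DOMAINS = {"example.com", "bank-example.com"}
KNOWN_SENDERS = {"acme payroll": "payroll@example.com"}
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "will be suspended")
SENSITIVE_PHRASES = ("password", "verify your account", "wire transfer", "social security")
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
FROM_RE = re.compile(r'^\s*(?:"?(?P<name>[^"<]*?)"?\s*)?<(?P<addr>[^>]+)>\s*$')
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def levenshtein(a, b):
    """Edit distance; one or two edits away from a real domain is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain):
    """Fold common look-alike characters (0/o, 1/l, rn/m, vv/w) before comparing."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if genuine or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None  # the real domain or one of its own subdomains
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(trusted) or levenshtein(domain, trusted) <= 2:
            return trusted  # examp1e.com, exarnple.com, exampel.com
        if trusted in domain:  # deliberately aggressive; tune for short domain names
            return trusted  # example.com.evil.net, login-example.com
    return None


def parse_from(header):
    """Split 'Display Name <addr>' into (display name, lower-cased address)."""
    m = FROM_RE.match(header)
    if m:
        return (m.group("name") or "").strip(), m.group("addr").strip().lower()
    return "", header.strip().lower()


class BodyParser(HTMLParser):
    """Collect visible text and every (href, anchor text) pair from an HTML body."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._anchor = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def check_email(from_header, subject, html_body):
    """Return [(red flag, detail), ...]; an empty list means no red flag fired."""
    flags = []
    name, addr = parse_from(from_header)
    sender_domain = addr.rsplit("@", 1)[-1]
    imitated = lookalike_of(sender_domain)
    if imitated:
        flags.append(("lookalike sender domain", f"{sender_domain} imitates {imitated}"))
    expected = KNOWN_SENDERS.get(name.lower())
    if expected and addr != expected:
        flags.append(("unexpected address for known sender", f"{name!r} usually sends from {expected}"))
    parser = BodyParser()
    parser.feed(html_body)
    text = (subject + " " + "".join(parser.text)).lower()
    if hits := [p for p in URGENCY_PHRASES if p in text]:
        flags.append(("urgent language", ", ".join(hits)))
    if hits := [p for p in SENSITIVE_PHRASES if p in text]:
        flags.append(("request for credentials or money", ", ".join(hits)))
    for href, anchor in parser.links:
        host = (urlparse(href).hostname or "").lower()
        shown = DOMAIN_RE.search(anchor)  # the domain the employee *sees* in the link text
        if shown and host != shown.group(0).lower() and not host.endswith("." + shown.group(0).lower()):
            flags.append(("link text does not match destination", f"shows {shown.group(0)}, goes to {host}"))
        if imitated := lookalike_of(host):
            flags.append(("lookalike link domain", f"{host} imitates {imitated}"))
    return flags


# Constructed samples: one phishing lure and one genuine notification.
PHISH = ('"Acme Payroll" <payroll@examp1e.com>',
         "Urgent: verify your account within 24 hours",
         '<p>Your account will be suspended. Sign in at '
         '<a href="https://example.com.evil-login.net/verify">https://example.com/login</a> '
         'and confirm your password.</p>')
GENUINE = ('"Acme Payroll" <payroll@example.com>',
           "October payslip available",
           '<p>Your payslip is in the <a href="https://hr.example.com/payslips">HR portal</a>.</p>')

if __name__ == "__main__":
    for sample in (PHISH, GENUINE):
        print(sample[1], "->", check_email(*sample) or "no red flags")
```

Checks like these belong in a mail gateway or in the script that triages employee-reported messages; they complement rather than replace the habit of hovering over a link, because the anchor text and the real destination are exactly the two things the code compares. The allowlist approach also shows why the "unknown address from a known sender" red flag needs an organization-specific table of who normally writes from where.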


How to protect against phishing

The threats from phishing can be relentless, but small and midsize organizations can protect against these attacks. Providing user awareness training, implementing technology, and establishing reporting protocols can help keep employees and sensitive data safe.


Offering ongoing user awareness training is one of the most critical steps an organization can take to protect against phishing. After all, knowledgeable, observant employees are the best defense against a phishing attack. During training, employees can learn what a phishing attack is, how to recognize the signs of phishing, what they can do to prevent phishing attacks, and how to report phishing. Training improved phishing recognition for 52% of participants, according to a National Cybersecurity Alliance study.


Organizations can use tools and technology to detect phishing messages and files, including email security software, spam filters, antivirus software, and anti-malware software. Also, endpoint detection and response solutions with AI and advanced analytics can intercept phishing attempts. In addition, CISA recommends that all organizations implement phishing-resistant multifactor authentication (MFA) to combat phishing. MFA is an authentication method that requires an employee to provide two or more factors, or forms of identification, during login for an extra layer of security. Of the available MFA methods, only phishing-resistant MFA withstands a phishing attack; other forms, such as one-time codes an employee types in, can themselves be phished and relayed by the threat actor.


Unfortunately, even with training and technology, phishing attacks can still occur, so organizations should have procedures in place for reporting suspected cyber events. Employees need to know how to immediately report a suspicious email, phone call, or text message to a trusted person at the organization. Then, if warranted, the organization can contact CISA, the FBI’s Internet Crime Complaint Center, the Anti-Phishing Working Group, or the Federal Trade Commission to take further action with authorities.


Conclusion

Small and midsize organizations are targets for phishing attacks as threat actors tenaciously plot to steal sensitive data, access financial accounts, and cause disruption. But your organization can take steps to teach employees what they need to know about phishing attacks to protect your organization’s data and accounts and keep your business operating without disruption.

