How to stop phishing emails from catching your team
Practical steps to reduce phishing risk in your business. Technical controls, training that works, and what to do when someone clicks.
By Jellybean Cyber
Phishing is still the number one way attackers get into businesses. Not because people are stupid — because the emails are good. A well-crafted phish looks exactly like a real email from Microsoft, your bank, or your CEO.
Here's what actually works to stop them.
The technical controls
These should be in place before you do anything else. They stop phishing emails from reaching your team in the first place.
Email authentication (SPF, DKIM, DMARC)
These three protocols verify that emails claiming to be from your domain actually came from your mail servers.
- SPF — lists which servers are allowed to send email on your behalf
- DKIM — cryptographically signs your outgoing emails
- DMARC — tells receiving servers what to do when a message fails both SPF and DKIM for your domain (quarantine or reject)
If you haven't set these up, attackers can send emails that look like they came from your domain. Your own clients could receive phishing emails "from" you.
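A quick way to see where a domain stands is to pull its SPF and DMARC TXT records and check the bits that matter: whether SPF ends in a hard fail, and whether DMARC actually enforces anything. The script below is an added example written for this article, not Jellybean Cyber's tooling. It replaces live DNS lookups with a constructed dictionary of TXT records (the `.test` domains are placeholders) so it runs offline; point `lookup_txt` at a real resolver to assess your own domain.

```python
"""Assess a domain's SPF and DMARC posture from its TXT records (offline demo).

Added example for this article; not Jellybean Cyber's code. DNS lookups are
replaced by the constructed SAMPLE_TXT dictionary below so the script runs
offline. Swap lookup_txt for a real resolver to check live domains.
"""

# Constructed sample records. The .test domains are placeholders.
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:spf.protection.outlook.test ip4:203.0.113.10 -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test; pct=100"],
    "weak.test": ["v=spf1 include:spf.protection.outlook.test ~all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.test"],
    "nothing.test": [],
}


def lookup_txt(name, records=SAMPLE_TXT):
    """Stand-in for a DNS TXT query: returns the TXT strings published at name."""
    return records.get(name, [])


def parse_spf(domain, records=SAMPLE_TXT):
    """Return the SPF mechanisms and the qualifier on 'all', or None if no SPF record."""
    spf = [r for r in lookup_txt(domain, records) if r.lower().startswith("v=spf1")]
    if not spf:
        return None
    terms = spf[0].split()[1:]
    # Modifiers such as redirect= and exp= contain '='; mechanisms do not.
    mechanisms = [t for t in terms if "=" not in t]
    all_term = next((t for t in mechanisms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        qualifier = None                     # no 'all' at the end: unknown senders are neutral
    elif all_term[0] in "+-~?":
        qualifier = all_term[0]
    else:
        qualifier = "+"                      # bare 'all' means pass
    return {"mechanisms": mechanisms, "all_qualifier": qualifier, "raw": spf[0]}


def parse_dmarc(domain, records=SAMPLE_TXT):
    """Return the DMARC tags as a dict, or None if no record is published."""
    recs = [r for r in lookup_txt("_dmarc." + domain, records) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain, records=SAMPLE_TXT):
    """Return a list of findings; an empty list means SPF and DMARC are both enforcing."""
    findings = []
    spf = parse_spf(domain, records)
    if spf is None:
        findings.append("no SPF record")
    elif spf["all_qualifier"] in (None, "+", "?"):
        findings.append("SPF does not fail unknown senders (missing, +all or ?all)")
    elif spf["all_qualifier"] == "~":
        findings.append("SPF softfail (~all): spoofed mail is marked, not rejected")

    dmarc = parse_dmarc(domain, records)
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        if dmarc.get("p", "none") == "none":
            findings.append("DMARC p=none: receivers take no action on failures")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua= address, so you get no aggregate reports")
        if dmarc.get("pct", "100") != "100":
            findings.append(f"DMARC policy applied to only {dmarc['pct']}% of mail")
    return findings


if __name__ == "__main__":
    for d in ("example.test", "weak.test", "nothing.test"):
        print(d, "->", assess(d) or ["OK: SPF hard fail and DMARC enforcing"])
```

A domain that comes back clean here is not done with DMARC: the `rua=` reports are where you find the legitimate senders you forgot to authorise before moving from `p=none` to `p=reject`.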
Email filtering
Use a proper email security gateway that scans for:
- Known malicious links and attachments
- Suspicious sender reputation
- Impersonation attempts (display name spoofing)
- URL rewriting and time-of-click analysis
Microsoft 365 and Google Workspace have built-in filtering, but dedicated solutions like Mimecast or Proofpoint catch significantly more. For smaller businesses, the built-in filters with proper configuration are a solid starting point.
Multi-factor authentication (MFA)
Even if someone enters their password on a phishing page, MFA stops the attacker from logging in. This is the single most effective control against credential phishing.
Use app-based MFA (Microsoft Authenticator, Google Authenticator) or hardware keys. SMS-based MFA is better than nothing but can be intercepted.
Enable MFA on everything. Email, VPN, cloud services, admin panels. No exceptions.
Training that actually works
Most security awareness training is boring, condescending, and forgotten within a week. Here's what works instead.
Run phishing simulations
Send realistic fake phishing emails to your team on a regular basis. Not to catch people out — to give them practice recognising phishing in a safe environment.
Track the results over time. You should see click rates drop. If they don't, change your approach.
Make reporting easy
Give your team a one-click way to report suspicious emails. A "Report Phishing" button in Outlook or Gmail. The easier it is, the more they'll use it.
Better yet, use our JellyPhish tool built into SecureDesk. Staff forward suspicious emails and get an instant analysis — sender reputation, link safety, attachment checks, and a clear verdict.
Teach the real tells
Forget "check for spelling mistakes." Modern phishing emails are grammatically perfect. Teach your team to check:
- The sender's actual email address — not the display name, the actual address
- Where links actually go — hover before clicking, check the domain
- Urgency and pressure — "your account will be locked in 24 hours" is almost always phishing
- Unexpected requests — especially anything involving money, credentials, or sensitive data
- The context — were you expecting this email? Does it make sense?
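Three of those tells can be checked automatically when someone reports an email, which is what a "Report Phishing" workflow should do before a human ever looks at it. The script below is an added example for this article, not Jellybean Cyber's or JellyPhish's code. It parses a constructed sample message (the look-alike sender domain and the `TRUSTED_BRAND_DOMAINS` mapping are placeholders) and flags a display name that does not match its sending domain, link text that points to a different domain than the actual `href`, and urgency phrases in the subject and body.

```python
"""Flag the phishing tells listed above in a raw email (added example).

Not Jellybean Cyber's or JellyPhish's code. SAMPLE_EMAIL, the brand-to-domain
mapping and the urgency phrase list are constructed for the demo; extend them
with your own suppliers and the wording your staff actually receive.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands whose name in a display name should come from their own domains (constructed).
TRUSTED_BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "jellybean cyber": {"jellybeancyber.example"},     # placeholder domain
}

URGENCY_PHRASES = ("within 24 hours", "account will be locked", "immediately",
                   "final notice", "suspended")

# Constructed sample phish: spoofed display name, look-alike domain, mismatched link.
SAMPLE_EMAIL = """From: Microsoft Support <alerts@m1crosoft-security.example>
To: finance@yourcompany.example
Subject: Action required: your account will be locked in 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Unusual sign-in activity detected. Verify immediately or your account will be locked.</p>
<p><a href="https://m1crosoft-security.example/verify?u=finance">https://login.microsoft.com/verify</a></p>
<p>Thanks, Microsoft Support</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'last two labels' domain; use a public-suffix list in production."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def analyse(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Tell 1: the actual address, not the display name.
    display, addr = parseaddr(msg["From"])
    sender_host = addr.rpartition("@")[2]
    for brand, domains in TRUSTED_BRAND_DOMAINS.items():
        if brand in display.lower() and registered_domain(sender_host) not in domains:
            findings.append(f"display name claims '{brand}' but address is @{sender_host}")

    # Tell 2: where the link actually goes versus what it shows.
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        shown = registered_domain(urlparse(text).hostname) if "://" in text else ""
        actual = registered_domain(urlparse(href).hostname)
        if shown and shown != actual:
            findings.append(f"link text shows {shown} but goes to {actual}")

    # Tell 3: urgency and pressure.
    blob = (str(msg["Subject"]) + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in blob]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("-", finding)
```

None of these checks is conclusive on its own (a legitimate newsletter can use urgent wording), which is why the output is a list of findings for the reporter to weigh rather than a single block/allow decision.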
What to do when someone clicks
It's going to happen. Someone will click a phishing link. What matters is what happens next.
Have a clear process
- Don't panic. Shame makes people hide incidents instead of reporting them.
- Report immediately. The faster you know, the faster you can contain it.
- Reset credentials. Change the password for any account that may have been compromised. Force MFA re-enrollment.
- Check for access. Did the attacker log in? Did they set up mail forwarding rules? Did they access any files?
- Contain the damage. Block the compromised account, revoke active sessions, and check for lateral movement.
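The "check for access" step is where most small businesses stall, because nobody knows what a malicious mail-forwarding rule looks like in the logs. The script below is an added example for this article, not Jellybean Cyber's code. It scans a constructed batch of mailbox audit events (shaped like Exchange inbox-rule events, with an `Operation` and a list of `Name`/`Value` parameters, but invented here) and reports rules that forward or redirect mail outside your own domains, with extra weight when the rule also deletes the original or has a near-empty name.

```python
"""Find inbox rules that exfiltrate mail, over constructed audit events (added example).

Not Jellybean Cyber's code. SAMPLE_EVENTS mimics the shape of Exchange/M365
inbox-rule audit records but is constructed; map the field names to whatever
your tenant's export actually uses. INTERNAL_DOMAINS is a placeholder.
"""
import json

# Parameters on New-InboxRule / Set-InboxRule that send a copy of mail elsewhere.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
INTERNAL_DOMAINS = {"yourcompany.example"}          # placeholder for your own domains

# Constructed events: one malicious rule, one benign internal redirect, one unrelated event.
SAMPLE_EVENTS = json.dumps([
    {"CreationTime": "2024-05-02T09:14:03", "UserId": "alice@yourcompany.example",
     "Operation": "New-InboxRule", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@mail-drop.example"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment"}]},
    {"CreationTime": "2024-05-02T10:02:41", "UserId": "bob@yourcompany.example",
     "Operation": "Set-InboxRule", "ClientIP": "192.0.2.7",
     "Parameters": [{"Name": "Identity", "Value": "Team updates"},
                    {"Name": "RedirectTo", "Value": "ops@yourcompany.example"}]},
    {"CreationTime": "2024-05-02T10:05:12", "UserId": "alice@yourcompany.example",
     "Operation": "MailItemsAccessed", "ClientIP": "198.51.100.23", "Parameters": []},
])


def external_addresses(value, internal_domains):
    """Split a ';'-separated recipient list and keep addresses outside internal_domains."""
    external = []
    for addr in value.split(";"):
        addr = addr.strip()
        domain = addr.rpartition("@")[2].lower()
        if domain and domain not in internal_domains:
            external.append(addr)
    return external


def find_suspicious_rules(events_json, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per rule-creation/change event that forwards mail externally."""
    findings = []
    for event in json.loads(events_json):
        if event.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
            continue
        params = {p["Name"]: p["Value"] for p in event.get("Parameters", [])}

        targets = []
        for name in sorted(FORWARDING_PARAMS & params.keys()):
            targets.extend(external_addresses(params[name], internal_domains))
        if not targets:
            continue                         # internal-only rules are normal

        reasons = ["forwards to external " + ", ".join(targets)]
        if params.get("DeleteMessage", "").lower() == "true":
            reasons.append("deletes the original so the user never sees it")
        rule_name = params.get("Name")
        if rule_name is not None and len(rule_name.strip()) <= 2:
            reasons.append(f"near-empty rule name {rule_name!r}")

        findings.append({"user": event["UserId"], "time": event["CreationTime"],
                         "ip": event.get("ClientIP"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_EVENTS):
        print(f"{f['time']} {f['user']} from {f['ip']}:")
        for reason in f["reasons"]:
            print("   -", reason)
```

Once a rule like Alice's turns up, the `ClientIP` on it is the pivot for the rest of the "check for access" step: every other event from that address in the same window tells you what else the attacker touched, and deleting the rule without revoking sessions just means it comes back.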
Foster a no-blame culture
If people get punished for clicking phishing links, they'll stop reporting them. You want a culture where reporting a potential phish is praised, not penalised.
The person who reports a phish in 30 seconds is worth more than perfect click rates on simulations.
The bottom line
Phishing defence is layers: technical controls to block most of it, training to catch what gets through, and a response plan for when something slips past both.
No single control stops all phishing. But the right combination makes your business a much harder target than the one next door.
Need help setting this up? Talk to us. We'll assess where you stand and build a plan that fits your team.