While they pose a significant risk to your business, there are several steps you can implement to help mitigate phishing attacks targeting your company. Let’s take a look at a few of them below.

1) Security Awareness Training

Your best line of defense against phishing attacks is continued education.

Phishing attempts are only successful because of human error, which means your employees need to be taught how to spot them before they fall victim to an attack. Conduct regular security awareness training, including enrolling your employees in courses that help them identify phishing attempts.

As a part of this training, you can even conduct phishing simulations to help them understand how they should respond in real-world situations.

2) Email Security

In addition to security awareness training, bolster your email security. Be certain spam filters are active on email accounts across your network, make it easy for employees to report phishing scams, and be zealous when it comes to password security. 

3) Disable Macros

A popular way for attackers to install malware or spyware on your computer is by delivering a Microsoft Office document that requires macros to run. Macros are shortcuts or specific keystrokes that make routine commands easier to implement (i.e. print, save, undo). 

By disabling macros, you mitigate the risk of malware being unsuspectingly installed on an enterprise device in the case an employee accidentally opens an infected attachment. Be sure to make this a default setting and enforce it in your group policy.

4) Implement Multi-Factor Authentication

Another effective step in protecting yourself from being hacked via phishing attempts is to enable multi-factor authentication on all accounts. 

In the event you do fall victim to a phishing attack and accidentally hand over your email address and password, you have a second line of defense since you need another device in order to authenticate access. Microsoft reports this simple tactic blocks 99% of attempted hacks.

5) Encrypt Sensitive Data

Encryption converts all the data on your network and devices into something only accessible via an authentication key. By encrypting your data, you provide an additional layer of security in the event you’re compromised due to a phishing attack.

6) Employ SSL Certificates

Secure Socket Layer (SSL) certificates indicate information transmitted between a user and a website is encrypted and secure. 

These certificates are identified by “https://” at the beginning of a URL address. Other times, it’s indicated by a lock or the word “secure” in the browser bar. Websites without encryption only have “http://” at the beginning of the URL address and often read “not secure” in the browser bar.

If your company’s website collects any sort of personal information from its users (emails, passwords, credit card information, etc.), you need an SSL certificate to ensure their information is transmitted securely. Additionally, Google now uses SSL as a ranking signal. Without one, your website will be harder to find in search results.

7) Provide Securely Hosted Payment Pages

In addition to SSL certificates, if your business collects payment information via the web, it’s important to provide securely hosted payment pages (HPP) for your users.

These are typically hosted by a third-party and can either be embedded into your website or redirect users to a secure platform to process payments. An HPP is already secure and PCI-certified, helps you avoid sensitive credit card information from passing through your servers, and reduces your liability in the event credit card information is stolen.

8) Ensure Security Policy Covers Phishing Prevention Measures

Lastly, ensure your security policy clearly covers phishing prevention measures. This includes requiring security awareness training, establishing password requirements, mandating two-factor authentication, and policies regarding mobile device security.


Phishing is intentionally designed to trick, manipulate, and force an attacker’s targets into surrendering personal and sensitive information. Sometimes phishing attacks are quick financial ploys, whereas other times, they are a small piece of a larger social engineering attack to bring down an enterprise.

It’s vital for your small business to proactively train its employees to identify and prevent phishing attempts in their tracks, including establishing detailed security protocols to mitigate the risk of exposing sensitive data.

To summarize:

Need help identifying gaps in your company’s security? Commprise offers IT security and compliance auditing, including phishing tests. Book a call.