How to Protect Your Business Email from Phishing Attacks
Phishing is the most common way cybercriminals target Australian businesses. Here's how to protect your business email and train your team to spot attacks.
Every day, Australian businesses receive millions of phishing emails. Some are obvious — badly written messages asking you to click a suspicious link. Others are frighteningly convincing, crafted to look exactly like an email from the ATO, a bank, a supplier, or even your own boss.
Phishing is consistently the most common entry point for cyber attacks on Australian small businesses, according to the Australian Cyber Security Centre (ACSC). And it works — not because business owners are foolish, but because modern phishing attacks are designed by professionals who study human behaviour for a living.
The good news is that a combination of technical controls and staff awareness can stop the vast majority of phishing attacks before they cause harm.
What Is Phishing?
Phishing is when a cybercriminal sends a deceptive email designed to trick you into doing one of three things:
- Clicking a link that takes you to a fake website to steal your login credentials
- Opening an attachment that installs malware on your device
- Transferring money or sensitive information directly
The name comes from "fishing" — casting a wide net and waiting for someone to bite. Attackers send millions of phishing emails at once, and they only need a tiny percentage of recipients to take the bait.
Variants include spear phishing (targeted at a specific person or business, using personal details to seem more credible) and whaling (targeting senior executives specifically).
How to Spot a Phishing Email
Training yourself and your team to recognise the warning signs is the first line of defence. Look out for:
Suspicious sender addresses
The display name may say "ATO Tax Refund" while the actual address is something like noreply@ato-refunds-gov.com.au. Note the hyphens: the domain that was registered is ato-refunds-gov.com.au, which has nothing to do with the genuine ato.gov.au. Many mail clients, particularly on phones, show only the display name, so hover over or tap the sender name to reveal the full address. Bear in mind that the address itself can also be forged when the impersonated organisation has not enforced DMARC on its domain, so a genuine-looking address is not proof on its own.
Urgency and pressure
Phishing emails create a sense of panic: "Your account will be suspended in 24 hours," "Immediate action required," or "You have an outstanding tax debt." Legitimate organisations rarely demand instant action via email alone.
Unexpected links and attachments
Hover over any link before clicking it. The destination shown in the status bar or tooltip should match where you expect to go; on a phone, press and hold the link to preview it rather than tapping. Be especially wary of compressed files (.zip), executable files (.exe), HTML attachments that open a "login page", and Office documents that ask you to "Enable Macros" or "Enable Content".
Generic greetings
Mass phishing emails often use "Dear Customer" or "Dear User" rather than your actual name. Spear phishing attacks, however, may use your real name, so this alone is not a reliable indicator.
Unusual requests
An email from your "CEO" asking you to buy gift cards urgently, or a "supplier" sending new bank account details, should always be verified by phone before acting — using a phone number you already have, not one provided in the email.
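The warning signs above can be checked mechanically as well as by eye. The script below is an added example, not code from the original page: it parses a raw email and reports each indicator the section describes (a display name that claims a trusted brand while the address is elsewhere, a lookalike domain built around that brand, urgency phrases, a link whose visible text names a different site than its real destination, and dangerous attachment types). The two sample messages, the trusted-domain list and the phrase list are constructed for illustration, and the registrable-domain logic is a deliberate simplification that only knows Australian second-level suffixes; use a public-suffix library in production.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains this business genuinely receives mail from (constructed for the
# example; a real deployment maintains its own list).
TRUSTED_DOMAINS = {"ato.gov.au", "example-bank.com.au"}
# Attachment types worth flagging outright (see "Block dangerous file types").
DANGEROUS_EXTENSIONS = (".exe", ".vbs", ".ps1", ".js", ".lnk", ".iso", ".html", ".docm", ".xlsm", ".zip")
URGENCY_PHRASES = ("immediate action required", "within 24 hours", "will be suspended", "outstanding tax debt")
# Australian second-level suffixes, so ato-refunds-gov.com.au is compared as a
# whole rather than collapsing to "com.au". Simplification for this example.
AU_SECOND_LEVEL = {"com", "gov", "net", "org", "edu", "id", "asn"}

# Constructed sample messages: one modelled on the ATO lure above, one genuine.
SAMPLE_PHISH = """\
From: "ATO Tax Refund" <noreply@ato-refunds-gov.com.au>
To: owner@smallbiz.example
Subject: Immediate action required: outstanding tax debt
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended in 24 hours.</p>
<p>Review your refund at <a href="http://ato-refunds-gov.com.au/login">https://www.ato.gov.au/refund</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Tax_Statement.pdf.exe"

ZmFrZQ==
--b1--
"""

SAMPLE_LEGIT = """\
From: "Australian Taxation Office" <noreply@ato.gov.au>
To: owner@smallbiz.example
Subject: Your activity statement is ready
Content-Type: text/plain; charset="utf-8"

Your next activity statement is available in your ATO online services account.
"""


def registrable_domain(host):
    """www.ato.gov.au -> ato.gov.au; ato-refunds-gov.com.au stays as it is."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-1] == "au" and labels[-2] in AU_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_of(domain):
    return domain.split(".")[0]


def lookalike_of(domain):
    """Return the trusted domain whose brand label `domain` reuses, or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if re.search(r"(^|[.-])" + re.escape(brand_of(trusted)) + r"([.-]|$)", domain):
            return trusted
    return None


def strip_tags(html):
    return re.sub(r"<[^>]+>", " ", html)


def check_message(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Suspicious sender: brand in the display name but not in the address,
    #    or a lookalike domain built around a trusted brand.
    display_name, address = parseaddr(str(msg["From"]))
    sender_domain = registrable_domain(address.rpartition("@")[2])
    if sender_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if re.search(r"\b" + re.escape(brand_of(trusted)) + r"\b", display_name.lower()):
                findings.append(f"display name '{display_name}' but address is {address}")
                break
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(f"lookalike sender domain {sender_domain} (not {imitated})")

    # 2. Urgency and pressure in the subject or body.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    text = (str(msg["Subject"] or "") + " " + strip_tags(html)).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency phrases: " + ", ".join(hits))

    # 3. Links whose visible text names a different site than the real href.
    for href, label in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        target = registrable_domain(urlparse(href).hostname or "")
        shown = strip_tags(label).strip()
        if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", shown, re.I):
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname
            if registrable_domain(shown_host) != target:
                findings.append(f"link text shows {shown_host} but points to {target}")
        if lookalike_of(target):
            findings.append(f"link to lookalike domain {target}")

    # 4. Dangerous attachment types. (Password-protected archives need a
    #    separate zip-inspection step and are not detected here.)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(DANGEROUS_EXTENSIONS):
            findings.append(f"dangerous attachment {part.get_filename()}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, check_message(sample) or ["no indicators"])
```

Run against the constructed lure it reports six findings; against the genuine message it reports none. The display-name and lookalike checks are the ones worth keeping even if you drop the rest, because they are the two that spear phishing cannot avoid tripping when it borrows a brand you trust.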
Technical Controls That Block Phishing at the Source
Individual vigilance matters, but you should not rely on it alone. These technical measures filter out a significant proportion of phishing emails before they reach your inbox.
Enable spam and phishing filters
Both Microsoft 365 and Google Workspace have built-in anti-phishing and anti-spam protections. Make sure these are turned on and configured to their recommended settings. Microsoft Defender for Office 365 (included with Microsoft 365 Business Premium, an add-on for other plans) adds Safe Links, which re-checks a URL at the moment it is clicked rather than only at delivery, and Safe Attachments, which opens attachments in a sandbox before delivery. Google Workspace exposes its equivalent attachment, link and spoofing protections under Gmail safety settings in the admin console.
Set up email authentication (SPF, DKIM, DMARC)
These three DNS records tell receiving mail servers how to verify that an email claiming to be from your domain really came from you. They do not filter the phishing that arrives in your own inbox from other domains, but they stop criminals sending mail that claims to be from your exact domain, whether the target is a customer, a partner, or your own staff receiving a fake "CEO" message. They also help ensure your genuine emails are not marked as spam. Note that DMARC only blocks anything once its policy is set to quarantine or reject; a monitoring-only policy (p=none) reports spoofing but lets it through. (See our dedicated guide on DMARC, SPF and DKIM for setup instructions.)
Use multi-factor authentication on your email
Even if a phishing attack successfully steals your email password, MFA means that password alone is not enough to sign in. This is one of the most important protections you can implement. One caveat: a fake login page that relays your password and your SMS or app code to the real site in real time can still get in, so prefer a security key or passkey where your platform supports it, and never approve a sign-in prompt you did not initiate. (See our guide on MFA for more detail.)
Block dangerous file types
Configure your email system to block attachments with file types commonly used by malware, including .exe, .vbs, .ps1, .js, .lnk, disk images (.iso, .img), and password-protected archives, which scanners cannot open. Match on the real extension, not the name shown, so that a double extension like Invoice.pdf.exe is caught. Microsoft 365 and Google Workspace both allow administrators to set these rules.
Consider a dedicated email security gateway
Tools like Proofpoint Essentials, Mimecast, or Barracuda Email Security sit in front of your email system and provide an additional layer of filtering. These are worth considering if your team handles sensitive data or high-value financial transactions.
What to Do If You Receive a Suspicious Email
Establish a clear process so your team knows what to do:
- Do not click any links or open attachments
- Report the email to your IT contact or administrator
- In Microsoft 365, use the "Report Message" button to flag it as phishing
- In Gmail, click the three dots next to the email and select "Report phishing"
- If you think your business may have been targeted specifically, report it to the ACSC at ReportCyber.gov.au
- If you clicked a link or opened an attachment by mistake, do not wait to see what happens: tell your IT support straight away and follow the recovery steps in the next section
What to Do If You Have Already Been Phished
Clicked a link and entered your credentials? Time matters. Do the following as quickly as possible:
- Change your password immediately from a different, unaffected device, then sign out of all active sessions from your account's security settings (or have your administrator do it) so the attacker's existing session is cut off too
- Enable MFA if it was not already active
- Check your account for any unauthorised changes: email forwarding and inbox rules, connected apps, newly registered MFA methods or recovery addresses, mailbox delegates, and sent messages
- Alert your IT provider or administrator
- If financial information was involved, contact your bank immediately
- Report the incident to ReportCyber.gov.au
- If personal data may have been exposed, you may have notification obligations under the Privacy Act 1988 and the Notifiable Data Breaches scheme — seek advice if you are unsure
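Forwarding and inbox rules are the change attackers most often leave behind, because a rule keeps copying your mail to them after the password is changed. The audit below is an added example, not code from the original page: it scans a list of mailbox rules and flags any that forward or redirect outside the business, that delete or hide mail matching sensitive keywords, or that carry a near-empty name. The rules are constructed, and their shape follows the messageRule objects that Microsoft Graph returns from a mailbox's inbox messageRules endpoint (field names are an assumption taken from the Graph documentation; Graph reports moveToFolder as a folder id, which you would resolve to a name first, whereas the sample uses names directly). A Google Workspace export would need its own loader.

```python
# The business's own domain(s); any other destination is "external".
# Constructed for this example.
INTERNAL_DOMAINS = {"smallbiz.example"}
# Folders attackers commonly use to hide replies from the victim.
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk email", "archive"}
SENSITIVE_KEYWORDS = {"password", "invoice", "bank", "payment", "mfa", "verification"}

# Constructed rules modelled on the Graph messageRule shape (assumption).
SAMPLE_RULES = [
    {   # Ordinary internal routing: forwards to a colleague, nothing hidden.
        "displayName": "Invoices to accounts", "isEnabled": True,
        "conditions": {"subjectContains": ["invoice"]},
        "actions": {"forwardTo": [{"emailAddress": {"address": "accounts@smallbiz.example"}}]},
    },
    {   # Typical attacker persistence: external copy, then delete the original.
        "displayName": ".", "isEnabled": True,
        "conditions": {"bodyOrSubjectContains": ["password", "invoice", "bank"]},
        "actions": {
            "forwardTo": [{"emailAddress": {"address": "archive.backup@webmail.example"}}],
            "delete": True, "markAsRead": True, "stopProcessingRules": True,
        },
    },
    {   # Housekeeping: moving newsletters is not suspicious.
        "displayName": "Newsletters", "isEnabled": True,
        "conditions": {"senderContains": ["newsletter"]},
        "actions": {"moveToFolder": "Newsletters"},
    },
    {   # Disabled rules are reported separately by the platform; skipped here.
        "displayName": "Old forward", "isEnabled": False,
        "conditions": {},
        "actions": {"redirectTo": [{"emailAddress": {"address": "me@webmail.example"}}]},
    },
]


def is_external(address):
    return address.rpartition("@")[2].lower() not in INTERNAL_DOMAINS


def audit_rules(rules):
    """Return [(rule name, [reasons])] for every enabled rule that looks like
    attacker persistence rather than ordinary housekeeping."""
    flagged = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue
        actions = rule.get("actions", {})
        conditions = rule.get("conditions", {})
        name = rule.get("displayName", "")

        external = []
        for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
            for recipient in actions.get(key, []):
                address = recipient["emailAddress"]["address"]
                if is_external(address):
                    external.append(f"{key} external address {address}")

        destructive = []
        if actions.get("delete") or actions.get("permanentDelete"):
            destructive.append("deletes matching mail")
        if str(actions.get("moveToFolder", "")).lower() in HIDE_FOLDERS:
            destructive.append(f"hides mail in {actions['moveToFolder']}")

        words = set()
        for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains"):
            words.update(w.lower() for w in conditions.get(key, []))
        sensitive = sorted(words & SENSITIVE_KEYWORDS)
        keyword_reason = ["matches sensitive keywords: " + ", ".join(sensitive)] if sensitive else []

        # Attackers favour names like "." or ",," that are easy to overlook.
        bad_name = [f"near-empty rule name {name!r}"] if len(name.strip()) <= 2 else []

        # Deleting or hiding on its own is housekeeping; it becomes suspicious
        # when combined with sensitive keywords or an external destination.
        if external or (sensitive and destructive) or bad_name:
            flagged.append((name, external + destructive + keyword_reason + bad_name))
    return flagged


if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES):
        print(f"rule {name!r}:")
        for reason in reasons:
            print("   ", reason)
```

On the sample data only the rule named "." is flagged, with all four reasons. In Exchange Online the same data is available to an administrator through the Get-InboxRule cmdlet and the mailbox's ForwardingSmtpAddress property, which is the quickest way to check every mailbox in the tenant rather than one account at a time.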
Building a Phishing-Aware Culture
Technology can only do so much. The most resilient businesses make security awareness part of their culture — not a one-off training exercise, but an ongoing conversation.
Simple habits that make a big difference include: always verifying unexpected financial requests by phone, never sharing passwords over email, and creating a psychologically safe environment where staff feel comfortable reporting a suspected mistake without fear of blame.
Phishing simulations — where you send harmless fake phishing emails to test your team — can also be highly effective. Tools like KnowBe4 and Proofpoint Security Awareness Training make it easy to run these exercises and identify who needs extra support.
Key Takeaways
- Phishing is the most common cyber attack vector for Australian small businesses — it targets people, not just technology
- Train your team to recognise the key warning signs: suspicious sender addresses, urgency, unexpected links and attachments, and unusual requests
- Enable anti-phishing filters in Microsoft 365 or Google Workspace and keep them updated
- Set up SPF, DKIM and DMARC to prevent criminals from impersonating your domain
- MFA on your email account means a stolen password alone cannot unlock your inbox
- Create a clear, no-blame process for staff to report suspicious emails
- If you have been phished, change your password immediately and report the incident to ReportCyber.gov.au
Want to know how well-protected your business email is right now? Flagged offers a free cyber risk assessment designed specifically for Australian small businesses. It takes minutes and gives you a clear, actionable report — no technical knowledge required.