How to Protect Your Edinburgh Business from Phishing Attacks
TL;DR – What Edinburgh businesses need to know about phishing
- Phishing causes 85% of UK business breaches – the single biggest cyber threat (DSIT, 2025)
- AI-generated phishing achieves a 54% click-through rate, vs 12% for standard phishing (Microsoft, 2025)
- 52% of SME staff have received no cyber security training
- Edinburgh Council was hit by a spear-phishing attack in May 2025 – local businesses face the same tactics
- Most effective controls: MFA, DMARC, staff training, simulated phishing tests – most are free
Understanding phishing protection Edinburgh is essential for any business handling sensitive data. In May 2025, Edinburgh Council was targeted by a spear-phishing campaign. The attackers didn’t blast out a generic scam – they researched their target, crafted a convincing approach, and went after staff credentials. Edinburgh Council has an IT team. They had defences. They still got targeted.
Edinburgh professional services firms face exactly the same tactics. Law firms, financial advisers, accountants, healthcare practices – all are high-value targets because the data they hold and the payments they process are worth the effort.
Phishing isn’t random noise. It’s the entry point for 85% of UK business breaches (DSIT Cyber Security Breaches Survey 2025, April 2025). That figure hasn’t budged in years because phishing keeps working.
This guide gives Edinburgh business owners the practical steps to reduce their exposure – starting today. If you want the full picture, our Complete Cyber Security Guide for Edinburgh Businesses covers every major threat category, regulation, and control in one place.
Why Is Phishing Getting Harder to Spot?
AI-generated phishing emails now achieve a 54% click-through rate – compared to 12% for standard phishing – according to Microsoft’s 2025 Digital Defense Report and the DSIT Cyber Security Breaches Survey (2025). The gap between a real Microsoft 365 login page and a convincing fake has almost disappeared. Attackers who once needed copywriting skill now just need a prompt.
AI-generated phishing is 4.5 times more effective than manually written attacks. Microsoft’s 2025 Digital Defense Report found AI-generated phishing achieves a 54% click-through rate, compared to 12% for standard phishing. Microsoft is the most impersonated brand in phishing globally, accounting for 32% of all brand-based phishing attacks (Microsoft Digital Defense Report 2024).
The Five Psychological Triggers in Every Phishing Email
The NCSC has identified five psychological triggers that phishing emails consistently use. Knowing them makes the emails easier to spot – even convincing AI-generated ones.
Authority – “HMRC requires you to confirm your VAT details immediately.” The email claims to be from a body you can’t argue with: a bank, a regulator, a solicitor. Real HMRC communications don’t work like this; they arrive by post for significant matters.
Urgency – “Your account will be suspended in 24 hours.” Urgency is designed to stop you thinking. The faster you’re pushed to act, the less time you have to check.
Emotion – Fear, panic, or curiosity. An email saying your payment has failed uses fear. One saying “I’ve attached the invoice you asked for” uses curiosity – you click just to find out what invoice.
Scarcity – “This offer expires tonight.” Less common in business-focused phishing, but it appears in supply chain attacks dressed as procurement deals.
Current Events – Attackers follow the news. Tax season brings HMRC phishing. Major cyber incidents (like the Marks and Spencer attack in May 2025) prompt lookalike emails: “Has your data been compromised? Check here.”
Plus an emerging 2025 technique: QR codes in emails. Attackers now embed a QR code instead of a clickable link. Email security tools scan text links – they often can’t scan where a QR code points. The dangerous URL is in the QR image, not in the email text. The NCSC flagged this technique in 2025 as an active, growing risk.
Why Spear Phishing Is Different
Standard phishing is a spray-and-pray approach – millions of identical emails sent to harvested addresses. Spear phishing is the opposite. Attackers research a specific target before sending a single email.
They check LinkedIn for your name, title, and who you report to. They check Companies House for your registered address and director details. They look at your website for client names, supplier relationships, and service descriptions. Then they write an email that uses all of that.
Edinburgh Council was targeted this way in May 2025 (Texaport, 2025). Edinburgh law firms, financial advisers, accountants, and healthcare practices face exactly the same approach – they hold high-value data and process payments worth targeting.
How to Identify a Phishing Email
The DSIT Cyber Security Breaches Survey (2025) found that most phishing emails share detectable patterns – but skilled attackers make them hard to spot unless you know what to look for. Staff who recognise these red flags before clicking reduce breach risk significantly. 52% of UK SME employees have never received any cyber security training (Vodafone Business research, April 2025). That’s the gap attackers rely on.
Red Flags in the Sender and Header
Start with the sender address, not the display name. The display name is whatever the attacker typed – it can say “HMRC” or “Lloyds Bank” without any verification. The actual email address is what matters.
Watch for domains one character off the real one: microsofft.com, lloyds-bank.co.uk instead of lloydsbank.co.uk, hmrc-gov.uk instead of hmrc.gov.uk. Also check whether the reply-to address matches the sender address – a mismatch is a reliable red flag.
Be careful with emails from known contacts, too. If a supplier’s email account is compromised, you’ll get a real email from their real address asking you to do something unusual. That’s spear phishing at its most convincing.
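The three sender checks above (display name versus address domain, one-character-off lookalike domains, and a Reply-To that doesn’t match the From) can be scripted so that a mail gateway or a help-desk triage tool applies them consistently. This is an added example, not code from the original article: the sample messages and the `.test` domains are constructed, and `KNOWN_BRANDS` is an assumed list of the brands your staff are most likely to see impersonated.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed: brands this business expects mail from, and their real domains.
KNOWN_BRANDS = {
    "HMRC": "hmrc.gov.uk",
    "Microsoft": "microsoft.com",
    "Lloyds Bank": "lloydsbank.co.uk",
}

# Constructed sample messages (headers only matter for these checks).
SAMPLES = {
    "hmrc_lookalike": (
        'From: "HMRC" <notice@hmrc-gov.uk>\n'
        "Reply-To: refunds@mail-forward.test\n"
        "Subject: Confirm your VAT details immediately\n\nBody.\n"
    ),
    "microsoft_typo": (
        'From: "Microsoft account team" <security@microsofft.com>\n'
        "Subject: Unusual sign-in activity\n\nBody.\n"
    ),
    "legitimate": (
        'From: "Lloyds Bank" <alerts@lloydsbank.co.uk>\n'
        "Subject: Your monthly statement is ready\n\nBody.\n"
    ),
}


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits separate a from b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain):
    """Drop hyphens and dots so hmrc-gov.uk and hmrc.gov.uk compare equal."""
    return domain.lower().replace("-", "").replace(".", "")


def looks_like(domain, brand_domain):
    """True when domain is not the brand's domain but is within one edit of it."""
    if domain == brand_domain:
        return False
    return edit_distance(normalise(domain), normalise(brand_domain)) <= 1


def sender_red_flags(raw_message, brands=KNOWN_BRANDS):
    """Return the list of header red flags found in one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    flags = []
    for name, real in brands.items():
        # 1. Display name claims a brand but the address domain is not that brand's.
        if name.lower() in display.lower() and domain != real and not domain.endswith("." + real):
            flags.append(f"display name says {name!r} but address domain is {domain!r}")
        # 2. Address domain is a lookalike of a real brand domain.
        if looks_like(domain, real):
            flags.append(f"{domain!r} is a lookalike of {real!r}")
    # 3. Replies would go somewhere other than the claimed sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        flags.append(f"Reply-To {reply!r} differs from From {addr!r}")
    return flags


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", sender_red_flags(raw) or ["no sender red flags"])
```

A clean result does not mean the email is safe: a compromised supplier account passes every one of these checks, which is why unusual requests still get a phone call.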
Red Flags in the Email Content
Urgent requests involving money or credentials are the most reliable signal. “Please approve this urgent payment before end of business” sent unexpectedly – especially if it asks you to bypass your normal authorisation process – should always be verified by phone.
Watch for generic greetings (“Dear Customer”, “Dear User”) rather than your name. Low-grade phishing still uses these. AI-generated phishing uses your name correctly, so this test is necessary but not sufficient.
One pattern that catches people off guard: an email that says “don’t call the office about this, just reply here.” That instruction exists specifically to prevent you from verifying it through a channel the attacker doesn’t control.
Red Flags in Links and Attachments
Hover over any link before clicking. The URL that appears in your browser’s status bar should match the claimed sender’s domain. If an email says it’s from Microsoft and the link goes to microsoft-account-verify.net, that’s not Microsoft.
QR codes in emails deserve extra scepticism. There is no legitimate business reason a supplier or HMRC needs to send you a QR code to scan. If you see one, treat it as a phishing attempt until you’ve verified it directly with the sender.
For attachments: .zip files, .docx files that ask you to enable macros, and .pdf files with embedded links are the most commonly weaponised formats. Don’t open unexpected attachments – even from known senders – without verifying the request first.
6 Technical Controls That Stop Phishing Before It Reaches Your Staff
The DSIT Cyber Security Breaches Survey (2025) shows that technical controls filter out or neutralise phishing attacks before a staff member has to make a judgement call. Only 40% of UK businesses have enabled multi-factor authentication (DSIT Cyber Security Breaches Survey 2025), the single most effective control available. The six measures below address the technical gaps present in the majority of successful phishing attacks.
41% of UK SMBs experienced fraud in 2024, with 24% specifically citing phishing scams as the fraud type. The average SMB loss per fraud incident was £3,808 (Visa / Opinium Research, 1,000 UK SME decision-makers, March 2024). For Edinburgh professional services firms handling client payments and sensitive data, the risk is concentrated and the losses are direct.
For a full checklist of controls, see our Cyber Security Checklist for Edinburgh SMEs.
1. Enable Multi-Factor Authentication on Every Account
MFA is the single highest-impact control you can enable today. Even if an attacker steals a password through a phishing email, they cannot log in without the second factor.
Priority accounts: Microsoft 365, Google Workspace, online banking, accounting software (Xero, QuickBooks, Sage), and any cloud storage. Use an authenticator app – Microsoft Authenticator or Google Authenticator – rather than SMS codes. SMS codes travel over the phone network and can be intercepted or redirected; codes generated by an authenticator app never leave the device.
Cost: free on all major platforms. If only 40% of UK businesses have done this (DSIT 2025), enabling MFA today puts you ahead of the majority.
2. Configure DMARC, DKIM, and SPF on Your Domain
Without these three DNS records, anyone can send an email that appears to come from your domain. Your clients could receive phishing emails that say they’re from you@yourbusiness.com – and nothing would flag them as fraudulent.
DMARC at enforcement level (p=reject) tells receiving mail servers to reject any email claiming to be from your domain that fails authentication. Getting to p=reject is the goal. Most UK businesses have not reached it.
Who does this: your IT provider sets these records in your DNS. It takes under two hours. Check your current status for free at mxtoolbox.com/dmarc.
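Checking your own status comes down to reading two TXT records: the one at _dmarc.yourdomain (the p= tag is what matters) and the SPF record on the domain itself (the final all mechanism decides what happens to unlisted senders). This added example, which is not code from the article, parses both and classifies them the way the guide does: p=none is monitoring only, p=reject is the goal. The DNS answers are constructed samples on reserved .test domains; swap `SAMPLE_DNS` for a real resolver to check a live domain.

```python
# Constructed sample DNS answers standing in for real TXT lookups of
# _dmarc.<domain> (DMARC) and <domain> (SPF). The .test TLD is reserved.
SAMPLE_DNS = {
    "_dmarc.partial-example.test": "v=DMARC1; p=none; rua=mailto:dmarc@partial-example.test",
    "partial-example.test": "v=spf1 include:spf.protection.outlook.com ~all",
    "_dmarc.enforced-example.test": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@enforced-example.test",
    "enforced-example.test": "v=spf1 include:spf.protection.outlook.com -all",
    "nodmarc-example.test": "v=spf1 +all",
}


def parse_tags(record):
    """Turn 'v=DMARC1; p=reject; ...' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Classify a DMARC TXT record by what it makes receiving servers actually do."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return {"policy": None, "enforcing": False,
                "finding": "no DMARC record: receivers apply no policy to spoofed mail"}
    tags = parse_tags(record)
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))  # share of failing mail the policy applies to
    if policy == "reject" and pct == 100:
        return {"policy": policy, "enforcing": True,
                "finding": "enforced: mail failing SPF/DKIM alignment is rejected"}
    if policy in ("reject", "quarantine"):
        return {"policy": policy, "enforcing": False,
                "finding": f"partial: p={policy} pct={pct}; move to p=reject at 100%"}
    return {"policy": policy, "enforcing": False,
            "finding": "p=none: monitoring only, spoofed mail is still delivered"}


def assess_spf(record):
    """Report the SPF 'all' qualifier, which decides the fate of unlisted senders."""
    if not record or not record.lower().startswith("v=spf1"):
        return {"qualifier": None, "finding": "no SPF record"}
    last = record.split()[-1].lower()
    if last == "-all":
        return {"qualifier": last, "finding": "hard fail for unlisted senders"}
    if last == "~all":
        return {"qualifier": last, "finding": "soft fail only; DMARC must do the blocking"}
    if last in ("+all", "all"):
        return {"qualifier": "+all", "finding": "any server may send as this domain"}
    return {"qualifier": last, "finding": "record does not end in an 'all' mechanism"}


def assess_domain(domain, dns=SAMPLE_DNS):
    """Combine both checks for one domain; `dns` maps a name to its TXT record."""
    return {"domain": domain,
            "dmarc": assess_dmarc(dns.get(f"_dmarc.{domain}")),
            "spf": assess_spf(dns.get(domain))}


if __name__ == "__main__":
    for name in ("partial-example.test", "enforced-example.test", "nodmarc-example.test"):
        result = assess_domain(name)
        print(name, "|", result["dmarc"]["finding"], "|", result["spf"]["finding"])
```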
3. Enable Advanced Email Filtering
Microsoft 365 Business Premium includes Microsoft Defender – anti-phishing policies, Safe Links (which re-checks URLs at click time), and Safe Attachments (which detonates attachments in a sandbox before delivery). If you’re on Microsoft 365 and not using Business Premium, upgrading is worth the cost difference.
Enable external email warning banners – a simple one-line notice that says “This email was sent from outside your organisation.” It sounds minor. We’ve found it meaningfully increases staff vigilance because it gives people explicit permission to pause.
4. Block Malicious Links with DNS Filtering
DNS filtering tools intercept traffic to known malicious domains – even if a staff member clicks a phishing link. The request to visit malicious-login.net gets blocked before the page loads.
Options: Cloudflare Gateway is free and effective for small businesses. Cisco Umbrella and similar enterprise tools add policy controls and reporting for larger teams. DNS filtering works on managed devices including remote workers – as long as the device is enrolled.
5. Control Who Has Admin Access
Admin accounts that get phished give attackers the keys to everything. They can create new user accounts, change passwords, access all data, and disable security controls – all within minutes of gaining access.
Separate admin accounts from day-to-day accounts. Use your admin credentials only for IT administration tasks. Use your regular account for email, documents, and everything else. Most breaches escalate because admin credentials were in use when the phishing email arrived.
6. Keep Software Patched – Phishing Often Exploits Unpatched Systems
Phishing emails frequently deliver malware that exploits known vulnerabilities. “Known” means a patch exists – the attacker is betting you haven’t applied it yet. The NCSC recommends applying high-severity patches within 14 days of release.
Enable automatic updates for Windows, browsers, Microsoft 365 apps, and business applications. For servers and infrastructure, your IT provider should have a patching schedule. Ask them when yours was last reviewed.
Does Staff Training Actually Make a Difference?
Technical controls reduce phishing risk, but they don’t eliminate it (DSIT Cyber Security Breaches Survey, 2025). The final filter is a staff member who pauses before clicking. 52% of UK SME employees have never received any security awareness training (Vodafone Business, April 2025). The good news: effective training doesn’t require a budget. Scotland has a free, proven tool that works.
The NCSC’s Exercise in a Box programme was piloted in Scotland by the Cyber and Fraud Centre Scotland, reaching 266 organisations and 772 attendees through phishing and ransomware simulation exercises. The programme is free, takes under two hours per session, and is designed for organisations without in-house security expertise (Cyber and Fraud Centre Scotland, cyberfraudcentre.com).
NCSC Exercise in a Box – Free and Scotland-Proven
Exercise in a Box is a free online tool from the NCSC containing tabletop exercises covering phishing, ransomware, and data breach scenarios. No technical knowledge is required. It was designed specifically for non-technical teams and board members.
Scotland’s Cyber and Fraud Centre ran a pilot that reached 266 organisations and 772 attendees. That’s a meaningful dataset. The exercises work.
A standard phishing exercise takes under an hour. You can run it as a team lunch session with no external facilitation. The NCSC also provides a facilitator guide if you’d like someone to lead it. Start at exerciseinabox.service.ncsc.gov.uk.
For a full directory of free tools available to Scottish businesses, see our guide to Free Cyber Security Resources for Scottish Businesses.
Simulated Phishing Tests
Sending fake phishing emails to your own staff is more effective than classroom training alone. Staff learn from experience – clicking a test email and seeing the immediate feedback creates a memory that a slide deck doesn’t.
Free options include GoPhish (open source, self-hosted) and the phishing exercises within Exercise in a Box. Paid platforms – KnowBe4, Proofpoint Security Awareness, Mimecast Awareness Training – add automated scheduling, reporting, and pre-built template libraries for larger teams.
Run simulations at least quarterly. Never shame individuals who click; use it as a teaching moment. The goal is to build habit, not to catch people out.
What Your Training Should Cover
Cover the NCSC’s five psychological triggers (Authority, Urgency, Emotion, Scarcity, Current Events) with real examples relevant to your sector. For Edinburgh law firms and financial advisers, HMRC and Companies House impersonation are especially relevant.
Add the QR code email tactic to your training pack – it’s a 2025 development your staff are unlikely to know about. Teach people to check sender addresses, hover over links before clicking, and what to do if they’re unsure: don’t click, don’t reply, call IT.
Run a refresher after any major public cyber incident. The M&S attack in May 2025 prompted a wave of lookalike phishing emails. Staff who’d been trained recently recognised them. Those who hadn’t were far more exposed.
What to Do If Someone in Your Business Clicks a Phishing Link
The DSIT Cyber Security Breaches Survey (2025) reports that speed matters. The moment someone clicks a phishing link or enters credentials on a fake page, the clock starts. Isolate the device, reset the credentials, and assess what data was exposed – in that order. A prepared Cyber Incident Response Plan reduces a chaotic, expensive response to a manageable checklist.
Immediate Steps – First 30 Minutes
Act in this sequence:
- Don’t switch the device off. Disconnecting from the network is enough. A powered-off device may be harder to examine forensically later.
- Disconnect from the network. Unplug the ethernet cable or disable WiFi on the affected device.
- Reset passwords from a different, unaffected device. Change the password for any account whose credentials were entered on the phishing page.
- Enable or verify MFA on the compromised account immediately – if MFA wasn’t on, enable it now before the attacker can act.
- Tell your IT contact straight away. Don’t investigate alone and don’t email from the compromised account.
Assess the Damage
What was phished determines the severity. An email account compromise is high risk – the attacker can read all received email, use it to reset passwords on other accounts, and impersonate you to your clients and suppliers. A banking or payment portal compromise is critical.
Check whether any payments were authorised or initiated during the compromised window. If so, call your bank immediately – fraud teams can sometimes reverse transactions if they’re contacted quickly.
Were any client or employee personal details likely visible in the compromised account? If so, you may have a data breach requiring ICO notification. Don’t wait to find out for certain – get legal or IT advice within the first few hours.
Report to the Right Authorities in Scotland
Don’t assume reporting is someone else’s problem. The right contacts for a Scottish business:
- Action Fraud: actionfraud.police.uk or 0300 123 2040 – for fraud-related phishing attacks
- Police Scotland: 101 (non-emergency) or 999 if you’re actively under attack
- NCSC: report.ncsc.gov.uk – for significant incidents affecting business operations
- ICO: ico.org.uk – if personal data was exposed, you have a 72-hour reporting window from the point you become aware of the breach
- Cyber and Fraud Centre Scotland: cyberfraudcentre.com – specialist support for Scottish businesses; they can advise on next steps without needing to report formally
Frequently Asked Questions
What is the most common type of phishing attack targeting Edinburgh businesses?
Email phishing impersonating Microsoft 365 login pages is the most common form. Microsoft is the most impersonated brand globally, representing 32% of all brand-based phishing attacks (Microsoft Digital Defense Report 2024). Edinburgh professional services firms are also frequently targeted by invoice fraud – emails that appear to come from a known supplier but redirect payment to a fraudulent account. 24% of UK SMBs who experienced fraud in 2024 cited phishing as the fraud type (Visa / Opinium Research, 2024). If your business processes supplier invoices or client payments, you’re a plausible target for both types.
How much does a phishing attack typically cost a small business in Scotland?
The average cost of the most disruptive breach for a UK micro or small business was £1,510 in 2025 – up 93% from £780 in 2023 – rising to £3,550 when zero-cost incidents are excluded (DSIT Cyber Security Breaches Survey 2025). For SMBs that experienced fraud specifically, the average loss was £3,808 (Visa / Opinium Research, 2024). Those figures cover direct financial loss only. Operational disruption, staff time spent recovering systems, and the cost of customer notification or regulatory reporting can easily double the real cost.
What is spear phishing and am I at risk?
Spear phishing is targeted. Attackers research a specific individual – using LinkedIn, Companies House, and your website – before sending a single email. They use your name, your role, your suppliers’ names. Edinburgh Council was targeted this way in May 2025. Law firms, financial advisers, accountants, and healthcare practices in Edinburgh are high-value targets because they hold sensitive client data and process significant payments. If your business is listed on Companies House or has a visible web presence, you’re reachable.
What is DMARC and does my business need it?
DMARC is a DNS record that prevents attackers from sending emails that appear to come from your domain – a technique called domain spoofing. Without it, someone can send a convincing phishing email to your clients that shows your email address in the from field. At enforcement level (p=reject), DMARC instructs receiving mail servers to block those emails outright. Check your current status for free at mxtoolbox.com/dmarc. Your IT provider or a DNS-literate developer can implement it – the technical work takes under two hours.
Is Exercise in a Box really free and suitable for non-technical teams?
Yes. Exercise in a Box is a free NCSC tool with no catch. Exercises take under two hours and require no prior security knowledge to run or participate in. The NCSC provides facilitator guides if you want to lead a session. Scotland’s Cyber and Fraud Centre ran a pilot reaching 266 organisations and 772 attendees – the programme is proven at the local level. A single phishing exercise, run as a team session over lunch, is more effective than most paid awareness training.
If an employee clicks a phishing link, do we need to tell anyone?
It depends on what data was accessed. The ICO’s 72-hour reporting requirement applies only if personal data about identifiable individuals was likely exposed or accessed. Clicking a phishing link and closing the browser without entering credentials may not trigger any mandatory reporting. Entering credentials to an email account containing client personal data almost certainly does. When in doubt, get advice quickly – the ICO’s breach-reporting guidance is at ico.org.uk/report-a-breach. For financial fraud, report to Action Fraud regardless of whether personal data was involved.
Can Cyber Essentials certification help protect against phishing?
Yes – significantly. Cyber Essentials covers the five technical controls that block or limit the impact of phishing: boundary firewalls, secure configuration, access control, malware protection, and patch management. It’s the UK government’s baseline certification for cyber hygiene. Getting certified doesn’t prevent every phishing email from arriving, but it closes the gaps that turn a phishing click into a full breach. It also demonstrates to clients and insurers that you’ve met a recognised standard. Our guide to Cyber Essentials certification in Scotland covers the process, cost, and how to prepare.
Phishing Isn’t Going Away – But Most Attacks Are Preventable
According to the DSIT Cyber Security Breaches Survey (2025), AI has made phishing harder to spot and harder to filter. But the businesses that get hit aren’t usually the ones with no defences. They’re the ones who knew they should have MFA enabled and hadn’t got around to it. The ones who hadn’t run a single phishing simulation with staff. The ones whose DMARC record was still at p=none.
The six technical controls in this guide block the majority of phishing attempts before they reach a staff member. Exercise in a Box is free and takes under two hours. The hardest part isn’t the technology – it’s making the time.
Start with MFA and DMARC today. Run an Exercise in a Box session this month. Both are free. Both materially reduce your exposure. If you want to understand where your business stands on phishing protection – or if you need hands-on help implementing DMARC, MFA, or Microsoft 365 Defender policies – a 30-minute call with an Edinburgh IT specialist is a practical first step.
Our view, and a contrarian one: annual, compliance-driven phishing training is useless. Training must be continuous, unannounced, and tied to daily workflows.
The businesses most at risk from phishing aren’t those without technical controls – they’re those who’ve partially implemented them. A DMARC record at p=none (monitoring only) gives a false sense of protection while doing nothing to block spoofed emails. A Microsoft 365 subscription without Defender policies enabled is a security tool that isn’t switched on. Partial implementation is the gap attackers depend on.
Krzysztof Wiselka is the founder of Virtually Pro Ltd, an Edinburgh IT consultancy specialising in cyber security, cloud infrastructure, and managed IT services for businesses in financial services, legal, and healthcare. Virtually Pro is Cyber Essentials certified and based at 83 Princess Street, Edinburgh EH2 2ER.