The top three ways for SMBs to prevent phishing attacks in 2023

Some @ symbols and email envelope icons submerged in water being caught by fishing hooks
(Image credit: Getty Images)

Look at the different types of cyberattack that businesses, large and small, succumb to on a weekly basis and you'll find common denominators. Malware, ransomware, DDoS campaigns, and botnets galore all cause massive disruption in their own ways, and most of them incur heavy recovery costs. But one thing almost all of these attacks share is the initial access method: phishing.

Phishing is the scourge of the cyber threat landscape and the reason for so many successful cyberattacks. By now, organizations should have at least a basic phishing protection toolkit, but building a phish-resistant security stack takes a great deal of thought and expertise. Ideally, you know your environment well enough to pick the products that fend off the biggest threats of 2023, but many businesses don't have that level of understanding.

All too many SMBs also lack a dedicated security function, which compounds the issue. Turning to managed service providers (MSPs) is fast becoming a popular option. They provide expert advice on the best solutions to implement, how to implement them, and can even run the organization’s security on their behalf.

Prevent phishing in 2023: Where SMBs stand

While some SMBs manage IT and cybersecurity internally, the requirements placed on businesses to stay cyber-secure are growing every year. A solution that’s right for one business may go wasted at another – it’s all about personalizing services for maximum effect. Choosing to work with an MSP has clear advantages, especially for businesses without substantial security expertise on their team. No organization can afford to waste any money in the current economic climate, and MSPs can help advise on the most suitable products for each of their clients.

According to the Datto SMB Cybersecurity for MSPs Report, one in four SMBs outsource their security to MSPs and one in six outsource to a dedicated managed security services provider (MSSP). With reports of phishing attacks rising each year as well, the need for well-selected and professionally managed security services is only going to become greater.

Data from Zscaler ThreatLabz's latest research shows that global phishing attacks are up nearly 50% year on year, and IBM's Cost of a Data Breach report for 2022 puts the average cost of a breach that began with phishing at $4.91 million. The need for effective phishing protection is clear for all to see, and for SMBs operating in turbulent economic conditions, investing in the right solutions could ultimately save the business from bankruptcy.

1. Prevent phishing in 2023: Passwordless authentication

Going passwordless may sound counterintuitive as passwords have been the way in which all organizations have kept access to accounts and systems secure for decades. Yet the transition to passwordless authentication is becoming a popular choice among businesses of all sizes and verticals.

Earlier this month, Google enabled passkeys for all user accounts. Passkeys replace the password, and the separate one-time code that usually serves as the second factor, with public-key cryptography. A private key is generated on and never leaves the user's device, such as a company-issued smartphone, while the service stores only the matching public key. When a member of staff wants to log into a service, such as their email, instead of entering a password and a two-factor authentication (2FA) code they simply confirm the login on their device, typically with its screen lock, a fingerprint or a PIN, and the device signs a one-time challenge from the service. The device holds a separate key pair for every service it has been registered with, each bound to that service's domain.

Apple also has its own version of passkeys that allows users to create a passkey on their iPhone, which can also be used across other Apple devices connected to the same iCloud account for authentication.

When you remove the password from the equation, you remove one of the most valuable pieces of information a cybercriminal can tease out of a successful attack. A phishing page has nothing to harvest: there is no secret for the user to type, and the signature the device produces is tied to the domain of the genuine service and to a single login attempt, so a look-alike site cannot obtain anything it could replay against the real one. This prevents the account compromises that lead to much worse consequences such as data theft and ransomware incidents. Passkeys are seen as 'the next big thing' in preventing phishing attacks because, rather than a credential that can be captured in transit, the cybercriminal would need the worker's unlocked device itself in order to log into their account.
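To make that concrete, here is a small Go model of the passkey login flow. It is an illustration added for this article, not code from Google's or Apple's implementation or from the WebAuthn standard, and it leaves out attestation, user verification and the real data formats. It keeps the ingredients that matter for phishing resistance: a key pair per service held on the device, a random single-use challenge from the service, a browser that only hands the device the identifier of the site it is actually connected to, and a signature that covers the origin and the challenge. The service domain mail.example.com, the user name, the look-alike domain and the message layout are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

type (
	// Authenticator is the user's device: one private key per relying-party ID (a domain). Keys never leave it.
	Authenticator struct{ keys map[string]*ecdsa.PrivateKey }
	// Assertion is the device's signed answer to one login challenge.
	Assertion struct {
		RPID, Origin         string
		Challenge, Signature []byte
	}
	// RelyingParty is the web service: enrolled public keys per user and one outstanding challenge each.
	RelyingParty struct {
		rpID, origin string
		pubKeys      map[string]*ecdsa.PublicKey
		pending      map[string][]byte
	}
)

// digest is what gets signed: rpID, origin and challenge, each length-prefixed so they cannot run together.
func digest(rpID, origin string, challenge []byte) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d:%s%d:%s%d:%s", len(rpID), rpID, len(origin), origin, len(challenge), challenge)))
	return sum[:]
}

// browserAssert plays the browser: it knows which origin it is really connected to (assumed https)
// and refuses to use another site's rpID, so a look-alike page cannot make the device sign with the real key.
func browserAssert(a *Authenticator, origin, rpID string, challenge []byte) (*Assertion, error) {
	host := strings.TrimPrefix(origin, "https://")
	if host != rpID && !strings.HasSuffix(host, "."+rpID) {
		return nil, fmt.Errorf("browser: rpID %q is not valid for origin %q", rpID, origin)
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("authenticator: no credential for %q", rpID)
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(rpID, origin, challenge))
	if err != nil {
		return nil, err
	}
	return &Assertion{RPID: rpID, Origin: origin, Challenge: challenge, Signature: sig}, nil
}

// BeginLogin issues a fresh 32-byte challenge that is valid for a single attempt.
func (rp *RelyingParty) BeginLogin(user string) []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand: documented never to return an error since Go 1.24
	rp.pending[user] = c
	return c
}

// FinishLogin is where phishing and replay fail: the signature must verify under the enrolled key
// and cover this site's own rpID and origin and the single-use challenge this site issued.
func (rp *RelyingParty) FinishLogin(user string, as *Assertion) error {
	pub, ok := rp.pubKeys[user]
	want, pendingOK := rp.pending[user]
	delete(rp.pending, user) // the challenge is consumed whether or not the check passes
	switch {
	case !ok || !pendingOK || !bytes.Equal(want, as.Challenge):
		return fmt.Errorf("unknown user, no login in progress, or replayed challenge")
	case as.RPID != rp.rpID || as.Origin != rp.origin:
		return fmt.Errorf("assertion is bound to %q, not %q", as.Origin, rp.origin)
	case !ecdsa.VerifyASN1(pub, digest(as.RPID, as.Origin, as.Challenge), as.Signature):
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// Enroll creates the service for rpID (an assumed domain) and a device holding a passkey for user:
// the device keeps the private key and the service receives only the public key.
func Enroll(user, rpID string) (*Authenticator, *RelyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	dev := &Authenticator{keys: map[string]*ecdsa.PrivateKey{rpID: priv}}
	rp := &RelyingParty{rpID: rpID, origin: "https://" + rpID, pending: map[string][]byte{},
		pubKeys: map[string]*ecdsa.PublicKey{user: &priv.PublicKey}}
	return dev, rp, nil
}

// Login is one complete attempt from origin; a phishing attempt is just a Login from a look-alike origin.
func Login(dev *Authenticator, rp *RelyingParty, user, origin string) error {
	as, err := browserAssert(dev, origin, rp.rpID, rp.BeginLogin(user))
	if err != nil {
		return err
	}
	return rp.FinishLogin(user, as)
}
```

Run `Login(dev, rp, "alice", "https://mail.example.com")` after `Enroll("alice", "mail.example.com")` and it succeeds; run it from "https://mail.example.com.login-check.example" and the browser step refuses before the device ever signs, because that host is not the real service's domain or a subdomain of it. Even if an attacker somehow obtained a genuine assertion, it is bound to the origin it was made for and to a challenge that is deleted on first use, so it fails at FinishLogin. Compare this with a password or a one-time code, which the user types into whatever page is in front of them.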

Going passwordless will require organization-wide buy-in and would be a significant project for the IT team to carry out effectively. But, considering the dangers phishing presents and how successful the method has become, it's perhaps an outlay worth making.

2. Prevent phishing in 2023: Email security solutions

The vast majority of cyberattacks (91%) begin with a malicious email, according to Microsoft, so implementing tools to stop initial access attempts right at the source is imperative. Most cybersecurity vendors offer effective tooling for email security and new features available to customers are continually developed.

The usual spam filters, which keep getting more intelligent, are essentially a given with any email service now, but an aftermarket email security solution adds functionality such as detonating suspicious attachments in a sandbox before they reach the user, and encryption of outbound mail. Most offer advanced threat detection built on threat intelligence feeds of known malicious senders, URLs and attachment signatures, so protection keeps pace with current campaigns. Additionally, with the rise of spoofed and hijacked sender addresses, an effective email security tool also validates sender identity, typically by checking SPF, DKIM and DMARC so that the From address the recipient sees is tied to a domain that actually authorized the message, minimizing the risk of some of the most convincing lures out there.
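The sender-validation step is worth seeing in detail, because it is the part of an email gateway that turns a convincing spoof of a colleague's address into a rejected message. The Go code below is an example written for this article, not the code of any email security product. It implements the decision at the heart of DMARC: the receiving server has already checked SPF (which domain the sending server was allowed to send for) and DKIM (which domain signed the message), and DMARC asks whether either of those authenticated domains lines up with the domain in the From header the user actually sees. The DMARC record, headers and domains are constructed for the example, and the organizational-domain rule is simplified to the last two labels, where a real checker consults the Public Suffix List.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// AuthResults is what the receiving mail server has already established for a message (as it
// would record in an Authentication-Results header): whether SPF passed and for which envelope
// sender domain, and whether a DKIM signature verified and for which signing domain (the d= tag).
type AuthResults struct {
	SPFPass, DKIMPass     bool
	SPFDomain, DKIMDomain string
}

// DMARCPolicy holds the tags of the sender domain's _dmarc TXT record that the check needs.
type DMARCPolicy struct {
	Policy                string // none, quarantine or reject
	StrictDKIM, StrictSPF bool   // adkim=s / aspf=s; the default is relaxed
}

// ParseDMARC reads a record such as "v=DMARC1; p=reject; adkim=s; aspf=r".
func ParseDMARC(record string) (DMARCPolicy, error) {
	var p DMARCPolicy
	for _, tag := range strings.Split(record, ";") {
		k, v, found := strings.Cut(strings.TrimSpace(tag), "=")
		if !found {
			continue
		}
		k, v = strings.ToLower(strings.TrimSpace(k)), strings.TrimSpace(v)
		switch k {
		case "v":
			if v != "DMARC1" {
				return p, fmt.Errorf("not a DMARC record: %q", record)
			}
		case "p":
			p.Policy = strings.ToLower(v)
		case "adkim":
			p.StrictDKIM = v == "s"
		case "aspf":
			p.StrictSPF = v == "s"
		}
	}
	if p.Policy == "" {
		return p, fmt.Errorf("DMARC record has no p= tag: %q", record)
	}
	return p, nil
}

// aligned implements DMARC identifier alignment. Strict requires the From domain and the
// authenticated domain to match exactly; relaxed accepts the same organizational domain,
// approximated here as the last two labels (real checkers use the Public Suffix List).
func aligned(fromDomain, authDomain string, strict bool) bool {
	if strict {
		return strings.EqualFold(fromDomain, authDomain)
	}
	org := func(d string) string {
		labels := strings.Split(strings.ToLower(strings.TrimSuffix(d, ".")), ".")
		if len(labels) > 2 {
			labels = labels[len(labels)-2:]
		}
		return strings.Join(labels, ".")
	}
	return org(fromDomain) == org(authDomain)
}

// FromDomain returns the domain of the RFC 5322 From header: the address the recipient
// actually sees, and therefore the identity DMARC protects.
func FromDomain(rawFrom string) (string, error) {
	addr, err := mail.ParseAddress(rawFrom)
	if err != nil {
		return "", err
	}
	at := strings.LastIndex(addr.Address, "@")
	if at < 0 {
		return "", fmt.Errorf("no domain in From address %q", addr.Address)
	}
	return addr.Address[at+1:], nil
}

// Evaluate returns "deliver", "quarantine" or "reject" for one message.
func Evaluate(rawFrom string, ar AuthResults, dmarcRecord string) (string, error) {
	fromDomain, err := FromDomain(rawFrom)
	if err != nil {
		return "", err
	}
	pol, err := ParseDMARC(dmarcRecord)
	if err != nil {
		return "", err
	}
	// DMARC passes when either mechanism passed AND its domain aligns with the From domain.
	dkimOK := ar.DKIMPass && aligned(fromDomain, ar.DKIMDomain, pol.StrictDKIM)
	spfOK := ar.SPFPass && aligned(fromDomain, ar.SPFDomain, pol.StrictSPF)
	if dkimOK || spfOK {
		return "deliver", nil
	}
	if pol.Policy == "reject" || pol.Policy == "quarantine" {
		return pol.Policy, nil
	}
	return "deliver", nil // p=none: the domain owner only wants reports, so the mail still goes through
}
```

With a record of `v=DMARC1; p=reject; adkim=s; aspf=r`, a message claiming to be from payments@example.com but sent through an attacker's infrastructure passes SPF and DKIM only for the attacker's domains, aligns with nothing, and is rejected; the same From address sent via bounce.example.com passes under relaxed SPF alignment and is delivered. Two caveats a practitioner should keep in mind: the check is only as strong as the policy the sending domain publishes (p=none lets everything through), and DMARC says nothing about the display name, so `"payments@example.com" <x@attacker.example>` sails through if attacker.example authenticates properly. Display-name impersonation needs a separate rule in the gateway.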

Email security tools have been around for many years and as such, there are plenty of solutions out there to choose from, so it’s worth shopping around for the one that’s right for your organization.

3. Prevent phishing in 2023: Web security

Phishing emails are what most people associate with a phishing attack, but the internet is littered with malicious websites filled with dangerous downloads and other tricks to steal data from your employees.

Having passwordless authentication enabled, or failing that MFA backed by a hardware security key rather than SMS or app-generated codes (which a convincing fake login page can capture and relay), together with a robust email security tool, will stop most unauthorized access attempts. But when an email evades every detection, reaches the inbox and looks legitimate enough to convince a worker to click a malicious link, web security measures must be in place to block access to bad websites.

Many phishing emails contain links to external sites that, when visited, can lead to malware downloads, or sometimes spoof legitimate online services with frightening accuracy. The best course of action is to prevent employees from ever accessing such sites by deploying a range of tools.

The NCSC recommends keeping browsers up to date, something your IT team can enforce with company-wide policies. Modern browsers ship with built-in protection against known malicious sites (Google Safe Browsing in Chrome and Firefox, Microsoft Defender SmartScreen in Edge), but the latest blocking rules and the fixes for browser vulnerabilities only arrive with updates, so be sure browsers are patched promptly.

Running a proxy service is also a good idea and another of the NCSC's recommendations. Organizations can route all workers' internet requests through a proxy server, which acts as an intermediary between the employee and the online resource they're trying to access. If the proxy is configured to block domains known to be malicious, the connection never reaches the phishing site, potentially saving the business from serious data loss or unauthorized access. One caveat: for HTTPS traffic the proxy only sees the destination hostname (from the browser's CONNECT request) unless it also performs TLS inspection, so blocking by domain works out of the box but filtering by page content does not.
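The decision such a proxy makes is simple to state and easy to get wrong, so here is a worked version in Go. It is an example written for this article, not a commercial proxy or the NCSC's guidance, and the blocklist entries, domains and listening port are constructed. It shows the details that matter: the destination host is taken from properly parsed URLs rather than by searching the string (so a link like `https://mail.example.com@evil.example/` is recognised as a request to evil.example), a listed parent domain also blocks any subdomain under it, bare IP addresses and unexpected schemes are refused, and for HTTPS the only thing available to check is the host from the CONNECT request.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Blocklist holds known-malicious domains, the kind of list a threat feed supplies to the proxy.
// An entry covers the domain and every subdomain under it. The entries used below are constructed.
type Blocklist map[string]struct{}

// Decision carries the verdict and the reason, so the proxy can log why a request was blocked.
type Decision struct {
	Allowed bool
	Host    string
	Reason  string
}

// Check decides for one requested URL. The host comes from real URL parsing, not from searching the
// string: "https://mail.example.com@evil.example/" is a request to evil.example (the familiar name is
// only the userinfo part), and a bare IP literal carries no domain reputation at all.
func (b Blocklist) Check(rawURL string) Decision {
	u, err := url.Parse(rawURL)
	if err != nil || u.Hostname() == "" {
		return Decision{Reason: "unparseable URL or empty host"}
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return Decision{Reason: "scheme not proxied: " + u.Scheme}
	}
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	if net.ParseIP(host) != nil {
		return Decision{Host: host, Reason: "raw IP address instead of a hostname"}
	}
	if u.User != nil {
		return Decision{Host: host, Reason: "credentials in URL, a look-alike trick (policy choice)"}
	}
	// Walk up the labels (a.b.example, b.example, example) so a listed parent domain also blocks
	// any throwaway subdomain an attacker creates under it.
	labels := strings.Split(host, ".")
	for i := range labels {
		if _, hit := b[strings.Join(labels[i:], ".")]; hit {
			return Decision{Host: host, Reason: "blocklisted domain: " + strings.Join(labels[i:], ".")}
		}
	}
	return Decision{Allowed: true, Host: host}
}

// targetOf recovers the URL to check from a proxied request. Plain HTTP requests carry the full
// absolute URL; for HTTPS the browser sends "CONNECT host:443", so the proxy sees only the
// destination host, which is still enough to block by domain.
func targetOf(r *http.Request) string {
	if r.Method == http.MethodConnect {
		return "https://" + r.Host + "/"
	}
	return r.URL.String()
}

// ServeHTTP makes the blocklist a forward-proxy handler.
func (b Blocklist) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if d := b.Check(targetOf(r)); !d.Allowed {
		http.Error(w, "blocked by web security policy: "+d.Reason, http.StatusForbidden)
		return
	}
	if r.Method == http.MethodConnect {
		http.Error(w, "CONNECT tunnelling is not implemented in this example", http.StatusNotImplemented)
		return
	}
	// Allowed plain-HTTP requests are forwarded to the absolute URL they already carry.
	(&httputil.ReverseProxy{Director: func(*http.Request) {}}).ServeHTTP(w, r)
}

func main() {
	bl := Blocklist{"evil.example": {}, "login-check.example": {}} // constructed entries
	log.Fatal(http.ListenAndServe("127.0.0.1:3128", bl))          // point the browser's proxy setting here
}
```

Refusing URLs that carry credentials and requests to raw IP addresses are policy choices rather than part of any standard; both are common in phishing links and rare in legitimate business browsing, but check your own traffic before enabling them. The blocklist here is a fixed map; a production proxy refreshes it from a threat feed and logs every Decision so the security team can see which users clicked.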

There are, of course, myriad other solutions that can help bolster an SMB’s security posture, but having strong authentication protocols, as well as email and web security solutions installed, can stymie most phishing attempts. Datto’s report shows that phishing emails were the main reason SMBs have experienced security issues, so there’s never been a better time to take cybersecurity seriously than right now.


ITPro is a global business technology website providing the latest news, analysis, and business insight for IT decision-makers. Whether it's cyber security, cloud computing, IT infrastructure, or business strategy, we aim to equip leaders with the data they need to make informed IT investments.
