
Phishing Protection for Business: What Works

27 May 2026 | By CIO Tech

Most businesses approach phishing the same way: send staff a training video, maybe run a simulated phishing test, and hope everyone remembers not to click dodgy links.

Training helps. But if training is your only line of defence, you are relying on every person in your business making the right call every single time. That is not a realistic expectation. People are busy, distracted, and under pressure, and phishing emails are getting harder to spot.

What actually works is a layered approach: multiple controls working together so that even when someone does click the wrong link, the damage is contained. Here is what that looks like in practice.

Why Training Alone Is Not Enough

Phishing, the practice of sending fake emails designed to trick someone into handing over credentials or clicking a malicious link, is the most common way Australian businesses get compromised. It is not close. Phishing is involved in the majority of incidents the ACSC reports on each year.

The problem with relying on training is that phishing attacks are designed to exploit exactly the moments when people are not thinking carefully. An email that looks like it is from your accountant during tax season. A fake invoice from a supplier you actually use. A password reset request that arrives at 5pm on a Friday.

Training raises awareness, and that matters. But it is one layer. You need technical controls doing the heavy lifting so your staff are not the last line of defence. They are one of several.

Layer 1: Stop People Impersonating Your Domain

Three technical standards, SPF, DKIM, and DMARC, work together to prevent attackers from sending emails that appear to come from your domain. In plain English, they tell email servers around the world: “Only these authorised systems can send email on behalf of our company.”

Without these in place, someone can send an email that looks like it came from your business, to your clients, your staff, or your suppliers. With them in place, those fake emails get flagged or blocked before they arrive.

Setting up SPF, DKIM, and DMARC requires changes to your domain’s DNS records. It is a one-time configuration that your IT provider should handle and monitor. If you do not know whether these are in place, they probably are not.
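A quick way to see whether these records are actually doing their job is to read them back and check for the weak settings that still let spoofed mail through (an SPF record ending in +all or ?all, a DMARC policy of p=none, or no DMARC record at all). The PowerShell below is an added example, not CIO Tech's script: the two record strings are constructed samples for a placeholder domain, and the commented-out Resolve-DnsName lines show how to pull the live records for your own domain instead.

```powershell
# Added example (not CIO Tech's code). Checks SPF and DMARC record text for the
# settings that leave a domain spoofable. The sample records below are constructed.

function Test-SpfRecord {
    param([string]$Record)
    $findings = @()
    if ($Record -notmatch '^v=spf1(\s|$)') {
        return ,@('not a valid SPF record: must start with "v=spf1"')
    }
    $tokens = $Record -split '\s+'
    # The final "all" mechanism decides what happens to senders not listed in the record.
    if     ($tokens -contains '+all' -or $tokens -contains 'all') { $findings += '+all: anyone can send as this domain' }
    elseif ($tokens -contains '?all') { $findings += '?all: neutral, spoofed mail is neither passed nor failed' }
    elseif ($tokens -contains '~all') { $findings += '~all: softfail only; DMARC must be enforcing for this to matter' }
    elseif ($tokens -notcontains '-all') { $findings += 'no "all" mechanism: unlisted senders are not rejected' }
    # SPF allows at most 10 DNS-querying mechanisms; more than that returns permerror.
    $lookups = @($tokens | Where-Object { $_ -match '^[+\-~?]?(include:|a$|a[:/]|mx$|mx[:/]|exists:|redirect=)' }).Count
    if ($lookups -gt 10) { $findings += "$lookups DNS-querying mechanisms exceeds the limit of 10 (permerror)" }
    return ,$findings
}

function Test-DmarcRecord {
    param([string]$Record)
    $findings = @()
    if ($Record -notmatch '^v=DMARC1') {
        return ,@('no DMARC record: SPF and DKIM results are never enforced by receivers')
    }
    # Parse "tag=value" pairs separated by semicolons into a hashtable.
    $tags = @{}
    foreach ($part in ($Record -split ';')) {
        $kv = $part.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    $p = $tags['p']
    if ($p -eq 'none') { $findings += 'p=none only monitors; spoofed mail is still delivered' }
    elseif ($p -notin @('quarantine', 'reject')) { $findings += 'missing or invalid p= tag' }
    if ($tags.ContainsKey('pct') -and [int]$tags['pct'] -lt 100) {
        $findings += "pct=$($tags['pct']): policy applies to only part of the mail"
    }
    if (-not $tags.ContainsKey('rua')) {
        $findings += 'no rua= address: you get no aggregate reports showing who is spoofing you'
    }
    return ,$findings
}

# Constructed sample records for a placeholder domain (a typical Microsoft 365 tenant
# that has published SPF but left DMARC in monitor mode).
$spf   = 'v=spf1 include:spf.protection.outlook.com ~all'
$dmarc = 'v=DMARC1; p=none; rua=mailto:dmarc@example.com'

"SPF findings:";   Test-SpfRecord   -Record $spf
"DMARC findings:"; Test-DmarcRecord -Record $dmarc

# Live lookup for your own domain (Windows, DnsClient module). Uncomment and set $d.
# $d = 'example.com'
# $spf   = (Resolve-DnsName -Name $d -Type TXT | Where-Object Strings -like 'v=spf1*').Strings -join ''
# $dmarc = (Resolve-DnsName -Name "_dmarc.$d" -Type TXT | Where-Object Strings -like 'v=DMARC1*').Strings -join ''
# DKIM for Microsoft 365 is checked from Exchange Online rather than DNS:
# Get-DkimSigningConfig -Identity $d | Select-Object Domain, Enabled
```

With the sample records the SPF check reports the ~all softfail and the DMARC check reports p=none: the combination that looks "set up" on paper but still lets a spoofed message land in a client's inbox. Moving to p=quarantine and then p=reject once the aggregate reports show only legitimate senders is what turns the records into an actual block.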

Layer 2: Scan Links and Attachments

Microsoft 365 includes two features that most businesses either do not have turned on or do not know exist: Safe Links and Safe Attachments.

Safe Links rewrites every URL in an incoming email and checks it in real time when someone clicks. If the link points to a known malicious site, even if it was clean when the email arrived but was weaponised later, the click is blocked.

Safe Attachments opens every attachment in a secure sandbox environment before delivering it. If the file contains malware, it is quarantined before it reaches your inbox.

These features are available in Microsoft 365 Business Premium and above. They need to be configured correctly, turned on, applied to the right policies, and set to the right action (block, not just warn). CIO Tech’s Microsoft 365 Security setup includes this as standard.
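The "set to the right action" point is where most self-configured tenants fall short: a Safe Attachments policy left on Monitor or Replace still delivers the message, and a Safe Links policy that allows click-through lets the user override the warning. The following is an added example of creating both policies with the ExchangeOnlineManagement module, not CIO Tech's own setup script; the policy names and the domain contoso-example.com are placeholders, and it assumes a Business Premium or Defender for Office 365 licence.

```powershell
# Added example (not CIO Tech's script). Creates Safe Attachments and Safe Links
# policies set to block, scoped to every recipient in the tenant domain.
# Requires: Install-Module ExchangeOnlineManagement; an admin with the Security Administrator role.
Connect-ExchangeOnline

$domain = 'contoso-example.com'   # placeholder: your verified tenant domain

# Safe Attachments: detonate each attachment in a sandbox and BLOCK on malware.
# Action values are Allow, Block, Replace or DynamicDelivery; only Block withholds the message.
New-SafeAttachmentPolicy -Name 'Block malicious attachments' `
    -Enable $true `
    -Action Block `
    -Redirect $true `
    -RedirectAddress "secops@$domain"
New-SafeAttachmentRule -Name 'Block malicious attachments - all users' `
    -SafeAttachmentPolicy 'Block malicious attachments' `
    -RecipientDomainIs $domain

# Safe Links: rewrite URLs, scan at click time, and do not allow users to click through a block.
New-SafeLinksPolicy -Name 'Rewrite and block malicious links' `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true `
    -TrackClicks $true `
    -AllowClickThrough $false
New-SafeLinksRule -Name 'Rewrite and block malicious links - all users' `
    -SafeLinksPolicy 'Rewrite and block malicious links' `
    -RecipientDomainIs $domain

# Verify the effective settings: Action must read Block and AllowClickThrough must read False.
Get-SafeAttachmentPolicy | Select-Object Name, Enable, Action, RedirectAddress
Get-SafeLinksPolicy      | Select-Object Name, EnableSafeLinksForEmail, ScanUrls, DeliverMessageAfterScan, AllowClickThrough
```

The two Get- calls at the end are the check worth keeping in a runbook: a policy can exist and be enabled while its rule targets nobody, or while Action quietly reads Replace. The -Redirect option keeps a copy of blocked attachments in a monitored mailbox so the IT team can investigate what was sent without it ever reaching the user.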

Layer 3: Flag External Emails

One of the simplest and most effective controls is external email tagging. Every email that comes from outside your organisation gets a visible banner at the top: “This email was sent from outside your organisation. Be cautious with links and attachments.”

It sounds basic, but it works. When someone receives what looks like an internal email from a colleague but sees that external warning banner, it triggers a pause. That pause is often enough to prevent a click.

This is a straightforward configuration in Microsoft 365 Exchange Online. It takes minutes to set up and costs nothing.
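Exchange Online gives you two ways to do this, and they can be combined. The native external sender tag is a single switch and shows an "External" marker in Outlook, Outlook mobile and Outlook on the web; a mail flow rule inserts the wording you choose into the message body, which also reaches clients that do not render the native tag. Both are shown below as an added example, not CIO Tech's configuration; the banner wording is the one quoted above and the partner domain is a placeholder.

```powershell
# Added example (not CIO Tech's configuration). Tags every message from outside
# the organisation, using the native Outlook tag and a body banner.
# Requires: ExchangeOnlineManagement module, an Exchange Administrator.
Connect-ExchangeOnline

# Option A: native "External" tag rendered by Outlook clients (no banner text to maintain).
Set-ExternalInOutlook -Enabled $true
# Optional: exclude a trusted partner domain so its mail is not tagged (placeholder domain).
# Set-ExternalInOutlook -AllowList @{Add = 'partner-example.com'}

# Option B: mail flow rule that prepends a visible banner to the message body and
# marks the subject, for clients that do not show the native tag.
$banner = '<div style="background:#fff3cd;border:1px solid #ffecb5;padding:8px;font-family:sans-serif">' +
          'This email was sent from outside your organisation. Be cautious with links and attachments.</div>'

New-TransportRule -Name 'Tag external email' `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -PrependSubject '[EXTERNAL] ' `
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Priority 0

# Verify both controls are active.
Get-ExternalInOutlook | Select-Object Enabled, AllowList
Get-TransportRule -Identity 'Tag external email' | Format-List Name, State, FromScope, SentToScope, ApplyHtmlDisclaimerLocation
```

FromScope NotInOrganization is what makes the rule fire only for mail that did not originate inside the tenant, so a colleague's genuine internal message is left untouched while a lookalike sent from outside gets the banner. The Wrap fallback matters for signed or encrypted mail where the body cannot be modified: the original is wrapped in a new message carrying the banner rather than delivered untagged.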

Layer 4: Control Where and How People Log In

Conditional Access policies in Microsoft 365 control the conditions under which someone can access your systems. You can require MFA (multi-factor authentication, a second verification step like a code on your phone) for every login. You can block logins from countries where you have no staff. You can require that devices meet certain security standards before they can access company data.

Even if an attacker gets hold of a staff member’s password through a phishing email, Conditional Access can block the login because it is coming from an unrecognised device or location.

This is where the real protection sits. A stolen password without the ability to use it is worthless to an attacker.
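To make the two controls described above concrete (MFA on every login, and blocking sign-ins from countries where you have no staff), here is an added example using the Microsoft Graph PowerShell SDK. It is not CIO Tech's policy set: the country list, policy names and the break-glass account id are placeholders, and both policies are created in report-only mode so the sign-in logs show what they would have blocked before you switch them to enforced.

```powershell
# Added example (not CIO Tech's policy set). Creates a named location and two
# Conditional Access policies with the Microsoft.Graph module.
# Requires: Install-Module Microsoft.Graph; an admin who can consent to the scopes below.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder: object id of the emergency-access account that is excluded from every
# policy so a misconfiguration cannot lock every administrator out.
$breakGlass = '00000000-0000-0000-0000-000000000000'

# Named location listing the countries where staff actually work (placeholder list).
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Countries with staff'
    countriesAndRegions               = @('AU', 'NZ')
    includeUnknownCountriesAndRegions = $false
}

# Policy 1: require MFA for all users on all cloud apps.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'CA01 - Require MFA for all users'
    state       = 'enabledForReportingButNotEnforced'   # change to 'enabled' after reviewing sign-in logs
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Policy 2: block any sign-in that does not come from the countries above.
# A phished password used from an unexpected country never gets past this step.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'CA02 - Block sign-in from countries with no staff'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        locations      = @{ includeLocations = @('All'); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Review what exists and in which state before flipping anything to enforced.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

The device-standards requirement mentioned above is the same pattern with builtInControls set to compliantDevice, which requires the device to be enrolled and marked compliant in Intune. Leaving policies in report-only mode for a week or two, then reading the Conditional Access section of the sign-in logs, is the safest way to find the legitimate login (a travelling director, a legacy mail client) that an enforced policy would otherwise break.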

Layer 5: Phishing Awareness Training

Training is the final layer, not the first. Once your technical controls are in place, training helps staff recognise the phishing attempts that make it through.

Good training is short, regular, and practical. Not a 45-minute compliance video once a year. Quick simulations, real examples, and clear guidance: “If you are not sure, do not click it. Forward it to your IT team.”

The goal is not to make everyone a security expert. The goal is to create a habit of pausing before clicking, knowing that even if they do click, the technical controls are there to catch it.

Put the Layers in Place

Phishing protection is not about finding one tool that stops everything. It is about multiple controls working together so that no single failure leads to a breach.

If you are not sure which of these layers you have in place, start with our free IT Maturity Assessment. It takes a few minutes and gives you a clear picture of where your cybersecurity controls stand today.
