Phishing: Taking a Multi-layered Defence Approach

Andy Wilson

Security Consultant

Andy is one of our Security Consultants, specialising in Infrastructure Testing with extensive knowledge around cyber security matters.

Phishing: Taking a Multi-layered Defence Approach

What is Phishing?

You have most likely heard the term phishing thrown around social media recently, and no, people haven’t taken up a new hobby at the local lake. The first known mention of the term “phishing” stems from a program named AOHell designed in the 1990s.
One of the features of the toolkit was the ability to send a large number of instant messages to AOL users asking them to verify their account by providing their username and password, this type of attack is now commonly known as phishing.

How Have Techniques Changed?

The way in which threat actors conduct Phishing campaigns has become significantly more sophisticated over time. Threat actors have now moved away from generic phishing campaigns and are focusing more on campaigns aimed at a specific target.

With a targeted campaign (commonly known as spear phishing) open source intelligence (OSINT) can be performed on the target to gather the information that would make the campaign seem more legitimate. This can range from personal information found online to recent real-world events.

Taking a Multi-layered Approach

Relying on users to spot and report a phishing email is often the only defence a company takes against phishing. It is only a matter of time before one email slips through, so the best approach would be to plan for this and to minimise the amount of damage possible.

Layer 1 – Reach

Prevent the e-mail from reaching the user’s inbox. This can be achieved by introducing anti-phishing security software such as spam filters. Anti-spoofing controls should also be implemented, such as; DMARC, DKIM and SPF records.

Layer 2 – Identify

The majority of data breaches are initiated through a phishing email due to human error. Staff should have regular training in identifying the latest potential phishing emails. This will enable them to follow the company process when an incident does occur, which should include reporting the incident to the relevant team.

Layer 3 – Protect

Protections should be in place for when incidents do occur. These protections include but are not limited to; enforcing multi-factor authentication (MFA), password managers, regular IT health checks and endpoint defences.

Layer 4 – Response

Staff should be able to report phishing incidents to the relevant team. A dedicated security logging and alerting system should be in place as well as an Incident Response Plan.


The UK Cyber Security Breaches Survey conducted by DCMS, highlights phishing as the most common attack vector, accounting for around 83% of reported attacks. With the increased sophistication of campaigns alongside the increased digital footprint of most companies, it is likely this attack vector will continue to grow and be the main target for threat actors. To raise awareness of the potential risks, Andy also prepared a quick video outlining the multiple layers of a phishing attack and how businesses can defend against them.

Video/Audio Transcript

My name's Andy from Pentest People. We're here to talk to you today about phishing. So what is phishing?

It was first heard about around in the 1990s. It involves hackers trying to trick people into clicking on links, and trying to pretend to be people that are not. A recommended Defence for efficient second in depth approach by having multiple layers to defence. Layer one would be the reach,  you should try and stop the emails reaching your employees. This can be done by various tools, and one of which being an anti spam filter. Layer two should be to identify the threats to adapt to adequate training to be able to identify phishing emails and report them to the relevant team. Layer three would be protection, this should be in place for when an incident does occur such as multi factor authentication. This will therefore be the response and incident response plan that should be in place and staff should be trained on who to report the incidents to. The UK cybersecurity breaches survey reports around 83% of attacks come in through phishing campaigns, and it's only likely to increase.