
Preventing Phishing Attacks: A Practical Guide for Small Business

Written by Vigilant Sec | Nov 4, 2025 8:19:26 PM

At Vigilant Sec, we see every day how small businesses are facing increasingly sophisticated phishing attacks.

Phishing may be a familiar term, but it’s still one of the most common ways attackers breach small businesses. Stolen credentials often lead to lost data, account takeovers, and even ransomware.

Common sense alone can’t stop every attack.

That’s why Vigilant Sec encourages every business to adopt layered defenses against phishing. When we protect customer environments, we start from one assumption: your users’ passwords will be stolen.

Some phishing emails hide the malicious link in a QR code. The URL never appears as text in the message, so link-based filters can miss it, and the user scans it with a personal phone that sits outside the company’s email and web protections, landing on the phishing page from an unmanaged device.
Common Strategies: Benefits and Challenges

Multi-Factor Authentication (MFA)
Benefit: Requires users to verify their identity with an additional method beyond a password, so a stolen password alone is not enough to sign in
Challenges:
  • Adversary-in-the-middle phishing kits proxy the real login page and capture the password and the MFA response in the same session, so SMS, push, and one-time-code MFA can still be phished
  • Users may not understand stronger MFA methods (like passkeys)
  • Rollout can be time consuming for IT and users

Password Managers
Benefit: Reduce password reuse and avoid already-stolen credentials; autofill also refuses to offer a saved password on a look-alike domain, which gives users a useful phishing tell
Challenges:
  • Added cost
  • Rollout friction for users

Conditional Access Policies [M365]
Benefit: Enforce MFA and block sign-ins that do not meet your device, location, or sign-in-risk requirements
Challenges:
  • May restrict personal device use or travel access
  • Requires greater technical skill to manage

Spam Detection (Exchange & Gmail)
Benefit: Blocks some phishing emails before they reach users
Challenges:
  • More effective against bulk spam than targeted phishing
  • Efficacy may vary compared to dedicated third-party solutions

Email Scanning Products
Benefit: Enhance Microsoft or Google filtering with additional scanning
Challenges:
  • Added cost and management overhead
  • Potential for false positives
  • Requires staff time and expertise to handle alerts

Phishing Prevention = Identity Protection

A strong defense against phishing combines some, or all, of the solutions above. Security awareness training helps too, but it cannot be the last line of defense: a convincing lure, an adversary-in-the-middle kit, or a QR code will eventually get past a well-trained user. True phishing prevention goes further: it assumes a password will be phished and stops the unauthorized access that follows.

Here’s how Vigilant Sec helps businesses shift from avoiding risky emails to protecting their entire identity perimeter.

 

Start with Hardening and MFA

Vigilant Sec recommends hardening, not just alerting, as the best way to defend your business against phishing. Our guided automations help teams strengthen defenses step by step, on a schedule that fits their workflow.

The result? Most attacks are stopped outright, and alerts stay focused on what matters.

 

Best Practices for Hardening Users Against Phishing

Vigilant Sec recommends: For Microsoft environments, use Entra Conditional Access to:
  • Block legacy authentication (older protocols such as IMAP, POP3, and SMTP AUTH that cannot complete MFA, so a stolen password alone unlocks them)
  • Strengthen admin controls (e.g., disallow persistent browser sessions and require frequent re-authentication for privileged roles)
  • Move users from no-MFA → standard-MFA → phishing-resistant-MFA
Vigilant Sec provides: Automations to deploy secure policy templates and a guided rollout process, helping teams understand and confidently enable new settings

Vigilant Sec recommends: Transition users from less secure MFA methods to stronger ones:
  • Poor: Text messages (codes can be phished or intercepted by SIM swapping)
  • Better: Authenticator apps (number matching helps against push fatigue, but an adversary-in-the-middle relay can still satisfy the prompt)
  • Best: Passkeys (bound to the real site’s origin, so a look-alike login page cannot complete the sign-in; this is what “phishing-resistant” means)
Vigilant Sec provides: Visibility into MFA usage, user adoption, and readiness for stricter MFA enforcement

Vigilant Sec recommends: Implement security recommendations from benchmarks such as CISA’s Secure Cloud Business Applications (SCuBA)
Vigilant Sec provides: Continuous monitoring of key configurations, recommendations for improvement, and progress tracking over time

Vigilant Sec recommends: Review admin, guest, and stale accounts regularly; remove unnecessary access
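The Conditional Access steps above, as an added example that is not Vigilant Sec’s automation or the page’s own code: three policies created in report-only mode with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module). It assumes a tenant licensed for Conditional Access and authentication strengths, an operator holding the Policy.ReadWrite.ConditionalAccess scope, and a break-glass group whose object ID below is a placeholder; the Global Administrator role template ID and the built-in “Phishing-resistant MFA” strength name are Microsoft’s fixed values, and the policy names are made up for this example.

```powershell
# Added example (not Vigilant Sec's automation): create the three hardening
# policies from the table above, in report-only mode, via Microsoft Graph PowerShell.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# ASSUMPTION: object ID of a group containing your emergency-access accounts.
# It is excluded from every policy so a mis-scoped rule can never lock all admins out.
$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'

# Global Administrator role template ID (the same in every tenant). Add other
# privileged role template IDs here as you extend coverage.
$AdminRoles = @('62e90394-69f5-4237-9190-012177145e10')

# Look up the built-in "Phishing-resistant MFA" authentication strength by name
# instead of hard-coding its ID.
$PhishResistant = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq 'Phishing-resistant MFA' }
if (-not $PhishResistant) { throw 'Phishing-resistant MFA authentication strength not found' }

# Report-only first: the sign-in log then shows what each policy *would* have done.
$ReportOnly = 'enabledForReportingButNotEnforced'

$policies = @(
    # 1. Block legacy authentication: these client types cannot perform MFA at all.
    @{
        displayName   = 'CA001 - Block legacy authentication'
        state         = $ReportOnly
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('exchangeActiveSync', 'other')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    },
    # 2. Standard MFA for everyone on modern clients (the "no-MFA -> standard-MFA" step).
    @{
        displayName   = 'CA002 - Require MFA for all users'
        state         = $ReportOnly
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    },
    # 3. Privileged roles: phishing-resistant MFA, no persistent browser session,
    #    and forced re-authentication every 4 hours.
    @{
        displayName     = 'CA003 - Admins: phishing-resistant MFA, no persistent sessions'
        state           = $ReportOnly
        conditions      = @{
            users          = @{ includeRoles = $AdminRoles; excludeGroups = @($BreakGlassGroupId) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
        }
        grantControls   = @{
            operator               = 'OR'
            authenticationStrength = @{ id = $PhishResistant.Id }
        }
        sessionControls = @{
            persistentBrowser = @{ isEnabled = $true; mode = 'never' }
            signInFrequency   = @{ isEnabled = $true; type = 'hours'; value = 4; frequencyInterval = 'timeBased' }
        }
    }
)

foreach ($p in $policies) {
    # Idempotent: skip a policy whose name already exists rather than creating a duplicate.
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($p.displayName)'"
    if ($existing) {
        Write-Host "Skipping existing policy: $($p.displayName)"
        continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created (report-only): $($created.DisplayName) [$($created.Id)]"
}
```

Leave the policies in report-only for a week, review the Conditional Access column of the sign-in log for anything that would have been blocked (service accounts still on IMAP or SMTP AUTH are the usual surprise), then flip `state` to `enabled` one policy at a time, starting with the legacy-auth block. Switch on CA003 only after every targeted admin has registered a passkey or FIDO2 key; until then the policy cannot be satisfied and the excluded break-glass account is the only way back in.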

 

Remain Vigilant About Risky Logins

It’s important to understand how long user sessions remain active in Google Workspace and Microsoft 365. By default, a Google Workspace web session lasts 14 days before the user must re-authenticate. In Microsoft 365 the window is larger: refresh tokens stay valid as long as they are used at least once every 90 days, and a browser session where the user chose “Stay signed in” persists across browser restarts until it is revoked or a Conditional Access sign-in frequency forces re-authentication. That’s a long window for an attacker to keep using a stolen session token.

In both platforms, admins can review and manage risky users through their respective admin and security consoles. If there’s any indication a user account may be compromised, revoke the user’s active sessions immediately to cut off the attacker’s access. Even if the attacker still has the user’s password, they would have to phish the user again to obtain a new session and satisfy MFA, which makes session revocation a quick and effective containment step. Two caveats: revocation invalidates refresh tokens and browser sessions, but access tokens already issued remain valid until they expire (in Microsoft 365, typically up to an hour), and revocation does nothing about the stolen password itself, so reset it at the same time and review any MFA methods or devices the attacker may have registered for persistence.
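One way to run that containment in Microsoft 365, as an added example (not Vigilant Sec’s automation or the page’s own code) using the Microsoft Graph PowerShell SDK. The user principal name at the bottom is a placeholder, and the function assumes an operator granted the delegated scopes requested below plus an admin role allowed to reset passwords (for example User Administrator); the Entra ID Protection steps need an Entra ID P2 license and are skipped quietly without it.

```powershell
# Added example (not Vigilant Sec's automation): contain one suspected-compromised
# Microsoft 365 user. ASSUMPTION: the UPN passed in is a placeholder.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'IdentityRiskyUser.ReadWrite.All',
                        'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All',
                        'Directory.AccessAsUser.All'

function Invoke-UserContainment {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [switch] $ResetPassword,
        [int] $LookbackDays = 7
    )
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName

    # 1. Current Entra ID Protection verdict. A 404 just means "not flagged" (or no P2).
    $risk = Get-MgRiskyUser -RiskyUserId $user.Id -ErrorAction SilentlyContinue
    if ($risk) { Write-Host "Risk: $($risk.RiskState) / $($risk.RiskLevel) (updated $($risk.RiskLastUpdatedDateTime))" }

    # 2. Recent sign-ins: where from, which app, legacy or modern client, CA outcome.
    $since = (Get-Date).AddDays(-$LookbackDays).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $since" -Top 50 |
        Sort-Object CreatedDateTime -Descending |
        Select-Object CreatedDateTime, IpAddress,
            @{ n = 'Country'; e = { $_.Location.CountryOrRegion } },
            AppDisplayName, ClientAppUsed, ConditionalAccessStatus,
            @{ n = 'Error'; e = { $_.Status.ErrorCode } } |
        Format-Table -AutoSize

    # 3. Persistence check: list registered MFA methods so an unfamiliar phone or
    #    authenticator the attacker added can be removed afterwards.
    Get-MgUserAuthenticationMethod -UserId $user.Id |
        Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } } |
        Format-Table -AutoSize

    # 4. Revoke refresh tokens and browser sessions. Access tokens already issued
    #    stay valid until they expire (up to about an hour), so this is not instant.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
    Write-Host "Revoked sign-in sessions for $($user.UserPrincipalName)"

    # 5. Kill the stolen password: random temporary password, change forced at next sign-in.
    if ($ResetPassword) {
        $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
        $bytes = [byte[]]::new(24)
        $rng.GetBytes($bytes)
        $temp  = [Convert]::ToBase64String($bytes)
        Update-MgUser -UserId $user.Id -PasswordProfile @{ Password = $temp; ForceChangePasswordNextSignIn = $true }
        # Deliver the temporary password out of band (phone or in person), never by
        # email to the mailbox that may still be open in the attacker's browser.
        Write-Host 'Temporary password set; deliver it out of band.'
    }

    # 6. Tell ID Protection the compromise was real so risk-based policies and
    #    reports learn from it (silently skipped when the user is not tracked).
    Confirm-MgRiskyUserCompromised -UserIds @($user.Id) -ErrorAction SilentlyContinue
}

Invoke-UserContainment -UserPrincipalName 'jane.doe@contoso.example' -ResetPassword
```

Run it as soon as the alert looks real; the sign-in and MFA-method listings are your evidence, and steps 4 and 5 are the containment. For Google Workspace the equivalent is the user’s Security settings in the Admin console (sign the user out and reset sign-in cookies, which the Directory API exposes as the users.signOut method), again followed by a password reset and a review of the user’s 2-Step Verification methods.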

 

Best Practices for Responding to Risky Logins

Vigilant Sec recommends: Create notifications for risky login alerts
Vigilant Sec provides: 24/7 monitoring and investigation of all alerts and risky activity

Vigilant Sec recommends: Combine native detections (Microsoft, Google) with custom ones
Vigilant Sec provides: A rich library of vendor, community, and Vigilant Sec-developed detections

Vigilant Sec recommends: Monitor password-reset requests and new device registrations
Vigilant Sec provides: Detection coverage from authentication through post-login behavior

Vigilant Sec recommends: Establish a workflow to triage and understand risky login alerts
Vigilant Sec provides: Custom tools to visualize, summarize, and communicate unusual activity clearly to customers

Vigilant Sec recommends: Learn Microsoft and Google processes for revoking sessions and resetting passwords
Vigilant Sec provides: Automations for instant response to high-fidelity detections

Vigilant Sec recommends: Be ready to make judgment calls in real time
Vigilant Sec provides: Experience and confidence to stop bad actors without disrupting business
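A concrete instance of the “password-reset requests and new device registrations” detection above, as an added example that is not part of Vigilant Sec’s detection library or the page’s own code: it correlates a successful sign-in from a country the user has not used before with a sensitive directory change in the following hour. The sign-in and audit records are constructed for this demo (the field names mirror what Entra sign-in and audit log exports contain, but the objects are hand-made, not pulled from Graph), and the per-user country baseline is likewise assumed to come from the previous 30 days of sign-ins.

```powershell
# Added example (not Vigilant Sec's detection library): flag a new-location sign-in
# that is followed by a persistence action. Records below are CONSTRUCTED for the demo.

$SignIns = @(
    [pscustomobject]@{ User='alice@example.com'; Time=[datetime]'2025-11-03T08:02:00Z'; Ip='203.0.113.10'; Country='US'; Success=$true;  MfaDetail='Mobile app notification' }
    [pscustomobject]@{ User='alice@example.com'; Time=[datetime]'2025-11-03T13:41:00Z'; Ip='198.51.100.7';  Country='NL'; Success=$true;  MfaDetail='Mobile app notification' }
    [pscustomobject]@{ User='bob@example.com';   Time=[datetime]'2025-11-03T09:15:00Z'; Ip='203.0.113.22'; Country='US'; Success=$true;  MfaDetail='' }
    [pscustomobject]@{ User='bob@example.com';   Time=[datetime]'2025-11-03T22:05:00Z'; Ip='192.0.2.77';   Country='RU'; Success=$false; MfaDetail='' }
)
$AuditEvents = @(
    [pscustomobject]@{ User='alice@example.com'; Time=[datetime]'2025-11-03T13:49:00Z'; Activity='User registered security info'; Detail='Microsoft Authenticator added' }
    [pscustomobject]@{ User='alice@example.com'; Time=[datetime]'2025-11-03T13:52:00Z'; Activity='Register device';               Detail='DESKTOP-NEW' }
    [pscustomobject]@{ User='bob@example.com';   Time=[datetime]'2025-11-03T09:30:00Z'; Activity='Reset user password';            Detail='self-service' }
)
# ASSUMPTION: known-good countries per user, built from the previous 30 days of sign-ins.
$Baseline = @{ 'alice@example.com' = @('US'); 'bob@example.com' = @('US') }

function Find-SuspiciousPostLoginActivity {
    param($SignIns, $AuditEvents, $Baseline, [int] $WindowMinutes = 60)

    # Actions an attacker takes right after a phished login to keep access.
    $sensitive = 'Register device', 'User registered security info', 'Reset user password', 'Add member to role'
    $alerts = @()

    foreach ($s in ($SignIns | Where-Object { $_.Success })) {
        $known = $Baseline[$s.User]
        if ($known -and ($known -contains $s.Country)) { continue }   # familiar location, no alert

        $followUps = $AuditEvents | Where-Object {
            $_.User -eq $s.User -and
            $sensitive -contains $_.Activity -and
            $_.Time -ge $s.Time -and
            $_.Time -le $s.Time.AddMinutes($WindowMinutes)
        }
        if (-not $followUps) { continue }

        # "MFA satisfied" is not reassuring here: an adversary-in-the-middle kit relays
        # the prompt, so record it as context rather than treating it as exoneration.
        $mfa = if ($s.MfaDetail) { $s.MfaDetail } else { 'none' }
        $alerts += [pscustomobject]@{
            User       = $s.User
            SignInTime = $s.Time
            Ip         = $s.Ip
            Country    = $s.Country
            Mfa        = $mfa
            Actions    = ($followUps | ForEach-Object { "$($_.Activity): $($_.Detail)" }) -join '; '
        }
    }
    return $alerts
}

$alerts = Find-SuspiciousPostLoginActivity -SignIns $SignIns -AuditEvents $AuditEvents -Baseline $Baseline
$alerts | Format-List
```

On the constructed data only alice is flagged: her NL sign-in passed MFA by push notification (the adversary-in-the-middle signature) and was followed within minutes by a new authenticator and a new device. Bob’s RU attempt failed and his password reset came after a sign-in from his usual country, so neither produces an alert. In production the sign-in rows come from the Entra sign-in log and the audit rows from the directory audit log; the correlation logic is the same.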

 

Let Vigilant Sec Handle the Hard Part

Best practices are easier said than done, which is why we take pride in mastering them for our customers. Vigilant Sec handles the security side so you can stay focused on what matters most: your business.

Have questions? We’re happy to walk you through any of these recommendations and show how they can strengthen your environment.