Phishing remains the entry point for the majority of business email compromise, ransomware infections, and credential theft incidents. The attacks have gotten significantly more sophisticated—AI-generated emails are grammatically correct, well-researched, and tailored to the recipient's role.
Technical controls alone won't stop them. Here's what a layered phishing defence looks like.
Layer 1: Email authentication (SPF, DKIM, DMARC)
Email authentication doesn't stop phishing directly, but it prevents attackers from spoofing your domain—sending emails that appear to come from yourcompany.com to attack your customers, partners, and staff.
- SPF (Sender Policy Framework) specifies which mail servers are authorized to send email for your domain.
- DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outbound email, allowing recipients to verify it wasn't tampered with.
- DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receiving mail servers what to do with messages that fail SPF or DKIM checks—report them, quarantine them, or reject them.
Starting DMARC in p=none (report-only) mode lets you see who's sending email on your behalf before enforcing rejection. Most organizations reach p=reject within 60–90 days after working through legitimate sending sources.
Google and Microsoft have both tightened their enforcement of DMARC in recent years. Domains without proper authentication are increasingly likely to land in spam.
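The following script is an added example, not MicroPro's tooling, that checks the SPF and DMARC posture described above from the raw TXT records. The records for yourcompany.com are constructed for a domain still in p=none; in practice you would fetch them with a DNS lookup (`dig TXT yourcompany.com` and `dig TXT _dmarc.yourcompany.com`) and feed the strings to `assess`.

```python
"""Assess the SPF and DMARC posture of a domain from its TXT records.

Added example, not MicroPro's tooling. The records below are constructed
for yourcompany.com; in practice you would fetch them with a DNS lookup.
"""
import re

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
LOOKUP_TERM = re.compile(r"^[-+~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.I)


def parse_spf(txt):
    """Split an SPF record into its terms and the qualifier on 'all'.

    Returns None when the TXT value is not an SPF record.
    """
    if not txt.lower().startswith("v=spf1"):
        return None
    terms, all_qualifier = [], None
    for term in txt.split()[1:]:
        if term.lstrip("+-~?").lower() == "all":
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
        else:
            terms.append(term)
    return {"terms": terms, "all": all_qualifier}


def spf_lookup_count(spf):
    """Count lookup-causing terms (a rough check against the 10-lookup limit)."""
    return sum(1 for t in spf["terms"] if LOOKUP_TERM.match(t))


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=...; rua=...' into a tag dictionary, or None."""
    if not txt.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf_txt, dmarc_txt):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    spf = parse_spf(spf_txt) if spf_txt else None
    if spf is None:
        findings.append("SPF: no record; receivers cannot tell which servers may send for you")
    else:
        if spf_lookup_count(spf) > 10:
            findings.append("SPF: more than 10 DNS-lookup terms; receivers return permerror")
        if spf["all"] in (None, "+"):
            findings.append("SPF: missing or '+all'; any host passes SPF for this domain")
        elif spf["all"] == "?":
            findings.append("SPF: '?all' is neutral; unauthorized senders neither pass nor fail")
    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if dmarc is None:
        findings.append("DMARC: no record; spoofed mail is not rejected and you get no reports")
        return findings
    policy = dmarc.get("p", "none")
    if policy == "none":
        findings.append("DMARC: p=none; failures are only reported, never quarantined or rejected")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once legitimate senders are aligned")
    if "rua" not in dmarc:
        findings.append("DMARC: no rua= address; you will not receive aggregate reports")
    if dmarc.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={dmarc['pct']}; policy applies to only part of the mail")
    if dmarc.get("sp") == "none" and policy != "none":
        findings.append("DMARC: sp=none leaves subdomains unenforced")
    return findings


# Constructed records for a domain that is still in monitoring mode.
SPF_TXT = "v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all"
DMARC_TXT = "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourcompany.com; pct=100"

if __name__ == "__main__":
    for finding in assess(SPF_TXT, DMARC_TXT):
        print(finding)
```

Run it against the two constructed records and the only finding is the p=none policy, which is exactly the state the article describes for the first 60 to 90 days; swap in `p=reject` and the list comes back empty.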
Layer 2: Advanced email filtering
Microsoft Defender for Office 365 and Google Workspace's email security add protection beyond basic spam filtering:
- Safe Links — rewrites URLs in email; checks them at click time against threat intelligence
- Safe Attachments — detonates attachments in a sandbox before delivering them
- Impersonation protection — detects emails that mimic your executives' names or your domain's appearance (e.g., micr0pro.com)
- Anti-phishing policies — machine learning-based detection of novel phishing patterns
These features are included in Microsoft 365 Business Premium and Google Workspace Business Plus. If you're on a lower tier, upgrading for the security features is often worth it.
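To make the impersonation-protection idea concrete, here is an added example (not code from Defender or Workspace) that classifies a sender's domain against a set of protected brand domains. It assumes micropro.com is the protected domain behind the article's micr0pro.com example; every other domain in it is constructed. It folds look-alike characters, checks edit distance, and catches the brand being buried in a subdomain or a longer name.

```python
"""Flag sender domains that impersonate a protected brand domain.

Added example, not part of Defender or Workspace. PROTECTED is assumed to
hold your own registrable domains (micropro.com here); other domains used
are constructed.
"""

PROTECTED = {"micropro.com"}

# Characters and digraphs that look like others in common fonts.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})
DIGRAPHS = (("rn", "m"), ("vv", "w"))


def normalize_label(label):
    """Fold look-alike characters so micr0pro and rnicropro both become micropro."""
    label = label.lower()
    for pair, single in DIGRAPHS:
        label = label.replace(pair, single)
    return label.translate(HOMOGLYPHS)


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Last two labels. Assumption: real code should consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(domain, protected=PROTECTED):
    """Return (verdict, detail) for a sender domain."""
    domain = domain.lower().rstrip(".")
    reg = registrable(domain)
    if reg in protected:
        return ("own-domain", "registrable domain matches; rely on SPF/DKIM/DMARC for authenticity")
    name = reg.split(".")[0]
    for brand in protected:
        brand_name = brand.split(".")[0]
        if f".{brand}." in f".{domain}.":
            return ("brand-in-subdomain", f"{brand} appears as a subdomain of {reg}")
        if name == brand_name:
            return ("tld-swap", f"{name} registered under a different TLD than {brand}")
        if normalize_label(name) == brand_name:
            return ("homoglyph", f"{name} normalizes to {brand_name}")
        if levenshtein(name, brand_name) <= 1:
            return ("typosquat", f"{name} is one edit from {brand_name}")
        if brand_name in name:
            return ("brand-embedded", f"{brand_name} appears inside {name}")
    return ("unrelated", "no resemblance to a protected domain")


if __name__ == "__main__":
    for sender in ("mail.micropro.com", "micr0pro.com", "rnicropro.com", "micropro.co",
                   "micropr.com", "micropro-billing.com", "micropro.com.evil.net", "example.org"):
        print(f"{sender:28} -> {classify(sender)[0]}")
```

The verdicts are meant to drive a quarantine or banner rule rather than a hard block: the heuristics are deliberately loose (any one-edit name is flagged), so a legitimate partner whose name happens to be close to yours needs an allow-list entry. The own-domain verdict is only a statement about the name; whether the mail really came from you is the job of the DMARC layer.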
Layer 3: Multi-factor authentication
Phishing frequently targets credentials—but a stolen password is only valuable if it can be used. MFA prevents credential theft from translating directly into account compromise.
Use phishing-resistant MFA where possible. TOTP apps (Google Authenticator, Microsoft Authenticator) are better than SMS. Hardware security keys (YubiKey, Titan Key) or passkeys are better still—they bind the authentication to the legitimate site and can't be replayed by attackers running real-time phishing proxies.
Enforce MFA for:
- Email and Microsoft 365 / Google Workspace
- VPN and remote access
- Cloud management consoles (AWS, Azure, GCP)
- Financial platforms and banking
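The difference between "better than SMS" and "phishing-resistant" comes down to what the server checks. The added example below, which is not from the article, implements both sides: a TOTP verifier (RFC 4226/6238, using the RFC's published test key) that accepts a code no matter which site the user typed it into, and the relying-party checks a WebAuthn server performs on `clientDataJSON`, where the browser records the origin and the authenticator signs over it. The origins, challenge and client data are constructed; the public-key signature check itself is left to a crypto library and is outside the example.

```python
"""TOTP versus passkey origin binding (added example, not from the article).

The TOTP part follows RFC 4226/6238 with the RFC test key. The WebAuthn part
performs the relying party's clientDataJSON checks on constructed data; the
origins and challenge are assumptions.
"""
import base64
import hashlib
import hmac
import json
import struct


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30):
    """TOTP (RFC 6238) is HOTP over the 30-second time step."""
    return hotp(secret, unix_time // step)


def totp_accepts(secret, submitted, unix_time):
    """The server only checks the code, not where it was typed: a real-time
    proxy that relays the code within the same step is accepted."""
    return hmac.compare_digest(submitted, totp(secret, unix_time))


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_client_data(client_data_json, expected_challenge, allowed_origins,
                       expected_type="webauthn.get"):
    """Relying-party checks on clientDataJSON (WebAuthn section 7.2).

    The authenticator signs authenticatorData || SHA-256(clientDataJSON), so
    the origin the browser recorded cannot be rewritten by a proxy without
    invalidating the signature (the signature check needs a crypto library
    and is outside this example).
    """
    data = json.loads(client_data_json)
    if data.get("type") != expected_type:
        return (False, f"unexpected type {data.get('type')!r}")
    if not hmac.compare_digest(b64url_decode(data.get("challenge", "")), expected_challenge):
        return (False, "challenge does not match the one this server issued")
    if data.get("origin") not in allowed_origins:
        return (False, f"origin {data.get('origin')} is not the relying party")
    return (True, "client data accepted; proceed to signature verification")


def signed_payload(authenticator_data, client_data_json):
    """Bytes the credential's private key actually signs."""
    return authenticator_data + hashlib.sha256(client_data_json).digest()


# Constructed values.
RFC_KEY = b"12345678901234567890"          # RFC 4226 test key
CHALLENGE = bytes(range(32))               # server-issued challenge
ALLOWED = {"https://login.yourcompany.com"}


def client_data(origin, challenge=CHALLENGE):
    """Build the clientDataJSON a browser would produce for this origin."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
                       "origin": origin, "crossOrigin": False}).encode()


if __name__ == "__main__":
    now = 1_700_000_000
    print("TOTP relayed by a proxy accepted:", totp_accepts(RFC_KEY, totp(RFC_KEY, now), now))
    print("passkey via legitimate site:", verify_client_data(client_data("https://login.yourcompany.com"), CHALLENGE, ALLOWED))
    print("passkey via look-alike site:", verify_client_data(client_data("https://login.y0urcompany.com"), CHALLENGE, ALLOWED))
```

The point the code makes is that a TOTP code carries no information about the site it was entered on, so relaying it is enough, whereas the passkey assertion the relying party receives names the origin the browser actually talked to and that field is under the signature.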
Layer 4: Security awareness training
Technical controls filter out the majority of phishing. Humans are the last line of defence for what gets through.
Effective security awareness training:
- Is ongoing, not annual. Monthly microlearning outperforms a yearly all-hands session.
- Includes simulated phishing. Sending realistic test phishes and providing immediate feedback to users who click is more effective than slideshow training.
- Covers current attack patterns. Business email compromise (BEC) attacks—where someone impersonates your CEO or a supplier asking for a wire transfer—are now more common than malware attachments.
The goal isn't to make employees paranoid—it's to give them a mental model for recognizing suspicious requests and a clear action (report it, don't click, call to verify).
Layer 5: Incident response for phishing
When a phishing email lands in inboxes despite controls:
- Establish a reporting mechanism. A "Report Phishing" button in Outlook or Gmail makes it easy for employees to flag suspicious emails.
- Respond quickly. Investigate reported phishing campaigns; check if others received the same email; retract messages from inboxes if the mail platform supports it.
- Reset credentials promptly. If anyone clicked and entered credentials, reset those accounts immediately and review audit logs for unauthorized access.
A phishing incident handled in 15 minutes is dramatically less costly than one discovered three weeks later.
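The three response steps above reduce to a triage routine: read the authentication verdicts on the reported message, find every other mailbox that received the same campaign, and hand that list to retraction and credential reset. The added example below, which is not MicroPro's process, does that over a constructed mailbox export (recipient, From, Subject, the Authentication-Results header, URLs in the body); in production the records would come from Microsoft's Threat Explorer or Google's investigation tool.

```python
"""Triage a reported phishing email and find everyone else who received it.

Added example, not MicroPro's process. MAILBOX is a constructed stand-in for
a mailbox search export; y0urcompany.com is a constructed look-alike domain.
"""
import re
from urllib.parse import urlparse

AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def parse_auth_results(header):
    """Extract the spf/dkim/dmarc verdicts from an Authentication-Results header."""
    return {k.lower(): v.lower() for k, v in AUTH_RESULT.findall(header)}


def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def url_hosts(urls):
    """Hostnames of the links in a message body."""
    return {urlparse(u).hostname.lower() for u in urls if urlparse(u).hostname}


def same_campaign(reported, candidate):
    """Two messages belong together if they share a sender domain or a link host."""
    return (sender_domain(reported["from"]) == sender_domain(candidate["from"])
            or bool(url_hosts(reported["urls"]) & url_hosts(candidate["urls"])))


def triage(reported, mailbox):
    """Verdicts on the reported mail plus the recipients to retract from and follow up with."""
    auth = parse_auth_results(reported["auth"])
    affected = sorted({m["to"] for m in mailbox if same_campaign(reported, m)})
    return {
        "auth": auth,
        "spoof_suspected": auth.get("dmarc") in ("fail", "none") or auth.get("spf") == "fail",
        "affected_recipients": affected,      # retract, then ask who clicked / entered credentials
        "hosts_to_block": sorted(url_hosts(reported["urls"])),
    }


MAILBOX = [  # constructed mailbox export
    {"to": "alice@yourcompany.com", "from": "invoices@y0urcompany.com", "subject": "Overdue invoice 4471",
     "auth": "mx.yourcompany.com; spf=fail smtp.mailfrom=y0urcompany.com; dkim=none; dmarc=fail header.from=y0urcompany.com",
     "urls": ["https://y0urcompany.com/login"]},
    {"to": "bob@yourcompany.com", "from": "newsletter@vendor.example", "subject": "March update",
     "auth": "mx.yourcompany.com; spf=pass smtp.mailfrom=vendor.example; dkim=pass header.d=vendor.example; dmarc=pass",
     "urls": ["https://vendor.example/news"]},
    {"to": "carol@yourcompany.com", "from": "billing@y0urcompany.com", "subject": "Overdue invoice 4472",
     "auth": "mx.yourcompany.com; spf=fail smtp.mailfrom=y0urcompany.com; dkim=none; dmarc=fail header.from=y0urcompany.com",
     "urls": ["https://y0urcompany.com/login"]},
    {"to": "dave@yourcompany.com", "from": "ceo@freemail.example", "subject": "Quick favour",
     "auth": "mx.yourcompany.com; spf=pass smtp.mailfrom=freemail.example; dkim=pass header.d=freemail.example; dmarc=pass",
     "urls": []},
]
REPORTED = MAILBOX[0]  # the message alice flagged with the Report Phishing button

if __name__ == "__main__":
    for key, value in triage(REPORTED, MAILBOX).items():
        print(f"{key}: {value}")
```

Note what the fourth message shows: the "quick favour" BEC lure from a free-mail account passes SPF, DKIM and DMARC and shares nothing with the invoice campaign, so it is invisible to this routine. That is the case the awareness training in Layer 4 exists for, and it is why the reporting button matters more than any single header check.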
MicroPro helps Canadian businesses configure email security, enforce MFA, and build security awareness programs. Our Cloud Security service covers end-to-end protection.
MicroPro works with Canadian businesses on cloud, IT, and security. Book a free consultation.