Anti-Phishing Cybersecurity Featured

Multi-Layer Phishing Protection: The Onion Paradigm of Phishing Prevention

Multi-Layer Phishing Protection: The Onion Paradigm of Phishing Prevention

Reading Time: 7 minutes

Phishing protection is like an onion. Onions have layers. Phishing protection has layers

We know what you’re thinking; “not everybody likes onions. Cake! Everybody loves cake! Cakes have layers!”, but let’s not get too bogged down in the metaphor. Or the surreal Shrek references. The fact is, multi-layer phishing protection is the only way to allow for maximum detection probability. In this article, we’ll examine how and why phishing detection systems have grown, and what their developers and engineers could consider for sustaining that growth. 

What On Earth Are We Talking About?

If you think of an onion; there are layers upon layers. You don’t get to the centre unless you cut through it with a knife, or if you peel each layer off one by one, which would take an enormous amount of time and if it is cut all the way through, you’re likely to end up in tears. 

When it comes to phishing protection, layers protect the core, the user or employee who is at risk of clicking a link or inputting sensitive information. The user on their own is not enough, neither is an anti-viral or malware app or an IT team ready to pounce on suspicious emails, it all has to work together, each layer adding more protection than the one before.

The Onion Paradigm

Multi-Layer Phishing Protection


Users or employees in a corporate setting are at the very core of cybersecurity. The whole system should be designed to firstly stop phishing attacks from reaching them and secondly to ensure that they are appropriately trained in anti-phishing awareness and have good knowledge of company policy. 

The fact of the matter is, sometimes even the most intricate and best-engineered cybersecurity software can be compromised by the very latest attack vectors. The user is therefore the last line of defence for the whole protection system. Once they are compromised, everything else falls apart. 

Appropriate training of non-IT security employees needs to be relevant to them. Our CEO wrote about this in a recent article about ensuring that we don’t try and turn all employees into cyber security experts and then blame them when they fail! Instead, it’s important to create policies that they can simply follow, while also providing the grounding of things to look out for. Then train them on these policies and processes and also ensure that they are aware of the software in place. Keeping them informed of new common scams and things to look out for in emails or messages is another essential part of ensuring that they are aware enough to protect their machine and the company network should a suspicious email reach their desk. 

Remember that cyber security training is not a one-shot deal. People have to receive refresher training on a regular basis, typically every six months. Many companies even use this process to test employees randomly across the year with poisoned email and spoof pages – if you fail to report it, or worst still take an action on it, then it’s back to training for you!

Training Team for Anti-Phishing

Training Team

Appropriate training of non-IT security employees needs to be relevant to them. There are simply too many channels to train all staff on anti-phishing protection. At the core of the system, as mentioned, sit policies and processes to ensure that human error does not expose the system to a security risk. It’s important to train employees on these policies and processes and also ensure that they are aware of the software in place. 

Since awareness and training are so important to ensure the last gatekeepers in the anti-phishing system, the employees can prevent an attack from occurring, the training team is the next essential layer in our onion.

In larger companies, it is often common to have a learning and development team that would facilitate coaching and training. In smaller companies, an IT team or designated member of staff may be tasked with training other employees on cybersecurity awareness. 

The fact is, it only takes one person to accidentally or unknowingly click on a link on a website or email to unleash malware on an entire company network. This is why this layer is so important. So, if you don’t have a cyber security training and testing program, create one. If you’re too small to have a dedicated team, remember that there are companies that provide this service for you.

The IT Security Team

The next layer is the IT Team. They are responsible for maintaining software and hardware security and for ensuring that protocols are in place. It is also their responsibility to remain tuned in to developments in phishing and new security risks that may pose a threat to the business. It is fair to say that without a team or person managing IT security, other efforts may become redundant

They work actively on a daily basis to tackle any potential threats. This might entail stopping attacks that pass through the cybersecurity software, analysing threats that are caught by the software and keeping tune into developments in the world of security: New threat vectors, new widespread scams.

Many companies either have a team or one person designated to oversee security or the business might outsource all security to an IT Management Company. Most companies will also outsource the security technology and alert system to a Managed Detection and Response service (MDR) or a Managed Security Service Provider (MSSP). 

Cybersecurity Company and Technology

Cybersecurity Technology prevents potential threats from infiltrating a network, putting sensitive information at risk. The software itself must have layers, each with its own ability to detect different elements and perform specific checks. Some technologies that you may require might include: 

  • A firewall
  • Email Security 
  • Web Security
  • DMARC Analyzer for Brand Protection
  • Cloud Security 
  • Information Protection 

Many companies will use a service provider to amalgamate and monitor the technology employed. Typically you will choose between a Managed Security Service Provider (MSSP) and a Managed Detection and Response (MDR) Service. 


A Managed Security Service Provider (MSSP) provides outsourced monitoring and managed security services for businesses. The services normally provided include firewall, intrusion detection, virtual private network management, vulnerability scanning and antiviral services. They alert the person or persons responsible for managing your security of any incoming threats. They provide 24/7 security and support. For some companies, this reduces the need to hire, train and maintain an in-house security team, however many have both an internal team and avail of an MSSP.


Managed Detection and Response (MDR) is an advanced managed security service that provides another level of protection. While MSSPs provide alerts from security monitoring software, MDRs provide threat intelligence, threat hunting, security monitoring, incident analysis and incident response.

MDR provides deeper and faster detection and analysis than traditional MSSPs because they use Artificial Intelligence and Machine Learning to auto-contain and investigate threats as well as automating responses. 

Many MDRs not only use AI and machine learning to detect red flag text in communications and on websites but they also often use Visual-AI or Computer Vision to detect graphical attack vectors.

Systems and Technologies

Cybercriminals are becoming more sophisticated in their approach to attack attempts. These are cyber security experts in their own right and these days they even use AI to deliver highly effective and hard to detect campaigns. They can obfuscate code, they can spin out hundreds of spoof pages in seconds using single-use URLs and dynamically generate content from encrypted, obfuscated javascript and web assembly. Among the most recent and ingenious methods of exploiting gaps in programmatic systems is the use of graphics to exploit and confuse victims, and to also evade detection.

Techniques can be as simple as the creation of pixel-perfect emails and web pages carrying the spoofed brand, to converting trigger words into image fragments, or even the whole page into an image.

This is just one example of the many ways in which bad actors are using graphics to cheat the system. In a recent poll carried out by VISUA, 83% of IT security professionals have seen a phishing attack attempt with graphical vectors, so this is not a new phenomenon by any means. MSSP/MDR companies and the platforms they use should therefore ensure that they are making use of the most up-to-date technologies, like computer vision for phishing detection, to spot these clever subterfuges that typical systems would miss and the human eye would almost certainly accept.

Amazon Payment Screen highlighting graphical phishing attacks

Company Policies and Procedures

The layer that holds it all together is your company’s cybersecurity policies and procedures which dictate: 

  • What kind of technology you need
  • What third party companies you work with
  • The work those who are internally responsible for security will carry out
  • What the end-user, your employees, should do when they believe an email or other form of communication is suspicious.

A policy will apply to employees, contractors, volunteers and any third party that may have access to company networks and data. It will typically cover the following: 

  • The use and protection of confidential data including financial information, vendor and partner data, patents and formulae, customer lists and associated data, employee information.
  • The use and protection of both personal and business devices. This might include policies such as: 
    • Keeping all devices password protected
    • Not using personal devices for company work
    • Not leaving devices unattended in common or public areas
  • Being email smart i.e. not opening attachments if the content is not explained or referenced in the email, referring suspicious emails to the person responsible for IT security and so on. 
  • Password management. 
  • Secure data transfer e.g. not using flash drives to transfer files from one computer to another
  • Remote working policies


Some businesses might feel that having antivirus software in place on individual devices is enough. In other cases, they rely on their MDR company completely. But if our onion theory proves anything, it is that it takes so much more than that. From reliable third parties and effective detection systems to comprehensive policies and awareness trained employees. There is much to consider when it comes to your company’s security, but one thing is for certain if you ensure each of these layers is in place, and you ensure that you choose providers that use the very latest technologies, the risk of an attack on your network being successful is significantly reduced. 

Book A Demo


APWG Phishing Trends Report: Year on Year Review (2022)

Reading Time: 5 minutes A close examination of the APWG Phishing Trends Report (Q1 2022) TLDR: Our previous article on this subject focused on the historical […]

Anti-Phishing Cybersecurity
The Importance Of Measuring Placements in Sponsorship Monitoring

Reading Time: 4 minutes Measuring placements in sports sponsorship monitoring is crucial In the early days of publishing, advertising was sold based on ‘circulation’. There was […]

Featured Sponsorship Monitoring
Visual-AI Company VISUA Launches Sponsorship Opportunities Research Tracking (SORT)

Reading Time: 3 minutes Dublin and New York-based VISUA now enables sponsors to find new sponsorship opportunities from historical sports footage Leading Visual-AI company, VISUA has […]

Featured Sponsorship Monitoring VISUA News

Trusted by the world's leading platforms, marketplaces and agencies

Integrate Visual-AI Into Your Platform

Seamlessly integrating our API is quick and easy, and if you have questions, there are real people here to help. So start today; complete the contact form and our team will get straight back to you.

  • This field is for validation purposes and should be left unchanged.