Phishing remains the most common starting point for cyber attacks on UK businesses. Despite years of awareness campaigns, it continues to work – because attackers have become significantly more sophisticated, and because the consequences of one wrong click can be severe.
Phishing is a form of social engineering in which an attacker impersonates a trusted individual or organisation to trick someone into revealing their credentials, transferring funds, or installing malware. It covers a range of methods:
– Email phishing. The most common form, involving fraudulent emails that appear to come from a legitimate source such as a bank, software provider, or a colleague.
– Spear phishing. Targeted attacks tailored to a specific individual, often using personal details gathered from LinkedIn or company websites to appear credible.
– Smishing. Phishing conducted via text message, increasingly used to target mobile devices.
– Vishing. Voice-based phishing, where attackers impersonate IT support, HMRC, or other trusted parties over the phone.
– Business email compromise (BEC). A particularly damaging variant in which attackers compromise or spoof a senior employee's email account to authorise fraudulent payments.
What makes modern phishing especially difficult to detect is the use of AI to generate convincing, personalised messages that lack the spelling errors and awkward phrasing of older attacks. The urgency and authority tactics remain the same; the execution has improved significantly.
Phishing succeeds because it targets people, not systems. Even organisations with robust technical defences can be compromised if a single employee clicks a malicious link or enters credentials on a spoofed page. Several common working conditions increase that exposure:
– High email volumes. Employees processing large numbers of messages are more likely to act without scrutiny.
– Hybrid working. Remote workers may be less likely to verify unusual requests in person.
– Supply chain trust. Attackers often impersonate known partners or vendors, exploiting established business relationships.
– Infrequent training. One-off awareness sessions wear off quickly; phishing tactics evolve faster than annual training cycles.
An effective defence against phishing is layered:
1. Technical controls
– Email filtering and anti-spoofing protocols (SPF, DKIM, DMARC) reduce the volume of malicious emails that reach inboxes.
– Multi-factor authentication (MFA) on all accounts means that compromised credentials alone are not enough to gain access.
– Endpoint detection and response (EDR) tools can identify and contain threats that do get through.
– DNS filtering blocks connections to known malicious domains, even if a user clicks a link.
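To make the SPF and DMARC point above concrete, here is an added example (not code from the original article) that reads a domain's SPF and DMARC TXT records and flags the settings that leave spoofed mail unblocked. The domain and records are constructed sample values, shown once in a weak form and once hardened; in practice the records would come from a DNS TXT lookup.

```python
"""Assess a domain's anti-spoofing posture from its SPF and DMARC records."""
from typing import Dict, List

# Constructed sample records, as a DNS TXT lookup would return them (not real domains).
SAMPLE_RECORDS = {
    "example.test": "v=spf1 include:_spf.mailer.test ~all",
    "_dmarc.example.test": "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
}
HARDENED_RECORDS = {
    "example.test": "v=spf1 include:_spf.mailer.test -all",
    "_dmarc.example.test": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.test",
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into a lower-cased tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(records: Dict[str, str], domain: str) -> List[str]:
    """Return the weaknesses found; an empty list means nothing to fix."""
    findings = []
    spf = records.get(domain, "")
    if not spf.startswith("v=spf1"):
        findings.append("no SPF record")
    elif not spf.rstrip().endswith("-all"):
        # ~all (softfail) or +all (pass) let unauthorised senders through most filters
        findings.append("SPF does not hard-fail unauthorised senders (-all)")
    dmarc_txt = records.get(f"_dmarc.{domain}", "")
    if not dmarc_txt.startswith("v=DMARC1"):
        findings.append("no DMARC record")
        return findings
    tags = parse_dmarc(dmarc_txt)
    if tags.get("p", "none") == "none":
        # p=none only monitors; receivers still deliver mail that fails SPF/DKIM alignment
        findings.append("DMARC policy is p=none: spoofed mail is reported, not blocked")
    if "rua" not in tags:
        findings.append("no rua= address: spoofing attempts will not be reported")
    return findings
```

Running `assess(SAMPLE_RECORDS, "example.test")` lists two findings, while the hardened records return none.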
2. Process and governance
– A clear process for verifying unusual payment requests or credential changes – particularly any instruction received by email – reduces the risk of BEC attacks.
– Privileged accounts should be separate from day-to-day email accounts; senior staff with elevated permissions are high-value targets.
– Supplier communications should be verified through established channels when anything out of the ordinary is requested.
3. People and culture
– Regular phishing simulation exercises help staff recognise attack patterns in a low-stakes environment – and give you measurable data on where training is needed.
– Security awareness training should be ongoing rather than annual, and should be updated to reflect current attack techniques.
– Creating a culture where staff feel comfortable reporting suspected phishing – without fear of embarrassment – is as important as the training itself.
If an employee suspects they've clicked a malicious link or entered credentials on a suspect page, act immediately – isolate the device, change passwords, and notify IT or your security provider. Delaying action increases the window for attackers to move through your network.
If a fraudulent payment has been made, contact your bank as quickly as possible – early intervention improves the chances of recovery.
The honest answer for most businesses is that they don't know how their team would respond until they test it. Phishing simulation is a low-disruption way to find out – and the results tend to focus minds. Speak to the team about human risk management, or explore our cybersecurity services.