
To protect your UK business from phishing attacks, deploy four controls in this order: enforce multi-factor authentication on every account, configure email authentication (SPF, DKIM and DMARC set to reject), run quarterly staff awareness training with simulated phishing tests, and write a one-page incident playbook before you need it. Phishing is the single most common attack on UK businesses: the government's Cyber Security Breaches Survey 2025 found 85% of breached businesses were hit by phishing, and 43% of all UK businesses (roughly 612,000) suffered a breach in the prior 12 months. The cheapest high-impact step costs nothing: MFA blocks the majority of credential-theft attempts. Cyber Essentials self-assessment certification costs around £300 plus VAT. Report scam emails to report@phishing.gov.uk, scam texts to 7726, and fraud to Action Fraud on 0300 123 2040. Under UK GDPR you have 72 hours to report a notifiable breach to the ICO.
Last updated: June 2026
Phishing is a social-engineering attack where a criminal impersonates a trusted party to trick someone into handing over credentials, money or access. It is the most common cyber threat facing UK businesses by a wide margin, and it is the entry point for most ransomware and business-email-compromise incidents. If you only defend against one attack type, defend against this one.
The numbers are not abstract. The UK government's Cyber Security Breaches Survey 2025 found that 43% of all UK businesses identified a breach or attack in the previous 12 months, which translates to roughly 612,000 businesses. Of those affected, 85% experienced phishing, making it comfortably the most prevalent threat. The same survey put the average cost of the most disruptive breach at around £1,600, rising to roughly £3,550 once you exclude the firms that reported no measurable cost. For a small business those figures understate the real damage, because they rarely capture lost time, reputational harm or the cost of rebuilding trust with customers.
Our honest view: most UK SMEs are not targeted because they are valuable; they are targeted because they are easy. Attackers run phishing campaigns at industrial scale and harvest whoever clicks. You do not need to be a bank to be worth £40,000 in a fraudulent invoice. The good news is that the same lack of sophistication that makes you a target also means a handful of cheap, boring controls will deflect the overwhelming majority of attempts.
Here is how phishing fits into the wider threat picture for a typical UK SME:
| Threat | Prevalence among breached UK firms (2025) | Typical entry point |
|---|---|---|
| Phishing | 85% | Email, SMS, phone, social |
| Impersonation (spoofed sender/domain) | Around 35% | Email, lookalike domains |
| Malware | Around 13% | Malicious attachment or link |
| Ransomware | Around 4% (and rising) | Almost always phishing first |
The pattern is consistent year after year: phishing is the front door, and everything worse walks through it. That is why a layered defence beats any single product. No spam filter catches everything, no training stops every click, and no policy survives a busy Friday afternoon. You win by stacking controls so that a failure at one layer is caught at the next.
Phishing is not one attack but a family of attacks that share a method: deception. Understanding the variants matters because the defences differ. A spam filter stops mass email phishing but does nothing against a phone call, and MFA stops credential theft but does nothing against a fraudulent invoice that asks you to change bank details.
The main categories you and your staff should recognise are these:
Our stance: BEC deserves disproportionate attention from any UK business that pays invoices, because it bypasses most of your technology. It does not carry malware, it rarely fails a spam check, and it preys on process rather than software. The defence is a procedural one, not a technical one: a hard rule that no change to supplier bank details is ever actioned on the strength of an email alone. Always verify by calling a known number, never the number in the message.
| Type | Channel | Primary defence | UK report route |
|---|---|---|---|
| Email phishing | Email | Filtering, DMARC, training | report@phishing.gov.uk |
| Spear phishing / whaling | Email (targeted) | Training, MFA, verification culture | report@phishing.gov.uk |
| Smishing | SMS | Awareness, never tap links | Forward to 7726 |
| Vishing | Phone | Callback verification, codeword | Action Fraud 0300 123 2040 |
| BEC | Email | Dual-authorisation, callback policy | Action Fraud + your bank |
| AI / deepfake | Voice / video | Out-of-band verification, codeword | Action Fraud 0300 123 2040 |
Notice how many defences are human rather than technical. That is deliberate. Across every variant, the single most reliable control is a culture where verifying an unusual request is normal, encouraged, and never treated as an insult. A bank will never mind being called back. A genuine supplier will never mind you confirming new account details. The attacker is the only party who suffers when you verify.
You spot phishing by checking a fixed set of red flags before you click, reply or pay, regardless of how legitimate the message looks. The best phishing emails in 2026 are clean, well-spelled and convincing, so the old advice about bad grammar is no longer enough. Teach your staff to inspect structure and intent, not just tone.
Here is the checklist we train every client team to run, in order:
| Red flag | What to check | Why it matters |
|---|---|---|
| Sender address | Hover the display name and read the real address. Look for lookalike domains (rn vs m, .co vs .co.uk). | Spoofing and lookalikes are the most common trick. |
| Urgency or threat | "Act now", "account suspended", "final notice". | Pressure short-circuits judgement. It is the attacker's main tool. |
| Link mismatch | Hover every link and read the destination before clicking. | Display text and real URL often differ. |
| Unexpected attachment | Invoices, CVs, voicemails, ZIP files you did not expect. | Attachments carry malware or lead to fake portals. |
| Request for credentials or payment | Any message asking you to log in, pay, or change bank details. | Legitimate organisations rarely ask this way. |
| Out-of-character request | The CEO asking for gift cards, a supplier changing bank details. | Classic BEC and whaling signatures. |
The honest rule we give staff is simple: if a message makes you feel urgency, slow down. Urgency is manufactured precisely because a calm person spots the deception. When something feels off, the correct response is never to reply to the message; it is to verify through a separate, known channel. Phone the colleague on their saved number. Log into the supplier portal directly rather than through the emailed link. Open a new browser tab and type the bank's address by hand.
One practical addition: encourage a "report, don't delete" habit. If staff simply delete a suspicious email, your security team never sees the pattern and the next person who receives the same lure is unprotected. A one-click report button in Outlook or Google Workspace, feeding into a shared mailbox, turns every cautious employee into a sensor for the whole organisation. That cultural shift, from individual deletion to collective reporting, is one of the cheapest and most effective improvements any business can make.
SPF, DKIM and DMARC are three DNS records that together stop criminals from sending email that appears to come from your domain. Most UK businesses have SPF and DKIM partly configured but leave DMARC either absent or set to a do-nothing policy, which means a spoofer can still impersonate the company to its own customers. Getting all three right is the highest-leverage technical control you can apply, and it costs nothing but configuration time.
Here is what each record does, in plain terms:
The setup walkthrough most articles skip looks like this:
| DMARC policy | What happens to a failing message | Protection level |
|---|---|---|
| p=none | Delivered as normal, but reported | Monitoring only, no protection |
| p=quarantine | Sent to spam/junk | Partial |
| p=reject | Rejected before delivery | Full anti-spoofing |
Our blunt view: a DMARC record stuck at p=none is security theatre. It looks like you have done the work, but anyone can still send email as your finance director. The whole point of the exercise is to reach p=reject safely, and the staged approach above is how you get there without accidentally blocking your own newsletters or invoices. If your business sends customer-facing email and pays invoices, this is not optional housekeeping; it is a direct defence against BEC fraud. We build this configuration as part of every secure email and business process automation project we deliver, because automated systems that send mail on your behalf are exactly the senders that get forgotten in an SPF record.
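As an added example (not the article's or Softomate's own tooling), here is a small Python audit that reads SPF, DKIM and DMARC TXT records and reports the gaps the table describes. The records for example.co.uk are constructed: WEAK is the half-finished state the text calls security theatre, HARDENED is the target. In practice you would feed it the TXT answers from your DNS provider or from `dig TXT _dmarc.yourdomain`; the selector name "google" is an assumption.

```python
from typing import Dict, List, Optional

MAX_SPF_LOOKUPS = 10  # RFC 7208 caps DNS-querying SPF terms at ten per check
DMARC_LEVELS = {"none": "monitoring", "quarantine": "partial", "reject": "full"}

# Constructed TXT answers for the hypothetical domain example.co.uk (nothing is
# looked up over the network). WEAK is the common half-finished state; HARDENED
# is the target the article describes.
WEAK_TXT = {
    "example.co.uk": "v=spf1 include:_spf.google.com include:sendgrid.net ~all",
    "_dmarc.example.co.uk": "v=DMARC1; p=none",
    "google._domainkey.example.co.uk": "v=DKIM1; k=rsa; p=MIIBIjANBgkq(constructed-placeholder)",
}
HARDENED_TXT = {
    "example.co.uk": "v=spf1 include:_spf.google.com include:sendgrid.net -all",
    "_dmarc.example.co.uk": "v=DMARC1; p=reject; rua=mailto:dmarc@example.co.uk",
    "google._domainkey.example.co.uk": "v=DKIM1; k=rsa; p=MIIBIjANBgkq(constructed-placeholder)",
}


def parse_tags(record: str) -> Dict[str, str]:
    """Turn a 'k=v; k=v' DMARC or DKIM record into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: Optional[str]) -> List[str]:
    if not record or not record.strip().lower().startswith("v=spf1"):
        return ["SPF: no v=spf1 record, so receivers cannot tell which servers may send for you"]
    findings = []
    terms = record.split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    qualifier = None if all_term is None else (all_term[0] if all_term[0] in "+-~?" else "+")
    if qualifier in (None, "+"):
        findings.append("SPF: no 'all' term or '+all', so any server passes")
    elif qualifier == "?":
        findings.append("SPF: '?all' is neutral, effectively no policy")
    elif qualifier == "~":
        findings.append("SPF: '~all' softfail; move to '-all' once every legitimate sender is listed")
    lookups = 0
    for term in terms:
        mechanism = term.lstrip("+-~?").lower()
        if mechanism.split(":")[0].split("/")[0] in ("include", "a", "mx", "exists", "ptr") \
                or mechanism.startswith("redirect="):
            lookups += 1  # each of these costs a DNS query at the receiver
    if lookups > MAX_SPF_LOOKUPS:
        findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of {MAX_SPF_LOOKUPS}; receivers will permerror")
    return findings


def dmarc_level(record: Optional[str]) -> str:
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return "none"
    return DMARC_LEVELS.get(parse_tags(record).get("p", "none").lower(), "none")


def check_dmarc(record: Optional[str]) -> List[str]:
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return ["DMARC: no record, so spoofed mail is delivered and you receive no reports"]
    tags = parse_tags(record)
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail still lands in inboxes")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends spoofs to junk; move to p=reject once reports are clean")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you will never see who is sending as you")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of your mail")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("DMARC: sp=none leaves your subdomains spoofable")
    return findings


def check_dkim(record: Optional[str], selector: str) -> List[str]:
    if not record:
        return [f"DKIM: no record at {selector}._domainkey, so mail signed with this selector cannot be verified"]
    if not parse_tags(record).get("p"):
        return [f"DKIM: selector {selector} has an empty p= tag, meaning the key is revoked"]
    return []


def audit(domain: str, txt: Dict[str, str], selectors=("google",)) -> dict:
    """Collect findings for one domain and summarise its DMARC protection level."""
    dmarc = txt.get(f"_dmarc.{domain}")
    findings = check_spf(txt.get(domain)) + check_dmarc(dmarc)
    for selector in selectors:
        findings += check_dkim(txt.get(f"{selector}._domainkey.{domain}"), selector)
    return {"dmarc_level": dmarc_level(dmarc), "findings": findings}


if __name__ == "__main__":
    for label, txt in (("weak", WEAK_TXT), ("hardened", HARDENED_TXT)):
        print(label, audit("example.co.uk", txt))
```

The rua= check matters as much as the policy check: the reports delivered to that address are how you discover the forgotten automated senders (invoicing systems, CRM notifications) before switching to p=reject, which is why the audit refuses to call a record clean without one.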
Multi-factor authentication stops the large majority of credential-theft phishing, because even when an employee hands over a password, the attacker still cannot log in without the second factor. It is the single most cost-effective control available, it is usually free on platforms you already pay for, and there is no good reason for any UK business to run without it in 2026. If you do one thing after reading this article, turn on MFA everywhere.
That said, not all MFA is equal, and honest advice means saying so. SMS codes are better than nothing but can be intercepted or phished in real time. App-based authenticators are stronger. Phishing-resistant methods such as FIDO2 hardware keys or passkeys are the gold standard because the cryptography simply will not authorise a fake site. For most SMEs, app-based MFA on every account plus hardware keys for finance and admin staff is the right balance of cost and protection.
| MFA method | Phishing resistance | Typical cost | Best for |
|---|---|---|---|
| SMS one-time code | Low | Free | Better than nothing only |
| Authenticator app | Medium | Free | All staff, baseline |
| Push approval with number matching | Medium-high | Free to low | All staff |
| FIDO2 key / passkey | High | £20-£50 per key | Finance, admins, executives |
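Why a FIDO2 key or passkey "simply will not authorise a fake site" comes down to origin binding, and it is worth seeing the mechanism rather than taking it on trust. The Python below is an added example, not code from the article or from Softomate Solutions, and it is a toy model of the WebAuthn flow: the relying party, its origin and the lookalike domain are constructed, and a shared HMAC key stands in for the authenticator's private key and the site's stored public key so that it runs with the standard library alone. The checks the site performs (challenge, origin, RP ID hash inside the signed data) are the real ones.

```python
import hashlib
import hmac
import json
import secrets

# Constructed relying party: the genuine site and the only origin it will accept.
RP_ID = "bank.example.co.uk"
EXPECTED_ORIGIN = "https://bank.example.co.uk"

# A real authenticator keeps a private key and the site stores the matching public
# key. A shared HMAC key stands in for that key pair here (assumption for brevity);
# the origin-binding logic is unchanged.
CREDENTIAL_KEY = secrets.token_bytes(32)


def authenticator_sign(key: bytes, rp_id: str, client_data: dict) -> bytes:
    """The key signs the RP ID hash plus a hash of the client data. The client data
    carries the origin the browser is really on, so the signature cannot be
    replayed to, or from, any other site."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    client_hash = hashlib.sha256(json.dumps(client_data, sort_keys=True).encode()).digest()
    return hmac.new(key, rp_id_hash + client_hash, hashlib.sha256).digest()


def browser_get_assertion(key: bytes, page_origin: str, requested_rp_id: str, challenge: str):
    """What the browser does when a page asks for a login assertion. The page picks
    the RP ID it wants, but the browser only permits its own host (or a parent
    domain of it), and the browser, not the page, fills in the origin."""
    host = page_origin.split("://", 1)[1]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        return None  # refused: a lookalike domain cannot borrow the real site's RP ID
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    return {"client_data": client_data,
            "signature": authenticator_sign(key, requested_rp_id, client_data)}


def relying_party_verify(key: bytes, assertion, issued_challenge: str) -> bool:
    """The genuine site accepts only its own fresh challenge, its own origin and a
    signature made under its own RP ID."""
    if assertion is None:
        return False
    client_data = assertion["client_data"]
    if client_data["challenge"] != issued_challenge or client_data["origin"] != EXPECTED_ORIGIN:
        return False
    expected = authenticator_sign(key, RP_ID, client_data)
    return hmac.compare_digest(expected, assertion["signature"])


def demo() -> dict:
    """Genuine login versus two attempts made from a lookalike page the user has
    been lured to. The user's own key and browser are present and the page relays
    the real site's challenge, which is the situation where a password plus an
    SMS or app code would still have been accepted."""
    challenge = secrets.token_urlsafe(32)
    genuine = browser_get_assertion(CREDENTIAL_KEY, EXPECTED_ORIGIN, RP_ID, challenge)
    lookalike = "https://bank-example.co.uk"  # constructed lookalike domain
    borrow_rp = browser_get_assertion(CREDENTIAL_KEY, lookalike, RP_ID, challenge)
    own_rp = browser_get_assertion(CREDENTIAL_KEY, lookalike, "bank-example.co.uk", challenge)
    return {
        "genuine_site": relying_party_verify(CREDENTIAL_KEY, genuine, challenge),
        "lookalike_borrowing_real_rp_id": relying_party_verify(CREDENTIAL_KEY, borrow_rp, challenge),
        "lookalike_using_own_rp_id": relying_party_verify(CREDENTIAL_KEY, own_rp, challenge),
    }


if __name__ == "__main__":
    print(demo())
```

Both lookalike attempts fail for different reasons: the browser refuses to sign under an RP ID the page does not own, and a signature made under the lookalike's own RP ID carries the wrong origin and the wrong RP ID hash, so the genuine site rejects it. Nothing the user does on the fake page can produce a signature the real site will accept, which is the property the table summarises as "High" phishing resistance.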
MFA is half the access story. The other half is least privilege: nobody should have more access than their job requires. When a phished account has admin rights over your entire system, one click becomes a catastrophe. When the same account can only read its own mailbox, the blast radius is small. Practical least-privilege steps include separate admin accounts that are never used for daily email, removing access the day someone leaves, and reviewing who can authorise payments at least twice a year.
When we build a custom CRM or integrate finance systems for a client, role-based access and MFA enforcement are designed in from day one rather than bolted on afterwards. Security that is part of the architecture is far cheaper than security retrofitted after an incident.
You train staff by combining short, regular awareness sessions with realistic simulated phishing tests, then measuring the click rate over time and coaching rather than punishing the people who fail. Annual tick-box training does almost nothing; people forget within weeks and the threat changes monthly. Effective training is little, often, and tied to the real lures your industry actually receives.
A sensible programme for a UK SME looks like this across a year:
Our strong opinion on this: never punish the clicker. The moment staff fear being blamed, they stop reporting, and a hidden click is far more dangerous than a reported one. The goal is a culture where forwarding a suspicious email to your security mailbox earns a thank-you, not a sigh. Frame simulations as a team sport against the attacker, not a trap for the employee.
| Training activity | Frequency | Goal metric | Healthy target |
|---|---|---|---|
| Onboarding module | Per new starter | Completion before access | 100% |
| Micro-training | Quarterly | Participation | Above 90% |
| Simulated phishing | Monthly to quarterly | Click rate | Below 5% over time |
| Reporting drill | Ongoing | Report rate | Above 70% of simulations |
Budget context for UK businesses: a decent phishing-simulation and training platform costs in the region of £1 to £3 per user per month, so a 20-person firm might spend £300 to £700 a year. Set against an average disruptive breach cost of around £1,600, and far higher for a successful BEC fraud, that is one of the best returns in your entire security budget. Training is not a substitute for technical controls, but technical controls are not a substitute for training either. You need both.
AI has made phishing cheaper, faster and far more convincing, removing the spelling mistakes and clumsy phrasing that used to give attacks away and adding voice and video impersonation to the criminal toolkit. The practical consequence is that you can no longer tell staff to "look for bad English", because generative tools produce flawless, personalised messages at scale. The defence has shifted decisively from spotting mistakes to verifying identity.
Three AI-driven trends matter most for UK businesses right now:
Our honest assessment: be sceptical of any urgent instruction that arrives by voice or video and asks for money or access, no matter how real it sounds. Hearing a familiar voice is no longer proof of identity. The single most effective defence is the oldest trick in the book: a verbal codeword or callback rule. Agree a private phrase with your finance team, and require that any unusual payment instruction is confirmed by calling the person back on their known number. A deepfake cannot answer your direct call on a number you already trust.
| AI phishing tactic | Old defence (now weak) | 2026 defence (strong) |
|---|---|---|
| Perfect-grammar email | Spot bad spelling | Verify sender and intent, DMARC reject |
| Cloned voice call | Recognise the voice | Codeword + callback on known number |
| Deepfake video call | Trust what you see | Out-of-band confirmation before any payment |
| Hyper-personalised lure | Generic suspicion | Dual authorisation, verification culture |
There is a constructive flip side. The same AI that powers attacks also powers defence: modern email security uses machine learning to detect anomalous tone, unusual payment language and impersonation patterns that rule-based filters miss. We help clients deploy intelligent automation, including AI voice agents and AI-assisted monitoring, in ways that strengthen rather than expose the business. The technology is neutral; the question is who deploys it more thoughtfully. Our job is to make sure that is you, not the attacker.
If an employee clicks a phishing link or enters credentials, act immediately on a fixed sequence: isolate the device, reset the affected passwords, revoke active sessions, check for unauthorised changes, and report the incident through the correct UK channels. Speed matters more than blame. The first hour decides whether this is a near-miss or a full breach, so have the playbook written and visible before it happens, not improvised under pressure.
Here is the copy-and-keep incident playbook we give every client:
| What to report | Where | Contact |
|---|---|---|
| Scam / phishing email | NCSC Suspicious Email Reporting Service | report@phishing.gov.uk |
| Scam text message | Mobile network spam reporting | Forward to 7726 |
| Fraud or financial loss | Action Fraud (England, Wales, NI) | 0300 123 2040 / reportfraud.police.uk |
| Personal data breach | Information Commissioner's Office | Within 72 hours if notifiable |
| Money already transferred | Your bank's fraud line | Immediately, request recall |
One point that catches businesses out: the UK GDPR 72-hour clock starts when you become aware of a notifiable breach, not when you finish investigating. If you are unsure whether personal data was affected, document your reasoning at the time. The ICO looks far more favourably on a business that reported promptly and acted decisively than on one that delayed while it deliberated. Recovery is also a good moment to consider Cyber Essentials certification and cyber insurance if you do not already hold them; 62% of small UK businesses now carry cyber insurance, and many insurers expect basic controls such as MFA before they will pay out.
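The "check for unauthorised changes" step of the playbook is where a compromised mailbox most often gives itself away: a criminal who has obtained credentials typically adds inbox rules that forward or hide invoice and security mail so the victim does not notice. The Python below is an added example of that check, not the article's or Softomate's own tooling. The rule export format and its field names are assumptions standing in for whatever your mail platform exports (you would adapt the keys to its real schema), the three rules and the incident time are constructed, and the company domain list is a placeholder.

```python
import json
from datetime import datetime, timezone
from typing import List, Optional

COMPANY_DOMAINS = {"example.co.uk"}  # constructed: domains mail may legitimately be forwarded to
SUSPICIOUS_KEYWORDS = ("invoice", "payment", "bank", "password", "mfa", "security alert")
HIDING_FOLDERS = ("rss subscriptions", "rss feeds", "conversation history", "junk email",
                  "deleted items", "archive")

# Constructed export. The field names (name, enabled, created, conditions, actions)
# are assumptions standing in for your mail platform's real rule export.
RULES_EXPORT = json.dumps([
    {"name": "Team newsletter", "enabled": True, "created": "2026-03-02T09:15:00Z",
     "conditions": {"from_contains": ["newsletter@example.co.uk"]},
     "actions": {"move_to_folder": "Newsletters"}},
    {"name": ".", "enabled": True, "created": "2026-06-10T14:03:00Z",
     "conditions": {"subject_contains": ["invoice", "payment"]},
     "actions": {"forward_to": ["collect@attacker-mail.example"], "delete": True}},
    {"name": "..", "enabled": True, "created": "2026-06-10T14:04:00Z",
     "conditions": {"body_contains": ["password reset", "security alert"]},
     "actions": {"move_to_folder": "RSS Subscriptions", "mark_as_read": True}},
])
INCIDENT_TIME = datetime(2026, 6, 10, 13, 30, tzinfo=timezone.utc)  # constructed: when the link was clicked


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in COMPANY_DOMAINS


def scan_rules(export_json: str, incident_time: Optional[datetime] = None) -> List[dict]:
    """Return every rule showing a known post-compromise pattern, with the reasons."""
    findings = []
    for rule in json.loads(export_json):
        actions = rule.get("actions", {})
        conditions = rule.get("conditions", {})
        reasons = []
        # Forwarding or redirecting to an address outside the company.
        for address in actions.get("forward_to", []) + actions.get("redirect_to", []):
            if is_external(address):
                reasons.append(f"forwards mail outside the company to {address}")
        # Rules that silently dispose of messages about money or account security.
        matched = [m.lower() for values in conditions.values() for m in values]
        sensitive = any(keyword in m for m in matched for keyword in SUSPICIOUS_KEYWORDS)
        if sensitive and actions.get("delete"):
            reasons.append("deletes messages about payments or security")
        if sensitive and actions.get("move_to_folder", "").lower() in HIDING_FOLDERS:
            reasons.append(f"hides such messages in '{actions['move_to_folder']}'")
        # Names made of dots or blanks are easy to overlook in a long rule list.
        if not rule.get("name", "").strip(" ._-"):
            reasons.append("blank or punctuation-only rule name")
        # Anything created after the click is suspect until someone owns up to it.
        if incident_time is not None:
            created = datetime.fromisoformat(rule["created"].replace("Z", "+00:00"))
            if created >= incident_time:
                reasons.append("created after the incident")
        if reasons:
            findings.append({"name": rule["name"], "enabled": rule["enabled"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_rules(RULES_EXPORT, INCIDENT_TIME):
        print(finding)
```

Run this against every mailbox whose credentials may have been entered, not only the one that reported the click, and keep the output with your incident notes: it is exactly the kind of contemporaneous record the ICO expects if the 72-hour question arises.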
Softomate Solutions hardens UK businesses against phishing through a fixed five-stage process that combines technical controls, staff training and secure system design, delivered against a fixed quote so you know the cost before we start. We are a London-based automation and software development agency in Stanmore (HA7), and we build security into the systems we deliver rather than treating it as an optional extra. Most SME engagements begin from £2,500 for a foundational hardening package, with ongoing training and monitoring available as a monthly retainer.
Our five stages run as follows:
| Stage | Typical timeline | Key deliverable |
|---|---|---|
| Assessment | Week 1 | Risk and gap report |
| Technical hardening | Weeks 1-2 | DMARC at reject, MFA enforced |
| Training and simulation | Weeks 2-4 | Trained staff, baseline click rate |
| Process and playbook | Week 3 | Incident playbook, payment controls |
| Monitor and improve | Ongoing | Monthly report and tuning |
We quote fixed prices, not open-ended hourly billing, because security work should not come with budget surprises. If your phishing risk is tangled up with wider workflow problems, weak systems, manual payment processes or fragmented data, we can address the root cause too through our AI automation agency services and custom software development. Secure automation removes the manual steps where human error and fraud creep in, which is often the most durable defence of all. Companies House registered and London-based, we work with UK SMEs that want practical protection rather than jargon.
Forward suspicious emails to the National Cyber Security Centre's Suspicious Email Reporting Service at report@phishing.gov.uk. Forward scam text messages to 7726. If you have lost money or handed over financial details, report it to Action Fraud on 0300 123 2040 or at reportfraud.police.uk, and contact your bank immediately to request a recall.
MFA stops most credential-theft phishing because a stolen password alone is no longer enough to log in. It is not absolute: real-time phishing kits and MFA-fatigue attacks can defeat weaker methods like SMS codes. Phishing-resistant MFA such as FIDO2 hardware keys or passkeys offers the strongest protection and should be used for finance and admin accounts.
BEC is a phishing attack where a criminal spoofs or compromises a trusted email account, usually a director or supplier, then sends a plausible request to change bank details or release a payment. It often carries no malicious link, so technical filters miss it. The defence is procedural: verify every payment change by calling a known number.
Cyber Essentials self-assessment certification costs around £300 plus VAT for a small business, with tiered pricing by company size. Cyber Essentials Plus, which adds a hands-on technical audit, costs more, typically from around £1,500 depending on your size and assessor. Many UK contracts and insurers now expect at least basic Cyber Essentials certification.
Under UK GDPR you must report a notifiable personal data breach to the Information Commissioner's Office within 72 hours of becoming aware of it. The clock starts on awareness, not on completing your investigation. If you are unsure whether to report, document your reasoning; prompt reporting is viewed far more favourably than delay.
Report it at once, do not hide it. Disconnect the device from the network, reset the passwords for any account whose credentials may have been entered, and sign out of all sessions. Then check for new mailbox forwarding rules or changed bank details, and report the email to report@phishing.gov.uk. Speed in the first hour matters most.
Check the real sender address by hovering the display name, watch for manufactured urgency, hover links to read the true destination, and be wary of unexpected attachments or requests to log in or pay. AI now produces flawless grammar, so do not rely on spelling mistakes. When in doubt, verify through a separate known channel.
Yes. Voice cloning needs only a few seconds of recorded audio, and there have been real cases of finance staff approving large transfers after a cloned-voice call from a supposed director. Hearing a familiar voice is no longer proof of identity. Protect against it with an agreed codeword and a rule to call the person back on their known number.
Run simulated phishing tests monthly to quarterly, at random intervals, with friendly coaching rather than punishment for anyone who clicks. Track both the click rate, aiming below 5% over time, and the report rate, aiming above 70% of simulations. Pair simulations with short quarterly micro-training rather than a single annual session, which staff quickly forget.
Cyber insurance and technical controls work together, not as substitutes. Around 62% of small UK businesses now hold cyber insurance, and many insurers require basic controls such as MFA and a working backup before they will pay out. Insurance covers residual financial risk; controls reduce the chance of a claim. Sensible businesses invest in both.
Protecting your UK business from phishing comes down to layering a few proven controls rather than chasing a single silver bullet. Turn on MFA everywhere, because it blocks most credential theft for free. Move DMARC to p=reject so criminals cannot spoof your domain. Train staff little and often, run simulated tests, and reward reporting rather than punishing clicks. Treat any urgent voice or payment request with suspicion in the age of deepfakes, and verify with a codeword and a callback. Write your incident playbook now, while it is calm, so you know to isolate, reset, revoke and report when the click happens. Remember the numbers: 85% of breached UK businesses are hit by phishing, certification starts at around £300, and you have 72 hours to report a notifiable breach to the ICO. Get the boring controls right, and you deflect the overwhelming majority of attacks before they ever reach a human decision.
If you want phishing defences configured properly, from DMARC to staff training to a tested incident playbook, our team can harden your systems against a fixed quote. Talk to us through our business process automation and security hardening service, or get in touch via our contact page.
Written by Deen Dayal Yadav, Founder of Softomate Solutions, a London-based AI automation and software development agency in Stanmore (HA7). With over 12 years building software, automation and secure systems for UK businesses, Deen has helped organisations replace fragile manual processes with secure, automated workflows that close the gaps where fraud and human error take hold. Softomate Solutions is a Companies House registered company. Learn more on our about page.