Phishing attacks remain the most common cause of cyber breaches in the UK. The government’s Cyber Security Breaches Survey found that 85% of businesses that experienced a breach identified phishing as the attack method. That figure has barely shifted in three years. What has changed is how the attacks look, how they arrive, and why email filters alone no longer catch them.

For SMEs, the risk is straightforward. Phishing works because it targets people, not systems. And unless your team knows what to look for, a single click can give an attacker access to your email accounts, customer data or financial systems.

Why Phishing Has Become Harder to Spot

A few years ago, most phishing emails were easy to identify by their poor spelling, generic greetings and suspicious sender addresses. That is no longer the case.

Attackers now use AI tools to generate phishing emails that match the tone, formatting and language of legitimate business communication. They research targets using LinkedIn, company websites and public data to craft messages that feel personal and relevant. A finance team member might receive what looks like a genuine invoice from a known supplier. A director might get a convincing request from what appears to be their bank.

Beyond email, phishing has expanded into other channels. Voice phishing (vishing) uses phone calls, often spoofing real numbers, to pressure staff into sharing credentials or making payments. QR code phishing (quishing) embeds malicious links in printed materials or PDF attachments, bypassing email filtering entirely. SMS phishing (smishing) targets mobile devices where people tend to be less cautious.

The Mistakes Businesses Keep Making

Relying entirely on email filters. Filters catch a lot, but they are not infallible. AI-generated phishing emails are specifically designed to pass through automated detection. Filters should be a layer of defence, not the only one.

Running training once a year. An annual awareness session does not change behaviour. Monthly, bite-sized training with simulated phishing tests is what actually builds recognition skills over time. Staff need to practise identifying threats in realistic conditions, not just sit through a slide deck.

No clear process for reporting. If someone suspects a phishing email, do they know what to do? Many businesses have no defined process, and staff worry about looking foolish for flagging something that might be legitimate. A simple, blame-free reporting process catches threats faster and encourages vigilance.

Assuming small businesses are not targeted. Attackers increasingly target SMEs because they tend to have weaker defences and less formal processes. Automated phishing campaigns do not discriminate by company size. If your email addresses are publicly listed, you are a target.

What Actually Reduces Risk

Effective phishing defence combines technical controls with regular staff training.

On the technical side, ensure your email platform has modern anti-phishing protections enabled. If you use Microsoft 365, check that Safe Links and Safe Attachments are turned on. Make sure multi-factor authentication is active on every account, so that even if credentials are stolen, attackers cannot log in without a second factor.

On the people side, invest in ongoing cyber security training that includes regular phishing simulations. This does not need to be time-consuming or expensive. Managed training platforms run automatically, track completion, and provide targeted follow-up for anyone who falls for a test. The data from simulations shows you exactly where your team’s weaknesses are.

Create a clear internal process: if you receive a suspicious email, forward it to a designated address or flag it in your email client. Do not click, do not reply, do not forward it to colleagues to ask ‘does this look dodgy to you?’
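Whoever monitors the designated reporting address still has to decide whether a forwarded message is phishing. The following script, an added example rather than code from the article or from The Unite Group, shows the first checks a reviewer would run on a reported message: does the Reply-To domain differ from the From domain, is the sender domain a known supplier, and does any link's visible text point somewhere other than its real destination? The sample message, the `KNOWN_SUPPLIER_DOMAINS` list and every domain in it are constructed for illustration.

```python
"""Triage helper for a phishing-report mailbox (added example, not the
article's or The Unite Group's code). Parses a reported message and lists
the header and link mismatches a reviewer would look at first.
The sample message, domains and supplier list are constructed."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: domains of suppliers the finance team actually deals with.
KNOWN_SUPPLIER_DOMAINS = {"northwind-supplies.example", "contoso-print.example"}

# Constructed sample: a fake "overdue invoice" reported by a staff member.
SAMPLE_EML = """\
From: "Accounts - Northwind Supplies" <billing@northwind-supplies-invoices.example>
Reply-To: payments@mail-relay.example
To: finance@example.co.uk
Subject: Invoice 4471 overdue
Content-Type: text/html; charset="utf-8"

<p>Please settle invoice 4471 today via
<a href="http://login.mail-relay.example/pay">https://portal.northwind-supplies.example</a></p>
"""

# Matches <a href="...">visible text</a> in an HTML body.
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _domain(header_value: str) -> str:
    """Lower-cased domain of an address header, or '' if none."""
    _, address = parseaddr(header_value or "")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _host(url: str) -> str:
    """Host part of an absolute URL, or '' if it is not one."""
    return (urlparse(url.strip()).hostname or "").lower()


def triage(raw: str) -> list[str]:
    """Return human-readable findings for one reported message."""
    msg = message_from_string(raw, policy=default)
    findings = []

    from_domain = _domain(msg["From"])
    reply_domain = _domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(
            f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # A "supplier" mail from a domain we have never paid is worth a call to the supplier.
    if from_domain and from_domain not in KNOWN_SUPPLIER_DOMAINS:
        findings.append(f"From domain {from_domain} is not a known supplier domain")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, visible in LINK_RE.findall(text):
        shown = _host(visible) or visible.strip()
        real = _host(href)
        if real and shown and real != shown:
            findings.append(f"Link text shows {shown} but points to {real}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("-", finding)
```

None of these checks proves a message is malicious on its own; a legitimate supplier can use a mailing service with a different Reply-To. Their value is that they give the person handling reports something concrete to verify before anyone clicks, and they run in seconds on every forwarded message.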

What to Do If Someone Clicks

If a staff member clicks a phishing link or enters credentials on a suspicious page, act quickly. Change the affected passwords immediately. Check whether the compromised account has been used to send further phishing emails internally or to contacts. Review recent sign-in activity for anything unusual.

If you work with a managed IT provider, report it to them straight away. Providers with proactive monitoring tools can isolate affected accounts and check for signs of deeper compromise before it spreads.

The speed of response matters more than blame. Businesses that have a tested incident response process recover faster and limit damage. Businesses that do not have one often discover the breach weeks later, after significant harm has already been done.

Phishing Prevention Starts with People

Technical tools help, but phishing exploits human judgement. The businesses that handle it best are the ones where staff feel confident identifying threats and comfortable reporting them.

If your team has not had structured phishing awareness training recently, or if you are unsure how your current defences measure up, talk to The Unite Group about managed security awareness training. We run phishing simulations and ongoing training programmes that fit around your team’s working day and give you clear data on where to focus.