Phishing is the number one cyber threat facing UK businesses right now. It accounts for 36% of all data breaches, and modern phishing emails are frighteningly convincing: often indistinguishable from genuine messages sent by Microsoft, HMRC, your bank, or even your colleagues.
⚠️ A phishing email was sent to a UK business every 6 seconds in 2023. Your staff are your first, and often only, line of defence. The good news is that with the right training, most phishing attempts are easy to spot.
What Does a Phishing Email Look Like?
Here's a realistic example of what a phishing email targeting a UK business might look like. See if you can spot the red flags before reading the analysis:
We have detected unusual sign-in activity on your Microsoft 365 account. To prevent suspension, you must verify your account immediately.
Click here to verify your account now
Failure to verify within 24 hours will result in permanent account suspension and loss of all data.
Microsoft Security Team
The Red Flags: Spotted in Seconds
🚨 Warning Signs in That Email
- Misspelled domain: "microsofft-365.com". Microsoft would never use this address. Always check the sender's full email domain, not just the display name.
- Urgency and fear: "24 hours", "permanent suspension", "loss of all data". Attackers create panic to stop you thinking clearly.
- Vague greeting: "Dear Customer". Microsoft knows your name. Legitimate services use it.
- Suspicious link: Hover over any link before clicking. If the URL doesn't match the company's official domain, don't click it.
- Unexpected request: You didn't ask for a security alert. Unsolicited requests for action are always suspicious.
The 30-Second Phishing Check
Train your staff to run through this quick checklist every time they receive an unexpected or urgent email:
✅ Before You Click Anything
- Check the sender's email address, not just the display name. Does the domain match the organisation?
- Hover over links before clicking to see the real URL. Does it go where it claims?
- Question urgency. Is this email creating panic or pressure? That's a manipulation tactic.
- Check for personalisation. Legitimate businesses use your name; "Dear Customer" is a red flag.
- Verify independently. If you're unsure, don't click. Call the company directly using a number from their official website.
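The red flags and the 30-second checklist above can be turned into an automated first-pass triage that a helpdesk or reporting mailbox runs over a forwarded email. The script below is an added example, not code from the original article: it parses a message, checks whether the sender domain is an official brand domain or a lookalike (one or two characters off, as with "microsofft-365.com"), checks whether the display name claims a brand the domain does not belong to, flags links whose visible text names a different domain than the real href, counts urgency phrases and spots a generic greeting. The sample message, the brand list and the scoring thresholds are all constructed assumptions; a real deployment would load its own list of suppliers and tune the thresholds.

```python
"""Heuristic phishing triage for one email (added example; sample data is constructed)."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the article's example; not a real capture.
SAMPLE_EML = """\
From: Microsoft Security Team <alerts@microsofft-365.com>
To: staff@example.co.uk
Subject: Unusual sign-in activity on your account
Content-Type: text/html; charset=utf-8

<p>Dear Customer,</p>
<p>We have detected unusual sign-in activity on your Microsoft 365 account.
To prevent suspension, you must verify your account immediately.</p>
<p><a href="http://login.microsofft-365.com/verify">https://login.microsoftonline.com</a></p>
<p>Failure to verify within 24 hours will result in permanent account
suspension and loss of all data.</p>
"""

# Assumed brand allow-list: extend with your own bank, suppliers and SaaS providers.
KNOWN_BRANDS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com"},
    "hmrc": {"hmrc.gov.uk"},
}
URGENCY_PHRASES = ("immediately", "24 hours", "permanent", "suspension", "loss of all data")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued customer")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
HOST_IN_TEXT_RE = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)")


def registered_domain(host):
    """Crude registrable domain: last two labels, or three for co.uk / gov.uk style suffixes."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in ("co", "gov", "org", "ac"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch one-letter typosquats such as microsofft vs microsoft."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(domain):
    """Name the brand a domain imitates, or None if it is official or matches nothing."""
    base = re.sub(r"[^a-z]", "", domain.split(".")[0])  # 'microsofft-365' -> 'microsofft'
    for brand, official in KNOWN_BRANDS.items():
        if domain in official:
            return None
        for ob in (o.split(".")[0] for o in official):
            max_dist = 1 if len(ob) < 6 else 2  # short names need a tighter threshold
            if brand in base or levenshtein(base, ob) <= max_dist:
                return brand
    return None


def link_mismatches(html):
    """Links whose visible text names one domain while the href really goes to another."""
    found = []
    for href, inner in ANCHOR_RE.findall(html):
        shown = HOST_IN_TEXT_RE.match(TAG_RE.sub("", inner).strip())
        real = urlparse(href).hostname
        if shown and real and registered_domain(shown.group(1)) != registered_domain(real):
            found.append((shown.group(1), real))
    return found


def triage(raw_message):
    """Run the checklist over one raw RFC 822 message and return the findings and a score."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg["From"]))
    sender_domain = registered_domain(address.rsplit("@", 1)[-1])
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = TAG_RE.sub(" ", body).lower()
    findings = {
        "sender_domain": sender_domain,
        "lookalike_of": lookalike_brand(sender_domain),
        "display_name_mismatch": any(
            brand in display_name.lower() and sender_domain not in official
            for brand, official in KNOWN_BRANDS.items()),
        "link_mismatches": link_mismatches(body),
        "urgency_hits": [p for p in URGENCY_PHRASES if p in text],
        "generic_greeting": any(g in text for g in GENERIC_GREETINGS),
    }
    score = (2 * bool(findings["lookalike_of"]) + 2 * findings["display_name_mismatch"]
             + 2 * bool(findings["link_mismatches"])
             + min(len(findings["urgency_hits"]), 2) + int(findings["generic_greeting"]))
    findings["score"] = score
    findings["verdict"] = "suspicious" if score >= 3 else "no obvious red flags"
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Each finding maps to one line of the checklist, so the output doubles as the explanation a member of staff sees when they report an email: which domain the message really came from, which brand it was imitating, and where the link actually led. Treat the score as a triage aid only; the independent verification step (phoning the organisation on a number from its own website) still has to be done by a person.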
The Most Common Phishing Attacks on UK Businesses
CEO / Business Email Compromise (BEC)
An attacker poses as your MD or CEO and emails a member of staff asking them to make an urgent bank transfer or purchase gift cards. These attacks have cost UK businesses millions. They're highly targeted and devastatingly effective.
Fake Microsoft 365 / Google Login Pages
An email sends staff to a pixel-perfect copy of the Microsoft or Google login page. They enter their credentials, which go straight to the attacker. Multi-factor authentication is the only reliable defence here.
HMRC and Invoice Fraud
Fake HMRC tax refund emails, or spoofed supplier invoices with changed bank details. Finance staff are particularly targeted; make sure any bank detail changes are verified by phone before processing.
How to Protect Your Business
Enable MFA on all email accounts: even if a password is stolen via phishing, MFA prevents access.
Run phishing simulation training: services that send realistic fake phishing emails to staff and provide instant feedback dramatically reduce click rates.
Set up email filtering: tools like Microsoft Defender or Proofpoint block the majority of phishing attempts before they reach inboxes.
Implement a reporting culture: make it easy and blame-free for staff to report suspicious emails. Early reporting can stop an attack in its tracks.
💡 NCSC Tip: The UK's National Cyber Security Centre offers a free Suspicious Email Reporting Service (SERS). Forward suspicious emails to report@phishing.gov.uk and they'll investigate.
IS YOUR TEAM PHISHING-PROOF?
Our free cyber audit assesses your email security defences and tells you exactly what needs improving, in plain English.
Get My Free Audit