How They Get In, What They Cost, And What SMEs Should Learn
Quick answer
The UK has reported more than 53 million phishing and scam reports to the National Cyber Security Centre (NCSC), leading to hundreds of thousands of malicious URLs being removed. Government research also shows phishing remains the most common cyber attack affecting UK businesses. For SMEs, phishing is still the biggest cyber risk because it targets people rather than technology. Attackers know that one rushed employee can bypass years of expensive IT spending in about fourteen seconds. Humanity continues to be the world’s favourite attack surface.
The Scale Of UK Phishing Attacks
What the numbers actually show
The NCSC confirmed that UK citizens and businesses have submitted more than 53 million scam and phishing reports through its Suspicious Email Reporting Service and related reporting systems.
The UK Government’s Cyber Security Breaches Survey found:
- 38% of UK businesses reported phishing attacks
- Phishing was involved in most reported cyber incidents
- Email compromise remains one of the main starting points for ransomware and fraud
- SMEs are increasingly targeted because attackers assume smaller businesses have weaker protection
Why phishing still works
Phishing works because attackers exploit urgency, stress, authority and routine.
Most phishing emails are designed to look boringly normal:
- fake invoices
- fake Microsoft 365 logins
- HMRC messages
- parcel delivery notices
- supplier payment changes
- fake payroll documents
- urgent director requests
The goal is rarely “hacking” in the movie sense. The real goal is usually:
- stealing passwords
- accessing Microsoft 365 accounts
- redirecting payments
- spreading malware
- deploying ransomware
- stealing customer data
How Attackers Actually Get Into UK Businesses
Fake Microsoft 365 login pages
One of the most common attack methods in the UK is credential harvesting.
The employee receives an email saying:
“Your Microsoft 365 password expires today.”
They click the link.
The fake login page looks genuine.
They enter their password.
The attacker now owns the mailbox.
From there attackers often:
- read invoices
- monitor supplier conversations
- create forwarding rules
- impersonate directors
- attack customers
- launch internal phishing campaigns
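The forwarding-rule step above is one of the few parts of a mailbox takeover that leaves a clean audit trail. The following is an added example (not from the article, and not Microsoft's tooling) that scans a JSON-lines export of Microsoft 365 audit events for inbox rules or mailbox settings that send mail to an address outside the organisation. The event shape (an `Operation` name plus a `Parameters` list of name/value pairs) mirrors the Exchange cmdlet audit records, but every event, address and domain below is constructed for illustration, and `INTERNAL_DOMAINS` is an assumed list you would replace with your own.

```python
"""Added example: flag audit events that forward mail outside the organisation.
The sample export below is constructed; the domains and users are not real."""
import json
import re

# Assumption: the organisation's own email domains (replace with your own).
INTERNAL_DOMAINS = {"example.co.uk"}

# Exchange cmdlet parameters that move or copy mail to another address.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}

# Operations that create or change rules and mailbox-level forwarding.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Matches an address and captures its domain; values may be prefixed (e.g. "smtp:").
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

# Constructed audit export (JSON lines), including one malformed line.
SAMPLE_EXPORT = """
{"CreationTime": "2025-01-14T08:02:11", "Operation": "New-InboxRule", "UserId": "alice@example.co.uk", "Parameters": [{"Name": "Name", "Value": "Move newsletters"}, {"Name": "ForwardTo", "Value": "bob@example.co.uk"}]}
{"CreationTime": "2025-01-14T08:05:43", "Operation": "New-InboxRule", "UserId": "finance@example.co.uk", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "payments@mail-example.com"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2025-01-14T08:06:10", "Operation": "Set-Mailbox", "UserId": "finance@example.co.uk", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:fin.backup@webmail.example"}]}
{"CreationTime": "2025-01-14T08:07:00", "Operation": "MailItemsAccessed", "UserId": "finance@example.co.uk", "Parameters": []}
not a json line
"""


def external_targets(event):
    """Return the external addresses that a rule or mailbox event forwards to."""
    if event.get("Operation") not in RULE_OPERATIONS:
        return []
    targets = []
    for param in event.get("Parameters", []):
        if param.get("Name") not in FORWARDING_PARAMS:
            continue
        for match in EMAIL_RE.finditer(str(param.get("Value", ""))):
            if match.group(1).lower() not in INTERNAL_DOMAINS:
                targets.append(match.group(0).lower())
    return targets


def find_external_forwarding(raw_lines):
    """Parse a JSON-lines export and return one alert per offending event."""
    alerts = []
    for line in raw_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed export lines rather than abort the scan
        targets = external_targets(event)
        if targets:
            alerts.append({
                "time": event.get("CreationTime"),
                "user": event.get("UserId"),
                "operation": event["Operation"],
                "targets": targets,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_external_forwarding(SAMPLE_EXPORT.splitlines()):
        print(f"{alert['time']} {alert['user']} {alert['operation']} -> {alert['targets']}")
```

Internal-to-internal forwarding (the first event) is left alone so that normal delegation does not drown the alert; the rule named "." with `DeleteMessage` set is the pattern worth reviewing first, since it hides the forwarded copies from the mailbox owner.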
Invoice and supplier fraud
A huge percentage of SME phishing losses involve payments rather than ransomware.
Attackers either spoof supplier emails or compromise genuine accounts.
Typical examples include:
“We have updated our bank details.”
“Please pay this urgent invoice today.”
“See attached revised payment schedule.”
Many businesses only discover the fraud after suppliers complain they have not been paid.
Social engineering and helpdesk impersonation
Modern attackers increasingly target IT support desks and outsourced providers.
Instead of technically hacking systems, criminals manipulate people into resetting passwords or bypassing controls.
This technique has appeared in several major UK cyber incidents.
It is uncomfortable for businesses because it proves that expensive security tools are useless if staff can be socially engineered into opening the door themselves. Which is apparently still easier than remembering a password manager exists.
Real UK Examples Of Phishing-Related Attacks
Marks & Spencer cyber incident
In 2025, Marks & Spencer suffered a major cyber incident believed to have involved social engineering and compromised credentials as the routes in.
Reported impacts included:
- online ordering disruption
- operational downtime
- customer data concerns
- major financial losses
- prolonged recovery work
Reports suggested the financial impact could exceed £300 million.
Gloucester City Council ransomware attack
Gloucester City Council suffered a serious cyber attack involving ransomware and stolen data.
Recovery reportedly cost over £1 million.
Some systems remained disrupted for months.
Attackers reportedly spent weeks moving through the network before encryption occurred.
References:
- https://www.local.gov.uk/sites/default/files/documents/Gloucester%20City%20Case%20Study%20-%20Managing%20a%20Cyber%20Attack.pdf
- https://democracy.gloucester.gov.uk/mgAi.aspx?ID=41263
British Library ransomware incident
The British Library suffered a ransomware attack causing long-term operational disruption.
Reported recovery costs reached approximately £6-7 million.
Services were disrupted for months.
How Much Does Recovery Cost?
The hidden costs SMEs underestimate
Most SME owners think cyber costs mean:
- replacing computers
- paying IT support
- restoring backups
In reality the bigger costs are usually:
- downtime
- lost sales
- payroll disruption
- customer communication
- staff overtime
- insurance excesses
- legal advice
- reputational damage
- delayed projects
- lost trust
The UK Government survey showed many smaller incidents cost little directly, but serious incidents could rapidly escalate into thousands or millions of pounds depending on:
- ransomware spread
- business interruption
- regulatory issues
- data exposure
- supplier impact
Recovery time varies massively
Simple phishing incident:
- several hours to several days
Email compromise:
- days to weeks
Ransomware:
- weeks to months
Major enterprise attack:
- months or longer
Some UK councils and organisations have spent nearly a year restoring systems fully after ransomware attacks.
What UK SMEs Should Learn From These Attacks
Email is now your front door
Most SMEs still think cyber security means antivirus software.
Modern attacks are usually identity attacks.
If attackers gain access to:
- Microsoft 365
- cloud accounts
- finance systems
they can often bypass traditional security entirely.
Small businesses are not “too small”
Attackers actively target SMEs because they expect:
- weaker security
- fewer IT staff
- poor monitoring
- limited recovery planning
- lower MFA adoption
- rushed payment processes
Criminal groups know smaller businesses often panic faster and recover slower.
Human behaviour matters more than most companies admit
Attackers exploit:
- stress
- fatigue
- urgency
- hierarchy
- distraction
That is why finance teams, directors and administrators are heavily targeted.
The attacker does not need to defeat enterprise-grade encryption if Karen in accounts clicks “Approve Payment”. Humans built nuclear submarines and particle accelerators yet still open ZIP attachments called “Urgent_Payroll_Update_Final_v2”. A species of contradictions.
What Would Have Prevented Many Of These Attacks?
Multi-factor authentication (MFA)
Properly enforced MFA blocks most credential theft, because a stolen password on its own is no longer enough to log in.
Especially important for:
- Microsoft 365
- cloud backups
- finance systems
- remote access
App-based MFA and passkeys are much safer than SMS codes.
Email authentication controls
Every SME should configure:
- SPF
- DKIM
- DMARC
These reduce domain spoofing and fake emails pretending to come from your business.
Staff awareness training
Employees should recognise:
- fake logins
- urgent payment requests
- suspicious attachments
- unusual supplier changes
- fake Microsoft alerts
Training should be ongoing rather than once-per-year compliance theatre.
Payment verification procedures
Never trust payment changes sent purely by email.
Always:
- verify by phone
- use known contact numbers
- require dual approval for larger payments
This single process prevents a huge amount of invoice fraud.
Proper backups
Backups should be:
- tested
- isolated
- protected by MFA
- difficult for attackers to delete
Many ransomware victims discover their backups failed only after the attack.
That is a uniquely human ritual:
“We have backups.”
“Have you tested them?”
“…”
Silence. Regret. Procurement meetings.
Incident response planning
SMEs should know:
- who responds
- who contacts the bank
- who informs customers
- who handles regulators
- who manages recovery
The middle of a cyber attack is not the ideal moment to invent a crisis process from scratch while someone cries near the printer.
Practical SME Cyber Security Checklist
Minimum recommended protections
- MFA on all important accounts
- Microsoft 365 security review
- password manager deployment
- email filtering
- phishing awareness training
- backup testing
- software updates
- endpoint protection
- payment verification rules
- restricted admin access
- incident response plan
Higher maturity protections
- conditional access policies
- phishing simulations
- security monitoring
- device management
- immutable backups
- cyber insurance review
- supplier security assessments
Final Thoughts
The real lesson for UK SMEs
Phishing attacks are no longer occasional annoyances. They are constant operational risks.
The attacks that cause the biggest damage usually do not begin with elite hacking. They begin with:
- a fake email
- a fake login page
- a rushed employee
- weak authentication
- poor verification procedures
The businesses that recover fastest are usually not the ones spending the most money.
They are the businesses that:
- prepared properly
- limited access
- tested backups
- enforced MFA
- trained staff realistically
- created recovery plans before disaster struck
Cyber security is no longer optional operational overhead. It is business survival infrastructure now. Grim little milestone for civilisation, really.
References
National Cyber Security Centre
https://www.ncsc.gov.uk/collection/phishing-scams
UK Government Cyber Security Breaches Survey 2025/26
https://www.gov.uk/government/statistics/cyber-security-breaches-survey-20252026
Local Government Association
https://www.local.gov.uk
British Library Cyber Attack Updates
https://www.bl.uk/about/cyber-attack
The Guardian Cyber Attack Reporting
https://www.theguardian.com/business/cybercrime