What Is Phishing?
Phishing is a cyberattack in which criminals send fraudulent messages — usually emails — designed to trick recipients into revealing credentials, clicking malicious links, or transferring money. It remains the most common initial access method used in attacks against UK businesses.
Direct Answer
Phishing is a social engineering attack in which an attacker impersonates a trusted entity — a bank, a supplier, HMRC, Microsoft — to deceive a user into taking an action that benefits the attacker. The most common outcomes are credential theft, malware installation, and business email compromise (BEC) fraud. Phishing attacks range from mass, untargeted campaigns to highly personalised spear-phishing aimed at specific individuals in an organisation. Technical controls such as email filtering, DMARC, and multi-factor authentication can reduce exposure, but security awareness training remains an important layer of defence. Phishing is the number one attack type — 85% of businesses that experienced a breach identified phishing as the cause (DSIT 2025). Phishing was the most disruptive breach for 65% of businesses.
Types of Phishing Attack
Phishing covers a range of techniques. Understanding the differences helps identify the right controls.
Email Phishing
Mass-sent fraudulent emails impersonating trusted brands. These typically direct recipients to fake login pages or prompt them to open malicious attachments.
Spear Phishing
Targeted attacks using personalised information about the recipient — their name, role, or current projects — to increase credibility and success rates.
Business Email Compromise
The attacker impersonates a senior executive or supplier to redirect payments or extract sensitive information. BEC often involves no malware or malicious link, which makes it harder to detect with technical controls alone.
Smishing & Vishing
Phishing delivered via SMS (smishing) or phone call (vishing). Attackers pose as banks, delivery firms, or IT support to extract credentials or approve fraudulent transactions.
Clone Phishing
A legitimate email previously received by the target is cloned and resent with malicious links replacing the originals. The familiarity of the message increases the likelihood of engagement.
Pharming
DNS-level manipulation that redirects users from legitimate websites to fraudulent ones without any email interaction required. Because the user typed or bookmarked the correct address, this is harder for users to detect.
Basic Email Security vs Anti-Phishing Controls
The difference between a standard email setup and one with layered anti-phishing controls in place.
| Feature | Basic Email Setup (typical out-of-the-box) | Anti-Phishing Controls (layered defence, recommended) |
|---|---|---|
| SPF record configured | Sometimes | |
| DKIM signing enabled | | |
| DMARC policy enforced | | |
| Advanced threat protection / link scanning | | |
| MFA on email accounts | | |
| Staff phishing awareness training | | |
| Simulated phishing campaigns | | Recommended |
DMARC, DKIM, and SPF are DNS-based controls that help prevent attackers from spoofing your domain. Microsoft 365 Business Premium includes Defender for Office 365, which adds link and attachment scanning.
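As an added example (not code from the original page or from AMVIA), the script below shows how these three DNS records can be checked for the gaps that most often leave a domain spoofable: a permissive `+all` or softfail `~all` SPF mechanism, a DMARC policy of `p=none`, a missing subdomain policy or reporting address, and a DKIM selector whose key has been revoked. The record strings are constructed samples for a hypothetical domain, not real data; replace them with the TXT records of your own domain, for example fetched with `dig +short TXT _dmarc.yourdomain.co.uk`.

```python
"""Assess SPF, DKIM and DMARC TXT records for common anti-spoofing gaps.

Added example, not code from the original page. The record strings are
constructed samples for a hypothetical domain; fetch real ones with e.g.
`dig +short TXT _dmarc.example.com` and pass them to the assess_* functions.
"""
import re
from typing import Dict, List

# Constructed sample records (not real data).
SAMPLE_SPF_WEAK = "v=spf1 include:spf.protection.outlook.com ~all"
SAMPLE_SPF_BAD = "v=spf1 ip4:203.0.113.0/24 +all"
SAMPLE_DMARC_NONE = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
SAMPLE_DMARC_STRONG = (
    "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
    "rua=mailto:dmarc-reports@example.com"
)
SAMPLE_DKIM_OK = "v=DKIM1; k=rsa; p=BASE64_PUBLIC_KEY_PLACEHOLDER"
SAMPLE_DKIM_REVOKED = "v=DKIM1; k=rsa; p="

# SPF terms that cost a DNS lookup (RFC 7208 allows at most 10 per evaluation).
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:/=]|$)", re.I)


def parse_tagged(record: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' syntax (used by DMARC and DKIM) into a dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: str) -> List[str]:
    """Return findings for an SPF record; an empty list means no gap found."""
    findings: List[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or does not start with v=spf1"]
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
    elif all_term.lower() in ("all", "+all"):
        findings.append("SPF: '+all' authorises any host on the internet to send as this domain")
    elif all_term.startswith("~"):
        findings.append("SPF: '~all' is softfail; many receivers still deliver spoofed mail")
    lookups = sum(1 for t in terms if _LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def assess_dmarc(record: str) -> List[str]:
    """Return findings for a DMARC record published at _dmarc.<domain>."""
    tags = parse_tagged(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record missing or malformed (expected v=DMARC1)"]
    findings: List[str] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once aggregate reports are clean")
    elif policy != "reject":
        findings.append(f"DMARC: unrecognised policy '{policy}'")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports are received")
    # The subdomain policy defaults to the organisational policy when sp= is absent.
    if tags.get("sp", policy).lower() != "reject":
        findings.append("DMARC: subdomain policy is weaker than reject; subdomains can be spoofed")
    return findings


def assess_dkim(record: str) -> List[str]:
    """Return findings for a DKIM key record at <selector>._domainkey.<domain>."""
    tags = parse_tagged(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        return ["DKIM: unexpected version tag"]
    if not tags.get("p"):
        return ["DKIM: empty p= tag means this selector's key is revoked; mail signed with it fails"]
    return []


def assess_domain(spf: str, dmarc: str, dkim: str) -> List[str]:
    """Run all three checks and return the combined findings."""
    return assess_spf(spf) + assess_dmarc(dmarc) + assess_dkim(dkim)


if __name__ == "__main__":
    samples = {
        "weak setup": (SAMPLE_SPF_WEAK, SAMPLE_DMARC_NONE, SAMPLE_DKIM_REVOKED),
        "hardened setup": (SAMPLE_SPF_BAD.replace("+all", "-all"), SAMPLE_DMARC_STRONG, SAMPLE_DKIM_OK),
    }
    for label, records in samples.items():
        print(f"{label}: {assess_domain(*records) or ['no gaps found']}")
```

These records only stop spoofing of your exact domain. A lookalike domain registered by an attacker passes SPF, DKIM and DMARC for that lookalike domain, which is why link scanning, MFA and awareness training sit alongside them in the table above.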
Frequently Asked Questions
What is business email compromise (BEC)?
BEC is a type of fraud where attackers impersonate executives or suppliers to trick employees into transferring funds or sharing sensitive data. BEC attacks increased 33% in 2025. The average loss per BEC incident is $137,000. Even organisations with fewer than 1,000 employees face a 70% weekly probability of a BEC attempt.
What is multi-factor authentication (MFA)?
MFA requires two or more verification methods to access an account. Microsoft reports that over 99.9% of compromised accounts did not have MFA enabled. Only 40% of UK businesses have two-factor authentication enabled (DSIT 2025). MFA can prevent more than 99.9% of account compromise attempts.
How much do UK businesses spend on cybersecurity?
UK businesses typically allocate 13.2% of their total IT budget to cybersecurity. More than half of UK small businesses increased their cybersecurity spending in 2024. 85% of UK firms plan to boost their cyber budget for 2026. The cost of prevention is significantly less than the average breach cost of £3,550.
Is Cyber Essentials certification worth it?
Organisations with Cyber Essentials certification are 92% less likely to make a claim on their cyber insurance. Certification is mandatory for UK government contracts involving sensitive data. Only 3% of UK businesses are currently certified, giving certified businesses a competitive advantage.
Are small businesses targeted?
Yes. 50% of small businesses (10-49 employees) reported a cybersecurity breach in 2025. UK small businesses face around 65,000 hack attempts daily, with approximately 4,500 successful breaches. More than a quarter of SMBs say a single cyber attack could put them out of business entirely.
Strengthen Your Defences Against Phishing
AMVIA can audit your email security configuration, deploy DMARC and advanced threat protection, and run staff phishing simulations. Speak to our team to get started.
Related Guides
How to Prevent Ransomware
Phishing is the most common delivery method for ransomware. Here's how to reduce your exposure.
The Complete Guide to Cybersecurity
A practical overview of all the controls UK SMEs should have in place.
What Is Cyber Essentials?
The UK Government's baseline certification scheme, which includes email and access controls.