Learn why GetApp is free

94% of phishing attacks arrive by email: what are the risks to UK SMEs?

Published on 04/10/2023 by David Jani

Being phished is an ever-present danger of the modern internet landscape. UK businesses may represent a key target for hackers due to the data and funds that they may hold and process. These dangers are often assumed to just be an issue for bigger businesses but increasingly, small to mid-sized enterprises (SMEs) could be becoming an attractive target for cybercriminals.

SME owners deal with a phishing attack on a giant mobile phone

Phishing attacks rose amongst the public during the COVID-19 pandemic according to the ONS,and as such they cannot be taken lightly by businesses. These attacks have the potential to compromise company systems and could allow funds or sensitive data stored in the cloud and on managed devices to be stolen by hackers. 

What are phishing attacks?
Phishing attacks take the form of scam messages or calls from cybercriminals that impersonate trusted institutions or companies with the intention of stealing personal data such as login credentials or bank account information. These messages aim to persuade or manipulate the targets into clicking on compromised links, downloading malware, or directly sharing private or personal information with the scammers.


Whilst countermeasures such as email security software can offer protection, it is also vital that SMEs and their employees understand the real risks and consequences of a phishing attack.

To investigate the dangers posed to small businesses across the UK from phishing attacks, we surveyed 564 UK staff comprising 349 employees and 215 senior managers, executive managers, and owners, who use a computer for their daily work and have received one or more phishing attacks on company devices. Our full methodology can be found at the end of this article.

Respondents observed a big rise in phishing attacks since 2020

Our first finding is that there is already a high prevalence of phishing attacks occurring in UK companies. Whilst our sample was selected from a pool of respondents who had experienced a phishing attempt, more than half (67%) had experienced multiple attacks from phishing messages. This rose to 73% of respondents reporting multiple phishing attempts on personal devices. 

Furthermore, the rate of attacks appeared to be increasing, according to our sample. Many of our participants feel that during the last three years, phishing threats have risen noticeably.

Graph showing the perceived increase in phishing attacks among employees and managers

In our findings, a combined total of 53% of respondents thought phishing messages had increased by over 20%. However, around a fifth (18%) of the whole sample reported experiencing an increase of over 40%. There is, therefore, no doubt that phishing is a common and persistent threat and one that is only increasing in intensity. 

In many ways, the growth in phishing attacks is not a great surprise. This aligns with the findings of the latest UK Government Cyber security survey where phishing was identified as the most common type of cyber attack by businesses in the country.   

As a result of this increased danger, most senior leaders in our sample are understandably apprehensive about the risks of phishing. In our sample, a combined total of 94% of senior managers, executive management, and owners —a group whom we will refer to as senior manager respondents— said that they saw phishing as a cause for concern at some level. In addition, nearly a third of the same subset of respondents (29%) identified it as a serious concern.  

There are many potential negative outcomes that can occur as a result of phishing. Yet, the biggest causes for worry according to senior manager respondents were the possible loss of customers’ private data and financial losses. 

Graph displaying most severe consequences of phishing attacks on a UK SME company

The increasing number of phishing attacks as well as the severe implications of a breach reported by respondents in our surveys highlights the growing importance of addressing the dangers of phishing attacks as a business. Risks such as a data breach can also have serious impacts on consumer trust, as demonstrated in GetApp’s 2023 building digital trust and identity report

Whether the steps taken involve addressing the problem at its source with the help of anti-spam software or implementing cloud security or network protection, it is important to have a plan in place to limit the harm that could be caused if a breach occurs. 

94% of phishing attacks arrive via email

After exploring the prevalence of phishing attacks and their consequences, we also wanted to discuss what form these phishing attacks can take. Phishing often takes the form of a digital message. Emails and short message service (SMS) phishing (or ‘Smishing’) offer quick and easy ways to trick employees. However, some cyber criminals also use other means such as robo calls and hacked social media posts to acquire sensitive information from targets. 

Therefore, knowing where to focus attention on security operations and training is important as hackers can employ many different types of phishing attacks. Naturally, a modern business relies on its digital communications and that may be exactly why cyber criminals seek to exploit them. How does this work in practice when a company becomes a target?

In our analysis, receiving a phishing email was by far the most common way phishing scams manifested, as demonstrated in the image below.

Phishing attacks received by media formats

Although social media is the least likely form of phishing attempt reported by our participants, it should still be taken seriously as criminals could employ evermore audacious tactics to trick users. Recent reports have shown that on X (formerly known as Twitter) consumers have been targeted by accounts impersonating legitimate brand customer service profiles. This suggests that companies need to be monitoring social networks carefully to spot imposters. 

Tips for SMEs
Social listening tools could offer SMEs a helpful means to spot potential fraudsters. They work by identifying mentions of a company or product online that could be impersonating your communications or social profiles. In GetApp’s 2023 SMEs and social media report, half the sample used social listening which —as well as potentially offering better audience visibility and brand oversight— bestowed helpful benefits such as improved customer relationships and up-to-date product/service feedback.

However, whilst it is clear that phishing attacks may be becoming commonplace, there are concerns that they are also becoming more deceptive. 82% of senior managers in our survey believe that phishing messages are getting harder to spot. This is likely to exacerbate the level of risk that companies are exposed to as it becomes harder to discern phishing attacks from legitimate communications.

Who are fraudsters impersonating?  

A significant element of phishing emails and calls is that they take on the appearance of communications from trusted entities. This makes it harder to detect that the attack is happening and allows the scammer to gain the trust of the target more easily. 

Upon investigating, we observed five of the most commonly chosen types of phishing attacks by our sample:

Graph of the topic of the phishing attacks received by UK workers

It was most typical for companies to be impersonated overall, with almost half of the phishing messages taking this form. However, we also saw significantly more trusted organisations such as banks, government agencies, and even coworkers being impersonated in phishing messages amongst our sample. 

These kinds of specifically deceptive attacks correlate with the finding from senior managers that phishing attempts are getting harder to spot. It appears that cybercriminal tactics are becoming more specialised. This raises the possibility of a situation occurring where trusted business contacts or fellow coworkers are mimicked in order to trick employees into clicking on malicious links. 

Did you know?
Spear phishing is a highly targeted form of phishing used by cybercriminals, typically intended to attack specific people or groups. This could prove to be a particular concern to businesses as hackers may target their companies with spoofed messages impersonating known business contacts, family, and friends, or, as was the case for 24% of our sample, coworkers. 

These kinds of risks underscore the importance of staff training in security awareness. It is wise to keep employees informed of these new and more underhanded kinds of attacks that can occur so people can be on the lookout for more realistic and specialised impersonations.

69% of respondents report phishing attacks when they happen

The data so far has shown that phishing attacks are becoming a bigger threat as time goes on. With the chances increasing of a member of staff accidentally falling for an email or text message scam, what logical steps can be taken if a phishing attack is noticed to limit the potential damage?

We investigated these considerations when we questioned our survey sample, and found that a majority (69%) of respondents took the time to report an incident of phishing at work.

Graph of responses to receipt of phishing messages/calls

These are positive findings to observe, suggesting that companies in the UK are in a good position to potentially avoid the worst effects of phishing attacks. A culture of accountability is important for workplace cybersecurity. This is especially true in companies where remote/hybrid work arrangements are practised as IT security teams likely have much less oversight over company devices operated off-site. 

We spoke to Bryan Altimas, a veteran cyber security and technology risk expert and director of Riverside Court Consulting, to get more information on the factors that could help SMEs stop phishing hackers from succeeding.

He advised that it was important to ‘Have a culture in the company where a team member is not scared of reporting they have been phished.’ Fortunately, as seen in the data, the vast majority of our respondents seemed to work in organisations where this rang true. However, there was still 40% of our sample who didn’t notify anyone of the attack. 

Altimas also offered the following tips for SMEs on what they can do to secure their systems if a phishing attempt initially succeeds. 

‘Identify the affected accounts and apps and change the password if you still have access to do so. Once the password is changed log off all devices logged onto the account and set up two-factor authorisation. If the password was shared across apps there are at least two or more apps to secure. Time is of the essence.’
Bryan Altimas, Director, Riverside Court Consulting

It is worth reflecting that the price of inaction or complacency can be very high when it comes to phishing. For respondents unlucky enough to disclose information or click on a malicious link from a phishing attack, the consequences could include issues such as data leaks, reputational damage, and financial losses. These are three things no small company can afford to deal with on a regular basis.

Phishing remains a persistent cybersecurity threat

As shown by the data collected from this survey, phishing attacks remain a significant risk for company systems and devices. 

Being prepared to deal with these dangers, therefore, could be a major challenge for companies, although it is one that they must be ready to respond to. It is important that SMEs consider mitigation methods such as putting in place security filters within email systems to limit the number of spam messages that successfully get through to an employee's inbox. Additionally, it is essential to have a plan set, cybersecurity expertise available, and the correct training and software implemented to fight back if an attack succeeds.   

In part two of GetApp’s phishing report, we examine some of the methods that SMEs are using to protect themselves from scam emails and phishing attempts to avoid being caught out. 

Looking for email security software? Check out our catalogue.


Methodology

The data for GetApp’s 2023 Phishing Attacks Survey was collected between July-August 2023 and comprises answers from 564 respondents comprising 349 employees and 215 senior managers, executive managers, and owners. We selected our survey sample based on the following criteria:

  • UK resident
  • Aged 18-65 years old
  • Employed either full-time or part-time with a company with at least two employees
  • Using a computer for daily work tasks at least sometimes
  • Has received one or more phishing attacks at work 
  • Understands the meaning of phishing attacks after being shown the following definition: ‘Phishing is a common type of cyber attack that targets individuals through email, text messages, phone calls, and other forms of communication usually by impersonating senders known to the recipient (e.g., package delivery, prizes, public entities, etc.). A phishing attack aims to trick the recipient into falling for the attacker’s desired action, such as revealing financial information, system login credentials, or other sensitive information. Phishing attacks are very often perpetrated against companies through their employees.’


This article may refer to products, programs or services that are not available in your country, or that may be restricted under the laws or regulations of your country. We suggest that you consult the software provider directly for information regarding product availability and compliance with local laws.

About the author

David is a Content Analyst for the UK, providing key insights into tech, software and business trends for SMEs. Cardiff University graduate. He loves traveling, cooking and F1.

David is a Content Analyst for the UK, providing key insights into tech, software and business trends for SMEs. Cardiff University graduate. He loves traveling, cooking and F1.