Threats & Attacks

Phishing

Also known as: Spear phishing, Whaling, Smishing, Vishing, BEC, Business Email Compromise

Phishing is any attempt by an attacker to trick someone into handing over information or taking an action they shouldn’t, usually by impersonating a trusted person, brand, or service. It’s the most common way UK businesses are breached, and the techniques have become dramatically more sophisticated in the last two years thanks to AI and social engineering.

The common variants

  • Phishing email: the classic. A fake login page linked from an email that looks like it came from a bank, delivery service, or colleague.
  • Spear phishing: a targeted attack on a specific person, using details scraped from LinkedIn or social media.
  • Whaling: spear phishing aimed at directors and senior decision-makers.
  • Smishing: phishing via SMS (“You have an unpaid Dartford Crossing charge of £3.50…”). Widespread in the UK throughout 2025 and 2026.
  • Vishing: phishing via phone call (fake HMRC debt collectors, fake Microsoft support).
  • Business Email Compromise (BEC): the attacker takes over a real internal email account and uses it to redirect payments or request sensitive data.

Why modern phishing is harder to spot

  • AI tools write grammatically perfect, contextually-aware emails
  • Attackers scrape LinkedIn and company websites to reference real colleagues, real projects, real suppliers
  • File-share notifications that come from Microsoft’s or Google’s actual servers because the attacker compromised a partner’s account
  • URL shorteners, lookalike domains, and punycode tricks hide the destination

How businesses defend against it

  • Multi-Factor Authentication on every account (see MFA). Phishing-resistant MFA (FIDO2 keys), which binds the credential to the genuine site’s origin, defeats most account takeover attempts.
  • Email authentication: SPF, DKIM, and DMARC set up correctly, with DMARC at an enforcing policy, so spoofed emails are rejected at the gateway.
  • Anti-impersonation filtering: catches display-name fraud and lookalike domains.
  • Payment approval workflows: bank detail changes verified through a second channel (a phone call to a known number, not a reply to the email).
  • Security awareness training, not compliance theatre: short, frequent, scenario-based training that matches the attacks actually hitting UK businesses.
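As an added example (not code from this page or its service), two defender-side checks in Python covering the email-authentication and anti-impersonation points above: one grades a DMARC record’s policy, the other flags punycode or lookalike sender domains. The DNS records, sender domains and the confusable-character map are constructed samples, and the lookalike threshold is a heuristic assumption.

```python
from difflib import SequenceMatcher

# Constructed sample _dmarc.<domain> TXT records (no DNS lookup is performed).
SAMPLE_DMARC = {
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "strong.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@strong.example",
}

def parse_dmarc(record):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_findings(record):
    """Return weaknesses in a DMARC record; an empty list means spoofed mail is rejected."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("not a DMARC1 record")
    if tags.get("p") != "reject":
        findings.append(f"policy is p={tags.get('p', 'missing')}, spoofed mail is not rejected")
    if "rua" not in tags:
        findings.append("no rua address, so no aggregate reports to spot abuse")
    return findings

# Characters commonly swapped for Latin letters in lookalike domains: digits and a
# few Cyrillic homoglyphs. A small constructed subset, not a full confusables table.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "\u0430": "a", "\u0435": "e",
                             "\u043e": "o", "\u0440": "p", "\u0441": "c"})

def sender_findings(sender_domain, protected):
    """Flag a sender domain that is punycode or resembles one of the protected domains."""
    domain = sender_domain.lower()
    findings = []
    if any(label.startswith("xn--") for label in domain.split(".")):
        findings.append("punycode label in sender domain")
        domain = domain.encode("ascii").decode("idna")  # reveal the Unicode form
    folded = domain.translate(CONFUSABLES)
    for good in protected:
        if domain == good:
            continue  # the genuine sender, nothing to flag
        if folded == good:
            findings.append(f"lookalike of {good}")
        elif SequenceMatcher(None, folded, good).ratio() >= 0.85:  # assumed threshold
            findings.append(f"near match to {good}")
    return findings
```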

How we help

Our cyber security service includes email authentication hardening, anti-phishing filtering, phishing simulation, and awareness training. We’re particularly active with accountants and law firms where BEC attacks aimed at client payments are a live threat.