--- description: Phishing attacks pose big threats to companies and spotting them isn’t always easy. GetApp analysed the risks to learn what SMEs should be ready to face. image: https://gdm-localsites-assets-gfprod.imgix.net/images/getapp/og_logo-94fd2a03a6c7a0e54fc0c9e21a1c0ce9.png title: Research data: Phishing attack risks for UK SMEs --- # 94% of phishing attacks arrive by email: what are the risks to UK SMEs? Canonical: https://www.getapp.co.uk/blog/4224/risks-uk-smes-phishing-attacks Published on 04/10/2023 | Written by David Jani. ![94% of phishing attacks arrive by email: what are the risks to UK SMEs?](https://images.ctfassets.net/63bmaubptoky/4i4EZlhJuVDavthE7KozyG/367783d2d39c8d17cf27f4463caa2bf5/Phishing-Attacks-Prevelence-UK-GA-HEADER.jpg) > Being phished is an ever-present danger of the modern internet landscape. UK businesses may represent a key target for hackers due to the data and funds that they may hold and process. These dangers are often assumed to just be an issue for bigger businesses but increasingly, small to mid-sized enterprises (SMEs) could be becoming an attractive target for cybercriminals. ----- ## Article Content Being phished is an ever-present danger of the modern internet landscape. UK businesses may represent a key target for hackers due to the data and funds that they may hold and process. These dangers are often assumed to just be an issue for bigger businesses but increasingly, small to mid-sized enterprises (SMEs) could be becoming an attractive target for cybercriminals.Press releases published this yearRespondents observed a big rise in phishing attacks since 202094% of phishing attacks arrive via email69% of respondents report phishing attacks when they happenPhishing remains a persistent cybersecurity threatPhishing attacks rose amongst the public during the COVID-19 pandemic according to the ONS,and as such they cannot be taken lightly by businesses. These attacks have the potential to compromise company systems and could allow funds or sensitive data stored in the cloud and on managed devices to be stolen by hackers. What are phishing attacks?Phishing attacks take the form of scam messages or calls from cybercriminals that impersonate trusted institutions or companies with the intention of stealing personal data such as login credentials or bank account information. These messages aim to persuade or manipulate the targets into clicking on compromised links, downloading malware, or directly sharing private or personal information with the scammers.Whilst countermeasures such as email security software can offer protection, it is also vital that SMEs and their employees understand the real risks and consequences of a phishing attack.To investigate the dangers posed to small businesses across the UK from phishing attacks, we surveyed 564 UK staff comprising 349 employees and 215 senior managers, executive managers, and owners, who use a computer for their daily work and have received one or more phishing attacks on company devices. Our full methodology can be found at the end of this article.Respondents observed a big rise in phishing attacks since 2020Our first finding is that there is already a high prevalence of phishing attacks occurring in UK companies. Whilst our sample was selected from a pool of respondents who had experienced a phishing attempt, more than half (67%) had experienced multiple attacks from phishing messages. This rose to 73% of respondents reporting multiple phishing attempts on personal devices. Furthermore, the rate of attacks appeared to be increasing, according to our sample. Many of our participants feel that during the last three years, phishing threats have risen noticeably.In our findings, a combined total of 53% of respondents thought phishing messages had increased by over 20%. However, around a fifth (18%) of the whole sample reported experiencing an increase of over 40%. There is, therefore, no doubt that phishing is a common and persistent threat and one that is only increasing in intensity. In many ways, the growth in phishing attacks is not a great surprise. This aligns with the findings of the latest UK Government Cyber security survey where phishing was identified as the most common type of cyber attack by businesses in the country.   As a result of this increased danger, most senior leaders in our sample are understandably apprehensive about the risks of phishing. In our sample, a combined total of 94% of senior managers, executive management, and owners —a group whom we will refer to as senior manager respondents— said that they saw phishing as a cause for concern at some level. In addition, nearly a third of the same subset of respondents (29%) identified it as a serious concern.  There are many potential negative outcomes that can occur as a result of phishing. Yet, the biggest causes for worry according to senior manager respondents were the possible loss of customers’ private data and financial losses. The increasing number of phishing attacks as well as the severe implications of a breach reported by respondents in our surveys highlights the growing importance of addressing the dangers of phishing attacks as a business. Risks such as a data breach can also have serious impacts on consumer trust, as demonstrated in GetApp’s 2023 building digital trust and identity report. Whether the steps taken involve addressing the problem at its source with the help of anti-spam software or implementing cloud security or network protection, it is important to have a plan in place to limit the harm that could be caused if a breach occurs. 94% of phishing attacks arrive via emailAfter exploring the prevalence of phishing attacks and their consequences, we also wanted to discuss what form these phishing attacks can take. Phishing often takes the form of a digital message. Emails and short message service (SMS) phishing (or ‘Smishing’) offer quick and easy ways to trick employees. However, some cyber criminals also use other means such as robo calls and hacked social media posts to acquire sensitive information from targets. Therefore, knowing where to focus attention on security operations and training is important as hackers can employ many different types of phishing attacks. Naturally, a modern business relies on its digital communications and that may be exactly why cyber criminals seek to exploit them. How does this work in practice when a company becomes a target?In our analysis, receiving a phishing email was by far the most common way phishing scams manifested, as demonstrated in the image below.Although social media is the least likely form of phishing attempt reported by our participants, it should still be taken seriously as criminals could employ evermore audacious tactics to trick users. Recent reports have shown that on X (formerly known as Twitter) consumers have been targeted by accounts impersonating legitimate brand customer service profiles. This suggests that companies need to be monitoring social networks carefully to spot imposters. Tips for SMEsSocial listening tools could offer SMEs a helpful means to spot potential fraudsters. They work by identifying mentions of a company or product online that could be impersonating your communications or social profiles. In GetApp’s 2023 SMEs and social media report, half the sample used social listening which —as well as potentially offering better audience visibility and brand oversight— bestowed helpful benefits such as improved customer relationships and up-to-date product/service feedback.However, whilst it is clear that phishing attacks may be becoming commonplace, there are concerns that they are also becoming more deceptive. 82% of senior managers in our survey believe that phishing messages are getting harder to spot. This is likely to exacerbate the level of risk that companies are exposed to as it becomes harder to discern phishing attacks from legitimate communications.Who are fraudsters impersonating?  A significant element of phishing emails and calls is that they take on the appearance of communications from trusted entities. This makes it harder to detect that the attack is happening and allows the scammer to gain the trust of the target more easily. Upon investigating, we observed five of the most commonly chosen types of phishing attacks by our sample:It was most typical for companies to be impersonated overall, with almost half of the phishing messages taking this form. However, we also saw significantly more trusted organisations such as banks, government agencies, and even coworkers being impersonated in phishing messages amongst our sample. These kinds of specifically deceptive attacks correlate with the finding from senior managers that phishing attempts are getting harder to spot. It appears that cybercriminal tactics are becoming more specialised. This raises the possibility of a situation occurring where trusted business contacts or fellow coworkers are mimicked in order to trick employees into clicking on malicious links. Did you know?Spear phishing is a highly targeted form of phishing used by cybercriminals, typically intended to attack specific people or groups. This could prove to be a particular concern to businesses as hackers may target their companies with spoofed messages impersonating known business contacts, family, and friends, or, as was the case for 24% of our sample, coworkers. These kinds of risks underscore the importance of staff training in security awareness. It is wise to keep employees informed of these new and more underhanded kinds of attacks that can occur so people can be on the lookout for more realistic and specialised impersonations.69% of respondents report phishing attacks when they happenThe data so far has shown that phishing attacks are becoming a bigger threat as time goes on. With the chances increasing of a member of staff accidentally falling for an email or text message scam, what logical steps can be taken if a phishing attack is noticed to limit the potential damage?We investigated these considerations when we questioned our survey sample, and found that a majority (69%) of respondents took the time to report an incident of phishing at work.These are positive findings to observe, suggesting that companies in the UK are in a good position to potentially avoid the worst effects of phishing attacks. A culture of accountability is important for workplace cybersecurity. This is especially true in companies where remote/hybrid work arrangements are practised as IT security teams likely have much less oversight over company devices operated off-site. We spoke to Bryan Altimas, a veteran cyber security and technology risk expert and director of Riverside Court Consulting, to get more information on the factors that could help SMEs stop phishing hackers from succeeding. He advised that it was important to ‘Have a culture in the company where a team member is not scared of reporting they have been phished.’ Fortunately, as seen in the data, the vast majority of our respondents seemed to work in organisations where this rang true. However, there was still 40% of our sample who didn’t notify anyone of the attack. Altimas also offered the following tips for SMEs on what they can do to secure their systems if a phishing attempt initially succeeds. ‘Identify the affected accounts and apps and change the password if you still have access to do so. Once the password is changed log off all devices logged onto the account and set up two-factor authorisation. If the password was shared across apps there are at least two or more apps to secure. Time is of the essence.’Bryan Altimas, Director, Riverside Court ConsultingIt is worth reflecting that the price of inaction or complacency can be very high when it comes to phishing. For respondents unlucky enough to disclose information or click on a malicious link from a phishing attack, the consequences could include issues such as data leaks, reputational damage, and financial losses. These are three things no small company can afford to deal with on a regular basis.Phishing remains a persistent cybersecurity threatAs shown by the data collected from this survey, phishing attacks remain a significant risk for company systems and devices. Being prepared to deal with these dangers, therefore, could be a major challenge for companies, although it is one that they must be ready to respond to. It is important that SMEs consider mitigation methods such as putting in place security filters within email systems to limit the number of spam messages that successfully get through to an employee's inbox. Additionally, it is essential to have a plan set, cybersecurity expertise available, and the correct training and software implemented to fight back if an attack succeeds.   In part two of GetApp’s phishing report, we examine some of the methods that SMEs are using to protect themselves from scam emails and phishing attempts to avoid being caught out. Looking for email security software? Check out our catalogue. ## Disclaimer > MethodologyThe data for GetApp’s 2023 Phishing Attacks Survey was collected between July-August 2023 and comprises answers from 564 respondents comprising 349 employees and 215 senior managers, executive managers, and owners. We selected our survey sample based on the following criteria:UK residentAged 18-65 years oldEmployed either full-time or part-time with a company with at least two employeesUsing a computer for daily work tasks at least sometimesHas received one or more phishing attacks at work Understands the meaning of phishing attacks after being shown the following definition: ‘Phishing is a common type of cyber attack that targets individuals through email, text messages, phone calls, and other forms of communication usually by impersonating senders known to the recipient (e.g., package delivery, prizes, public entities, etc.). A phishing attack aims to trick the recipient into falling for the attacker’s desired action, such as revealing financial information, system login credentials, or other sensitive information. Phishing attacks are very often perpetrated against companies through their employees.’ ## About the author ### David Jani David is a Content Analyst for the UK, providing key insights into tech, software and business trends for SMEs. Cardiff University graduate. He loves traveling, cooking and F1. ## Related Categories - [Cloud Security Software](https://www.getapp.co.uk/directory/291/cloud-security/software) - [Cybersecurity Software](https://www.getapp.co.uk/directory/1035/cybersecurity/software) - [Help Desk Software](https://www.getapp.co.uk/directory/287/help-desk-ticketing/software) - [IT Service Software](https://www.getapp.co.uk/directory/1049/it-service/software) - [Network Security Software](https://www.getapp.co.uk/directory/1443/network-security/software) ## Related Articles - [Biometric authentication methods: How UK consumers feel about sharing their data](https://www.getapp.co.uk/blog/2002/biometric-authentication-methods) - [Free trial VPN software: The best 4 tools for your SME](https://www.getapp.co.uk/blog/1635/free-trial-vpn-software-the-best-4-tools-for-your-sme) - [3 expert tips for small business crisis management](https://www.getapp.co.uk/blog/4256/expert-tips-small-business-crisis-management) - [Benefits of RFID systems in inventory management](https://www.getapp.co.uk/blog/3513/benefits-of-rfid-systems) - [How To Prepare Your Enterprise Against Common Cyber Security Threats](https://www.getapp.co.uk/blog/1930/prepare-your-enterprise-against-common-cyber-security-threats) ## Links - [View on GetApp](https://www.getapp.co.uk/blog/4224/risks-uk-smes-phishing-attacks) - [Blog](https://www.getapp.co.uk/blog) - [Home](https://www.getapp.co.uk/) ----- ## Structured Data