Mark One Consultants Blog - IT news & technology tips


Phishing Emails: Why they still work, and what UK businesses must do.

by Jon Budzynski - Thu 23 Oct 2025

*Updated: Unveiling the Threat: How Phishing Attacks Impact Businesses by Mark One Consultants*

Phishing has been a problem for many years and remains a big cyber threat to businesses today. The techniques have evolved: AI-generated text, stolen branding, advanced impersonation and phishing kits sold as a paid service let online criminals launch large-scale attacks quickly. As a result, phishing is still a leading cause of data breaches, fraud, and ransomware in the UK.

Recent real-world examples (UK & relevant global incidents)

Below are some recent incidents that show how phishing or phishing infrastructure helped criminals break into organisations, and how the consequences can be significant:

  • HMRC: organised phishing campaign targeting taxpayer accounts (2024, investigation reported 2025)
    HMRC uncovered unauthorised access attempts against around 100,000 taxpayer online accounts, in what investigators describe as a phishing campaign orchestrated by organised crime groups. While the targeted accounts were secured and no financial losses occurred, the scale of the operation highlights how criminals exploit harvested personal data to attack major public services.
  • Large-scale phishing-as-a-service dismantled (Sept 2025)
    Microsoft and its partners have disrupted a phishing subscription service known as Raccoon0365, which had been facilitating widespread credential harvesting and large-scale phishing campaigns. The takedown highlights that phishing is no longer merely opportunistic spam — it has evolved into an industry powered by tools that make campaigns cheaper, faster, and more effective.

  • UK supply-chain & public-sector impacts (NHS / Synnovis, June 2024)
    The ransomware attack that hit Synnovis, a pathology provider for several NHS trusts, caused major disruption to hospital services across London. While the exact cause of entry can vary in these cases, the incident shows how supply-chain and healthcare partners can create wider risks if they are compromised. Phishing is often a key factor, leading to stolen credentials or further attacks.
  • Company breach after staff phishing (UK case example)
    Reviews of past UK company breaches show phishing emails are still a common entry point. Hackers use them to send malware through infected files or to spread stolen login details inside a business, leading to system compromise. The key point is that attackers mix social engineering with widely available phishing kits and newer tools, like AI-created content, copycat domains, and fake SMS or voice calls, to make phishing more convincing and easier to scale.

 

Why phishing still works today

  • Humans are unfortunately always going to be the weak link. Even well-trained staff make mistakes under pressure or distraction. 
  • Phishing is cheap and scalable. Criminals can buy templates, hosting, and “phishing-as-a-service” subscriptions that pre-configure fake login pages and harvesting infrastructure.
  • AI makes impersonation easier. Auto-generated, context-aware messages can mimic colleagues or suppliers better than many earlier attacks.

 

Clear, practical steps for UK businesses & what to do today:

Below are the high-impact yet realistic steps we recommend businesses adopt as soon as possible. They are suitable for organisations from SMEs up to larger enterprises.

Enable Multi-Factor Authentication (MFA) 
Use MFA on email systems such as Microsoft 365 and on the other critical systems your business uses. Even if credentials are phished, MFA significantly reduces the chance of account takeover. Where possible, use an authenticator app or hardware key rather than SMS. (Mark One)

Email filtering and link protections
Invest in a modern and trusted email filtering system that can alert users to threats before it's too late. Such systems can rewrite and scan links, ‘sandbox’ attachments and flag domain look-alikes before users are scared into acting. (NCSC)

Run targeted security awareness + simulated phishing
Regular, role-specific training combined with phishing simulations helps people spot risks faster and get into the habit of checking before clicking. Keep sessions short, frequent, and realistic so they’re easy to follow and stick over time.

Verify payment & HR requests
For any payment requests, changes to bank details, or sensitive HR instructions, always confirm through a second channel - like a quick phone call to a known number or face-to-face check - before taking action. This simple step helps stop “CEO fraud” and invoice redirection scams.

Restrict Admin Access and use the Principle of Least Privilege
Limiting admin accounts and implementing the Principle of Least Privilege effectively means only granting users access to the resources they require. This reduces the potential damage that could occur if an account is compromised. Admin-level users should also consider maintaining a separate account specifically for administrative tasks.  

Backup, test restores, and segment networks
Good data backups combined with proper network segmentation reduce the operational pain from ransomware or data encryption events. Regular restore tests are critical: backups that haven't been tested are a false comfort.

Have an incident playbook and perform tabletop exercises
An incident playbook is a detailed, step-by-step guide that defines how an organisation responds to cybersecurity incidents. "Tabletop exercises" are simulated practice sessions where the team gathers to role-play incident scenarios like phishing attacks, breaches involving third parties, or data leaks. These exercises help test the playbook, improve coordination, and ensure everyone knows their role and responses before a real incident happens.

Watch for problems and act fast
Keep an eye on what’s happening in your systems using basic tools that track activity and send alerts. Subscribe to updates about new threats in your industry. If you spot phishing emails, report them to the NCSC so they can help protect everyone better. (NCSC)

 

Quick checklist for staff 

  • Pause & don’t act under pressure.
  • Check the sender address (not just display name).
  • Hover over links on a desktop system to confirm the destination before clicking.
  • Don’t enable macros when opening attachments; instead, perhaps request a PDF.
  • If a request seems odd, verify it by calling the sender on a known number.
  • Report suspicious emails to management or IT support immediately.
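
The sender checks above ("check the sender address, not just display name" and flagging domain look-alikes) can also be automated. The following is an added example, not part of the original article and not the code of any filtering product; the trusted domains, protected names and sample messages are constructed for illustration.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed values: domains and names this hypothetical organisation trusts.
TRUSTED_DOMAINS = {"example.co.uk", "supplier-example.com"}
PROTECTED_NAMES = {"example finance", "jane doe"}

def skeleton(domain):
    """Collapse common character swaps (0/o, 1/l, rn/m) used in copycat domains."""
    return domain.lower().replace("0", "o").replace("1", "l").replace("rn", "m")

def lookalike_of(domain, threshold=0.85):
    """Return the trusted domain that `domain` imitates, or None."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for good in sorted(TRUSTED_DOMAINS):
        close = SequenceMatcher(None, domain, good).ratio() >= threshold
        if skeleton(domain) == skeleton(good) or close:
            return good
    return None

def domain_of(header_value):
    """Return (display name, lower-cased domain) from an address header."""
    name, addr = parseaddr(header_value or "")
    return name.strip().lower(), addr.rpartition("@")[2].lower()

def check_sender(raw_message):
    """Return a list of warnings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, from_domain = domain_of(msg["From"])
    _, reply_domain = domain_of(msg["Reply-To"])
    findings = []
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"look-alike of {imitated}: {from_domain}")
    if name in PROTECTED_NAMES and from_domain not in TRUSTED_DOMAINS:
        findings.append(f"display name '{name}' used from untrusted domain")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To goes to {reply_domain}, not {from_domain}")
    return findings

# Constructed sample messages (headers only), not real mail.
SAMPLES = {
    "copycat": 'From: "Example Finance" <accounts@examp1e.co.uk>\nSubject: Invoice\n\n',
    "genuine": 'From: "Jane Doe" <jane.doe@example.co.uk>\nSubject: Notes\n\n',
    "reply_to": 'From: "Jane Doe" <jane.doe@example.co.uk>\n'
                "Reply-To: jane.doe@mailbox.test\nSubject: Bank details\n\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_sender(raw))
```

A check like this supplements, rather than replaces, sender authentication results (SPF, DKIM, DMARC) that a mail gateway already evaluates.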

 

How Mark One Consultants can help

We can provide the following services to help organisations fight the ongoing battle with cyber threats:

  • M1C SpamShield: Our managed email filtering solution provides comprehensive protection to end users, which can also help them identify spoofing attempts.  
  • IT security reviews of your Microsoft 365 tenancy and local network
  • Phishing simulations and advice on staff awareness programmes  
  • Incident response planning and tabletop exercises  


Please do not hesitate to contact us today should you require any assistance or want further information on how we can help your business.

