Phishing, the single biggest cyber security risk to your business

According to the UK's Cyber Security Breaches Survey 2025, 93% of businesses that experienced any cybercrime reported phishing as the method used.

Cybercriminals know that the easiest way into a business isn’t by “hacking” a firewall, it’s by tricking someone into clicking a link or opening an attachment.

The term phishing is used for generic attacks, where cybercriminals send fake messages to many people, often with the goal of tricking recipients into clicking on links or downloading malware. The fake messages will often look like they are from a well-known organisation such as your bank or HMRC.

Spear phishing, by contrast, is a targeted attack aimed at a specific person or role within a company. These attacks are often personalised and researched, using real names, with the goal of gaining deeper access into systems to access data or initiate fraud. They can be harder to spot and are on the rise.

Human error is a critical vulnerability. More than 90% of cyber security incidents are traceable to mistakes such as poor password hygiene, falling for phishing links, or mismanaging sensitive data.

Attackers are leveraging AI and automation to craft highly convincing, personalised phishing requests and spear-phishing attempts that are harder to detect and stop.

We are now seeing a significant increase in phishing attacks. Improving awareness and taking steps to reduce your risk are essential.

So what can everyone do to reduce their risk of a phishing attack?

Be vigilant and take extra care when clicking on links or sharing information.
 
1. Pause before you click
If an email creates a sense of urgency and makes demands such as "pay now" or "reset your password immediately", take a moment to think. Urgency is a red flag.
2. Check the sender address carefully
Look for subtle spelling mistakes or strange domains (e.g. @micros0ft.com instead of @microsoft.com).
Also watch for unusual domain extensions. Most large organisations will have purchased the common extensions such as .com, .co.uk and .net even if they don't use them, but many other extensions are available that could be used for malicious activity. An unusual domain extension is a red flag.
3. Check the path of the link
Sometimes the links in an email are disguised. Hover over them, or copy and paste them into a text document, to check the path of the URL. If it looks odd, don't click on it.
4. Report suspicious emails
If you are unsure, or if you have discovered a malicious email, it's best to let our support team know. We can help identify whether the email is malicious and we will also implement additional security actions should they be necessary.
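The four checks above can be applied mechanically to a message before anyone clicks. The script below is an added illustration, not code from the original article or from Roadmap: it parses a constructed sample email, looks for urgency phrases, compares the sender domain against a small hypothetical allow-list of genuine brand domains (undoing digit-for-letter swaps such as micros0ft), compares the domain shown in a link's text with the domain the href really goes to, and notes unusual domain extensions. The brand list, the urgency phrases, the "common" extension set and the crude registrable-domain rule are all assumptions made for the example.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: commonly impersonated brands and the domains they genuinely
# send from. A real deployment would load this from configuration.
KNOWN_BRANDS = {
    "microsoft": {"microsoft.com"},
    "hmrc": {"hmrc.gov.uk", "gov.uk"},
}
# Phrases that create the "act now" pressure described in step 1 (assumed list).
URGENCY_PHRASES = ("pay now", "immediately", "account will be locked", "within 24 hours")
# Extensions treated as common for step 2; anything else is merely noted as unusual.
COMMON_SUFFIXES = {"com", "net", "org", "co.uk", "gov.uk", "org.uk"}
# Digit-for-letter swaps often seen in lookalike domains (micros0ft -> microsoft).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed sample message (not a real phishing email) used to drive the checks.
SAMPLE_EMAIL = """\
From: "Microsoft Account Team" <security@micros0ft.com>
To: finance@example.co.uk
Subject: Reset your password immediately
Content-Type: text/html

<html><body>
<p>Your account will be locked unless you act now.
<a href="http://login.microsoft.com.example-verify.top/reset">https://login.microsoft.com</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host):
    """Crude registrable domain: last two labels, or three for co.uk-style suffixes.
    Assumption: no public-suffix list is available offline."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-2] in ("co", "gov", "org", "ac") and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def suffix_of(host):
    """The extension part of the registrable domain, e.g. 'co.uk' or 'top'."""
    reg = registered_domain(host)
    return reg.split(".", 1)[1] if "." in reg else reg


def lookalike_of(host):
    """Return the brand a host imitates, or None for a genuine or unrelated host."""
    reg = registered_domain(host)
    flattened = host.lower().translate(HOMOGLYPHS)
    for brand, genuine in KNOWN_BRANDS.items():
        if reg in genuine:
            return None
        if brand in flattened:
            return brand
    return None


def body_text(msg):
    """Concatenate the text/plain and text/html parts of a message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def analyse(raw_message):
    """Run the urgency, sender and link checks on one message; return the findings."""
    msg = message_from_string(raw_message)
    body = body_text(msg)
    findings = []

    # Step 1: urgency in subject or body
    text = ((msg["Subject"] or "") + " " + body).lower()
    findings += [f"urgency: '{p}'" for p in URGENCY_PHRASES if p in text]

    # Step 2: sender address spelling and extension
    _display, addr = parseaddr(msg["From"] or "")
    sender_host = addr.rpartition("@")[2]
    if lookalike_of(sender_host):
        findings.append(f"sender {sender_host} imitates {lookalike_of(sender_host)}")
    if sender_host and suffix_of(sender_host) not in COMMON_SUFFIXES:
        findings.append(f"sender {sender_host} uses unusual extension .{suffix_of(sender_host)}")

    # Step 3: where each link really goes versus what its text shows
    extractor = LinkExtractor()
    extractor.feed(body)
    for shown, href in extractor.links:
        target = urlparse(href).hostname or ""
        shown_host = urlparse(shown).hostname if "://" in shown else None
        if shown_host and registered_domain(shown_host) != registered_domain(target):
            findings.append(f"link text shows {shown_host} but goes to {target}")
        if lookalike_of(target):
            findings.append(f"link host {target} imitates {lookalike_of(target)}")
        if target and suffix_of(target) not in COMMON_SUFFIXES:
            findings.append(f"link host {target} uses unusual extension .{suffix_of(target)}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print(finding)
```

Each finding maps back to one of the steps above, which is what makes the output useful for step 4: a user forwarding the message to the support team can say exactly which check it failed. The lookalike test is deliberately simple (digit swaps and a brand name appearing anywhere in the host); a production filter would also handle Unicode confusables and use a real public-suffix list.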

What can businesses do to reduce the risk further?

When securing your IT to reduce the risk from phishing attempts, it's important to remember that phishing is just one piece of a wider cyber security picture. The solutions below all contribute to providing a more secure environment for your users to work within.

1. Cyber Security Awareness Training
Regular user training and realistic phishing simulations to build employee vigilance
2. Strong Email Security
Implement DMARC, SPF, DKIM, advanced spam and phishing filters
3. Zero Trust Architecture
Minimise access privileges across devices, networks and accounts
4. Supply Chain Audits
Vet vendors, enforce security standards, and monitor access
5. Active threat protection monitoring and remediation
Anti-virus and malware scanning, real-time endpoint detection and response, and protection against zero-day threats across computers, mobile devices and cloud platforms
6. Identity and Access Management
Enforce MFA, security and password policies, and access rights across all identities
7. Security Framework
Implement a recognised level of security, such as Cyber Essentials +, SOC 2 or ISO27001.
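Item 2 above lists DMARC, SPF and DKIM without saying what a weak deployment looks like. The script below is an added example, not code or DNS data from the original article or from Roadmap: it holds constructed TXT records for a hypothetical domain example.co.uk, one set with common weak settings and one hardened set, and checks each for the problems that let spoofed mail through (an SPF record ending in "+all", a DMARC policy of "p=none" with no reporting address, and a DKIM record with an empty public key, which RFC 6376 treats as revoked). The record contents, the domain, the IP address and the key placeholder are all assumptions made for the example.

```python
import re

# Constructed records for a hypothetical domain (not real DNS data).
WEAK_RECORDS = {
    "spf": "v=spf1 include:_spf.example-mail.invalid +all",
    "dmarc": "v=DMARC1; p=none;",
    "dkim": "v=DKIM1; k=rsa; p=",
}
HARDENED_RECORDS = {
    "spf": "v=spf1 include:_spf.example-mail.invalid ip4:203.0.113.10 -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.co.uk; pct=100",
    "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
}

# SPF mechanisms and modifiers that each cost one DNS lookup (RFC 7208 caps these at 10).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record):
    """Split a 'k=v; k=v' record (DMARC and DKIM style) into a dict."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_lookup_count(terms):
    """Count the terms that trigger a DNS lookup during SPF evaluation."""
    count = 0
    for term in terms:
        name = re.split(r"[:/=]", term.lstrip("+-~?").lower(), 1)[0]
        if name in LOOKUP_MECHANISMS:
            count += 1
    return count


def assess_spf(record):
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF: '+all' lets any server on the internet pass SPF for this domain")
    elif last == "?all":
        findings.append("SPF: '?all' is neutral; unlisted senders are neither passed nor failed")
    elif last == "~all":
        findings.append("SPF: '~all' is a softfail; it only bites when DMARC enforces a policy")
    elif last != "-all":
        findings.append("SPF: no terminating 'all' mechanism; unlisted senders are not rejected")
    if spf_lookup_count(terms[1:]) > 10:
        findings.append("SPF: more than 10 DNS lookups; receivers return permerror")
    return findings


def assess_dmarc(record):
    findings = []
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: missing or invalid v=DMARC1"]
    policy = tags.get("p")
    if policy is None:
        findings.append("DMARC: no p= tag; record is invalid")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports show no legitimate failures")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    return findings


def assess_dkim(record):
    tags = parse_tags(record)
    # v= is optional in DKIM key records; when present it must be DKIM1.
    if tags.get("v", "DKIM1") != "DKIM1":
        return ["DKIM: unexpected version tag"]
    if not tags.get("p"):
        return ["DKIM: empty p= means the key is revoked; signatures will not verify"]
    return []


def assess_domain(records):
    """Combine the three checks; an empty list means nothing obviously weak."""
    return assess_spf(records["spf"]) + assess_dmarc(records["dmarc"]) + assess_dkim(records["dkim"])


if __name__ == "__main__":
    for label, records in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(label, assess_domain(records) or ["no findings"])
```

In practice the records are fetched with a DNS lookup of the domain's TXT record, _dmarc.<domain> and <selector>._domainkey.<domain>; the checks above run on the strings that come back. The useful order of work is the one the findings imply: tighten SPF to "-all", publish a DKIM key, start DMARC at p=none with a rua= address to collect reports, then raise the policy to quarantine and finally reject.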

We're here to help

Roadmap is both Cyber Essentials + and ISO27001 certified, and we can help your business achieve the same level of compliance. We also have a number of other cyber security solutions to help secure your business.