Phishing Won 69% of UK Cyber Battles Last Year: Why the Fight Has Moved From Your Inbox to Your Identity
Fifty-one percent of UK businesses that experienced a cyber breach or attack in the last twelve months were hit by phishing alone. No ransomware. No hacking. No denial-of-service. Just phishing. One mechanism, executed competently, was sufficient. That figure is up from 45% last year, according to the Cyber Security Breaches Survey 2025/2026 published by DSIT and the Home Office on 30 April 2026.
That number deserves more scrutiny than it has received.
The Scale of a Single Attack Vector
Phishing attacks were experienced by 38% of all UK businesses surveyed. Among organisations that suffered any kind of breach or attack, phishing was identified as the most disruptive type in 69% of cases. The qualitative interviews within the survey noted that organisations perceived phishing attacks had become easier for attackers to commit, contributing to what they described as an increase in volume.
The concentration is striking. In a landscape where businesses face ransomware, impersonation, denial-of-service, and unauthorised access, more than half of all victims were compromised by a single, well-understood attack type. This is not a story about sophisticated adversaries deploying exotic tools. It is a story about a reliable mechanism meeting insufficient defences.
Ransomware, by contrast, declined to 1% of businesses, down from 3% in each of the two preceding years. Impersonation attacks fell to 12%, down from 17% in 2023/2024. The threat landscape is not becoming more diverse. It is consolidating around what works. And what works, overwhelmingly, is tricking a human being into clicking something.
Why “Spot the Typo” Is Dead
The traditional defence against phishing rested on training staff to recognise poorly written messages. Look for bad grammar. Check the sender address. Be suspicious of urgency. This advice was reasonable when most phishing emails were visibly crude: misspelled company names, broken syntax, implausible scenarios.
That era is over.
Large language models have eliminated the quality gap between legitimate and malicious correspondence. A fake invoice can now match the tone, formatting, and language conventions of a genuine supplier communication. A fraudulent Microsoft security alert can present more cleanly than the authentic version. The “human spam filter” model assumed that phishing messages would always carry visible tells. That assumption no longer holds.
The survey data supports this. Phishing prevalence increased, phishing-only breaches increased, and organisations themselves reported perceiving an increase in attack volume and sophistication. The supply side of phishing has become cheaper and higher quality. The demand side, meaning organisational defences, has not kept pace.
This does not mean user awareness is worthless. Staff should still pause before acting on unexpected requests. They should verify unusual payment instructions through a second channel. Caution has value. But it is no longer a sufficient control. The technical architecture around the account must assume that someone will eventually click.
The Identity Pivot
When a phishing attack succeeds, the immediate consequence is usually credential compromise. The attacker obtains a username and password, or a session token, or both. What happens next depends entirely on the identity controls in place.
In an environment with no multi-factor authentication, a stolen password means immediate, unimpeded access to the account. The attacker can read email, set forwarding rules, reset passwords for connected services, and establish persistence before anyone notices. In an environment with MFA, the stolen password alone is insufficient. The attacker needs a second factor, which raises the cost and complexity of the attack significantly.
The survey reports that MFA adoption among UK businesses rose from 40% to 47%. Among micro businesses specifically, the increase was more pronounced: from 35% to 43%. This is meaningful progress. But it means 53% of UK businesses still operate without MFA on any service. More than half of the business population is one successful phishing email away from full account compromise.
The framing matters. Phishing is commonly discussed as an email security problem. Filter better. Train harder. Block more domains. These measures help at the margins. But the data suggests that the decisive control is not at the inbox. It is at the login. The click is the doorknock. Identity protection determines whether it becomes a burglary.
What “Assume the Click” Means in Practice
Designing for the assumption that someone will click is not defeatism. It is engineering. Every mature security model works this way. Fire doors assume fires will start. Seatbelts assume collisions will happen. Identity controls should assume credentials will be compromised.
For a small business running Microsoft 365 or Google Workspace, this means implementing a specific set of controls.
Multi-factor authentication on every account. Not just admin accounts. Every user. The survey shows 47% adoption across businesses, but the distribution is uneven. Large businesses are far more likely to have MFA than micro firms. The gap is not about cost; both Microsoft 365 and Google Workspace include MFA at no additional charge on most licence tiers.
Conditional access policies where available. Microsoft 365 Business Premium and above supports conditional access, which allows you to restrict sign-ins by location, device compliance, and risk level. This means a sign-in from an unrecognised device in an unusual location can be challenged or blocked automatically, even if the credentials are valid.
Suspicious sign-in monitoring. Both Microsoft Entra ID and Google Workspace provide sign-in logs and anomaly detection. A small business does not need a security operations centre to review these. It needs one person checking the alerts weekly and knowing what to escalate.
Session token protection. Modern phishing kits, including adversary-in-the-middle frameworks, can steal session tokens rather than passwords, bypassing traditional MFA. Token binding, continuous access evaluation, and short session lifetimes reduce this risk. These are more advanced controls, but businesses using Microsoft 365 Business Premium or E5 licences have access to them.
Mailbox rule auditing. One of the first things an attacker does after compromising a mailbox is create forwarding rules to exfiltrate email silently. Regular auditing of mailbox rules, particularly forwarding and deletion rules, catches this quickly.
The Cost Argument Collapses
The survey data provides an important counterpoint to the assumption that cyber security requires significant investment. The controls that most directly address the phishing-to-identity chain are either free or included in existing licence costs.
MFA: included in Microsoft 365 Business Basic, Business Standard, and all Google Workspace tiers. No additional cost.
Conditional access: requires Microsoft 365 Business Premium. The upgrade cost from Business Standard is typically modest and includes additional security features.
Sign-in monitoring: available in the admin consoles of both platforms. Requires configuration and attention, not budget.
The median perceived cost of the most disruptive breach for businesses was reported at zero, which reflects the fact that many breaches involve staff time rather than direct financial outlay. But for the top 5% of cases, the perceived cost reached £4,000 for micro and small businesses and £10,000 for medium and large businesses. Revenue impact from breaches more than doubled year on year, from 2% to 5%. The cost of inaction is becoming more visible.
The Awareness Paradox
The survey reveals an uncomfortable dynamic. Awareness of cyber risk increased. The qualitative data explicitly attributes this to high-profile media coverage of major attacks. Yet the controls that would prevent the most common attack vector, phishing leading to identity compromise, have not kept pace.
This is not a failure of messaging. It is a failure of conversion. Businesses hear the lesson and do not translate it into the specific, slightly boring administrative steps that would actually reduce risk. A managing director who watches the M&S breach coverage and thinks “we should do something about cyber” has experienced awareness. A managing director who then opens the Microsoft 365 admin centre and enables security defaults has experienced conversion.
The gap between those two moments is where the survey’s declining hygiene numbers live. And closing it does not require more dramatic headlines or more alarming statistics. It requires making the first step so obvious and so accessible that postponement becomes harder to justify than action.
How to Turn This Into a Competitive Advantage
If 53% of UK businesses lack MFA and 85% do not review their supply chain for cyber risk, having these controls in place is a genuine differentiator. Procurement questionnaires increasingly ask about identity controls, MFA adoption, and incident response capability. Being able to answer yes, with evidence, separates you from the majority.
For businesses that serve as suppliers to larger organisations, this is particularly valuable. The survey shows only 15% of businesses review their immediate suppliers for cyber risk, but that figure rises to 48% among large businesses. If your client is a large enterprise, they are increasingly likely to ask about your security posture. Having MFA, sign-in monitoring, and documented identity controls gives you a concrete, verifiable answer.
How to Sell This to Your Board
The threat is concentrated, not diffuse. 69% of the most disruptive incidents were phishing. This means the defensive investment can be equally concentrated: identity controls, not a sprawling security programme.
The controls are already paid for. MFA and sign-in monitoring are included in existing Microsoft 365 and Google Workspace licences. The conversation is about configuration, not procurement.
53% of competitors have no MFA. Framing identity controls as a competitive advantage, not just a defensive measure, changes the budgetary conversation from cost centre to business enabler.
Revenue impact doubled. Breaches that caused revenue or share value loss went from 2% to 5% year on year. The financial case for prevention is strengthening with each survey cycle.
What This Means for Your Business
- Enable MFA on every account this week. Microsoft 365 security defaults or Google Workspace enforcement. Every user, not just admins. This single control addresses the most common attack path identified in the survey.
- Audit your mailbox forwarding rules. Check all user mailboxes for unexpected forwarding or deletion rules. If you find rules you did not create, investigate immediately.
- Review your sign-in logs fortnightly. Set a calendar reminder. Look for sign-ins from unfamiliar locations, devices, or at unusual times. Both Microsoft and Google provide this data in the admin console.
- Stop relying on “spot the typo” training alone. Awareness training has value, but it must sit alongside technical controls. If your entire phishing defence is a poster in the kitchen, you are building on sand.
- Check whether your Microsoft 365 licence includes conditional access. If you are on Business Premium or above, you have access to conditional access policies. If you are on a lower tier, consider whether the upgrade is justified by the security improvement.
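The mailbox rule audit described under “Mailbox rule auditing” and in the second action above, as an added example that is not part of the original article and is not Microsoft’s or Google’s own tooling. It assumes each mailbox’s inbox rules have been exported in the shape of the Microsoft Graph messageRule resource (only the fields read below are modelled); the organisation domain, the mailbox names and every sample rule are constructed.

```python
"""Flag inbox rules of the kind left behind after a mailbox compromise:
forwarding or redirecting mail outside the organisation, or deleting it.

Assumptions (not from the article): each rule is a dict shaped like the
Microsoft Graph `messageRule` resource; the caller supplies the set of
domains that count as internal. All sample data below is constructed.
"""

ORG_DOMAINS = {"example.com"}   # constructed: the organisation's own mail domain(s)

# Constructed export: two mailboxes, one benign rule, one attacker-style rule,
# one legitimate internal forward, and one disabled external redirect.
SAMPLE_MAILBOXES = {
    "alice@example.com": [
        {"displayName": "Team newsletters", "isEnabled": True,
         "actions": {"moveToFolder": "AAMk-folder-id-1", "markAsRead": True}},
        {"displayName": ".", "isEnabled": True,
         "actions": {"forwardTo": [{"emailAddress": {"address": "collector@mail.example.net"}}],
                     "delete": True}},
    ],
    "bob@example.com": [
        {"displayName": "Copy to assistant", "isEnabled": True,
         "actions": {"forwardTo": [{"emailAddress": {"address": "carol@example.com"}}]}},
        {"displayName": "Old rule", "isEnabled": False,
         "actions": {"redirectTo": [{"emailAddress": {"address": "bob.personal@example.org"}}]}},
    ],
}

# The three messageRule actions that send a copy of mail somewhere else.
FORWARDING_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")


def _domain(address):
    """Lower-cased domain part of an SMTP address."""
    return address.rsplit("@", 1)[-1].lower()


def audit_rule(rule, org_domains):
    """Return the reasons (possibly none) a single rule deserves a look."""
    reasons = []
    actions = rule.get("actions", {})
    for kind in FORWARDING_ACTIONS:
        for recipient in actions.get(kind, []):
            address = recipient["emailAddress"]["address"]
            if _domain(address) not in org_domains:
                reasons.append(f"{kind} external address {address}")
    if actions.get("delete") or actions.get("permanentDelete"):
        reasons.append("deletes messages")
    return reasons


def audit_mailboxes(mailboxes, org_domains):
    """Audit every rule in every mailbox; return one finding per suspicious rule."""
    findings = []
    for mailbox, rules in mailboxes.items():
        for rule in rules:
            reasons = audit_rule(rule, org_domains)
            if reasons:
                findings.append({
                    "mailbox": mailbox,
                    "rule": rule.get("displayName", ""),
                    "enabled": rule.get("isEnabled", False),
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for finding in audit_mailboxes(SAMPLE_MAILBOXES, ORG_DOMAINS):
        state = "ENABLED" if finding["enabled"] else "disabled"
        print(f'{finding["mailbox"]}: rule "{finding["rule"]}" ({state}): '
              + "; ".join(finding["reasons"]))
```

Internal forwards are deliberately not flagged, so that a legitimate “copy to assistant” rule does not drown out the one that matters; a disabled external redirect is still reported, because it only takes one click in the compromised account to switch it back on.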
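The fortnightly sign-in review described under “Suspicious sign-in monitoring” and in the third action above, as an added example that is not part of the original article and is not a feature of either vendor’s admin console. It assumes the sign-in log has been exported as JSON in the shape of the Microsoft Graph signIn resource (only the fields read below are modelled), that hours outside 06:00 to 20:00 UTC count as unusual, and that two successful sign-ins from different countries less than two hours apart are implausible; the users, addresses and every sample event are constructed.

```python
"""Review exported Entra ID sign-in events for the anomalies a fortnightly
check looks for: unfamiliar countries, unfamiliar devices, off-hours logins,
and two successful sign-ins from different countries too close together.

Assumptions (not from the article): each event is a dict shaped like the
Microsoft Graph `signIn` resource that the Entra admin centre exports as JSON;
only the fields read below are modelled, and every sample event is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BUSINESS_HOURS = (6, 20)            # UTC hours treated as normal; assumed, tune per site
TRAVEL_WINDOW = timedelta(hours=2)  # two countries inside this window is implausible

# Constructed sample export: a baseline period for two users, then the review window.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-04-01T08:55:12Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"},
     "deviceDetail": {"deviceId": "dev-alice-laptop"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-02T09:03:41Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "GB"},
     "deviceDetail": {"deviceId": "dev-bob-desktop"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-14T09:10:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"},
     "deviceDetail": {"deviceId": "dev-alice-laptop"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-14T10:02:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NG"},
     "deviceDetail": {"deviceId": "dev-unknown-01"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-15T02:30:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "GB"},
     "deviceDetail": {"deviceId": "dev-bob-desktop"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-15T02:31:00Z", "userPrincipalName": "bob@example.com",
     "ipAddress": "192.0.2.55", "location": {"countryOrRegion": "US"},
     "deviceDetail": {}, "status": {"errorCode": 50126}},   # failed sign-in, not reviewed
    {"createdDateTime": "2026-04-16T11:00:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"},
     "deviceDetail": {"deviceId": "dev-alice-laptop"}, "status": {"errorCode": 0}},
]
REVIEW_FROM = datetime(2026, 4, 13, tzinfo=timezone.utc)   # start of the review window


def _ts(event):
    """Parse the ISO-8601 timestamp (trailing Z) into an aware datetime."""
    return datetime.fromisoformat(event["createdDateTime"].replace("Z", "+00:00"))


def _succeeded(event):
    """errorCode 0 is a successful sign-in; anything else failed or was blocked."""
    return event.get("status", {}).get("errorCode", 1) == 0


def build_baseline(events, before):
    """Countries and device ids each user signed in from successfully before `before`."""
    countries, devices = defaultdict(set), defaultdict(set)
    for event in events:
        if _ts(event) < before and _succeeded(event):
            user = event["userPrincipalName"]
            countries[user].add(event["location"]["countryOrRegion"])
            device = event.get("deviceDetail", {}).get("deviceId")
            if device:
                devices[user].add(device)
    return countries, devices


def review_signins(events, review_from):
    """Return (user, timestamp, reason) tuples for successful sign-ins worth a look.

    A user with no baseline (new starter) will have every country flagged,
    which is the right default: a reviewer should confirm the first one."""
    countries, devices = build_baseline(events, review_from)
    findings = []
    last_success = {}   # user -> (timestamp, country) of the previous successful sign-in
    for event in sorted(events, key=_ts):
        when, user = _ts(event), event["userPrincipalName"]
        if not _succeeded(event):
            continue
        country = event["location"]["countryOrRegion"]
        previous = last_success.get(user)
        last_success[user] = (when, country)
        if when < review_from:
            continue          # baseline period, already used to learn what is normal
        stamp = event["createdDateTime"]
        device = event.get("deviceDetail", {}).get("deviceId")
        if country not in countries[user]:
            findings.append((user, stamp, f"new country {country}"))
        if device and device not in devices[user]:
            findings.append((user, stamp, f"new device {device}"))
        if not BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1]:
            findings.append((user, stamp, f"off-hours sign-in at {when:%H:%M} UTC"))
        if previous and previous[1] != country and when - previous[0] < TRAVEL_WINDOW:
            findings.append((user, stamp, f"{previous[1]} then {country} within {when - previous[0]}"))
    return findings


if __name__ == "__main__":
    for user, stamp, reason in review_signins(SAMPLE_SIGNINS, REVIEW_FROM):
        print(f"{stamp}  {user}: {reason}")
```

On the sample data the review surfaces one event three times (a new country, a new device, and a GB-to-NG hop inside an hour) and one off-hours sign-in; failed attempts are skipped here so the list stays short enough to act on, but a run of failures from a new country is worth a separate count if you want to see password guessing as well.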