85% of security breaches in UK businesses involve phishing. Greater Manchester is no exception - phishing attacks here jumped by 30% in the last year, contributing to an estimated £40 million in losses for local firms. Cyber criminals are casting wider and smarter nets, and no business is too small to take the bait. In this first blog in our Cyber Security Awareness Month series, we pull back the curtain on phishing scams targeting SMEs and arm you with insights to stay safe.
Phishing remains the number one cyber threat to businesses. It's alarmingly prevalent - among companies that experienced a cyber attack, 85% said phishing emails were involved. Criminals send highly realistic emails or messages that look legitimate, hoping to trick someone into clicking a malicious link, handing over credentials, or transferring money. And it's getting worse: in Greater Manchester, phishing incidents spiked by 30% last year. This surge has real consequences. Cyber scams cost Manchester businesses roughly £40 million in the past year - losses that hit Manchester SME owners particularly hard.
What's driving the spike? For one, phishing kits and stolen data are cheaply available on the dark web. Scammers have also upped their game with AI. The explosion of AI in the past few years has made scams far more convincing. Today's phishing emails are often polished - no more broken English - and some even use deepfake audio to mimic real executives on the phone. It's scary how real it all looks and sounds. In other words, the old advice of "watch for typos" isn't enough; phishing has grown sophisticated.
Local organisations are feeling the sting. SMEs are an attractive target - criminals know smaller businesses have fewer defences and busy, wear-many-hats staff who might click before thinking.
At first glance, many phishing messages appear innocently routine. It could be an email from "Microsoft Support" asking you to reset your password, or a WhatsApp message from a "supplier" about an unpaid invoice. The hallmarks of phishing include:
This is how easily an untrained eye can be hooked. Even tech-savvy people can slip up if the bait looks legit.
Spear phishing is even more dangerous. Instead of blasting thousands of generic emails, attackers target your company specifically. They might scrape LinkedIn to learn your staff roles, then send a personalised email: e.g. the CFO gets an email from the CEO (forged) asking, "Are you in the office? I need a payment sent ASAP for XXX project". Because it references real names and projects, it feels authentic. These tailored scams - known as CEO Fraud or Business Email Compromise - have tricked even seasoned professionals. In fact, in 2022 the most common frauds against UK businesses were invoice scams and CEO impersonation.
Consider this close call that happened to a Greater Manchester firm last year. The finance manager at a Trafford manufacturing company received an email from their Managing Director requesting an urgent £18,000 payment to a new bank account. The message read, "We need to pay this supplier today - I'm tied up in meetings, just get it done." The sender's address looked right (it was spoofed), and it was signed off just like the MD's usual tone. Red flags? It was 4.45pm on a Friday, the money was going to a bank account nobody had seen before, and the "MD" oddly said he couldn't be reached by phone.
Luckily, the finance manager felt uneasy and phoned the MD's known number anyway. He answered, baffled - he'd sent no such email. Fraud averted. The company later found out the attackers had scraped the MD's publicly available information and crafted a believable story. This was a textbook example of CEO impersonation. (It is sometimes lumped in with "whaling", though strictly that term means phishing aimed at senior executives themselves - harpooning a big phish - rather than impersonating them.)
Phishing succeeds because it exploits human nature. Scammers prey on our trust and our haste:
Given these tactics, it's no surprise that phishing remains the most disruptive type of cyber attack facing businesses. But you are not powerless against it. Let's look at how you can strengthen your defences.
Most Managed Service Providers (MSPs) will tell you the basics: "Think before you click" and "Don't trust unknown senders". Important advice, yes - but to truly phish-proof your organisation, you need more robust strategies.
Ensure all email accounts, portal logins, VPNs, and even your social media logins have MFA. If an employee inadvertently gives away their password, a hacker still can't log in without that second factor. One caveat: SMS codes and app prompts can themselves be phished, because modern phishing kits sit between the victim and the real login page and relay the code in real time. Where you can, use phishing-resistant methods such as FIDO2 security keys or passkeys, at least for finance, payroll and admin accounts.
Treat any request involving payments or sensitive data with healthy scepticism - especially if made by email. Have a clear policy that any wire transfer or change of bank details must be verified by phone or face-to-face with the supposed requestor. This thwarts most CEO and invoice scams.
For transactions, use a second channel to confirm (e.g. if you get an email request, verify via a known phone number from your records, not from the email). Never use contact info provided in a suspicious message.
Work with your bank to enable protections like "Confirmation of Payee" on transfers. This service checks if the payee's name matches the account, helping catch when a fraudster is posing as a supplier. Also, set lower daily transfer limits and require dual approval for large payments.
Regularly train employees on phishing red flags and do periodic simulated phishing exercises. It's better they fail a fake phishing test than a real attack. Foster a culture where staff feel safe to report a mistaken click immediately (rather than hide it). Speedy reporting can contain damage.
Consider an email banner or tag for external emails (e.g. "[External]" in the subject line). This alerts staff that an email came from outside the company, making impersonation attempts more obvious (e.g. an email pretending to be from your CEO would be marked external - a dead giveaway). Note that the banner only helps against outside senders: a message sent from a genuinely compromised internal mailbox will not carry it, which is one more reason the payment verification policy above matters.
Protect your own email domain from being spoofed. Configure SPF, DKIM and DMARC records - these email authentication tools let receiving mail servers verify that messages claiming to come from your domain actually do, and DMARC tells them what to do with messages that fail (monitor, quarantine or reject). (If this sounds like jargon to you, don't worry - our Managed Email Authentication service can handle it).
Phishing links often deliver malware. Ensure all PCs have updated anti-malware and that security patches are applied promptly. This helps contain the fallout if someone does click a bad link.
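To make the authentication step concrete, here is an added Python example (not code from the original post or from Apex) that models what a DMARC-enforcing receiver does with a message claiming to be from your domain, and audits the record settings that leave a domain spoofable. The domains, IP addresses and DNS records are constructed for the example; the SPF evaluator only implements the ip4/ip6, include and all mechanisms, and the organisational-domain logic is simplified to the last two labels (real implementations use the Public Suffix List). The same check covers the DKIM/DMARC service described later on the page.

```python
"""SPF/DMARC worked example: does a spoofed 'From: md@example.com' get rejected?"""
import ipaddress

# Constructed DNS TXT data for this example (not real zones). SPF lives at the
# domain itself; the DMARC policy lives at _dmarc.<domain>.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; aspf=r; adkim=r",
    "attacker.example": "v=spf1 ip4:198.51.100.0/24 -all",   # the fraudster's own domain
    "weak.example": "v=spf1 +all",                            # deliberately weak setup
    "_dmarc.weak.example": "v=DMARC1; p=none",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, ip, dns=DNS_TXT, depth=0):
    """Subset of RFC 7208: evaluate ip4/ip6, include and all for the envelope sender domain."""
    if depth > 10:
        return "permerror"          # RFC 7208 limits DNS-querying terms to 10
    record = dns.get(domain.lower())
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIER_RESULT[qualifier]
        if mech == "include" and spf_check(arg, ip, dns, depth + 1) == "pass":
            return QUALIFIER_RESULT[qualifier]
        # a, mx, exists and macros are not implemented in this example
    return "neutral"


def parse_tags(record):
    """Turn 'v=DMARC1; p=reject; rua=...' into a dict keyed by lower-case tag name."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organisational domain, simplified to the last two labels (real code uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(from_domain, envelope_domain, sending_ip,
                   dkim_domain=None, dkim_result="none", dns=DNS_TXT):
    """Return (disposition, details) as a DMARC-enforcing receiver would decide them.

    disposition is 'pass' when an aligned SPF or DKIM check succeeds, otherwise the
    domain owner's requested policy: 'none', 'quarantine' or 'reject'.
    """
    policy = dns.get(f"_dmarc.{from_domain.lower()}") or dns.get(f"_dmarc.{org_domain(from_domain)}")
    if not policy:
        return "none", {"reason": "no DMARC record; nothing to enforce"}
    tags = parse_tags(policy)
    spf_result = spf_check(envelope_domain, sending_ip, dns)
    spf_ok = spf_result == "pass" and aligned(from_domain, envelope_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    details = {"spf": spf_result, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
               "policy": tags.get("p", "none")}
    if spf_ok or dkim_ok:
        return "pass", details
    return tags.get("p", "none"), details


def audit_domain(domain, dns=DNS_TXT):
    """List the SPF/DMARC settings that leave a domain open to spoofing."""
    findings = []
    spf = dns.get(domain.lower())
    if not spf:
        findings.append("no SPF record")
    else:
        terms = spf.lower().split()
        if "+all" in terms or "all" in terms:
            findings.append("SPF '+all' authorises every host on the internet to send as you")
        elif "~all" in terms or "?all" in terms:
            findings.append("SPF ends in a soft/neutral 'all'; without DMARC this blocks nothing")
    dmarc = dns.get(f"_dmarc.{domain.lower()}")
    if not dmarc:
        findings.append("no DMARC record: receivers will not check alignment at all")
    else:
        tags = parse_tags(dmarc)
        if tags.get("p", "none") == "none":
            findings.append("DMARC p=none is monitor-only; spoofed mail is still delivered")
        if "rua" not in tags:
            findings.append("no rua= address: you receive no aggregate reports on who sends as you")
        if int(tags.get("pct", "100")) < 100:
            findings.append("pct<100: the policy is only applied to a sample of failing mail")
    return findings


if __name__ == "__main__":
    # The Trafford-style scenario: forged From: md@example.com sent from the attacker's own servers.
    print(dmarc_evaluate("example.com", "attacker.example", "198.51.100.5"))  # disposition 'reject'
    print(dmarc_evaluate("example.com", "example.com", "203.0.113.10"))       # disposition 'pass'
    print(audit_domain("weak.example"))
```

Run it as a script to see the point: the attacker's mail passes SPF for their own domain, but because that domain does not align with the forged From: address and there is no DKIM signature from example.com, the p=reject policy means a receiver that honours DMARC drops it. The same message aimed at weak.example is delivered, because p=none only asks for reports. The practical path is to publish p=none with a rua= address first, use the aggregate reports to find every legitimate system sending as you, get them all authenticated, then move to p=quarantine and finally p=reject.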
Remind your team: It's OK to slow down. A quick call or double-check with IT is encouraged if something seems off. Create an environment where no one gets scolded for asking, "Is this email legit?". It could save your company.
By implementing the tips above, you create layers of defence - covering people, processes, and technology. Phishing protection isn't one silver bullet, it's body armour made of many layers.
Phishing threats evolve rapidly, but so do our defences. At Apex, we go beyond the generic advice. We offer specialist services to bolster your anti-phishing stance:
Our solutions (like Microsoft 365 Advanced Threat Protection, now sold as Microsoft Defender for Office 365) filter out malicious emails and attachments before they reach your inbox. Scanners detonate links and attachments in a sandbox and flag phishing pages at the time of click, not just at delivery. This dramatically cuts down the odds of a staff member ever seeing a dangerous email.
Apex's Email Authentication Service ensures your domains are properly configured with SPF, DKIM and DMARC. This prevents cyber criminals from spoofing your company's email domain in phishing attacks. It also improves your genuine email deliverability, because receiving servers can see your mail is authenticated and are less likely to junk it. (Ever had your emails go to junk because someone faked your address? We fix that).
We provide interactive phishing awareness training for your team, plus controlled phishing simulations to continually test and improve vigilance.
Our cyber security team monitors dark web forums and breach dumps for signs that your company's emails or passwords have been compromised. Early warnings mean we can prompt you to reset credentials before criminals exploit them.
In the unfortunate event a phishing attack slips through and causes an incident, Apex has your back. Our rapid-response team will isolate infected machines, secure your network, and help you report and recover. We've seen it all - from ransomware outbreaks to email account takeovers - and know how to respond effectively and swiftly to minimise the damage.
Phishing scams aren't going away, but you can outsmart them with the right precautions and partners. As a business leader, the next time you get an unexpected email or text, pause and think: is this authentic? Can I verify it another way? That simple habit can thwart the vast majority of phishing attempts.
Remember, cyber security is not just an IT issue - it's a business continuity issue. One errant click could cost thousands, or bring operations to a halt. On the flipside, a well-trained workforce and strong email security can turn phishing from a looming threat into an occasional annoyance.
In the next post in this series we dive into "Cyber Hygiene 101" - simple, budget-friendly habits that protect your business every day.
Let's lock it down together.