Security Gaps Deep Dive #1: If Phishing Resilience is Assumed, Not Tested

Written by Apex Computing | Apr 13, 2026 7:45:00 AM

For most SMEs, phishing isn’t a new topic. Everyone has heard of suspicious emails, fake invoices, password reset scams and messages designed to create urgency. That familiarity can be useful, but it can also be misleading. The danger is that phishing becomes something a business feels it understands without ever properly measuring how prepared it really is. That’s one of the reasons it remains such a persistent problem. In the UK Government’s 2025 Cyber Security Breaches Survey, phishing was the most common type of cyber crime experienced by businesses that had identified cyber crime, affecting 93% of them. Despite that, only 18% of businesses said they tested staff using mock phishing exercises. Verizon’s 2025 Data Breach Investigations Report also found that phishing was still one of the most common initial access vectors in breaches, accounting for 16% of cases.

That gap tells an important story. Most businesses know phishing exists, but far fewer are treating phishing resilience as something that should be tested, reviewed and improved over time. Instead, it often sits in the category of “general staff awareness”, which usually means a training session once or twice a year, perhaps a policy document, and a broad assumption that people would probably spot something suspicious when it appears. The problem is that modern phishing attacks are rarely obvious in the moment. They’re designed to look normal, routine and relevant to the role of the person receiving them.

That’s why phishing resilience isn’t really about whether your staff have heard of phishing, it’s about what happens when someone is under pressure, moving quickly through a crowded inbox, responding to something that appears to come from a supplier, a colleague or Microsoft itself. In that moment, the question isn’t whether they passed a training module six months ago. The question is whether the business has created habits, controls and reporting processes strong enough to interrupt a bad decision before it becomes a serious incident.

For SMEs, this is especially important because people are often spinning multiple plates at once. Finance staff are processing invoices, managers are approving requests, operations teams are trying to keep service moving and senior leaders are making decisions quickly between meetings. Cyber criminals know that. They don’t need to create a perfect deception. They only need to create something believable enough to get a hurried user to click, reply, log in or open an attachment without pausing. The success of phishing often has less to do with technical sophistication than it does with timing, context and human pressure.

This is where a lot of cyber advice becomes too simplistic. Telling people to “be careful” sounds sensible, but it doesn’t actually change much on its own. Most people already believe they are being careful. Most employees don’t think they would fall for a scam. That’s exactly why real-world testing matters. A business can’t meaningfully improve phishing resilience if it’s relying on confidence, assumptions or broad awareness messaging. It needs evidence.

Evidence comes from testing and observation. Which types of phishing emails cause the most confusion? Are finance users more exposed to invoice fraud attempts? Do newer employees hesitate to report something because they don’t want to appear unsure? Are senior leaders being targeted with more convincing, more personalised messages? Do staff know what to do with a suspicious message, or do they simply delete it and move on? Those are the questions that reveal actual risk. They also give businesses something much more valuable than a generic awareness statement: they give them a basis for improvement.

This is why phishing simulations, when handled properly, are useful. The point should never be to embarrass people or create a culture of blame. The best simulations aren’t about catching someone out. They’re about helping the organisation understand where support is needed and what realistic attacks might look like in the context of that business. A good exercise can reveal whether users are reacting to urgency, brand familiarity, authority or curiosity. It can also show whether a business is good at reinforcing positive behaviour after the test rather than simply recording a click and moving on.

The follow-up matters just as much as the exercise itself. If a user clicks a phishing simulation and the only response is a generic warning message, very little has been learned. If the business uses that moment to explain why the message looked convincing, what signs were missed and what the user should do next time, then the exercise becomes genuinely useful. Over time, that approach helps staff develop judgement, not just fear. That’s what mature phishing resilience looks like in practice. It’s not paranoia. It’s familiarity, confidence and better instincts.

There is another point here that many SMEs overlook, and that is reporting. A lot of businesses focus heavily on whether users click, but not enough on whether they report suspicious messages quickly. In reality, a good reporting culture is one of the most important defences a business has. Staff should know exactly where to send suspicious emails, how to escalate concerns and what will happen next. The process should be simple enough that someone can do it in a few seconds without worrying that they’re creating extra work or wasting anyone’s time. If reporting feels vague, overly technical or slightly embarrassing, people will stay quiet for too long.

That silence can be costly. A suspicious email that is reported quickly can sometimes be identified, contained and removed across the wider business before more users engage with it. A suspicious email that’s ignored, deleted quietly or passed around informally loses that opportunity. In other words, phishing resilience isn’t just about prevention. It’s also about speed. It’s about how quickly the organisation notices something is wrong and how quickly it responds.
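The two preceding sections argue that simulations are only useful when they produce evidence (which lures confuse which teams) and that reporting speed matters as much as click rate. The script below is an added illustration of how that evidence can be pulled out of simulation results; it is not Apex Computing’s tooling. The records, the department and lure names, and the thresholds in `priorities()` are all constructed for the example. It groups one campaign’s results by lure type and by department, and reports click rate, report rate, the number of users who clicked and then stayed silent, the median time to report, and how long the business had to wait for its first report, which is the moment containment can begin.

```python
"""Turn phishing-simulation results into evidence (added example, not the
page's own code): click rate, report rate, silent clicks and time-to-report
per lure type and per department."""
from collections import defaultdict
from statistics import median

# Constructed sample results from one simulation campaign. Each record is one
# user: the lure the email used, their department, whether they clicked, and
# the minutes from delivery to a report (None = the user never reported it).
RESULTS = [
    {"lure": "invoice", "dept": "finance", "clicked": True, "reported_after_min": None},
    {"lure": "invoice", "dept": "finance", "clicked": True, "reported_after_min": 45},
    {"lure": "invoice", "dept": "finance", "clicked": False, "reported_after_min": 12},
    {"lure": "invoice", "dept": "ops", "clicked": True, "reported_after_min": None},
    {"lure": "password-reset", "dept": "ops", "clicked": True, "reported_after_min": None},
    {"lure": "password-reset", "dept": "ops", "clicked": False, "reported_after_min": 8},
    {"lure": "password-reset", "dept": "management", "clicked": True, "reported_after_min": 90},
    {"lure": "password-reset", "dept": "management", "clicked": False, "reported_after_min": None},
    {"lure": "invoice", "dept": "management", "clicked": False, "reported_after_min": 5},
    {"lure": "password-reset", "dept": "finance", "clicked": False, "reported_after_min": 20},
]


def summarise(results, key):
    """Group records by `key` ("lure" or "dept") and compute the metrics that
    show where support is needed, not just who clicked."""
    groups = defaultdict(list)
    for record in results:
        groups[record[key]].append(record)

    summary = {}
    for name, rows in groups.items():
        n = len(rows)
        clicks = sum(1 for r in rows if r["clicked"])
        report_times = [r["reported_after_min"] for r in rows
                        if r["reported_after_min"] is not None]
        # Users who clicked and never reported are the ones the business
        # never hears about; they matter more than the click count alone.
        silent_clicks = sum(1 for r in rows
                            if r["clicked"] and r["reported_after_min"] is None)
        summary[name] = {
            "users": n,
            "click_rate": round(clicks / n, 2),
            "report_rate": round(len(report_times) / n, 2),
            "silent_clicks": silent_clicks,
            "median_report_min": median(report_times) if report_times else None,
        }
    return summary


def first_report_minutes(results):
    """Minutes until the first report from anyone in the campaign: the earliest
    point at which the message could have been contained and removed."""
    times = [r["reported_after_min"] for r in results
             if r["reported_after_min"] is not None]
    return min(times) if times else None


def priorities(summary, max_click=0.2, min_report=0.5, max_median_min=60):
    """Flag groups whose numbers point at a support need. The thresholds are
    assumed values for this example; a real programme sets its own."""
    flagged = []
    for name, s in summary.items():
        reasons = []
        if s["click_rate"] > max_click:
            reasons.append("click rate above target")
        if s["report_rate"] < min_report:
            reasons.append("report rate below target")
        if s["median_report_min"] is None or s["median_report_min"] > max_median_min:
            reasons.append("slow or no reporting")
        if reasons:
            flagged.append((name, reasons))
    return flagged


if __name__ == "__main__":
    for key in ("lure", "dept"):
        print(f"--- by {key} ---")
        for name, s in summarise(RESULTS, key).items():
            print(f"{name:15} {s}")
    print("first report after (min):", first_report_minutes(RESULTS))
    print("priorities by dept:", priorities(summarise(RESULTS, "dept")))
```

The per-department view is where the follow-up conversation starts: a team with a low report rate needs a simpler reporting route before it needs another training slide, while a team that reports quickly but still clicks needs coaching on the specific lure. `first_report_minutes` is the number to watch for the speed argument, because it is the delay between delivery and the earliest chance to pull the message from every other inbox.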

For SMEs, phishing resilience should also be seen as part of a wider security picture rather than a standalone training issue. Phishing becomes far more dangerous when it meets weak access controls, inconsistent MFA, poor visibility over sign-ins, or unclear incident response processes. If an attacker captures credentials through a convincing phishing email, the damage they do depends heavily on what other controls are in place. That means a sensible phishing strategy combines user awareness with technical protection, monitoring and response planning. One layer without the others is rarely enough.

If your current approach to phishing is still built around annual training and general caution, there’s a good chance there is more work to do. Apex Computing helps SMEs assess how exposed they really are, strengthen reporting processes and put more practical protections in place so phishing becomes a managed risk rather than a recurring unknown. For readers who recognise the gap in their own business, that’s the right next step: not more theory, but proof.