Phishing used to be easy to spot. Bad grammar, suspicious links, a Nigerian prince. Those days are over. AI-generated phishing emails are now virtually indistinguishable from legitimate communications — personalised, well-written, and targeted at specific individuals in your organisation.
The scale of the problem
In the UK, 43% of businesses experienced a cyber breach or attack in the past 12 months, with phishing being the attack vector in 85% of cases. Business email compromise alone costs UK businesses over £470 million annually. And AI-powered phishing attacks have increased by over 1,200% since generative AI became widely available.
For small businesses, the average breach costs £4,200 — but that figure doesn't account for the operational disruption, the lost client trust, or the weeks spent cleaning up.
Why spam filters aren't enough
Modern phishing emails are crafted to bypass filters. They come from legitimate-looking domains, contain no obvious malware attachments, and use social engineering rather than technical exploits. The email asks your accounts team to update a supplier's bank details. It looks exactly like a real request, because it was written by an AI model that studied your supplier's actual communication style.
What actually works
Layered email security. Not just a spam filter — proper email authentication (SPF, DKIM, DMARC), advanced threat detection that analyses links and attachments in real time, and impersonation protection for key staff.
Staff awareness. Not a one-off training session — regular, practical guidance on what to look for. The single most effective defence is a team that pauses before clicking.
Process controls. Bank detail changes confirmed by phone. Wire transfers requiring dual approval. IT access requests verified through a second channel. These low-tech measures stop high-tech attacks.
Endpoint protection. If someone does click a malicious link, business-grade endpoint security can detect and isolate the threat before it spreads. Consumer antivirus won't cut it.
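The email authentication layer above (SPF, DKIM, DMARC) only protects a domain when the published DNS records are strict; a softfailing SPF record or a DMARC policy of p=none still lets spoofed mail through to the inbox. The script below is an added example, not code from the original post or from any vendor: it audits the three record types for the weak settings that most often leave a domain open to impersonation. The domain, selector and TXT records are constructed samples, so it runs offline; in practice you would fetch the TXT records from DNS and pass the strings to the same checks.

```python
"""Offline audit of a domain's SPF, DKIM and DMARC TXT records for weak settings."""
from dataclasses import dataclass

# Constructed sample records for a made-up domain (not real DNS data).
# The SPF record softfails and the DMARC policy is monitoring-only: two
# common configurations that let spoofed mail reach recipients.
SAMPLE_RECORDS = {
    "example.test": ["v=spf1 include:_spf.mailprovider.example a mx ~all"],
    "mail._domainkey.example.test": ["v=DKIM1; k=rsa; p=CONSTRUCTEDPUBLICKEYBASE64"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
}


@dataclass
class Finding:
    domain: str
    check: str
    status: str  # "ok", "warn" or "fail"
    detail: str


def _tags(record: str) -> dict:
    """Parse 'tag=value; tag=value' (DKIM/DMARC syntax) into a dict."""
    out = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


def check_spf(domain: str, txt_records: list) -> Finding:
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return Finding(domain, "spf", "fail", "no SPF record published")
    if len(spf) > 1:
        return Finding(domain, "spf", "fail", "more than one SPF record; receivers treat this as a permanent error")
    terms = spf[0].split()[1:]
    if not terms:
        return Finding(domain, "spf", "fail", "SPF record has no mechanisms")
    # Count terms that cost a DNS lookup (RFC 7208 allows at most 10). This only
    # counts the top-level record; a full audit would expand each include.
    lookups = 0
    for term in terms:
        core = term.lstrip("+-~?").lower()
        if core.startswith("redirect="):
            lookups += 1
            continue
        name = core.split(":", 1)[0].split("/", 1)[0]
        if name in ("include", "a", "mx", "ptr", "exists"):
            lookups += 1
    if lookups > 10:
        return Finding(domain, "spf", "fail", f"{lookups} DNS-lookup terms at top level; the limit is 10")
    last = terms[-1]
    qualifier = last[0] if last[0] in "+-~?" else "+"
    mechanism = last.lstrip("+-~?").lower()
    if mechanism != "all":
        return Finding(domain, "spf", "warn", "record does not end in an 'all' mechanism")
    if qualifier == "-":
        return Finding(domain, "spf", "ok", "-all: unauthorised senders hard-fail")
    if qualifier == "~":
        return Finding(domain, "spf", "warn", "~all: softfail only; spoofed mail is usually still delivered")
    return Finding(domain, "spf", "fail", f"{qualifier}all: any server may send as {domain}")


def check_dkim(domain: str, selector: str, txt_records: list) -> Finding:
    name = f"{selector}._domainkey.{domain}"
    if not txt_records:
        return Finding(domain, "dkim", "fail", f"no key record at {name}")
    tags = _tags(txt_records[0])
    if not tags.get("p"):
        # An empty p= tag means the key has been revoked; signatures will not verify.
        return Finding(domain, "dkim", "fail", f"{name}: p= tag missing or empty (key revoked)")
    return Finding(domain, "dkim", "ok", f"{name} publishes a {tags.get('k', 'rsa')} public key")


def check_dmarc(domain: str, txt_records: list) -> Finding:
    dmarc = [r for r in txt_records if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if not dmarc:
        return Finding(domain, "dmarc", "fail", f"no DMARC record at _dmarc.{domain}")
    tags = _tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy == "none":
        return Finding(domain, "dmarc", "warn", "p=none: monitoring only; failing mail is still delivered")
    if policy not in ("quarantine", "reject"):
        return Finding(domain, "dmarc", "fail", f"invalid or missing policy tag: p={policy!r}")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return Finding(domain, "dmarc", "warn", f"pct={pct}: policy applied to only part of failing mail")
    if "rua" not in tags:
        return Finding(domain, "dmarc", "warn", "no rua= address; you will not receive aggregate reports")
    return Finding(domain, "dmarc", "ok", f"p={policy} with aggregate reporting enabled")


def audit(domain: str, selector: str, records: dict) -> list:
    """Run all three checks against a name -> [TXT records] mapping."""
    return [
        check_spf(domain, records.get(domain, [])),
        check_dkim(domain, selector, records.get(f"{selector}._domainkey.{domain}", [])),
        check_dmarc(domain, records.get(f"_dmarc.{domain}", [])),
    ]


if __name__ == "__main__":
    for finding in audit("example.test", "mail", SAMPLE_RECORDS):
        print(f"[{finding.status.upper():4}] {finding.check}: {finding.detail}")
```

Run against the sample records it reports SPF as a warning (~all) and DMARC as a warning (p=none), which is the state many small-business domains sit in after a "set and forget" setup: the records exist, so the mail provider's wizard is satisfied, but a spoofed message from the domain is still delivered. Moving to -all and, once the aggregate reports show legitimate senders aligning, p=quarantine and then p=reject is what turns the records into an actual control.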
The bottom line
You can't stop phishing emails from arriving. But you can build layers of defence that make a successful attack extremely unlikely. It starts with acknowledging that your team — not your firewall — is the primary target.
For a full picture of how we protect small businesses from email-borne and network-level threats, see our network security service.