What has actually changed
Phishing is not new. What is new is how convincing it has become. AI tools are now widely used by attackers to craft emails that are grammatically perfect, personalised, and increasingly difficult to distinguish from legitimate messages. Research published in late 2025 found that the substantial majority of detected phishing emails now incorporate AI in some form, and that these AI-generated messages achieve a meaningfully higher click rate than traditionally written phishing emails.
The UK Government’s Cyber Security Breaches Survey 2025 confirmed that phishing remains the most prevalent cyber threat facing UK businesses, responsible for over 85% of all reported breaches. Ransomware, which is frequently delivered via phishing, doubled in prevalence among UK businesses between 2024 and 2025.
What has changed practically
You can no longer rely on spotting poor spelling or awkward phrasing as your primary defence. Modern phishing emails read as if they came from your bank, your supplier, your accountant, or your IT provider. The tone is correct. The context is plausible. The urgency feels real.
Attackers are also increasingly targeting collaboration tools such as Microsoft Teams, Slack, and WhatsApp, because people instinctively trust internal-feeling messages more than email. That trust is exactly what is being exploited.
The defences that work
The practical defences are well understood. Technical controls reduce how many attacks reach your staff. Training and awareness reduce how often staff act on the ones that do get through. Verification procedures, particularly around financial requests, catch the ones that slip through both layers.
What this means for you
- The quality of phishing attacks has improved significantly. Do not rely on obvious tells.
- Phishing is the starting point for the majority of serious cyber incidents, including ransomware.
- Collaboration tools are now active attack surfaces, not just email.
- Businesses with regular security awareness training see a meaningful reduction in successful attacks.
What Carden IT Services already has in place for you
- DMARC with a reject policy, SPF, and DKIM are already configured on your domain ✓ – All clients managed by Carden IT Services have these controls in place as part of the standard package. Attackers cannot impersonate your domain, and your email is authenticated end-to-end.
- MFA is already enforced across your Microsoft 365 environment ✓ – Multi-factor authentication is configured and enforced for all users on your account, not just administrators. This is one of the most effective single controls available against credential-based attacks.
- Your email platform already scans links and sandboxes attachments ✓ – Threat protection is active on your inbound email, blocking the majority of malicious content before it reaches your team’s inbox.
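The three email-authentication controls listed above are published as DNS TXT records, so their posture can be read back and checked. The script below is an added example, not Carden IT Services tooling: it parses constructed SPF and DMARC records (the domain names and record contents are made up for illustration, and it does not query DNS) and reports anything short of the SPF hard-fail and DMARC p=reject posture described above. DKIM is left out because its public keys live under per-sender selectors that cannot be enumerated from the domain alone. Note also that DMARC covers only the exact domain it is published for; lookalike domains are a separate risk, which is why the payment-verification rule in the next section still matters.

```python
"""Check SPF and DMARC TXT records against a hard-fail / p=reject posture.

Added example. SAMPLE_RECORDS below are constructed for illustration and
are not real domains or real DNS data; nothing here performs a DNS lookup.
"""
import re

# Constructed sample TXT records keyed by a made-up domain name.
SAMPLE_RECORDS = {
    "example-good.test": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example-good.test; pct=100",
    },
    "example-weak.test": {
        "spf": "v=spf1 include:spf.protection.outlook.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example-weak.test",
    },
    "example-missing.test": {
        "spf": "v=spf1 a mx ?all",
        "dmarc": None,  # no _dmarc TXT record published at all
    },
}


def parse_dmarc(record):
    """Split a DMARC TXT record ('tag=value; tag=value') into a dict.

    Returns an empty dict if the record is absent or is not a DMARC1 record.
    """
    if not record:
        return {}
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def spf_all_qualifier(record):
    """Return the qualifier on the SPF 'all' mechanism.

    '-' hard fail, '~' soft fail, '?' neutral, '+' pass (also the default for a
    bare 'all'); None if there is no SPF record or no 'all' mechanism.
    """
    if not record or not record.lower().startswith("v=spf1"):
        return None
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record, re.IGNORECASE)
    if not match:
        return None
    return match.group(1) or "+"


def assess(spf, dmarc):
    """Return a list of findings; an empty list means the posture is as described."""
    findings = []

    qualifier = spf_all_qualifier(spf)
    if qualifier is None:
        findings.append("SPF: no record or no 'all' mechanism")
    elif qualifier != "-":
        findings.append(f"SPF: '{qualifier}all' is not a hard fail (-all)")

    tags = parse_dmarc(dmarc)
    if not tags:
        findings.append("DMARC: no valid record")
    else:
        policy = tags.get("p", "none").lower()
        if policy != "reject":
            findings.append(f"DMARC: policy is p={policy}, not p=reject")
        # pct defaults to 100 when absent; anything lower enforces only a sample.
        if int(tags.get("pct", "100")) < 100:
            findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of mail")
        if "rua" not in tags:
            findings.append("DMARC: no rua aggregate reporting address")
    return findings


def assess_domain(name):
    """Assess one of the constructed sample domains by name."""
    recs = SAMPLE_RECORDS[name]
    return assess(recs["spf"], recs["dmarc"])


if __name__ == "__main__":
    for domain in SAMPLE_RECORDS:
        result = assess_domain(domain)
        status = "OK" if not result else "REVIEW"
        print(f"{domain}: {status}")
        for line in result:
            print(f"  - {line}")
```

Running the script prints one line per sample domain with any findings beneath it. To use it against a real domain, replace the constructed records with the TXT records retrieved for the domain itself and for its `_dmarc` subdomain.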
Actions for you and your team
- Brief your finance and operations teams on CEO and supplier impersonation scams – These are the highest-value targets for attackers. A short five-minute brief is often all it takes to stop a successful attempt.
- Establish a payment change verification rule – Any request to change payment details, bank accounts, or supplier information must be verified by a separate phone call using a known number. Not by email. Not by Teams message. This one rule prevents the majority of business email compromise losses.
Take your phishing defence further with Phishing Simulation Training
Technical controls stop a lot. But the most effective long-term defence is making sure your team can recognise and report an attack when one does get through.
Carden IT Services offers phishing simulation training: realistic, controlled phishing campaigns sent to your own staff, followed by targeted training for anyone who interacts with them. Organisations that run regular simulations see a significant reduction in successful phishing attacks.
If you would like to discuss adding phishing simulation to your security programme, get in touch with our cybersecurity team.
