Phishing: Why trusting your gut matters


You might think cyber security is a sophisticated cat and mouse game between criminals and IT professionals. Hackers sit hunched in dark rooms, staring at screens of green text and trying to penetrate the latest defences.

But that’s no longer true for the vast majority of cybercrime. At an epidemic level, criminals are targeting people. That means you, your colleagues, your family, and your friends.

95% of all successful cyberattacks have a human element involved.

What can be done? Put simply, you need to trust your gut so that, when phishing is attempted, you know instinctively something isn’t right.

Getting to that point involves understanding the threat, and how to respond. That’s what this article is about.


Businesses are ripe for phishing

Businesses are an increasingly popular target for phishing.

The government’s Cyber Security Breaches Survey 2025 revealed that in 2024, 20% of businesses and 14% of charities had been victims of at least one cybercrime in the past year.

The survey found phishing was the most prevalent cybercrime, with 93% of affected businesses and 95% of affected charities encountering it.

The government’s Suspicious Email Reporting Service (SERS) has received over 41 million reports since its inception in April 2020.

And this is probably scratching the surface. According to the CIFAS Global Anti-Scam Alliance report, 71% of victims do not tell the police. Often this is out of shame: “How could I have been so ignorant to fall for it?”

Consumers lose £1,400 per scam on average, the CIFAS report continues, with £11.4 billion being stolen in the 12 months up to November 2024.

What is phishing?

Phishing is best understood as social engineering: criminals manipulate you into doing something you wouldn’t choose to do otherwise.

This might be clicking a link, opening an attachment, sharing a password, providing a one-time authentication code, or moving money out of your account and into that of the scammer. Often it’s all of these!

Phishing attempts can arrive by text, social media messaging, emails, or even actual physical letters that arrive at your address.

You might think you would never fall for anything like this. After all, you’re nobody’s fool, right?

The UK Information Commissioner’s Office (ICO) explains that phishing relies on your belief that the message comes from someone you trust. That familiar branding is weaponised to lower your guard.

A friend texting you having lost their mobile. Your boss messaging you on WhatsApp, having set up a new account. Your bank calling you out of the blue to say your account has been hacked. Microsoft emailing to say your computer needs a vital security update.

In other words, phishing is fundamentally an exercise in extremely effective deception, rather than code-breaking.

Therefore, the most effective defences are human ones:

  • Slowing down.
  • Noticing inconsistencies.
  • Listening to that “this feels off” sensation.

Why phishing is so effective

Phishing isn’t new. It’s been around since the mid-1990s, when scams like AOHell targeted AOL users by impersonating staff. That’s when it got its name – it took the ph- prefix from an earlier form of cybercrime known as phreaking, where hackers targeted the telephone infrastructure to get free calls.

The goal back in the mid-1990s was to harvest login passwords.

What’s changed since isn’t the psychology, but the scale and polish: spoofed websites involving flawless copycat branding, urgent pretexts, and – increasingly nowadays – AI-generated voice, text, images, or even video (including live video calls). These are known as deepfakes, and scammers are always quick to exploit the very latest technologies.

The site they send you to will look exactly like your bank. The voicemail message you get will sound exactly like your colleague, family member or friend. The text message will seem to authentically have come from your bank, with the correct spoofed name or number.

Sometimes the scammers won’t ask for money directly but will ask you to buy online gift cards and share the codes with them.

But the core pitch is the same, and has been since those AOL days: “Act now before something bad happens.” Recognising that pattern is half the battle.

What a phishing scam looks like

Here’s a real-world, worked-through example of what a phishing attempt on a business looks like.

1. The phishing hook

You get a text claiming to be from your business banking: “We’ve detected a suspicious payment. To secure your account, confirm here.”

There’s a link that looks right at a glance (e.g. santander-secure-bank.net).

Moments later, your phone rings. Caller ID displays your bank’s name. The caller calmly references the text and quotes a “case ID.” They may even tell you some personal details like your address or date of birth – all harvested from vast hacker databases that are easily accessible.
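The link in the hook above “looks right at a glance” because the brand name sits inside a domain the bank does not own. The following is an added example (not from the article, and not a Sage or bank tool) that shows how a defender or trainer can demonstrate the difference between what a URL shows and who actually controls it. The trusted domain list, the brand words and the abbreviated public-suffix set are all constructed for illustration; the only real input reused is the article’s own example domain.

```python
from urllib.parse import urlparse

# Constructed sample data for this example (not from the article or any bank):
# the registrable domains you have personally verified, e.g. from the back of
# your card, and the brand words a lookalike would try to borrow.
TRUSTED_DOMAINS = {"examplebank.co.uk"}
BRAND_WORDS = {"examplebank", "santander"}

# Tiny stand-in for the Public Suffix List: multi-label suffixes that count as
# one "TLD" when working out the registrable domain. A real tool would load the
# full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}


def _hostname(url: str) -> str:
    """Extract the hostname, ignoring any 'user@' prefix, port or path."""
    if "://" not in url:
        url = "https://" + url  # urlparse needs a scheme to find the netloc
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registrable_domain(url: str) -> str:
    """Return the part of the hostname that a registrant actually controls.

    Everything to the left of it (subdomains) can be chosen freely by whoever
    owns the domain, so 'examplebank.co.uk.verify-login.com' is controlled by
    verify-login.com, not by the bank.
    """
    labels = _hostname(url).split(".")
    if len(labels) < 2:
        return ".".join(labels)
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url: str) -> str:
    """Classify a link as 'trusted', 'lookalike' or 'unknown'.

    'lookalike' means the controlling domain is NOT one you trust, yet a brand
    word appears somewhere in the URL (domain, subdomain, user@ part or path).
    That is precisely the 'looks right at a glance' trick from the article.
    """
    if registrable_domain(url) in TRUSTED_DOMAINS:
        return "trusted"
    if any(brand in url.lower() for brand in BRAND_WORDS):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, including the article's own example domain.
    samples = [
        "https://santander-secure-bank.net/confirm",
        "https://online.examplebank.co.uk/login",
        "https://examplebank.co.uk.verify-login.com/",
        "https://examplebank.co.uk@evil.net/",
        "https://www.example.org/",
    ]
    for link in samples:
        print(f"{classify_link(link):9s}  controls: {registrable_domain(link):24s}  {link}")
```

The point for training is the third and fourth lines of output: the bank’s real domain appears verbatim in the URL, but the registrable domain (the part someone had to buy) belongs to a stranger. Checking that part, or simply typing the known address yourself, is the “channel switch” the article recommends.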

2. Applying the pressure

The caller says funds are moving right now, and they need to “secure” your account.

They may steer you to a very professional login page that’s a perfect clone of the bank.

Once you log in, your phone pings – even though you’re still on the phone to the “bank” – and you find a one-time passcode has arrived.

You’re asked to read it out to them, “to verify security”.

Alternatively, you might be asked simply to log in to your banking using your usual link or app, and transfer money to a special “holding account” where it’ll be “secure” until the bank can fix the issue.

3. The compromise

If you enter credentials on the fake site, they’re captured instantly. If you read out a passcode (or approve a push notification) the scammers use it in real time.

And just like that, they have control of your bank account. It’s that easy.

If you transfer money yourself from your bank account to the scammer’s account, that’s authorised push payment (APP) fraud. This is where victims are manipulated into sending the funds themselves, and it’s easily one of the UK’s most prevalent types of fraud.

4. The exit

The caller “ends the case” and thanks you for your vigilance.

You hang up and wipe a little sweat from your brow. Wow, that was close. Glad it’s sorted, though.

Minutes or hours later you see unauthorised transactions, or find that the “safe” account was the criminal’s.

Needless to say, if this happens in real life then you should call your bank immediately. Keep reading to find out how to do so.

What you could’ve done

The right move at the first sign of doubt – that feeling in your gut that something isn’t quite right – is to disconnect and dial 159 from a phone.

Dialling 159 routes you to an official automated service by which you can say the name of your bank. You’ll then be routed straight to them.

If you worry about remembering that number, think of it as a diagonal slash, from top left to bottom right on the phone keypad.

Ideally, dial it from a separate phone from the one you were called on. Scammers can keep the line open on landlines, for example, making you think you’ve hung up when you haven’t. They even play fake dial tones to make you think the line is free.

If there is genuine suspicious activity then, great news: by dialling 159, you’re now speaking to the correct people to fix it.

There’s also a service for suspicious texts and emails – forward emails to [email protected] and texts to 7726. Although this won’t provide instant feedback, it can help authorities close down the scammer accounts.

Advice for avoiding phishing scams for business

Here are some tips for keeping yourself and your business safe from phishing:

  1. Pause for thought: Urgency is a red flag. If it’s really your bank, it’ll still be true after a five-minute pause while you verify through your app or by dialling 159.
  2. Channel switch to verify: Don’t reply. Don’t click their link. To investigate, use a trusted route you ordinarily use, such as your banking app, your usual online banking bookmark, or the bank’s official phone number (e.g. the one on the back of debit and credit cards – but definitely not the one in the email you might’ve received!).
  3. Never, ever share a one-time passcode: One-time passcodes you receive through text messages or retrieve from an authenticator app should never, ever be shared – or even spoken aloud! It’s a prime way scammers authorise their frauds. If someone’s asking for one, stop. Nobody legitimate would ever do so. Similarly, if you get an authentication request out of the blue then don’t approve it.

Ensure you and your colleagues are educated with the government’s Cyber security advice for small to medium sized organisations. It’s an excellent and accessible resource.

But above all, never forget: We are all equipped with gut feelings, and when we listen they are a powerful defence mechanism.

Final thoughts

The online world is an amazing place, but increasingly, it’s a wild-west frontier where scammers exploit victims on a minute-by-minute basis.

Staying vigilant is key and, while this shouldn’t get in the way of your online activities, it should always be present.

