
Cybersecurity Breaches Survey: Why Phishing Now Beats Ransomware – And What To Do

Phishing attacks are on the rise, according to the UK government’s Cyber Security Breaches Survey 2026. The stats, released in April, show phishing attacks remain the most prevalent type of breach or attack by far, experienced by 38% of businesses and 25% of charities.

Phishing incidents are also described as the most disruptive type of breach or attack, according to 69% of businesses. At the same time, ransomware attacks have declined compared with the previous two years.

So, why are phishing attacks surging and what should UK firms be doing in response to the survey results?

Easy Phishing

The rise of phishing is partly down to the ease with which this type of attack can be performed successfully. The Cybersecurity Breaches Survey’s qualitative interviews highlight the perception that phishing attacks have become easier for attackers to commit.

Phishing is particularly effective since it can be done at scale, or on a targeted basis, says Steven Furnell, senior IEEE member and professor of cybersecurity at the University of Nottingham. “It exploits the fact that many organisations still overlook or give insufficient attention to the human user.”

He cites figures from the survey, which show only 19% of businesses and 17% of charities have had cybersecurity training or awareness-raising sessions for their staff in the last 12 months. “This creates an opportunity for attackers – and they know it.”

Patricia Egger, head of security at Proton, concurs with this analysis. “Unlike ransomware, which has limited possible outcomes and is often an end in itself, phishing has the ability to give attackers a foot in the door, enabling a wide variety of harm.”

Several factors are driving the rise, says Egger. “Generative AI has made it much easier to produce convincing phishing messages at scale. With AI, many of the grammatical and spelling mistakes that once made phishing attempts easy to spot have disappeared. Messages can now also be highly personalised, adapting language, tone, and style depending on the target.”

Meanwhile, hybrid working has expanded communication channels and increased opportunities for attackers to gain a foothold, Egger adds.

However, Javvad Malik, lead CISO advisor at KnowBe4, offers a different analysis of the survey trends. Ransomware attacks are declining in relative terms not because they have gone away, but due to the fact that phishing has “become more effective as a first-stage attack and it is doing more of the heavy lifting earlier in the chain,” he says. “The two are not in competition – phishing is the initial vector through which everything else arrives, even ransomware.”

Better Phishing Attacks

There’s no doubt that phishing attacks are becoming more sophisticated. As well as email, AI is being used for voice cloning and deepfake audio or video, supporting more sophisticated business email compromise and “CEO fraud” attacks that are increasingly difficult for employees to identify, says Egger.

Alongside AI, the growth of Phishing-as-a-Service kits has further lowered the barrier to entry. “These tools are widely available on criminal marketplaces and often include technical support, pre-built templates and imitation branding of trusted organisations,” explains Egger. “As a result, launching a phishing campaign can require little more than a payment method and a list of targets. This commoditisation of attack infrastructure has created a volume problem, as well as a sophistication issue.”

Attackers are continuously refining their infrastructure and delivery methods to avoid detection and takedown, says Joel Francis, intelligence analyst at Silobreaker. “Rather than relying on static phishing domains or infrastructure, many operators now rotate domains and hosting providers, allowing campaigns to persist.”

Manipulation of tech and software is making it easier for threat actors to impersonate trusted brands, adds Jason Steer, CISO at cyber threat intelligence specialists Recorded Future. “Cybercriminals can create websites and emails that look like the real thing and also dial up their deception by leading victims to cloned sites through QR codes. Adversaries don’t need lots of coding or design skills to create a phishing campaign that tricks people into thinking they are dealing with a reputable, genuine organisation.”

Addressing Phishing Risk

The Cybersecurity Breaches Survey confirms how prevalent phishing attacks are becoming, but there are some steps firms can take to avoid being caught out. The basics are key, yet the survey highlights that “fundamental defences remain far from universal,” points out Egger. Only 47% of businesses use any form of two-factor authentication, and just 41% of small businesses undertake cyber security risk assessments. “These gaps represent clear, addressable exposure,” says Egger.

Protecting against phishing attacks requires a layered approach, says Malik. “Cloud email security, which can scan for context and intent, is valuable in flagging any suspicious emails that traditional filters will commonly miss. Then, user training needs to be relevant and timely, providing focused content at the right moment. More than that, a culture of security needs to be cultivated so that people know how to report any issues and know that they will not be blamed for any missteps.”

But don’t just train and test staff with phishing simulations or try to condition them to spot what it looks like, says Furnell. Instead, focus on what phishing wants from them, he advises. “Aim to educate them about the value of data or the importance of actions that phishing may target. Emphasise the need to take a moment to stop, think and, if needed, check.”

Meanwhile, organisations should ensure they have clear incident response procedures in place so phishing attempts can be identified and contained quickly, according to Francis.

It’s also important that organisations keep pace with how phishing attacks are changing, says Steer. “The attacks are often effective because they catch employees off guard. A lack of knowledge means people won’t always be wary of the threat of cloned voices, deepfake videos or how adversaries add real-life references to attacks to make them seem genuine. Building and continually refreshing intelligence about evolving phishing techniques can be used to inform staff training or internal security alerts and briefings, so that employees know exactly what type of threat to look out for.”

Kate O'Flaherty, cybersecurity and privacy journalist
