Phishing still works, AI just made it cheaper

· Carl Heaton · Security

The UK Government's Cyber Security Breaches Survey 2025-2026 has just landed. Forty-three percent of UK businesses had a security incident in the past 12 months, around 612,000 organisations. Of those, 85% said phishing was involved. The headline rate is essentially flat year on year.

That last bit is the interesting one. Phishing has been the top attack vector for as long as anyone has measured it, and the numbers haven't moved. What has changed is the cost of producing phishing at scale.

What AI changes, and what it doesn't

Industry research now attributes the majority of phishing emails to AI-assisted generation. The mechanic is the same as it always was: a message, a link, a fake login page, a credential harvest. The difference is the production line. AI removes the two things that used to slow attackers down.

  • Volume. A single attacker can now produce thousands of personalised messages in minutes. The grammar is fluent. The branding matches. The pretext is plausible.
  • Targeting. Public information from LinkedIn, company websites, and breached datasets gets pulled together into messages that reference real colleagues, real projects, and real procurement processes. The lazy "Dear Customer" emails are still around, but they're no longer the floor.

What AI doesn't change is the underlying control gap. The Government survey found that two-thirds of UK organisations have basic protections (firewalls, malware defence, password policies). A minority use two-step verification. Only 15% review the security of their direct suppliers. The defences haven't kept pace with the attack economics.

What actually helps

There isn't a single fix; phishing is a layered problem and it needs a layered answer. In rough order of impact:

  • Passkeys or phishing-resistant two-step verification. Codes texted to phones can be relayed by a fake login page in real time. Passkeys cannot. The NCSC now recommends passkeys as the default and we wrote about why in Passkeys first, passwords second.
  • Conditional access on the things that matter. Email, finance systems, CRM, file storage. If a login arrives from an unexpected country, an unfamiliar device, or outside working hours, it should be challenged or blocked.
  • A finance process that doesn't depend on email. Any change to bank details, supplier payments, or invoice routing should be confirmed on a phone call to a known number, not one taken from the email thread.
  • Drills, not just training. Simulated phishing run-throughs that include the AI-quality kind. The point isn't to catch people out, it's to build the habit of pausing before clicking and reporting suspicious messages without embarrassment.
  • A clear "what to do if I clicked" route. People will click. The question is whether the next 10 minutes end in a contained incident or a six-month investigation.
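The first bullet rests on one structural difference: a texted or app-generated code carries no information about which page it was typed into, while a passkey assertion is signed over the origin the browser actually saw. The following is an added illustration, not code from this post or from the NCSC. The one-time-code half is the RFC 4226/6238 HOTP/TOTP algorithm (the secret is the RFC's own test value); the passkey half models the WebAuthn relying-party checks (challenge, origin, rpIdHash, signature over authenticatorData || SHA-256(clientDataJSON)), with an HMAC standing in for the authenticator's asymmetric signature, and all names, origins and keys are constructed.

```python
"""Why a texted/TOTP code can be relayed by a look-alike login page but a
passkey assertion cannot. Added illustration; RFC 4226/6238 for the codes,
a model of WebAuthn verification for the passkey. HMAC stands in for the
authenticator's private-key signature (real passkeys use ECDSA/Ed25519);
the origin-binding logic is the same."""
import hashlib
import hmac
import json
import struct

OTP_SECRET = b"12345678901234567890"              # RFC 4226 test-vector secret
CRED_KEY = b"constructed-passkey-credential-key"  # constructed stand-in key
RP_ID = "login.example.com"                       # constructed relying party
RP_ORIGIN = "https://login.example.com"


# ---- One-time codes: nothing in the code says where it was typed ----

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    return hotp(secret, unix_time // step)


def site_accepts_code(secret: bytes, submitted: str, now: int) -> bool:
    """All the real site can check: does the code match the current step?"""
    return hmac.compare_digest(totp(secret, now), submitted)


def otp_survives_relay(secret: bytes, now: int) -> bool:
    """Constructed scenario: the user reads the genuine code off their phone
    and types it into a look-alike page; the page forwards it to the real
    site within the same 30-second window. True means the real site accepts."""
    typed_into_fake_page = totp(secret, now)
    forwarded_by_relay = typed_into_fake_page   # nothing binds it to an origin
    return site_accepts_code(secret, forwarded_by_relay, now)


# ---- Passkeys: the signed assertion contains the origin the browser saw ----

def authenticator_sign(cred_key: bytes, rp_id: str, client_data: dict) -> dict:
    """Model of a WebAuthn assertion. The browser, not the page, writes
    clientDataJSON (including the origin it is really on); the authenticator
    signs authenticatorData || SHA-256(clientDataJSON)."""
    client_data_json = json.dumps(client_data, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()   # rpIdHash field
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return {
        "clientDataJSON": client_data_json,
        "authenticatorData": auth_data,
        "signature": hmac.new(cred_key, signed, hashlib.sha256).digest(),
    }


def rp_verify(cred_key: bytes, assertion: dict, expected_challenge: str) -> tuple[bool, str]:
    """The relying-party checks that defeat a relay: challenge, origin,
    rpIdHash, then the signature over the data that carries them."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if client_data.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def genuine_passkey_login(cred_key: bytes, challenge: str) -> tuple[bool, str]:
    """The user signs in on the real origin: every check passes."""
    assertion = authenticator_sign(cred_key, RP_ID, {
        "type": "webauthn.get", "challenge": challenge, "origin": RP_ORIGIN})
    return rp_verify(cred_key, assertion, challenge)


def passkey_survives_relay(cred_key: bytes, challenge: str) -> tuple[bool, str]:
    """Constructed scenario: a look-alike page on another origin forwards a
    real challenge and relays whatever comes back. A real browser refuses
    because the page's origin is not under RP_ID; even in this most
    generous model, the origin the browser signs over is the fake one."""
    fake_origin = "https://login-example.com.attacker.invalid"   # constructed
    assertion = authenticator_sign(cred_key, RP_ID, {
        "type": "webauthn.get", "challenge": challenge, "origin": fake_origin})
    return rp_verify(cred_key, assertion, challenge)
```

Run the two scenario functions side by side: the relayed TOTP code is accepted, the relayed passkey assertion is rejected at the origin check before the signature is even examined. That check, not user vigilance, is what makes passkeys "phishing-resistant".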

Why the headline rate doesn't fall

Every year the survey lands and people ask why the rate isn't going down despite the spend on training, awareness, and tooling. The honest answer is that the attacker economics have got better at the same pace. AI has lowered the cost of a credible phish to roughly free. Defenders have to make the cost of a successful one higher: phishing-resistant logins, sensible conditional access, and a finance process that holds when an email is wrong.
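The "sensible conditional access" above, and the earlier bullet about challenging logins from an unexpected country, an unfamiliar device or outside working hours, can be expressed as a small policy evaluated over sign-in events. The following is an added example, not this post's or any identity vendor's code: a hypothetical policy engine graded allow / challenge / block, run over constructed sample sign-in log lines. The app names, countries, hours and users are all assumptions.

```python
"""Conditional-access grading of sign-in events. Added example; the policy,
apps, users and log lines are constructed for illustration."""
import json
from dataclasses import dataclass
from datetime import datetime

# Constructed policy for the systems the post calls out (email, finance, CRM, files)
POLICY = {
    "sensitive_apps": {"mail", "finance", "crm", "files"},
    "expected_countries": {"GB"},
    "working_hours_utc": (7, 19),   # 07:00 to 19:00 UTC, Monday to Friday
}


@dataclass
class SignIn:
    user: str
    app: str
    country: str
    device_registered: bool
    time_utc: datetime
    legacy_auth: bool = False   # e.g. IMAP/basic auth, which cannot carry an MFA challenge


def evaluate(event: SignIn, policy: dict = POLICY) -> tuple[str, list[str]]:
    """Return (decision, reasons). Legacy auth is blocked because it cannot be
    challenged; a sensitive app with both an unexpected country and an
    unregistered device is blocked; any single signal is challenged."""
    if event.legacy_auth:
        return "block", ["legacy auth cannot be challenged"]
    if event.app not in policy["sensitive_apps"]:
        return "allow", []
    reasons = []
    if event.country not in policy["expected_countries"]:
        reasons.append(f"unexpected country {event.country}")
    if not event.device_registered:
        reasons.append("unregistered device")
    start, end = policy["working_hours_utc"]
    if event.time_utc.weekday() >= 5 or not (start <= event.time_utc.hour < end):
        reasons.append("outside working hours")
    if not reasons:
        return "allow", reasons
    if any(r.startswith("unexpected country") for r in reasons) and "unregistered device" in reasons:
        return "block", reasons
    return "challenge", reasons


def parse_signin(line: str) -> SignIn:
    """Parse one JSON sign-in record (constructed format, one object per line)."""
    rec = json.loads(line)
    when = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
    return SignIn(rec["user"], rec["app"], rec["country"],
                  bool(rec["device_registered"]), when, bool(rec.get("legacy_auth", False)))


def grade_log(text: str) -> list[tuple[str, str, str, list[str]]]:
    """Grade every non-empty line; returns (user, app, decision, reasons)."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_signin(line)
        decision, reasons = evaluate(ev)
        out.append((ev.user, ev.app, decision, reasons))
    return out


# Constructed sample events; 2026-03-10 is a Tuesday.
SAMPLE_LOG = """
{"user":"amy@example.com","app":"finance","country":"GB","device_registered":true,"time":"2026-03-10T09:12:00Z"}
{"user":"amy@example.com","app":"mail","country":"US","device_registered":false,"time":"2026-03-10T03:40:00Z"}
{"user":"ben@example.com","app":"files","country":"GB","device_registered":false,"time":"2026-03-10T10:05:00Z"}
{"user":"ben@example.com","app":"mail","country":"GB","device_registered":true,"time":"2026-03-10T11:00:00Z","legacy_auth":true}
{"user":"cat@example.com","app":"wiki","country":"US","device_registered":false,"time":"2026-03-10T22:00:00Z"}
"""

if __name__ == "__main__":
    for user, app, decision, reasons in grade_log(SAMPLE_LOG):
        print(f"{user:18} {app:8} {decision:9} {'; '.join(reasons)}")
```

The ordering matters: legacy protocols are blocked outright because there is no way to present a challenge, and the block-on-two-signals rule means a phished password used from an attacker's own machine abroad never reaches the second factor at all.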

How Steelwise can help

Working out which two or three of those changes would actually move the needle for your business, and which order to do them in, is the sort of review we run for clients. Get in touch.
