What Phishing Emails Actually Look Like in 2026
A few months ago, a business owner in Carlisle forwarded us an email they'd received from what looked like their accountant. It had the right logo, the right email signature, and a perfectly reasonable request: "Please review and approve the attached invoice before end of day."
It wasn't from their accountant. It was a phishing email, and the attachment contained malware that would have given an attacker full access to their systems. The only reason it didn't work was that someone in the office thought the wording felt slightly off and picked up the phone to check.
That instinct saved them. But here's the uncomfortable truth: 85% of UK businesses were hit by phishing attacks last year, and the ones that get through are the ones that look completely normal.
Why Cumbria Businesses Are Being Targeted
There's a common assumption that cybercriminals target large companies in London and Manchester. They do, but they also target accountancy firms in Penrith, solicitors in Carlisle, manufacturers in Workington, and holiday parks in the Lake District. Attackers don't care where you are. They care whether you'll click.
In fact, smaller businesses are often easier targets. They're less likely to have dedicated IT security, less likely to run regular training, and more likely to have someone wearing multiple hats who processes invoices, manages accounts, and handles emails: all the things that make phishing effective.
What a Modern Phishing Attack Looks Like
Forget the obvious scams with broken English and promises of Nigerian inheritances. The phishing emails landing in Cumbria inboxes today look like this:
- An email from "Microsoft" saying your password is about to expire, with a link to a login page that looks identical to the real thing. You type in your credentials, and they're gone.
- A message from your "boss" asking you to urgently buy gift cards for a client. Sounds daft, but this exact scam has caught thousands of employees across the UK.
- An invoice from a "supplier" with new bank details. You update your records and pay the next bill, straight into a criminal's account.
- A text message from "Royal Mail" about a missed delivery, with a link to rearrange. Your staff click it on their phone, which is connected to your company email.
These attacks work because they mimic everyday interactions. They don't need to be clever. They just need to catch one person on a busy Tuesday afternoon.
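Because the body of these emails looks normal, the reliable signals are usually in the headers. The following is an added example, not code from the original article: a small Python triage check for a reported email that flags a familiar display name on an unfamiliar domain, a Reply-To that diverts replies elsewhere, and failed SPF/DKIM/DMARC results. The contact list, the gateway name `mx.ourfirm.example` and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: known contacts and our own mail gateway's authserv-id.
KNOWN_SENDERS = {"smith & co accountants": "smithco.example"}
TRUSTED_AUTHSERV = "mx.ourfirm.example"

# Constructed sample message, not a real email.
SAMPLE = """\
Authentication-Results: mx.ourfirm.example; spf=pass smtp.mailfrom=bulkmail.example; dkim=none; dmarc=fail header.from=smithco-invoices.example
From: "Smith & Co Accountants" <accounts@smithco-invoices.example>
Reply-To: payments@freemail.example
To: office@ourfirm.example
Subject: Invoice for approval

Please review and approve the attached invoice before end of day.
"""

def domain_of(header_value):
    """Return the lower-cased domain of the address in a From/Reply-To header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def triage(raw):
    """Return a list of human-readable warnings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    warnings = []
    name, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and from_dom != expected:
        warnings.append(f"display name '{name}' normally sends from {expected}, not {from_dom}")
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"replies go to {reply_dom}, not {from_dom}")
    # Only trust results stamped by our own gateway; a sender can forge this header.
    for ar in msg.get_all("Authentication-Results", []):
        authserv, _, results = ar.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results):
            if result.lower() in ("fail", "softfail"):
                warnings.append(f"{mech} {result}")
    return warnings

if __name__ == "__main__":
    for w in triage(SAMPLE):
        print("WARN:", w)
```

A message that raises none of these warnings can still be phishing, for example when it is sent from a supplier's genuinely compromised mailbox, so the phone check remains the deciding step.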
How to Protect Your Business From Phishing
No single measure will block everything. But these five things, done properly, stop the vast majority of attacks:
1. Train your team, but make it real
A one-off awareness talk doesn't cut it. We run simulated phishing campaigns for businesses across Carlisle. We send realistic fake phishing emails to your team and track who clicks. It's not about catching people out. It's about showing everyone (including directors) that it's easier to fall for than they think. The businesses that run these quarterly see click rates drop from 30-40% to under 5%.
2. Filter emails before they arrive
Good email filtering catches the majority of phishing emails before anyone sees them. Microsoft 365 has built-in protection, but the default settings aren't aggressive enough for most businesses. We configure advanced filtering rules, safe link policies, and attachment scanning that block threats without flooding your quarantine with false positives.
3. Turn on MFA, everywhere
If an attacker does steal a password, multi-factor authentication stops them using it. They'd need your phone as well, and they don't have it. MFA is free on Microsoft 365 and takes about 20 minutes to roll out across a small business. There's genuinely no excuse not to have it on.
4. Keep software up to date
Some phishing emails don't need you to enter a password. They exploit vulnerabilities in outdated software. An old version of Outlook or Chrome can be enough. Automated patch management keeps everything current without relying on staff to click "update now."
5. Create a culture where checking is normal
The single most effective thing you can do is make it normal to verify. If someone gets an email asking them to transfer money, change bank details, or share login credentials, the answer is always the same: pick up the phone and check. Use a number you already have, not one from the email. This should be a rule, not a suggestion.
Someone Clicked. Now What?
If you think someone on your team has clicked a phishing link or entered their credentials somewhere they shouldn't have, here's what to do straight away:
- Disconnect the device from the internet: pull the ethernet cable or turn off WiFi. This limits the damage.
- Change the compromised password immediately: do it from a different device. If they've reused that password elsewhere, change those too.
- Contact your bank: if financial details were involved, call them immediately. The faster you act, the more likely they can freeze the transaction.
- Report it: forward the email to [email protected]. It's the National Cyber Security Centre's free reporting service and helps protect other businesses too.
- Call us: we can check whether the attacker got in, what they accessed, and lock everything down. The sooner we look, the less damage there is to deal with.
The Uncomfortable Truth
Every business owner we speak to in Carlisle thinks their team wouldn't fall for it. Then we run a simulation and someone always does. That's not a criticism of the team; it's just the reality of how good these attacks have become.
If you haven't tested your team, you don't know where you stand. Get in touch and we'll run a simulated phishing test, and you'll see exactly how your business would hold up. We'll tell you what needs fixing.

