Guide · Threat awareness
How cyber attacks actually happen.
Most cyber attacks on UK SMEs do not look like the films. They are quiet, opportunistic and almost always start with a person — not a piece of clever code. This guide walks through how real incidents unfold, so your team knows what to look for and what to do.
The four ways most attacks start
Phishing and business email compromise
An attacker sends a convincing email — a fake invoice, a Microsoft 365 login prompt, a 'CEO' asking finance to move money. One click or one entered password is enough to start the chain.
Ransomware
Once inside, attackers move laterally, find and disable or delete backups, often copy data out so they can threaten to leak it, then encrypt files across the business. The real cost is days of downtime and lost trust, not the ransom itself.
Weak and stolen credentials
Passwords reused on websites that have since been breached are replayed automatically, at scale, against business cloud accounts such as Microsoft 365. Without MFA, one reused password is enough to get into a mailbox, and from there into the rest of the business.
Staff risk and human error
Misaddressed emails, lost laptops, approving an MFA prompt you did not trigger yourself, sharing a file with the wrong client. Most reportable incidents start with an honest mistake.
The anatomy of a real attack
Most incidents follow the same four stages. Understanding the pattern is the quickest way for non-technical decision makers to spot where defence and detection actually need to live.
- 01 Reconnaissance. Attackers scrape LinkedIn, your website and breach databases to learn who works where, who handles finance, and which email addresses to target.
- 02 Initial access. A phishing email, a stolen password replayed against Microsoft 365, or an unpatched remote access tool gives them their first foothold.
- 03 Escalation. They look for admin accounts, weak permissions and unprotected backups, quietly, often over days or weeks.
- 04 Impact. Funds are diverted, data is stolen, or ransomware is deployed across the network. By the time anyone notices, the damage is done.
What actually stops these attacks
No single control is enough on its own. The SMEs that avoid serious incidents combine staff behaviour, technical controls and ongoing monitoring:
- Cyber awareness training — short, regular lessons that change day-to-day behaviour rather than ticking an annual compliance box.
- Phishing simulation — controlled, benign tests that show where the real risk sits in your team and bring click rates down over time.
- Cyber security assessments — a ranked view of where you are exposed today, with a prioritised plan to fix it.
- Cyber Shield — a fixed monthly programme that bundles awareness training, monitoring, reporting and incident support into one managed service for SMEs.
Where to go next
If you would like an honest view of where your business currently sits, book a no-obligation free cyber security review. You can also read our companion guides: Cyber Security for UK SMEs and What is Cyber Essentials?
Frequently asked questions
What is the most common type of cyber attack on SMEs?
Phishing remains the most common starting point. A staff member receives a convincing email, clicks a link or shares a password, and the attacker uses that foothold to access email, cloud storage or finance systems.
How does ransomware infect a business?
Ransomware usually arrives through a phishing email, a compromised remote access tool, or a stolen password. Once inside, the attacker spreads across the network, disables backups where possible, and encrypts files.
Why are passwords still a problem?
Staff reuse passwords across personal and work accounts. When one site is breached, those credentials are replayed automatically against business cloud accounts. Multi-factor authentication blocks the majority of these attacks, provided staff know not to approve a prompt they did not trigger themselves.
Are most breaches caused by staff mistakes?
Most breaches involve a human element. That is why short, regular awareness training reduces real-world risk far more than a single annual session.