In the last 12 months, 39% of UK businesses experienced a cyber-attack—the most common being phishing attacks, which accounted for 83% of these incidents.* As scammers become more sophisticated in their tactics, phishing attempts are becoming increasingly difficult to detect.

Author: Johnty Mongan


Human error is the most common cause of information security incidents and yet responding to emails and clicking on links is a big part of the modern workplace. It is therefore important that businesses educate their employees on how to prevent phishing attacks, which can lead to data theft and/or the installation of malware.

What is phishing?

Phishing is a common form of ‘social engineering’, where a victim receives an email or text message, which may seem legitimate, asking them to click on a link that goes to a fraudulent website where they are asked to provide sensitive information, such as login or bank account details. Cybercriminals can also seek to trick their victims using scam adverts on social media, search engines, news sites and other legitimate websites. In many cases, clicking on a phishing link can pose the additional danger of inadvertently installing malware, such as ransomware.

Attacks are becoming more sophisticated and using different channels such as voice messages (vishing) and text message ‘chatbots’ which encourage interaction similar to that expected of a legitimate company or service before directing the target to a harmful link. Whatever the phishing method, once the sensitive information is handed over, it can be used to commit fraud, extortion or identity theft.

Spear phishing

While regular phishing attacks are designed to scam masses of people, spear phishing is a more targeted attack, and can therefore be more difficult to detect. Attacks are aimed at a specific person or select number of people, and can appear to come from a known source, such as a trusted brand or service, or even a work colleague. Spear phishing will usually include information known to be of interest to the target, such as a current event or topic or an attachment that looks legitimate.

Why are phishing attacks on the rise?

Phishing incidents rose sharply during the height of the pandemic, increasing by 220%, compared to the yearly average,1 and according to a survey by software company, Tessian, a quarter of workers admitted to clicking on a link in a phishing email while working from home during this period.2 This was likely down to a combination of factors, including the distractions that came with home working, lower levels of security for employees using their own devices, and scammers taking advantage of the people’s concerns and desire for information related to the pandemic. Add to this the constantly evolving methods cybercriminals are using and phishing scams are not only more prevalent, but are also becoming harder to spot.

With a hybrid working approach now being the norm for many organisations, it is more important than ever for businesses to ensure sufficient security procedures and protocols are being adhered to—whether employees work on site, at home, or from other remote locations.

Phishing simulations as a preventative measure

In addition to cybersecurity awareness training, we offer a phishing simulation service that tests your employees’ ability to identify and report phishing emails. Using phishing simulations will ensure that this subject is at the forefront of your employees’ minds and enable your organisation to assess how well they are helping to protect your business.

The phishing simulation itself comprises an email campaign undertaken over a period of three months, where users will be targeted and encouraged to click on links or open attachments.

Following each simulation exercise, we will provide you with a short report detailing what percentage of your workforce is cybersecurity aware and what percentage is vulnerable following a social engineering attack. The results will provide you with the data you need to determine whether any further training in this area may be required for your employees.

  1. Target Users
  2. Deliver Simulation
  3. Analysis and Reporting
  4. Awareness and Training

These simulations are aimed at changing the behaviour of your people so that they can recognise, avoid and report potential threats that could compromise the critical business data and systems of your organisation.

Gallagher offers risk management strategies for every size of business and every budget, from multinational corporations to SMEs. We recognise that every organisation is unique, and we will work with you to determine the most appropriate services for your cyber risk.

Author Information


The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher Insurance Brokers Limited accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.