New data has revealed that 85% of all business cybersecurity breaches in the UK involve phishing attacks, and almost a third of British businesses have suffered a remote working-related phishing incident in the past year.
Analysis from secure networks specialist, Nasstar, drawing on the UK Government’s Cyber Security Breaches Survey 2025 and 21 years of Google Trends data, paints a picture of a threat landscape that has outpaced the security architectures most organisations still rely on. UK searches for “phishing” hit an all-time record in December 2025, eclipsing even the October 2020 peak during peak pandemic-era remote working, while searches for a “phishing link checker” surged 600% and queries for “what is spear phishing in cyber security” rose by 1,500%.
Leigh Walgate, Managing Director of Secure Networks at Nasstar, argues that the persistence of phishing as the dominant attack vector is a direct consequence of security strategies that have failed to keep pace with how modern infrastructure is actually consumed.
“Despite the widespread adoption of traditional network perimeter security controls, phishing remains the dominant attack vector because it targets users, identities, and cloud applications rather than exploiting network vulnerabilities,” he explains. “Phishing exploits identity and trust, not network vulnerabilities, which is why security needs to be designed around identity rather than perimeter assumptions.”
The government survey data sets out the scale of the problem in granular terms. While overall breach rates have declined slightly to 43% of UK businesses, medium and large enterprises remain disproportionately exposed, with breach rates of 67% and 74% respectively. Among organisations that experienced incidents, phishing was identified as the most disruptive attack type by 65% of affected businesses, and the pattern extends beyond the private sector, with 86% of charity breaches also involving phishing.
Walgate locates the root cause in the accelerated shift to cloud and SaaS platforms, which has effectively dismantled the network perimeter that traditional security tools were built to defend.
“The real shift over the last few years hasn’t just been where people work from, but how organisations consume applications and data,” he said. “As businesses have moved rapidly towards cloud and SaaS platforms, identity has effectively become the new perimeter. That fundamentally changes the risk profile, because attackers no longer need to break into a private network, they just need to abuse a legitimate user account.
“What’s particularly notable is the level of concern we’re seeing around phishing today. The surge in search interest suggests organisations and individuals are increasingly aware that these attacks are harder to detect and more difficult to defend against using traditional approaches.
“That’s why modern SASE architectures are so important. They don’t replace email security or VPNs, but they apply layered, identity- and context-aware controls wherever users access applications, reducing risk when phishing or credential abuse occurs.
“In that context, the 600% surge in searches for a ‘phishing link checker’ reflects a growing demand for real-time, identity-aware protection, even if most people don’t yet recognise it as part of a broader SASE approach.”
SASE (Secure Access Service Edge) combines network security functions with URL filtering, malware detection, and data loss prevention in a single cloud-delivered service. Unlike VPNs, which create encrypted tunnels without inspecting or contextualising traffic, SASE applies continuous identity verification and enforces access controls at the point of use, a distinction that Walgate says becomes critical once credentials have already been compromised.
“Email security reduces exposure, but modern SASE architectures apply multiple layers of control at the point of access, limiting risk even when users interact with malicious content,” he explains. “Modern phishing attacks aren’t limited to email, they increasingly arrive via cloud services, shared files, messaging platforms, and social engineering techniques that all aim to abuse legitimate user identities. SASE doesn’t replace email security; it enforces identity- and context-aware access controls at the point of use, limiting what an attacker can do even when credentials are compromised.”
