UK firms hit by surge in phishing tied to remote work
UK businesses reported a sharp rise in security incidents linked to remote and hybrid working over the past year, with phishing the most common method used by attackers.
Government findings from the Cyber Security Breaches Survey 2025 show that 29% of UK organisations experienced at least one incident connected to remote or hybrid working in the past 12 months. Phishing accounted for 85% of all breaches recorded.
Charities reported a similar pattern, with phishing making up 86% of breaches in the sector, suggesting the threat extends beyond commercial organisations and into the voluntary economy.
The survey also found that exposure increases with organisational size. It recorded breaches at 67% of medium-sized businesses and 74% of large businesses, compared with an overall rate of 43% across all UK businesses. Among organisations that experienced incidents, 65% said phishing was the most disruptive attack.
Search interest
Separate analysis by Nasstar of 21 years of Google Trends data found that UK searches for "phishing" hit a record high in December 2025, surpassing the peak in October 2020 when pandemic restrictions pushed large parts of the workforce into remote work.
The analysis also showed strong growth in searches for practical guidance. Queries for a "phishing link checker" rose by 600%, while searches for "what is spear phishing in cyber security" increased by 1,500%.
The search patterns suggest wider concern among workers, including those outside the office. Remote work relies heavily on cloud applications, file sharing, and collaboration tools, which are now central to day-to-day operations for many employees. These channels also create more entry points for attackers seeking to steal credentials or exploit user decisions.
Identity focus
Leigh Walgate, Managing Director of Secure Networks at Nasstar, said phishing continues to succeed because it targets users and accounts rather than weaknesses in network infrastructure.
"Despite the widespread adoption of traditional network perimeter security controls, phishing remains the dominant attack vector because it targets users, identities, and cloud applications rather than exploiting network vulnerabilities."
He said phishing aligns with how modern organisations access data and applications. Many business systems now sit behind cloud logins rather than inside corporate networks, increasing the value of stolen credentials and session access to attackers.
"Phishing exploits identity and trust, not network vulnerabilities, which is why security needs to be designed around identity rather than perimeter assumptions," Walgate said.
Cloud use
Walgate linked the persistence of phishing to the shift to software-as-a-service and cloud-hosted platforms. In that environment, compromising a legitimate account can provide access without the need to penetrate corporate networks.
"The real shift over the last few years hasn't just been where people work from, but how organisations consume applications and data," he said.
"As businesses have moved rapidly towards cloud and SaaS platforms, identity has effectively become the new perimeter. That fundamentally changes the risk profile, because attackers no longer need to break into a private network; they just need to abuse a legitimate user account."
"What's particularly notable is the level of concern we're seeing around phishing today. The surge in search interest suggests organisations and individuals are increasingly aware that these attacks are harder to detect and more difficult to defend against using traditional approaches," Walgate said.
Security approach
Nasstar is promoting Secure Access Service Edge (SASE) as an architectural approach for organisations managing dispersed workforces and cloud-based services. SASE combines network security functions with URL filtering, malware detection, and data loss prevention, delivered as a cloud service.
In practice, the model applies controls closer to where users access applications and data, rather than assuming most activity happens inside a corporate perimeter. It also fits a working model where staff connect from home networks, shared spaces, and mobile connections.
Walgate said newer phishing attempts use multiple channels and rely on social engineering, not just malicious email. He described SASE as a way to limit what criminals can do after obtaining valid credentials.
"Modern phishing attacks aren't limited to email; they increasingly arrive via cloud services, shared files, messaging platforms, and social engineering techniques that all aim to abuse legitimate user identities," he said.
"SASE doesn't replace email security; it enforces identity- and context-aware access controls at the point of use, limiting what an attacker can do even when credentials are compromised," Walgate said.