One email. One click. How cyber attacks on small businesses actually start — and why most owners never see it coming


Most cyber attacks on UK businesses do not begin with sophisticated code or technical exploits. They begin with an email that looked entirely routine — and someone who acted on it without pausing to check.

Understanding where attacks actually start changes the way you think about risk. It moves the threat from abstract to recognisable. And recognisable threats are the ones you can actually do something about.

This article walks through how attacks begin at the human level, what that means for your business in practical terms, and what you can do today to reduce the most common point of failure.

Hello, I’m Bogdan. WordPress has been my working environment for over 25 years. I won’t try to turn you into a technical expert.
My goal is simpler: to show how everyday website issues quietly cost businesses money, often without hacks, drama, or obvious failures.
Missed updates, poor maintenance, or weak internal processes are usually enough.

What is happening (non-technical explanation)

Let me describe something I have seen, in different forms, several times.

A business owner receives an email. It appears to come from their hosting provider, their domain registrar, or a platform the business uses daily — accounting software, a courier service, a supplier. The subject line says something routine: Action required: your account needs verification or Invoice attached: please review before Friday.

The email looks correct. The logo is right. The language is professional. The sender address, at a quick glance, appears to match the company it claims to be from.

The owner is busy. They click the link, enter their details, and move on with their day. Nothing seems to happen. No alarm sounds. No warning appears.

That moment is where the attack begins.

What happened is called credential harvesting — the attacker has captured a real username and password from a real person who believed they were logging into a legitimate service. This practice is called phishing, and the UK Government's Cyber Security Breaches Survey 2025 confirms it remains the starting point for 85% of cyber attacks on UK businesses that reported a breach.

There is a specific variant worth understanding. Spear phishing is a targeted version where the attacker has researched their target in advance. Business owners are particularly exposed here: their name is on the website, their role is findable on LinkedIn, and their email address is often publicly listed. A convincing spear phishing email addressed to a named individual, referencing a plausible supplier or service, is genuinely difficult to distinguish from the real thing — especially under time pressure.

Once credentials are captured, the consequences depend on what those credentials unlock. For a business running a WordPress site administered via email, the chain is short. The attacker requests a WordPress password reset. The reset link arrives in the inbox they now control. Within minutes, they have admin access to the website. From there, contact forms can be redirected, content can be altered, malicious code can be injected — all while the site continues to look entirely normal to visitors.

The same logic applies to hosting accounts, domain registrars and DNS settings. A business that loses control of its email has effectively lost the ability to verify its identity to any connected service.

How this issue hurts your business

The damage from a successful phishing attack rarely arrives all at once. It accumulates while the compromise goes undetected — and the longer it goes undetected, the higher the cost.

  • Lost enquiries and leads when contact forms are silently redirected or disabled, with no visible sign anything is wrong
  • Business email compromise when an attacker operating from a captured inbox intercepts client communications or initiates fraudulent payment requests
  • Full website takeover with content altered, credentials changed, or the legitimate owner locked out entirely
  • Marketing budget wasted while campaigns continue to drive traffic to a site that has been compromised or is actively redirecting enquiries elsewhere
  • GDPR and ICO obligations triggered if any client or prospect data was accessed or exfiltrated during the incident
  • Reputation damage if clients or prospects encounter unexpected behaviour on the site, receive suspicious messages appearing to come from the business, or simply find the business unreachable

The aspect I find business owners most surprised by is how normal everything looks during the compromise. There is no error message. No obvious sign. The business carries on, unaware that enquiries are disappearing.

Cost of inaction (what this really costs your business)

Real-life scenario: A small professional services firm relies on its website to generate qualified enquiries. The managing director receives a convincing email appearing to come from their accountancy software provider, warning of a required verification step before the month end. They click through, enter their credentials, and continue with their day.

The attacker uses those credentials to access the connected email account and resets the WordPress admin password. Over the following 7 to 14 days, contact form submissions are redirected silently. The business continues operating normally, unaware that enquiries are not arriving.

The impact typically looks like this:

  • Missed qualified enquiries: £2,000 to £5,000 in expected pipeline value
  • Marketing spend still running throughout: £400 to £900 wasted
  • Forensic investigation and site cleanup once discovered: £800 to £2,000
  • Legal or compliance review where client data may have been exposed: £500 to £1,500
  • Internal management time coordinating the response: invisible, but real

Total cost for one incident: easily £3,500 to £9,000, with no downtime, no visible error, and nothing that looked like an attack at the time it happened. That is the real cost of inaction.

Warning signs you should not ignore

These are the signals that, in my experience, precede or indicate that something has gone wrong at the email level:

  • A staff member mentions receiving an unusual login notification but assumed it was a glitch and did not raise it
  • The business receives a bounce notification for an email it did not send
  • A client reports receiving a suspicious message that appears to come from the business
  • Unexpected password reset emails arrive for services the business uses
  • WordPress admin users or settings have changed in ways nobody can explain
  • Enquiry volumes have dropped without any obvious reason
  • An email that arrived recently prompted action — a login, a payment detail update — and now feels uncertain in hindsight

Any one of these in isolation may have an innocent explanation. Together, or in the context of a recent email someone acted on, they warrant investigation rather than reassurance.

Quick checks you can do today (5–10 minutes)

You do not need to be technical to reduce this risk significantly.

Review your own recent email activity first. Think about the last time an email asked you to log in somewhere, verify an account or update a payment method. Did you check the actual sender domain — not just the display name — before acting? Did you navigate directly to the service rather than clicking the link? If the honest answer is no, you have identified a habit worth changing.

Ask your team a direct question. Has anyone recently received an unusual login email, an unexpected supplier request, or a message that felt slightly off? These are often mentioned informally and never escalated. A direct question surfaces information that might otherwise stay hidden.

Check your WordPress admin user list. Log in and review every account. Is each one recognisable? Has any account appeared that you cannot explain?

Confirm two-factor authentication is active on the email accounts used to administer your website and business systems. This single step means that a stolen password alone is not sufficient to gain access.

Review who has access to your domain and hosting accounts. These control your website, your email and your online identity. When were those credentials last reviewed, and do former staff or agencies still have access?

If any of these checks produces an uncertain answer, treat it as a priority, not a task for later.

Fix options (from fastest to safest)

Immediate containment

If anyone in the business has recently acted on an email that now looks uncertain — clicked a link and entered credentials, responded to an unusual payment request — treat it as a potential incident rather than waiting for confirmation. Reset the relevant passwords immediately, starting with email, WordPress and any connected platforms. Enable two-factor authentication if it is not already active.

Proper fix (root cause)

Enable two-factor authentication on all accounts used to manage the business, prioritising email and WordPress. Audit admin access across all platforms: remove any accounts belonging to former staff, agencies or freelancers who no longer need it. Introduce monitoring so that unusual login activity triggers an immediate alert rather than being noticed weeks later.

Prevention

Establish one simple, shared habit across the team: when an email asks you to log in or take financial action, go to the service directly in a new browser window rather than using the link in the email. This takes five seconds and removes the most common mechanism attackers rely on. A brief conversation about this habit is more effective than any policy document.

How to prevent this from happening again

The most effective long-term defence against phishing is not software. It is a consistent habit, shared across the business, of pausing before acting on email requests.

A business-friendly approach includes:

  • A clear, simple rule: log in to services directly, never through a link in an unsolicited email
  • Two-factor authentication on all accounts connected to the website, domain and business email
  • Regular review of who has admin access, particularly after staff changes or agency relationships end
  • Monitoring and alerts on WordPress login activity so anomalies are caught the same day
  • A named person responsible for security awareness — not a formal programme, but someone who asks the question and follows up when something feels uncertain
  • A brief check-in after any incident or near-miss, so the lesson is captured rather than forgotten

None of this is technically complex. The barrier is not capability. It is the assumption that this kind of attack targets someone else.

Related issues to check next

  • Phishing does not just steal passwords: it can take over your website and cost you clients
  • You do not need to be hacked to have a security problem: the hidden cost of an unprotected WordPress site
  • You don't need to be a big target: ransomware is rising in the UK and small businesses are paying the price
  • Updates done wrong can break your site — updates skipped can break your business

Key takeaways

  • Phishing is the starting point for 85% of cyber attacks on UK businesses — it is not a sophisticated threat, it is the standard one
  • Business owners are high-value targets: their information is publicly visible and they hold the highest levels of access
  • A convincing phishing email is designed to remove the pause before action — urgency and familiarity are the tools attackers use most
  • A compromised email account is often sufficient to take full control of a WordPress site, a domain and connected business systems
  • Two-factor authentication is the single highest-impact step available — it limits damage even when credentials are successfully stolen
  • The most effective prevention is a simple habit, consistently applied: go to the service directly, never through the link

FAQ

How do I tell if an email is genuine or a phishing attempt?

Check the actual sender address, not just the display name — attackers can set the display name to anything they choose. Look for slight misspellings in the domain. If the email asks you to log in or take action, open a new browser tab and navigate directly to the service rather than using the link. If uncertain, call the organisation using a number you already have, not one provided in the email.
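The sender check described in the quick checks earlier and in this answer, written out as an added Python example (not code from the original article): it reads the real address out of a From: header, ignores the display name, and compares the domain against a list of the services the business actually uses. The trusted domains and sample headers are constructed for illustration.

```python
"""Inspect the real sender address of an email, not just its display name.

Added example, not from the original article. TRUSTED_DOMAINS and the
sample From: headers below are constructed for illustration.
"""
from email.utils import parseaddr

# Constructed: domains of services the business genuinely uses.
TRUSTED_DOMAINS = frozenset({"example-hosting.co.uk", "example-books.com"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a raw From: header value.

    'trusted'    exact match on a trusted domain
    'name-spoof' display name shows a trusted address, real domain differs
    'lookalike'  real domain misspells or embeds a trusted domain
    'unknown'    no relation to any trusted domain
    'invalid'    no parseable address at all
    """
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return "invalid"
    domain = address.rpartition("@")[2].lower()
    if domain in trusted:
        return "trusted"
    # Display name written as a trusted email address: mail clients show the
    # name, so the real address goes unnoticed unless you look at it.
    shown = parseaddr(display_name)[1].rpartition("@")[2].lower()
    if shown in trusted:
        return "name-spoof"
    for t in trusted:
        # "examp1e-hosting.co.uk" or "example-books.com.verify-portal.example"
        if t in domain or edit_distance(domain, t) <= 2:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for hdr in ('"Example Hosting" <billing@example-hosting.co.uk>',
                '"support@example-hosting.co.uk" <alerts@mail-secure-login.example>',
                '"Example Hosting Support" <billing@examp1e-hosting.co.uk>'):
        print(f"{check_sender(hdr):<11} {hdr}")
```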

Is two-factor authentication difficult to set up?

No. On most platforms, including WordPress and Google Workspace, it can be enabled in under five minutes and requires only a smartphone authenticator app. Once active, a stolen password alone is not sufficient to access the account.

What should I do if I think I've already been phished?

Act immediately. Change the password for any account where credentials were entered, and for any other account using the same password. Enable two-factor authentication. Check your WordPress admin users for any accounts you do not recognise. Notify your hosting provider. If business or client data may have been accessed, take legal advice on your obligations under UK GDPR. Speed matters — the longer the gap between compromise and response, the higher the cost.

Can this happen even if I have anti-virus software?

Yes. Phishing attacks target people, not software. Anti-virus tools protect against malicious files and known threats, but they cannot prevent someone from voluntarily entering their credentials into a fake login page. The protection that matters most is awareness and the habit of verification, not software alone.

Closing

Until next time, keep your website productive, not just online.

If any of this feels uncomfortably familiar — an email you're not entirely certain about, a login you completed without checking twice — it is worth taking a moment to review the access points described here. Sometimes the most valuable intervention is not a technical one. It is a conversation.
