Cyber security is still a small-business issue
Cyber security can sound like something only large organisations need to worry about. In reality, many of the risks that affect smaller businesses start with everyday tools: email, Microsoft 365 accounts, shared documents, domains, websites and passwords.
The UK Government's Cyber Security Breaches Survey 2025/2026, published on 30 April 2026, reported that 43% of UK businesses identified a cyber security breach or attack in the last 12 months. Phishing remained the most common type, affecting 38% of businesses.
That does not mean every small business needs complex enterprise security. It does mean the basics matter: account protection, email authentication, sensible permissions, backups and a clear plan for what to do if something looks wrong.
Why phishing still works
Most small-business cyber incidents do not begin with dramatic hacking. They often begin with a believable message, a weak password, a fake login page, an urgent payment request or a document link that looks familiar enough to click.
Phishing has also moved beyond the old idea of badly written scam emails. Attacks can now appear as Microsoft sign-in pages, invoice changes, file-sharing notifications, calendar invites, QR codes or messages that appear to come through collaboration tools.
That matters because small teams tend to move quickly. If a request appears to come from a supplier, customer, colleague or Microsoft 365 service, it can be easy to act before checking.
Microsoft 365 is a common target
Microsoft 365 is a strong platform for business email, files and collaboration, but it needs to be configured properly. A poorly protected mailbox can give an attacker access to sensitive emails, customer information, invoices, shared files and password reset messages.
Once inside, attackers may create forwarding rules, impersonate staff, send fake payment instructions, search for useful documents or attempt to access other services. The damage can spread quickly if admin accounts, shared mailboxes or old user accounts have not been reviewed.
Start with multi-factor authentication
Multi-factor authentication, often shortened to MFA, is one of the most important protections for Microsoft 365 accounts. It means a stolen password alone should not be enough to sign in: the attacker also needs something the user holds, such as the Microsoft Authenticator app or a security key.
MFA should be enabled for all users, but it is especially important for administrator accounts and anyone with access to finance, customer records or sensitive documents. In Microsoft 365 it is enforced tenant-wide either through Security Defaults (free, requires every user to register for MFA) or through Conditional Access policies (needs an Entra ID P1 licence, but allows targeted rules). Not all methods are equal: SMS codes can be intercepted or talked out of a user, and a push notification can be approved by habit, so prefer Authenticator with number matching, or a passkey or security key, over text messages. MFA should also be introduced in a way staff understand, so prompts are not ignored or approved automatically.
- Enable MFA for every Microsoft 365 user.
- Protect administrator accounts first.
- Avoid sharing accounts between staff.
- Review sign-in methods and recovery details.
- Train users not to approve unexpected login prompts.
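The list above is a procedure, and the natural way to check it on a real tenant is from PowerShell. The script below is an added example, not code from screen ink or from Microsoft: it lists every enabled user, which MFA methods they have registered, and which of them hold an administrator role, so the admins and the accounts with no second factor come out at the top. It assumes the Microsoft.Graph PowerShell SDK is installed and that you sign in with an account allowed to read users, authentication methods and directory roles.

```powershell
# Added example (not screen ink's or Microsoft's code): audit MFA registration for every
# enabled user, admins first. Assumes the Microsoft.Graph PowerShell SDK is installed
# (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes 'User.Read.All','UserAuthenticationMethod.Read.All','RoleManagement.Read.Directory' -NoWelcome

# Registered method types that work as a second factor at sign-in. Password is the first
# factor and the email method is used for self-service password reset only, so neither counts.
$strongTypes = @(
    '#microsoft.graph.fido2AuthenticationMethod',                    # passkey / security key
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',   # Authenticator app
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod'              # third-party TOTP app
)
$phoneType = '#microsoft.graph.phoneAuthenticationMethod'             # SMS or voice call

# Everyone holding an active directory role (Global Administrator, Exchange Administrator, ...).
# Roles that are only *eligible* through PIM are not activated and so do not appear here.
$adminRole = @{}
foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $adminRole[$member.Id] = $role.DisplayName
    }
}

$report = foreach ($user in Get-MgUser -All -Filter 'accountEnabled eq true' -Property Id,UserPrincipalName) {
    # Each registered method carries its concrete type in @odata.type.
    $types  = @(Get-MgUserAuthenticationMethod -UserId $user.Id |
                ForEach-Object { $_.AdditionalProperties['@odata.type'] })
    $strong = @($types | Where-Object { $_ -in $strongTypes }).Count
    $phone  = @($types | Where-Object { $_ -eq $phoneType }).Count

    if     ($strong -gt 0) { $status = 'ok' }
    elseif ($phone -gt 0)  { $status = 'SMS/voice only' }
    else                   { $status = 'NO MFA REGISTERED' }

    [pscustomobject]@{
        User      = $user.UserPrincipalName
        AdminRole = $adminRole[$user.Id]          # empty for ordinary users
        Status    = $status
    }
}

# Admins first, then anyone who could not pass an MFA challenge at all.
$report |
    Sort-Object @{Expression = { [bool]$_.AdminRole }; Descending = $true},
                @{Expression = { $_.Status -eq 'NO MFA REGISTERED' }; Descending = $true} |
    Format-Table -AutoSize
```

Registration is not enforcement: a user with an Authenticator method registered can still sign in with just a password if no Security Defaults or Conditional Access policy requires MFA, so read this report alongside the tenant's enforcement settings. Anyone listed as "SMS/voice only" is a candidate to move to Authenticator or a passkey.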
Review accounts, admins and shared mailboxes
Many small businesses accumulate access over time. A staff member leaves, a temporary mailbox stays active, an old admin account is forgotten or a shared mailbox has more permissions than it needs.
A security review should check who has access to what. Admin accounts should be separate from normal day-to-day accounts where possible, old users should be removed properly, and shared mailbox permissions should match current business needs.
- Remove old users when staff or suppliers leave.
- Check who has administrator permissions.
- Keep admin accounts separate from daily email use.
- Review shared mailbox access regularly.
- Look for unexpected forwarding rules or inbox rules.
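The last three bullets can be checked directly against Exchange Online. The following is an added example, not code from screen ink or from Microsoft; it assumes the ExchangeOnlineManagement module is installed and that the account you connect with can read mailboxes, inbox rules and permissions. It reports mailbox-level forwarding, inbox rules that forward, redirect or delete mail, and who has been explicitly granted access to each shared mailbox.

```powershell
# Added example (not screen ink's or Microsoft's code): three access reviews in Exchange Online.
# Assumes Install-Module ExchangeOnlineManagement has been run.
Connect-ExchangeOnline -ShowBanner:$false

$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Mailbox-level forwarding, whether set by an admin or through Outlook settings.
#    DeliverToMailboxAndForward = $true means the owner still sees the mail and may not notice.
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward, redirect or silently delete. After a compromise these are
#    often given a blank or one-character name and tuck replies away in folders such as
#    RSS Feeds or Conversation History, so MoveToFolder is worth reading too.
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        Select-Object @{n = 'Mailbox'; e = { $mbx.UserPrincipalName }},
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder
}

# 3. Explicit Full Access grants on shared mailboxes (the mailbox's own SELF entry and
#    inherited entries are noise, so they are filtered out). Compare each line with who
#    actually works that mailbox today.
$mailboxes |
    Where-Object { $_.RecipientTypeDetails -eq 'SharedMailbox' } |
    ForEach-Object {
        Get-MailboxPermission -Identity $_.Identity |
            Where-Object { -not $_.IsInherited -and $_.User -ne 'NT AUTHORITY\SELF' } |
            Select-Object Identity, User, AccessRights
    }

Disconnect-ExchangeOnline -Confirm:$false
```

Full Access is only one side of a shared mailbox: Get-RecipientPermission lists who can Send As it, which is the permission that matters for fake payment instructions. Run the review on a schedule rather than once; inbox rules in particular are created and removed within the life of a single intrusion.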
Do not ignore SPF, DKIM and DMARC
Email authentication is one of the less visible parts of business security, but it is important. SPF, DKIM and DMARC are DNS records that let receiving mail systems check whether a message claiming to come from your domain was really sent by a system you authorised. SPF lists the servers allowed to send for the domain, DKIM adds a signature to each message that receivers verify against a public key published in your DNS, and DMARC ties both checks to the visible From address, tells receivers what to do when neither aligns (deliver, quarantine or reject) and gives them an address to send reports to.
Microsoft's own guidance explains how SPF, DKIM and DMARC work together to authenticate email senders. In simple terms, they help stop your domain being used in spoofed emails and give receiving systems clear instructions about what to do with messages that fail the checks. They do nothing against phishing sent from a look-alike domain, so they complement MFA and user awareness rather than replace them.
These records need to be configured carefully, especially if your business sends email through Microsoft 365, website forms, booking platforms, marketing tools or other third-party systems.
- Check that SPF includes every service authorised to send mail for your domain and stays within the ten-DNS-lookup limit.
- Enable DKIM signing in Microsoft 365 for every custom domain you send from; until you do, Microsoft signs with your tenant's onmicrosoft.com key, which does not align with your domain for DMARC.
- Add a DMARC record, start at p=none with aggregate reports (rua=) so you can see who is sending as you, then move to quarantine and finally reject once every legitimate sender passes.
- Review website forms and marketing tools that send email on your behalf.
- Keep DNS records documented so future changes do not break email.
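The bullets above are a checklist a practitioner usually runs against DNS, so here is an added example that does so, not code from screen ink or from Microsoft's documentation. It assumes a domain that sends through Microsoft 365 (hence the check for include:spf.protection.outlook.com and the selector1/selector2 DKIM CNAMEs Microsoft uses), uses Resolve-DnsName from the Windows DnsClient module, and treats the domain name at the bottom as a placeholder to replace with your own.

```powershell
# Added example (not screen ink's or Microsoft's code): check SPF, DKIM and DMARC for a
# domain that sends through Microsoft 365. Resolve-DnsName is from the DnsClient module,
# so this runs on Windows PowerShell or PowerShell 7 on Windows.

function Get-TxtRecord {
    param([string]$Name)
    # TXT values over 255 bytes arrive as several strings; join them back into one record.
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { $_.Strings -join '' }
}

function Test-SpfRecord {
    param([string]$Domain, [switch]$ExpectMicrosoft365)
    $records = @(Get-TxtRecord -Name $Domain | Where-Object { $_ -match '^v=spf1\b' })
    if ($records.Count -eq 0) { return "SPF: no v=spf1 record found for $Domain" }
    if ($records.Count -gt 1) { return "SPF: $($records.Count) v=spf1 records; receivers treat this as a permanent error" }
    $spf   = $records[0]
    $terms = $spf -split '\s+'
    $notes = @()
    # Mechanisms that cost a DNS lookup. RFC 7208 caps the total at 10, and every include:
    # pulls in the lookups of the record it points at, so this direct count is a lower bound.
    $lookups = @($terms | Where-Object { $_ -match '^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)' -or $_ -match '^redirect=' }).Count
    if ($lookups -gt 10) { $notes += "over the 10-lookup limit ($lookups direct lookup terms)" }
    switch -Regex ($terms[-1]) {
        '^\+?all$' { $notes += 'ends in +all, which authorises every sender on the internet' }
        '^\?all$'  { $notes += 'ends in ?all (neutral), which gives receivers nothing to act on' }
        '^~all$'   { $notes += 'ends in ~all (softfail)' }
        '^-all$'   { $notes += 'ends in -all (fail)' }
        default    { $notes += 'does not end in an all mechanism (check for a redirect= modifier)' }
    }
    if ($ExpectMicrosoft365 -and $spf -notmatch 'include:spf\.protection\.outlook\.com') {
        $notes += 'missing include:spf.protection.outlook.com, so mail sent from Microsoft 365 fails SPF'
    }
    "SPF: $spf`n  " + ($notes -join "`n  ")
}

function Test-DkimRecord {
    param([string]$Domain)
    # Microsoft 365 signs with two rotating selectors whose keys live in your tenant's
    # onmicrosoft.com zone; your zone only needs two CNAMEs pointing at them. Other
    # sending services (marketing tools, booking platforms) use their own selector names.
    foreach ($selector in 'selector1', 'selector2') {
        $name  = "$selector._domainkey.$Domain"
        $cname = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        if ($cname) { "DKIM: $name -> $($cname.NameHost)" } else { "DKIM: $name not found (DKIM not enabled for this domain in Microsoft 365)" }
    }
}

function Test-DmarcRecord {
    param([string]$Domain)
    $records = @(Get-TxtRecord -Name "_dmarc.$Domain" | Where-Object { $_ -match '^v=DMARC1\b' })
    if ($records.Count -eq 0) { return "DMARC: no record at _dmarc.$Domain; receivers get no instruction for spoofed mail" }
    $dmarc = $records[0]
    $tags  = @{}
    foreach ($pair in ($dmarc -split ';')) {
        if ($pair -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
    }
    $notes = @()
    switch ($tags['p']) {
        'none'       { $notes += 'p=none: monitoring only, spoofed mail is still delivered' }
        'quarantine' { $notes += 'p=quarantine: spoofed mail goes to junk' }
        'reject'     { $notes += 'p=reject: spoofed mail is refused' }
        default      { $notes += 'p= tag missing or invalid' }
    }
    if (-not $tags['rua']) { $notes += 'no rua= address, so you receive no aggregate reports' }
    if ($tags['pct'] -and $tags['pct'] -ne '100') { $notes += "pct=$($tags['pct']): policy applies to a sample of mail only" }
    if ($tags['sp'] -eq 'none' -and $tags['p'] -ne 'none') { $notes += 'sp=none: subdomains stay unprotected' }
    "DMARC: $dmarc`n  " + ($notes -join "`n  ")
}

# Placeholder domain: replace with your own.
$domain = 'example.com'
Test-SpfRecord  -Domain $domain -ExpectMicrosoft365
Test-DkimRecord -Domain $domain
Test-DmarcRecord -Domain $domain
```

Run it before and after every change to the records, and again when a new tool starts sending on your behalf. The lookup count is deliberately conservative; a record that passes here can still exceed the limit once its include: targets are expanded, which is exactly the failure that appears when a business bolts a fourth or fifth sending service onto SPF.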
Backups and recovery still matter
Prevention is important, but businesses also need to think about recovery. If a mailbox, SharePoint library or important website is compromised, you need to know what can be restored, how quickly, and who is responsible for doing it.
Backups should cover the systems the business actually relies on. For some organisations that means website files and databases. For others, it means Microsoft 365 data, documents, email, accounting exports or operational spreadsheets. Microsoft 365's recycle bins and retention windows are not a substitute for a backup you control and have tested restoring from: they are time-limited, and an attacker with access to the account can empty them.
A plain-English security checklist
A small-business security review does not need to start with scare stories. It can start with a practical checklist and a clear view of the main risks.
- Is MFA enabled for every Microsoft 365 user?
- Are administrator accounts protected and limited?
- Have old users and unused mailboxes been removed?
- Are shared mailbox permissions still correct?
- Are SPF, DKIM and DMARC configured for the domain?
- Are website forms and third-party sending tools included in email records?
- Are important files, mailboxes and website data backed up?
- Does the business know what to do if an account is compromised?
Key takeaway
The latest UK figures are a useful reminder that phishing and account compromise are still everyday business risks. The good news is that many of the most important protections are practical and achievable.
If you are not sure how your Microsoft 365, email or domain security is currently configured, a short review can usually highlight the main risks quickly. From there, the priority is simple: protect the accounts, protect the domain, keep backups, and make sure staff know what to check before they click.
Need help with this topic?
Contact screen ink