Last year, 85% of UK businesses encountered a phishing attack[1]. However, with over a quarter (27%) of surveyed organisations seeing cyber security as a low priority for directors, trustees, and other senior managers[1], how many employees are able to differentiate scam attempts from legitimate emails?
C-suite executives, with access to highly sensitive company and financial information, are prime targets for phishing scams. Meanwhile, employees involved in daily operations, such as administration tasks or taking payments through card machines in public-facing roles, may also regularly encounter scam attempts. Without proper training and awareness, both groups remain vulnerable to increasingly sophisticated ploys used by scammers.
To understand scam awareness, we surveyed 1,800 employees below the executive level and 200 C-suite executives to determine how well each group can identify scams and whether a gap in awareness exists between the two.
Key phishing statistics
- On average, 56% of people couldn't spot the real emails amongst the fake ones
- C-suite executives were better at detecting legitimate emails from business messaging applications like Slack and password management applications like Dashlane: 58% on average, vs an average of 36% of non-executive employees
- Entry-level graduates struggled the most in spotting the scam, with 68% failing.
- 27% of surveyed organisations see cyber security as a low priority for directors, trustees, and other senior managers[1]
- 67% of people feel confident in their ability to spot an AI-generated scam
- Overall, most people were fooled by AI-generated scams: 64% of non-executive employees and 66% of C-Suite executives could not identify an AI-generated scam
- Nearly 90% of C-suite executives said they are confident they could spot an AI scam, yet 66% struggled to detect it when put to the test.
Naveed Islam, Chief Information Security Officer at Dojo, comments:

“Our research discovered that, on average, 56% of the UK workers surveyed could not detect the real emails from the phishing scams, with just half correctly defining the term ‘phishing’. This highlights a stark gap in knowledge, which can be addressed by investing in people and building their confidence around phishing emails through targeted training and regular awareness initiatives. These are proactive hygiene-based steps that can significantly reduce long-term risks and prevent costly security incidents.”
Naveed added, “On the need for investment, organisations are facing competing financial demands; however, not prioritising the protection of their data and capital can pose significant risks to the areas where investment is being placed. For businesses with the capacity to invest in cybersecurity, it’s essential to recognise the importance of proactive technical and non-technical (often in the form of training and SOPs) security strategies to mitigate long-term risks and avoid potential damage.”
Approximately 612,000 UK businesses faced a cyber attack in the past year
Just over four in ten businesses (43%)[1] reported having experienced any kind of cybersecurity breach or attack in the last 12 months, equating to approximately 612,000 UK businesses.
Of these attacks, phishing has remained the most significant risk to businesses since 2020, experienced by 85% of businesses during this period[1]. Alarmingly, the threat continues to grow - phishing attacks on UK businesses rose by 2% from 2024 to 2025[1].

Overall costs for all businesses rose by 32% since 2024
Despite cyber attacks dropping by 10% for all businesses, total costs rose significantly. Overall, business costs increased by 31% over 3 years, on average.
In the last 12 months, businesses lost £1,600 on average, compared to £1,205 in 2024: a spike of 32%.
However, medium to large businesses spend more than twice as much to recover as businesses overall: on average, their most disruptive breach cost them £3,350.
SMEs hit harder by cyber attacks as enterprise costs fall
While micro and small businesses fell victim to fewer cyberattacks (35% from 47% and 42% from 58%), their costs rose by 93%. The average total cost of micro/small businesses' most disruptive breach was £1,510 compared to £780 in 2023.
When looking at the last 3 years, micro and small businesses saw cybercrime costs rise by 91%.
Enterprise attacks have stayed relatively consistent since 2021 but their costs have dropped. In the last 12 months, costs have dipped by 69%: £3,350 compared to £10,830.
Over half know what phishing is, but 56% couldn't detect the real emails from the scams
We gave 1,800 non-executive employees and 200 C-suite executives six mock emails overall; four were fake and two were real. When considering all six emails, 56% of workers couldn't detect the real emails from the phishing scams.*
Two groups, C-suite executives and non-executive employees, were surveyed. Each group was shown six emails in total, including three identical emails that were shared across both groups. The remaining emails were unique to each group. Overall, the majority (53%) failed to detect the phishing scams.
Both groups were also presented with a phishing email generated by AI to understand which group was more likely to spot an AI scam. The results below are based on the percentage of people who fell for each scam:
Non-executive Employees:
- AI-generated CEO scam 64%
- Google Sheets scam 58%
- Google alert 52%
- Dropbox scam 48%
C-suite executives:
- AI-generated scam 66%
- Google alert scam 58%
- Google Sheets scam 52%
- Dropbox scam 51%
If these emails had landed in their inboxes, falling for the scams could have led not only to potential financial loss but also exposed the recipient to the risk of reputational damage and operational disruption.
In the last 12 months, the estimated average total cost for businesses from their most disruptive breach or attack was £1,600, underlining the value of training and informing staff[1].
After a cybersecurity breach, taking action is crucial in minimising future risks and strengthening business security. However, just 32% of businesses have guidance on when to report a cyber breach or attack externally, meaning that reporting outside of organisations remains uncommon[1].
On average, nearly half of Brits missed the spelling mistake in this scam

48% of non-executive employees and 51% of C-suite executives were unable to correctly identify the Dropbox email as a scam. Respondents overlooked three key phishing techniques that indicated the email was not legitimate: a misspelling of “button” as “buton”, persuasive language encouraging the recipient to download an unknown folder, and a suspicious sender address. The address used in the fake email, “no-reply@dropboxhelp.com”, differs from Dropbox’s legitimate email domain, “no-reply@em-s.dropbox.com”, which also displays a blue verified tick and branded profile image.
Less than half (47%) identified this ‘Google alert’ email as a scam

Overall, 47% of Brits surveyed guessed this email was a scam. When broken down, 52% of non-executive employees and 58% of C-suite executives were unable to detect that this Google alert was actually a scam and that the link should not be clicked. Hypothetically, clicking ‘Check activity’ in this situation would have led to the receiver falling victim to a scam.
The key element that respondents missed was an incorrect Google domain. Legitimate emails from Google will always come from their verified ‘no-reply@accounts.google.com’ email address. The website domain was inaccurate too; official Google notifications will direct users to ‘https://myaccount.google.com/notifications’.
Over half (57%) couldn't spot this ‘Google Sheets’ scam

58% of non-executive employees and 52% of C-suite executives did not identify this email as a scam. This email contained several red flags: the sender used an incorrect Google domain ending in .net instead of Google’s legitimate .com; the sender’s email address didn’t match the brand name mentioned in the subject line and spreadsheet (Subject: Nextorasolutions, Email domain: Nextoresolutions); and, as a general rule, you should never open a spreadsheet from an unknown sender.
According to the UK Cybersecurity Survey, a significant gap in preparedness persists, as only 32% of UK businesses conducted any cybersecurity training or awareness sessions following their most disruptive breach or attack, leaving them vulnerable to further breaches[1].
Who was better at detecting the real emails from the phishing scams?

Among the six emails that were shown to our pool of 2,000 respondents, there were two legitimate emails. Overall, just 38% correctly identified the two legitimate emails as real, but how does this differ when we compare non-executive employees to C-suite executives?
C-suite executives were better at detecting legitimate emails from the business messaging application Slack and the password management application Dashlane, recognising them 58% of the time on average. Non-executive employees struggled far more, with only 36% on average recognising them as legitimate.
More non-executive employees (40%) guessed the Dashlane email was real over the Slack email (37%); this could be due to fewer having access to Slack.
Overconfidence in spotting AI scams is stopping Brits from detecting them
We also asked ChatGPT to write us two AI-generated scams, one for non-executive employees and one to target C-suite executives. Although it only gave us examples of scams, these can easily be personalised by scammers to target businesses.
Worryingly, ChatGPT informed us of the common tactics scammers use and how to incorporate them into an email. It also called out the red flags in the scam, which cybercriminals could use to their advantage by changing the content of the emails to make them harder to detect as a cyber attack.
64% of non-executive employees couldn't detect the AI CEO scam

In the past 12 months, 34% of businesses have experienced an impersonation scam, which is when others impersonate your organisation or your staff in emails or online. According to UK Finance, 7.8 million was lost to CEO fraud in the first half of 2024[2], highlighting that employees are a big target for scammers.
We created a CEO scam, simulating when cybercriminals impersonate a CEO or other high authority positions in an attempt to trick employees into handing over sensitive payment information.
64% of non-executive employees surveyed couldn't spot the red flags and thought the AI-generated scam was real. When looking at job roles, entry-level graduates struggled the most in spotting the scam, with 68% failing.
They overlooked the urgent wording used by the scammer, such as ‘quick signature’ and ‘end of the day’. The scammer also pushed recipients to sign the suspicious attachment and urged them to stay on email without validating the request by other means, such as a phone call.
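The red flags described for the Dropbox, Google alert and Google Sheets emails above, and the pressure wording in this CEO scam, are all things a mail-filtering rule or a triage script can check before a human ever reads the message. The following is an added example written for this page; it is not Dojo's code and not a product. The legitimate sender addresses and notification URL are the ones the article names; the lookalike domains used in the sample messages, the Dropbox link domain, and the extra urgency phrases are constructed assumptions, labelled as such in the comments. Spelling mistakes such as “buton” are deliberately left to the human reviewer.

```python
"""Heuristic checks for the phishing indicators discussed in the article.

Added example, not Dojo's code. Sender domains and the Google notification
URL are taken from the article; everything marked "assumption" or
"constructed" below is made up for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand -> sender domains the article names as legitimate (extend per tenant).
KNOWN_SENDERS = {
    "dropbox": {"em-s.dropbox.com"},
    "google": {"accounts.google.com"},
}
# Brand -> registrable domain a genuine link should sit under (assumption).
KNOWN_LINK_DOMAINS = {"dropbox": {"dropbox.com"}, "google": {"google.com"}}
# Pressure phrases: the first two are quoted from the article's CEO scam,
# the rest are assumptions.
URGENCY_PHRASES = ("quick signature", "end of the day", "immediately", "urgent")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registrable(host):
    """Last two labels of a hostname: adequate for .com/.net, not for e.g. .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-letter lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    sender_label = sender_domain.split(".")[0]
    subject = msg.get("Subject", "")
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{subject} {body}".lower()
    findings = []

    # 1. A brand is named, but the sender is not that brand's known sender.
    for brand, senders in KNOWN_SENDERS.items():
        if brand in text and sender_domain not in senders:
            findings.append(f"sender {sender_domain} is not a known {brand} sender")

    # 2. A brand is named, but a link leaves the brand's registrable domain.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        for brand, domains in KNOWN_LINK_DOMAINS.items():
            if brand in text and registrable(host) not in domains:
                findings.append(f"link host {host} is outside {brand}'s domain")

    # 3. The subject names an organisation that is a near-miss of the sender domain
    #    (the Nextorasolutions / Nextoresolutions pattern from the article).
    for word in re.findall(r"[a-z]{6,}", subject.lower()):
        if word != sender_label and 0 < edit_distance(word, sender_label) <= 2:
            findings.append(f"subject name {word!r} resembles sender {sender_label!r}")

    # 4. Pressure language that pushes the reader to act without verifying.
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency phrasing: " + ", ".join(hits))
    return findings


# Constructed sample messages modelled on the article's descriptions.
DROPBOX_SCAM = (
    "From: Dropbox <no-reply@dropboxhelp.com>\n"
    "Subject: A folder was shared with you\n\n"
    "Click the buton below to download the folder.\n"
    "https://dropboxhelp.com/download/folder\n"          # constructed link
)
GOOGLE_ALERT_SCAM = (
    "From: Google <no-reply@accounts.google-alerts.net>\n"  # constructed lookalike
    "Subject: Security alert\n\n"
    "New sign-in on your Google Account. Check activity:\n"
    "https://myaccount.google-alerts.net/notifications\n"   # constructed lookalike
)
GOOGLE_SHEETS_SCAM = (
    "From: docs@nextoresolutions.net\n"
    "Subject: Nextorasolutions shared a Google Sheet with you\n\n"
    "Open the spreadsheet: https://docs.google.com/spreadsheets/d/CONSTRUCTED\n"
)
CEO_SCAM = (
    "From: CEO <ceo@example.com>\n"
    "Subject: Quick signature needed\n\n"
    "Please sign the attached agreement before the end of the day and reply here.\n"
)
LEGIT_DROPBOX = (
    "From: Dropbox <no-reply@em-s.dropbox.com>\n"
    "Subject: Your weekly summary\n\n"
    "https://www.dropbox.com/home\n"                       # assumption: genuine host
)

if __name__ == "__main__":
    for name, sample in [("dropbox", DROPBOX_SCAM), ("google alert", GOOGLE_ALERT_SCAM),
                         ("google sheets", GOOGLE_SHEETS_SCAM), ("ceo", CEO_SCAM),
                         ("legit dropbox", LEGIT_DROPBOX)]:
        print(name, "->", analyse(sample) or ["no findings"])
```

The checks deliberately produce findings rather than a verdict: a single hit (an unfamiliar sender, a lookalike name, a deadline) is a reason to verify by another channel, which is exactly the step the article says respondents skipped.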
Over half of C-suite executives were fooled by this AI scam

Our data revealed that C-suite executives are overconfident in spotting an AI scam. Nearly 90% felt confident they could spot an AI phishing email, but 66% struggled to detect it when put to the test. Out of all executives, founders found it the hardest to detect the AI-generated scam (73%).
Cyber Protect Officer at City of London police advises on business cyber security
Daniel Houghton, Cyber Protect Officer at City of London Police, told Dojo:
“In a world where communications and businesses are moving more into the digital realm, cyber security has never been so important; and with the uptake in AI by cyber-criminals expanding their reach and capabilities, now more than ever cyber-crime needs to be at the forefront of our security posture.
“However, the Hollywood image of a hacker furiously typing away on a computer is far from the truth - cyber criminals rarely hack systems, instead targeting people using phishing campaigns and social engineering. Up to 88%[3] of cyber security breaches can be attributed to human error – be that weak passphrases, poor digital hygiene or clicking links in emails, clearly demonstrating that cyber security starts and finishes with the people in your organisation.
“If you foster good practices and a positive mindset around cybersecurity, then your weakest link can become your strongest asset. Empowering staff to spot, highlight and report suspicious emails is the key to preventing your organisation from becoming a victim of crime, and with the average cost of a cyber breach being $4.88 million (approximately £3.8 million, based on the exchange rate at the time of the report) [4] – can your organisation afford to be complacent?”
If you are ever unsure about whether an email is trustworthy, Daniel advises:
- Do not click on links or open attachments from unknown senders
- Be aware that even ‘unsubscribe’ buttons can be malicious links
- Use password managers to assist you in keeping your login details secure
- Do not allow yourself to be pressured into clicking links, paying invoices, or acting in a way you wouldn’t normally – Stop! Think Fraud
- If in doubt, verify the sender before you take any other action
While you safeguard your business, we protect your payments
Fraud comes in many forms, and cyber fraud attacks can also happen in person. That's why our card machines are equipped with point-to-point encryption (P2PE) to add an extra layer of security, minimising the risk of data breaches and providing both customers and business owners with peace of mind when handling transactions.
Methodology
The research was conducted by Censuswide, among a sample of 2,000 UK Workers, including 200 CEOs, aged 16+. The data was collected between 20.03.2025 - 25.03.2025. Censuswide abides by and employs members of the Market Research Society and follows the MRS code of conduct and ESOMAR principles. Censuswide is also a member of the British Polling Council.
*Average percentage of respondents who did not get each question correct; figures are the inverse of those who answered correctly, excluding questions not seen by all.
Sources:
[2] https://www.ukfinance.org.uk/system/files/2024-10/Half%20Year%20Fraud%20Report%202024.pdf
[3] Stanford University and Tessian report 2020: “Psychology of Human Error”
[4] https://www.ibm.com/reports/data-breach
[5] Business size definitions:
- Micro business: Businesses with 1 to 9 employees
- Small business: Businesses with 10 to 49 employees
- Medium business: Businesses with 50 to 249 employees
- Large business: Businesses with 250 or more employees