A third of British SMEs fell victim to phishing attacks during lockdown

Published on 21/05/2020 by Sonia Navarrete

Over half of the British workforce is now remote as a result of COVID-19. The transition from office to remote working has taken place successfully, however despite the majority of workers stating they are pleased with working from home, the adoption of security measures still has room for improvement.  


We surveyed British SMEs to understand how they are adapting to remote working since the beginning of the pandemic and what measures they have in place to make sure that information stays safe. 

Highlights of the study:

  • 30% of respondents have fallen victims to phishing attacks since the lockdown; with 45% of emails were related to Coronavirus.
  • A third of respondents use an identical password for all accounts.
  • SME employees share passwords with colleagues, and between personal and business accounts.

Phishing attacks on the rise since the beginning of the lockdown

One of the most significant results of the study was the increase of targeted phishing emails. Since the beginning of the lockdown, in the UK only, more than 30% of respondents have been victims of phishing emails, and almost half of those emails (45%) are related to coronavirus.

The National Centre for Cyber Security (NCSC) defines phishing emails as:

Phishing is when criminals try to convince you to click on links within a scam email or text message, or to give sensitive information away (such as bank details). Once clicked, you may be sent to a dodgy website which could download viruses onto your computer, or steal your passwords.

Cybercriminals can use real-world concerns for phishing emails to try and trick users into clicking on them and get personal information by taking them to a phishing site. Preparing employees to recognise this type of threat and potential attackers must be part of the routine of SMEs. 

Last month the NCSC launched a service to help individuals and companies that have been victims of a phishing scam. Emails that are suspicious of being malicious can be forwarded to the Suspicious Email Reporting Service (SERS), as a way to report any suspicious emails received. 

Tip: If you think you have been sent a phishing email, forward it to the SERS email address ([email protected]) to make sure it is not a phishing attack and compromises your company and your personal information.

Over a third of British SMEs use the same password across multiple sites

While SMEs are taking the necessary steps to ensure business continuity, Capterra’s research indicates that cyber security processes have been less efficient. Over a third of British SMEs (33%) have a main password that they use across multiple sites and over half of businesses share it always or in some cases (52%)  between personal and business accounts. 


According to the study, only 15% of respondents have strong passwords, with randomised letters, numbers, and characters. 


Passwords are often the only barrier to the most valuable data and information in your company. Educating employees about the importance of a strong password is a great way to encourage remote security in the workplace. 

Below we have outlined some do’s and don’ts for a strong and safe password: 


Password management software helps with managing and organizing passwords by synchronising them across devices and systems, generating random passwords based on best practices, and providing a centralised, secure location for them.
Authentication software stores information on users’ login details using two-factor authentication such as mobile phone or SMS to be able to access them. 

In addition to having a strong and secure password, it’s important to provide an extra layer of security. However, the results show the number of workers using firewalls (8%) and Virtual Private Network (VPN) (7%) is significantly low.

VPN software allows remote employees to access corporate network through an encrypted connection. VPNs are also a way to protect internal network servers from external, unauthenticated attackers, by limiting network access to authenticated devices. 

Tip: Using strong passwords is a great start, but looking at additional security while working remotely is vital. VPN software and authentication software is a good way to make sure that sensitive data such as passwords have an additional layer of security against potential attacks.

Raising employee awareness on security is key

The speed and the scale of the COVID-19 crisis has also had an impact on how companies prepared their employees for this new reality: 51% of the respondents indicate that someone within their organisation is responsible for cybersecurity and that they know who it is. However, a quarter, 24%, know that someone is responsible, but not exactly who. 


Tip: 15% of remote employees have not had any cybersecurity courses or training and that poses a significant risk to SMEs. These workers are the most vulnerable and can compromise company data. 

64% of remote workers have received training online or face-to-face, and with almost half of them using their personal device to work (40%), training is vital to avoid attacks. The results of the survey also demonstrate that the coronavirus crisis has shown the lack of preparation of SMEs for remote working.  

Employees that are trained doesn’t mean that they are experts in IT security. It is also important that they know who to contact in case of doubt or after a cyber attack. 

Employers and employees are equally responsible for protecting data and secure access to business applications. There are good cybersecurity tools to help companies with this, but there must also be a change in mentality. The consequences of a security breach can cause irreversible damage, and also harm the reputation of the business.

Want to know more about cyber security tools? Check out our list of cyber security software.

Survey methodology

To collect the data from this report, we conducted an online survey between 1st April 2020 and 8th April 2020. The responses come from a sample of the UK market. Of the 773 people who participated in the survey, we were able to identify 491 respondents that fit within our criteria:

  • UK resident
  • Employed by a small or mid-sized business
  • Employed full-time or part-time
  • Working remotely as a response to COVID-19.

The participants come from various business sectors and levels of seniority. 

This article may refer to products, programs or services that are not available in your country, or that may be restricted under the laws or regulations of your country. We suggest that you consult the software provider directly for information regarding product availability and compliance with local laws.

About the author

Senior Content Analyst at Capterra, helping SMEs choose the best software. Published in Raconteur, Computer Weekly and IT Pro. Journalist and PR. Nature, bike and dog lover.

Senior Content Analyst at Capterra, helping SMEs choose the best software. Published in Raconteur, Computer Weekly and IT Pro. Journalist and PR. Nature, bike and dog lover.


Get the latest software and technology news from the UK

Thank you for signing up!

You will receive a welcome email shortly.

We couldn't subscribe you.

An error occurred. Please try again later.

Follow Us