You get an email from HMRC. There is a tax refund waiting – over £700. There is a reference number, a paragraph lifted directly from the HMRC website, and a helpful link to start your claim. You are busy. It looks exactly right. You click.
Gordy McDonald demonstrated this scenario in Aviemore. He walked through a real phishing email line by line for 74 business owners. The latest UK government cyber-breach survey found that 93% of businesses said phishing was the primary attack method they faced. It starts more attacks than anything else because, at a basic human level, it works.
WHAT A BUSINESS OWNER SEES
A convincing email arrives from HMRC, a supplier, a courier, your bank, or your IT provider. The language is urgent: payment overdue, account suspended, delivery failed, action required. There is a link or an attachment. Everything looks plausible. You deal with emails like this every day.
WHAT IS REALLY HAPPENING
The sender’s address looks real. It might have one character changed or use a subdomain that hides where it really comes from. The link goes to a cloned login page that is visually identical to the real one. The moment you enter your credentials, they are sent to a server, often overseas. Gordy showed an example where reading the URL from right to left, as security experts are trained to do, revealed that it was routed through China.
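The right-to-left reading Gordy described can be turned into a small check. The Python below is an added example, not code from the article or from Police Scotland: it takes the host name apart from the right (the part that actually decides which server you reach), works out who controls that domain, and flags links where a trusted organisation’s name only appears further left, in the login part before an @, or in the path. The sample URLs, the `.example` domains, the trusted-domain list and the short suffix list are all constructed assumptions for the demo; real tooling would use the Public Suffix List.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample links (assumption: none of these are real addresses).
# The first mimics the pattern in the article: the trusted name sits on the LEFT,
# the domain that actually receives the click sits on the RIGHT.
SAMPLE_URLS = [
    "https://www.gov.uk.tax-refund-claim.example/hmrc/login",   # lookalike subdomain
    "https://www.gov.uk/government/organisations/hm-revenue-customs",  # genuine host
    "https://hmrc.gov.uk@refund-portal.example/claim",          # name hidden before '@'
    "http://203.0.113.10/hmrc/refund",                          # bare IP address
]

# Assumed: domains the business actually trusts (add your bank, IT provider, etc.).
TRUSTED_DOMAINS = {"gov.uk", "hmrc.gov.uk"}

# Assumed: a tiny stand-in for the Public Suffix List, enough for the demo.
TWO_LABEL_SUFFIXES = {"co.uk", "gov.uk", "org.uk", "ac.uk", "com.au"}


def owner_domain(host: str) -> str:
    """Read the host from the right and return the part an owner registers.

    'www.gov.uk.tax-refund-claim.example' -> 'tax-refund-claim.example'
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_url(url: str) -> dict:
    """Classify a link as 'ok', 'lookalike', 'raw-ip' or 'unknown'."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Trust is decided by the RIGHT-hand end of the host only.
    trusted = any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)
    # Everything to the left of the real domain, plus the path, is where
    # a trusted name can be planted to mislead the reader.
    decoy_text = f"{parts.username or ''} {host} {parts.path}".lower()
    borrowed = sorted(d for d in TRUSTED_DOMAINS if d in decoy_text and not trusted)

    if trusted:
        verdict = "ok"
    elif is_ip_literal(host):
        verdict = "raw-ip"
    elif borrowed or parts.username:
        verdict = "lookalike"
    else:
        verdict = "unknown"

    return {
        "url": url,
        "host": host,
        "owner_domain": host if is_ip_literal(host) else owner_domain(host),
        "trusted": trusted,
        "borrowed_names": borrowed,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = analyse_url(u)
        print(f"{r['verdict']:<9} owner={r['owner_domain']:<28} borrowed={r['borrowed_names']}  {u}")
```

The point the code makes is the same one the talk made: the name you recognise is not what matters, the right-hand end of the host is. The `raw-ip` and `lookalike` verdicts are the ones to treat as a reason to stop and call the organisation on a number you already hold.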
Criminals then try the same username and password on your email, Microsoft 365, banking portal, and accounting software. They do not rush. They get in quietly, and they watch.
THE DETAIL MOST PEOPLE DON’T KNOW ABOUT
Once inside your inbox, criminals do not just read your emails and leave. They set up a hidden forwarding rule. This rule, unnoticed in regular use, secretly copies or redirects financial messages to them. You keep receiving your emails as normal. You have no idea. They sit and study how your business operates, how payments are approved, how you write, for weeks or months before making a move.
This is not a theoretical technique. It is exactly how Ken Ross’s six-figure loss happened. The criminals had been inside his email system long before anyone noticed.
Phishing is not primarily a technical attack. It is a psychological one. It exploits urgency, trust and distraction — the three things that define every normal working day.
ACTION THIS DAY
1. Turn on Multi-Factor Authentication for all accounts that offer it: email, banking, accounting software, Microsoft 365, and more. MFA means that even if someone steals your password, they still cannot get in without a second confirmation from your phone. If you do one thing from this entire series, make it this.
2. Please forward the address report@phishing.gov.uk to your team today. Add this note: if you get a suspicious email, send it here first. Do not forward a phishing email to colleagues to ask their opinion – if you do, you may spread the threat. Take a screenshot and report it. Since the service started, the UK public has sent in over 51 million scam emails. It works because people use it.
3. Check your inbox right now for any email rules you did not set. In Outlook: Settings > View all Outlook settings > Mail > Rules. In Gmail: Settings > See all settings > Filters and Blocked Addresses. If you see anything you do not recognise, call your IT provider today and do not wait.
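The hidden forwarding rule described earlier, and the manual check in step 3, can also be done programmatically once the rules are exported. The Python below is an added example, not code from the article or from any mail provider: it audits a list of mailbox rules and flags the combinations that match the pattern in the story, forwarding or redirecting to an address outside the business, deleting or marking messages as read so the owner never sees them, and keying on finance words. The rule records are constructed sample data whose shape is modelled on the Microsoft Graph messageRule resource (that shape, the business domain and the addresses are assumptions for the demo).

```python
"""Audit mailbox rules for the hidden-forwarding pattern.

Constructed sample data: the rules below are invented for the demo and are
shaped like Microsoft Graph 'messageRule' objects (assumption). In practice
you would export your real rules and pass them to audit_rules().
"""

ORG_DOMAIN = "example-business.co.uk"   # assumed: the business's own email domain
FINANCE_WORDS = ("invoice", "payment", "bank", "remittance", "bacs", "statement")
FORWARDING_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")


def recipient(address):
    """Build a recipient object in the assumed Graph shape."""
    return {"emailAddress": {"address": address}}


SAMPLE_RULES = [
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["news@"]},
     "actions": {"moveToFolder": "Newsletters"}},
    # The attacker pattern: one-character name, finance keywords, external copy,
    # then the original is marked read and deleted so the owner sees nothing.
    {"displayName": ".", "isEnabled": True,
     "conditions": {"subjectContains": ["invoice", "payment"]},
     "actions": {"forwardTo": [recipient("acc0unts.backup@mail.example")],
                 "markAsRead": True, "delete": True}},
    # A legitimate internal rule that still deserves a look because it touches money.
    {"displayName": "To finance", "isEnabled": True,
     "conditions": {"subjectContains": ["invoice"]},
     "actions": {"forwardTo": [recipient("finance@example-business.co.uk")]}},
    # Redirects everything, with no conditions, to an outside address.
    {"displayName": "Backup", "isEnabled": True,
     "conditions": {},
     "actions": {"redirectTo": [recipient("me.backup@webmail.example")],
                 "stopProcessingRules": True}},
]


def is_external(address: str) -> bool:
    return not address.lower().endswith("@" + ORG_DOMAIN)


def condition_text(conditions: dict) -> str:
    """Flatten every condition value into one lower-case string for keyword checks."""
    words = []
    for value in conditions.values():
        words.extend(str(v) for v in value) if isinstance(value, list) else words.append(str(value))
    return " ".join(words).lower()


def audit_rule(rule: dict):
    """Return a finding dict for a suspicious rule, or None if nothing stands out."""
    actions = rule.get("actions", {})
    name = rule.get("displayName", "")
    reasons, external_forward = [], False

    for action in FORWARDING_ACTIONS:
        for r in actions.get(action, []):
            address = r["emailAddress"]["address"]
            if is_external(address):
                external_forward = True
                reasons.append(f"{action} sends mail outside the business: {address}")
    hides = bool(actions.get("delete") or actions.get("markAsRead"))
    if actions.get("delete"):
        reasons.append("deletes matching messages")
    if actions.get("markAsRead"):
        reasons.append("marks matching messages as read")
    finance = sorted(w for w in FINANCE_WORDS if w in condition_text(rule.get("conditions", {})))
    if finance:
        reasons.append("matches financial keywords: " + ", ".join(finance))
    if len(name.strip()) <= 1:
        reasons.append("blank or one-character rule name")

    if not reasons:
        return None
    severity = "high" if external_forward or (hides and finance) else "review"
    return {"rule": name, "enabled": rule.get("isEnabled", True),
            "severity": severity, "reasons": reasons}


def audit_rules(rules):
    return [f for f in (audit_rule(r) for r in rules) if f]


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(f"[{finding['severity'].upper()}] rule {finding['rule']!r}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

Anything reported as high is the "call your IT provider today" case from step 3; a review finding is a rule the owner should at least be able to explain. Disabled rules are still reported, because a rule that has been switched off can be switched back on.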
CONVERSATION TO HAVE WITH YOUR TEAM
At your next meeting, ask everyone: if you got an email that seemed to be from me, asking for an urgent payment, what would you do? The right answer is to call a number you already know. Don’t reply to the email or call the number in the message. If that is not the instinctive answer from everyone in the room, that is what you need to build.
This is Article 4 in the Cyber Resilience for Business Owners series. It’s based on the Highlands and Moray Chambers Joint Cyber Resilience Event held in Aviemore in February 2026. Speakers: Gordy McDonald (Police Scotland), Mark Gallagher (Police Scotland), Ken Ross OBE DL.