Email has always been the most reliable way to attack a business. It reaches every employee directly, it carries authority and urgency, and it exploits something that no firewall can patch: human judgement.
For years, the defence was reasonably straightforward. Train your staff to spot suspicious emails. Look for poor grammar, unexpected senders, odd requests for payment or login credentials. If something feels wrong, it probably is.
That playbook is now outdated. AI has changed phishing in a fundamental way, and the UK’s threat statistics make uncomfortable reading. Fortunately, there is a technical defence that does not rely on employees spotting fakes at all.
The Scale of the Problem in the UK
The 2025 UK Cyber Security Breaches Survey found that phishing remains the dominant attack method by a significant margin. Of all UK businesses that experienced a cyber breach in the past year, 85% were hit by phishing. Not malware. Not network intrusion. Phishing, via email.
That figure alone would be alarming. What makes 2026 different is what is behind those numbers. According to recent threat intelligence, 82.6% of phishing emails now incorporate AI in their construction, a 53.5% increase year on year. These are not emails dashed off by a fraudster in a hurry. They are carefully composed messages, personalised to the recipient, written in fluent English, and designed to pass casual inspection.
The old tell-tale signs (clumsy phrasing, generic greetings, implausible scenarios) are disappearing. Modern AI-generated phishing emails read like messages from a real colleague, a genuine supplier, or a trusted partner. And increasingly, they come from exactly those sources.
The “Harvest Now, Decrypt Later” Problem
State-sponsored cyber actors are already intercepting and storing encrypted data today, even though they cannot yet read it. The strategy is straightforward: collect everything now, then decrypt it once a sufficiently powerful quantum computer exists.
For data that only needs to be secret for a few months, this is not an immediate concern. But consider what many UK businesses hold: long-term contracts, intellectual property, financial records, patient data, employee information, legal communications. If any of that data needs to remain confidential for more than five to ten years, it is potentially already at risk.
This is why the NCSC’s position is not “wait until quantum computers arrive.” It is “start preparing now, because waiting until arrival is too late.”
Why “It Came From a Real Account” Is No Longer Reassuring
One of the most significant shifts in the current threat landscape is that phishing emails are increasingly sent from legitimate, compromised accounts rather than from spoofed or lookalike domains.
Recent analysis found that over 57% of phishing emails originate from accounts that have already been taken over, not from external, obviously suspicious senders. This completely undermines one of the most common pieces of email security advice: “check the sender’s address.”
If the email genuinely comes from your supplier’s actual email account, because that account was compromised last week, then the address looks perfectly legitimate. The domain matches. The email history is real. The tone is consistent with previous correspondence. Even a security-aware employee has very little to work with.
This pattern is increasingly used in a particularly damaging type of attack known as Business Email Compromise (BEC), where fraudsters intercept supplier or partner communications and at the right moment substitute their own bank account details for legitimate ones. The UK loses hundreds of millions of pounds to BEC attacks every year. The businesses that fall victim are not careless. They are simply operating without the right tools.
The Specific Threats Facing UK Businesses Right Now
Beyond generic phishing, several specific attack patterns are causing significant damage to UK organisations in 2026.
CEO and executive impersonation. AI can now analyse a senior leader’s writing style from publicly available material (LinkedIn posts, press interviews, published emails) and produce messages that mimic their tone convincingly. An employee receiving a plausible message from what appears to be their managing director, asking for an urgent payment or the transfer of login credentials, faces a very difficult judgement call.
Supplier fraud. Attackers research your supply chain, identify your key vendors, and send invoices or payment requests that match your real supplier relationships. At 72% engagement rates in tested scenarios, these attacks are devastatingly effective. Staff respond because everything about the message looks right.
Invoice redirect fraud. A variant of BEC in which fraudsters intercept a genuine invoice exchange and send a near-identical version from a spoofed or compromised account, with only the bank details changed. By the time the discrepancy is discovered, the payment has already been made.
Deepfake-assisted phishing. AI audio and video tools now allow attackers to generate convincing voice messages or short video clips appearing to show a trusted person making a specific request. These are increasingly used alongside email campaigns to add a layer of apparent authenticity.
None of these attacks are defeated by spam filters. They look legitimate because, in many cases, they use legitimate infrastructure. The only reliable defence is one that operates at the level of cryptographic proof rather than visual inspection.
What S/MIME Certificates Actually Do
S/MIME stands for Secure/Multipurpose Internet Mail Extensions. It is the established standard for email security at the message level, and it addresses the phishing threat in a direct and technically robust way.
When a sender has an S/MIME certificate installed in their email client, every email they send carries a digital signature. That signature is generated using the sender’s private key, which only they hold, and it can be verified by the recipient using the sender’s public key, which is embedded in the certificate issued by a trusted certificate authority.
What this means in practice is simple and powerful. When you receive a digitally signed email from someone with an S/MIME certificate, your email client can confirm with certainty that:
- The email genuinely came from the person named in the certificate
- The content of the email has not been altered in transit
- The sender’s identity was verified by a trusted third party when the certificate was issued
If any of those checks fail, your email client displays a warning. If an attacker compromises a colleague’s email account and sends a fraudulent message, it will not carry that colleague’s valid digital signature. The absence of a signature, or the presence of an invalid one, is an immediate, objective indicator that something is wrong.
This is the critical difference between S/MIME and every other email security measure. It does not ask employees to make a judgement call. It provides a definitive cryptographic answer to the question “did this email actually come from who it claims?”
S/MIME Also Encrypts Your Email Content
Digital signing is S/MIME’s most important anti-phishing capability, but the standard also provides end-to-end encryption for email content.
When you send an encrypted email using S/MIME, the message content is encrypted using the recipient’s public key. Only the recipient, holding the corresponding private key, can decrypt and read it. Not your email provider. Not any server the message passes through. Not an attacker who intercepts the message in transit.
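The signing and encryption behaviour described in the two sections above can be exercised end to end with the openssl command-line tool, which is what mail clients and gateways wrap internally. The script below is an added example, not code from this article or from buyssl.co.uk. It assumes openssl is installed and constructs everything else itself: a throwaway CA standing in for the trusted certificate authority, certificates for two invented mailboxes (alice@example.com and bob@example.com), and a short invoice message. It then shows the three outcomes the text relies on: a genuine signed message verifies, the same message with its account number altered after signing fails, and a message signed with a key the CA never certified for that address fails; finally it encrypts the body to Bob and shows that only Bob's private key recovers it.

```shell
#!/bin/sh
# Added example (not from the article): S/MIME signing, verification and
# encryption with the openssl CLI. All names, addresses and message text are
# constructed for the demo; the throwaway CA stands in for a real trusted CA.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# The "trusted certificate authority": recipients trust ca.crt and nothing else.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Mail CA" -keyout ca.key -out ca.crt 2>/dev/null
}

# Issue an S/MIME certificate for one mailbox: the user's own key pair and
# CSR, then a CA signature that binds the address to the public key and adds
# the extensions mail clients expect (email SAN, emailProtection EKU).
issue_user_cert() {  # $1 = short name, $2 = email address
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$1/emailAddress=$2" 2>/dev/null
    printf 'subjectAltName=email:%s\nextendedKeyUsage=emailProtection\nkeyUsage=digitalSignature,keyEncipherment\n' \
        "$2" > "$1.ext"
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 30 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# Clear-sign a message body with the sender's private key. The signer's
# certificate travels inside the message so any recipient can verify it.
sign_message() {  # $1 = body file, $2 = signer short name, $3 = From address, $4 = output .eml
    openssl smime -sign -in "$1" -signer "$2.crt" -inkey "$2.key" \
        -from "$3" -to bob@example.com -subject "Invoice 1042" -out "$4"
}

# What the recipient's client does: check the signature against the content
# and chain the signer's certificate back to the trusted CA. Prints ok/FAILED.
verify_message() {  # $1 = signed .eml
    if openssl smime -verify -in "$1" -CAfile ca.crt -out /dev/null 2>/dev/null; then
        echo ok
    else
        echo FAILED
    fi
}

# Encrypt a body to the recipient's certificate (public key); only the
# matching private key can open it.
encrypt_message() {  # $1 = body file, $2 = recipient short name, $3 = output .eml
    openssl smime -encrypt -aes256 -in "$1" -out "$3" "$2.crt"
}

# Decrypt with the recipient's private key. CRs added by MIME canonicalisation
# are dropped so the result compares equal to the original body.
decrypt_message() {  # $1 = encrypted .eml, $2 = recipient short name
    openssl smime -decrypt -in "$1" -recip "$2.crt" -inkey "$2.key" | tr -d '\r'
}

make_ca
issue_user_cert alice alice@example.com
issue_user_cert bob   bob@example.com

printf 'Please pay invoice 1042 to sort code 00-00-00, account 12345678.\n' > body.txt

sign_message body.txt alice alice@example.com signed.eml
echo "genuine signed message:         $(verify_message signed.eml)"    # ok

# The invoice-redirect scenario: account number changed after signing.
sed 's/12345678/87654321/' signed.eml > tampered.eml
echo "same message, account altered:  $(verify_message tampered.eml)"  # FAILED

# A message signed with a key the CA never certified for this address.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=alice/emailAddress=alice@example.com" -keyout other.key -out other.crt 2>/dev/null
sign_message body.txt other alice@example.com untrusted.eml
echo "signed with an uncertified key: $(verify_message untrusted.eml)" # FAILED

# Confidentiality: encrypt to Bob; only bob.key recovers the text.
encrypt_message body.txt bob encrypted.eml
echo "recipient decrypts: $(decrypt_message encrypted.eml bob)"
```

Two things in the output are worth relating back to the text. The tampered copy fails even though it was genuinely signed by Alice a moment earlier, which is the "content has not been altered in transit" guarantee; and the message signed with a key that merely claims alice@example.com fails because verification is anchored in the CA, not in the address string. A mail client reporting these results is applying exactly the same checks.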
For UK businesses handling sensitive information by email, whether that is legal correspondence, financial data, HR matters, or client information subject to GDPR, this is meaningful protection. The Information Commissioner’s Office has been clear that organisations are expected to take appropriate technical measures to protect personal data. Email encryption is one of the most direct ways to meet that expectation for communications sent outside your organisation.
Who Needs S/MIME Most?
Any business that communicates sensitive information by email benefits from S/MIME. But certain sectors and roles face elevated risk that makes the case particularly strong.
Finance teams are the primary target of BEC and invoice fraud. A digitally signed email policy for all finance communications, where unsigned payment requests or bank detail changes are automatically treated with suspicion, is a powerful procedural control.
Legal and professional services firms handle confidential client information daily. Email encryption provides a technical guarantee of confidentiality that supplements contractual obligations.
Healthcare organisations are subject to strict data protection requirements around patient information. Email encryption is a straightforward technical measure that demonstrates appropriate safeguarding.
SMEs working with larger clients or in supply chains are frequently targeted as the weakest link. An attacker who cannot get through a large corporation’s defences will look for a smaller supplier or contractor whose email communications with that corporation can be intercepted or spoofed.
Any business with remote or hybrid workers is communicating more by email than ever, across a wider range of networks and devices. Cryptographic verification of email identity is a more reliable control than expecting every employee to manually scrutinise every message they receive.
The Practical Case for S/MIME Over Staff Training Alone
Staff awareness training is valuable and should form part of any business’s security approach. But it has a structural limitation: it places the entire burden of defence on human judgement, at the moment when that judgement is most likely to be impaired.
Phishing attacks are engineered to create urgency, exploit authority, and mimic trusted relationships. They are timed to arrive when recipients are distracted, under pressure, or expecting a relevant communication. The attacker chooses the conditions. The employee has to respond in the moment, with whatever information is in front of them.
S/MIME shifts the balance. It provides an objective, automated check that runs on every signed email, every time, without requiring the recipient to do anything beyond noticing whether the signature indicator is present. A business where every employee knows that genuine internal emails and supplier communications carry valid digital signatures has a clear, simple rule: if the signature is missing or invalid, escalate before acting.
That is a trainable, enforceable procedure. It does not depend on spotting subtle linguistic tells in an AI-generated message. It depends on the presence or absence of a cryptographic proof that no attacker can fake without access to the genuine sender’s private key.
Sources: NCSC “Timelines for migration to post-quantum cryptography” (2025); NCSC Post-Quantum Cryptography Pilot Scheme (2026); CA/Browser Forum Ballot SC-081v3.
Getting Started with S/MIME Certificates
S/MIME certificates are available for individual email addresses and can be deployed across an organisation. They work with all major email clients, including Microsoft Outlook, Apple Mail, and most enterprise mail platforms. The certificate is obtained from a trusted certificate authority, installed in your email client, and from that point forward your outgoing emails are automatically signed.
At an individual level, an S/MIME certificate from a recognised certificate authority is one of the most cost-effective security investments available. At an organisational level, deploying S/MIME across a team or company creates a network of mutual trust: everyone can verify everyone else, and departures from signed communications become immediately visible.
At buyssl.co.uk, we supply S/MIME certificates from leading certificate authorities, with straightforward setup guidance for individuals and businesses. If you are reviewing your email security in response to the growing AI phishing threat, or if you need to demonstrate appropriate technical safeguards for GDPR compliance, S/MIME is worth serious consideration.
The technology to verify email identity has existed for years. In 2026, with AI making fraudulent emails harder to detect than ever, the case for deploying it has never been stronger.
Sources: UK Cyber Security Breaches Survey 2025 (DSIT/NCSC); KnowBe4 Phishing Threat Intelligence 2025; Verizon Data Breach Investigations Report 2025; ICO guidance on encryption and data protection.