UK firm nearly loses £500,000 to complex year-long scam

Ryan Brothwell
Key Points

  • A UK travel firm nearly lost £500,000 to a vishing scam built on 12 months of attacker research, according to the Cyber Security Breaches Survey 2025/2026.
  • Vishing replaces email phishing with voice calls and uses harvested personal details to trick targets into authorising payments or sharing credentials.
  • Phishing accounts for 93% of all cyber crimes against UK businesses, with an estimated 5.13 million incidents in the past year.
  • 43% of UK businesses experienced a cyber breach or attack in the last 12 months, equating to roughly 612,000 firms.
  • UK consumers face the same techniques through fake bank calls, HMRC scams and bogus parcel delivery notifications.

A UK travel firm nearly lost £500,000 to a voice phishing scam built on a year of attacker research, the government’s latest Cyber Security Breaches Survey reveals.

The unnamed travel and tourism business shared the incident through qualitative interviews for the Cyber Security Breaches Survey 2025/2026, which the Department for Science, Innovation and Technology (DSIT) and the Home Office commissioned and research agency Ipsos conducted.

Attackers spent 12 months compiling background information on a specific employee before placing fraudulent phone calls designed to authorise a £500,000 transfer.

Vishing swaps the email element of traditional phishing for voice calls or voice messages that exploit trust in phone conversations, and the survey presents the case as evidence of growing attack sophistication targeting UK organisations.

A rise in sophisticated attacks

The Department noted that it is unclear whether the perceived increase in phishing attacks, particularly among larger organisations, reflects an actual increase in targeted attacks or the growing sophistication of IT resources and software that are able to monitor phishing attacks.

UK businesses experienced approximately 5.13 million phishing cyber crimes in the past 12 months, the survey of 2,112 organisations estimates.

Phishing accounted for 93% of all cyber crimes against UK businesses and 95% of those against charities, with 18% of all UK firms falling victim to phishing cyber crime in the year.

The median business hit by any cyber crime experienced three incidents, but the average reached 19, pointing to heavy repeat targeting at a minority of firms.

Qualitative respondents told the survey that phishing has also become easier and more accessible for attackers, with one large business reporting a noticeable rise in amateur attempts using freely available scripts alongside more advanced cases like the £500,000 vishing attack.

What to watch out for

Vishing techniques mirror those targeting UK consumers daily through fake bank calls, fraudulent HMRC tax demands and bogus parcel delivery notifications.

The year of background research that nearly cost the travel firm £500,000 takes a less elaborate form against consumers, where attackers harvest personal details from social media or earlier data breaches before placing convincing calls.

The National Cyber Security Centre’s Cyber Aware campaign offers free guidance for individuals and small businesses, and recognition of the campaign rose to 30% of UK businesses and charities this year, reversing several years of decline.

Consumers facing a suspected vishing call should hang up and dial the organisation back on a verified number from official correspondence rather than any number the caller supplies.