UK Reports Warn of Persistent Basic Cybersecurity Gaps and Rising Social-Engineering Risk
UK reporting highlighted persistent weaknesses in baseline cyber hygiene and a growing expectation that phishing and social engineering will succeed against many organizations. A Vodafone Business-commissioned snapshot cited by Tech Radar/SC Media reported that 63% of UK businesses feel more exposed to cyberattacks than a year ago, 71% of leaders think employees are vulnerable to phishing, and staff reuse work passwords across an average of 11 personal accounts; only 45% of organizations said all staff had completed basic cyber awareness training. The same coverage noted increasing concern about AI-enabled scams and deepfakes, with 70% reporting greater suspicion of video calls impersonating senior leaders, and pointed to the UK government’s planned Telecommunications Fraud Charter as part of broader anti-fraud efforts.
Separately, the Bank of England’s 2025 CBEST review (summarized by The Register) found that regulated financial firms and financial market infrastructures (FMIs) still commonly fail on fundamentals observed during 13 CBEST assessments and regulator-backed penetration tests, including weak access controls, poor password practices, misconfigured and inconsistently patched systems, and gaps in intrusion detection and vulnerability management. The report emphasized that firms should be prepared to handle breaches rather than relying only on preventive controls, and that weak security culture enables attackers to bypass controls via social engineering; it also warned that inadequate helpdesk identity-verification processes can enable fraudulent credential access, with the NCSC noting such tradecraft aligns with groups like Scattered Spider.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
UK government prepares Telecommunications Fraud Charter
SC Media reported that the UK government's Telecommunications Fraud Charter was forthcoming as part of efforts to strengthen national defenses against cybercrime. The measure was presented as a regulatory response to evolving fraud and cyber threats facing UK businesses.
Vodafone Business data shows rising cyber risk for UK organizations
Vodafone Business reported that 63% of UK businesses felt more vulnerable to cyberattacks over the previous year, more than 10% might not survive a major attack, and only 45% had ensured all staff completed basic cyber awareness training. The findings also highlighted password reuse and growing concern over AI-enabled scams and deepfake impersonation.
BoE's 2025 CBEST review finds persistent basic security gaps in UK finance
The Bank of England's 2025 annual CBEST review, based on 13 regulator-backed assessments of regulated firms and financial market infrastructures, found recurring weaknesses such as poor access controls, weak password practices, misconfigurations, inconsistent patching, and inadequate monitoring. The review said many issues persisted from 2023 and 2024, though some improvement was noted, including MFA no longer featuring among the primary failures.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Email-Borne Social Engineering and Credential Theft Risk
Recent coverage emphasized that **phishing and social engineering via email** remain a primary initial access vector, with attackers increasingly blending into routine workflows (emails, meeting invites, and trusted SaaS notifications). TechTarget highlighted that user judgment is often the last control when filters fail, citing the *Microsoft Digital Defense Report 2025* claim that **28% of breaches** trace back to phishing/social engineering, and noting reports of spam relayed through **legitimate Zendesk domains/instances** (e.g., leveraging recognizable brands) to bypass filtering and drive credential theft or follow-on access. Separate reporting and guidance reinforced how attackers operationalize these patterns: The Hacker News described **Operation Nomad Leopard**, a spear-phishing campaign targeting Afghan government entities using government-themed decoys and a **GitHub-hosted ISO** that drops a **LNK** to execute a **FALSECUB** backdoor capable of remote command execution. Other items in the set were largely general best-practice or “common threats” explainers (password hygiene, generic threat overviews) rather than incident-specific intelligence, but they align with the same overarching risk theme: weak/reused passwords and routine email behaviors continue to enable account takeover and downstream compromise.
Mar 21, 2026
Reports Highlight Shift Toward Identity-First Attacks and Phishing-Driven Intrusions
Recent reporting and vendor research indicate threat actors are increasingly prioritizing **identity-based intrusion paths**—notably phishing, credential theft, and **Business Email Compromise (BEC)**—over traditional vulnerability exploitation as the most common initial access vector. A Darktrace report cited by SC Media describes identity breaches as the leading entry point, alongside broader trends including accelerated breach tempo, increased automation, and “converging” tactics; it also notes exploitation can occur **before public disclosure** and that overall **CVE volume rose by 20%+ year-over-year**. Email remains a dominant delivery mechanism in these identity-first campaigns. Darktrace telemetry referenced by SC Media reported **32M+ high-confidence phishing emails** across its customer base, with many messages bypassing baseline controls (including **70% passing DMARC**), targeting executives, using **malicious QR codes**, and leveraging newly registered domains. Separately, a SOCRadar analysis frames the U.S. financial sector as a disproportionate target for phishing and dark-web activity, emphasizing AI-enabled crime, persistent BEC, and third-party/supply-chain risk, and citing metrics such as **~48% of global financial phishing activity** and **~23.5% of finance-related dark web threat activity** attributed to the U.S. market.
Mar 21, 2026
Persistent Failures in Cybersecurity Awareness Training and Human-Centric Defenses
Despite years of investment in cybersecurity awareness campaigns and training, organizations continue to struggle with fundamental security issues such as poor password hygiene and susceptibility to phishing attacks. A recent discussion among cybersecurity journalists highlighted that nearly 30% of companies still rely on outdated password policies, while only a small fraction have adopted more secure passphrase approaches recommended by experts. The persistence of these problems underscores the limited effectiveness of current training programs, even as organizations face increasingly sophisticated threats targeting human vulnerabilities. The ongoing challenges are exacerbated by the shift to hybrid workforces, which has rendered traditional perimeter-based security models obsolete and increased the attack surface for social engineering and credential-based attacks. Security experts emphasize the need for organizations to move beyond checkbox training and adopt more robust identity and behavioral detection strategies, as threat actors like Scattered Spider exploit weaknesses in identity systems and cloud environments. The failure to address these human-centric risks leaves organizations exposed to both basic and advanced cyber threats, highlighting the urgent need for a strategic overhaul of security awareness and identity protection measures.
Mar 21, 2026