How do cyber attacks usually start in small businesses?

Cyber risk in small businesses often grows before any incident is visible. It may begin with ordinary activity or ordinary decisions: a convincing email, a reused password, an exposed online service, a supplier account, fake support details, a browser session, a mobile message, a personal device used for work, or a system that has not been reviewed for some time.

This guide uses public breach reporting, vendor advisories and documented examples to explain common starting points for cyber attacks, without treating them as the only possible ways attacks can begin. The aim is to show why layered security matters in practice and why prevention, detection, limitation of impact and recovery planning need to work together.

The guide is not a complete list of every possible attack method. It focuses on common and well documented starting points that are relevant to small organisations, professionals and individuals who rely on email, websites, cloud services, mobile devices, suppliers and shared systems.

Use the links below to jump to the section most relevant to your question.

• Why cyber attacks often start with ordinary activity
• How phishing and fake messages lead to account access
• Why passwords, MFA, passkeys and session tokens all matter
• How fake support numbers and AI generated answers can mislead users
• Why suppliers, plugins and third party platforms can become part of the risk
• Why websites, hosting panels and public facing services need review
• Why accountability and unmanaged devices matter
• How AI makes familiar cyber attacks faster and more convincing
• Why one security product is not enough
• What small businesses can review first
• What this guide does not mean
• Supporting references
• Further Guidance and Support

Many cyber attacks begin with something ordinary. A person may open an email, follow a link, approve a sign in request, install a tool, reuse a password, grant access to a cloud application, or contact what appears to be a genuine support service.

The problem is not always that someone has done something obviously reckless. Modern systems rely on email, browsers, mobile phones, cloud accounts, suppliers, plugins, remote access tools and public facing services. Each of those areas can become part of the security chain.

This is why small organisations should not think only in terms of one device or one product. A small weakness in one area may become more serious if it connects to accounts, shared files, email, websites, backups, payment systems or supplier access.

Phishing remains one of the most common ways attackers try to gain access to accounts or information. The message may arrive by email, text message, chat message, social media, fake login page, or a link that appears to come from a familiar organisation.

The aim is often to make the user take an action. That action may be entering a password, approving a sign in prompt, opening an attachment, calling a number, making a payment, or visiting a page that collects account details.

Recent UK breach reporting continues to show phishing as a major issue for businesses. This matters because phishing is not only a technical problem. It relies on timing, trust, pressure, familiarity and the fact that people are trying to get work done.

A familiar platform does not automatically make a message safe. Some phishing campaigns use trusted services, document links, website builders, workflow tools or cloud hosted pages to make the request appear more credible. A warning about an account closure, copyright complaint, verification review, recruitment message or security alert should still be verified through a separate trusted source before entering passwords, approving sign in prompts, uploading identification, or sharing recovery information.

Email validation also matters because fraud often relies on trust in familiar domain names. If SPF, DKIM and DMARC are missing or weakly configured, criminals may find it easier to send messages that appear to come from an organisation’s domain, even though the messages were not authorised by that organisation. That can contribute to invoice fraud, payment redirection, fake login requests and other impersonation attempts.

SPF helps publish which sending systems are allowed to send email for a domain. DKIM adds a cryptographic signature to help prove that a message was authorised and has not been altered during delivery. DMARC ties SPF and DKIM to the visible From address and tells receiving servers what to do when a message fails validation. A DMARC policy of reject is the strongest anti spoofing position, but it should normally be reached through a staged process so legitimate email is not accidentally disrupted.

A Toronto Police investigation into mobile SMS blasters showed that fraudulent messages may sometimes be delivered through rogue mobile network equipment rather than ordinary messaging systems. Police reported tens of thousands of affected devices and more than 13 million network disruptions, with possible temporary impact on access to 911. This does not mean every text message is dangerous, but it shows why familiar looking messages still need careful verification.

For more detail, see our guide:

Email validation and security explained

Account access is one of the most important parts of modern security. A business may use cloud email, shared files, websites, payment platforms, supplier portals, remote support tools and administrative accounts. If one important account is misused, the effect may spread beyond one person.

Weak or reused passwords create risk because a breach at one service may be used to attempt access elsewhere. Multi factor authentication reduces that risk, but not every method gives the same level of protection. Passkeys and modern security keys can make the sign in process much more resistant to phishing because the user is not typing a reusable password into a website.

Even stronger sign in does not remove every other risk. Attackers may try to steal session cookies, abuse device code flows, persuade a user to approve an application, or make changes to account recovery settings. For that reason, authentication should be reviewed alongside device security, browser security, app permissions, recovery methods and monitoring.

Where a business uses single sign on, one compromised identity may provide access to several connected services. Attackers may try to impersonate IT support, direct users to fake sign in pages, capture MFA codes, register a new device, change recovery options, or create inbox rules to hide security alerts. Account security should therefore include monitoring for unusual device registration, suspicious inbox rules, unexpected application consent, changes to recovery methods, and changes to privileged roles, not only password strength.

Access should also follow the principle of least privilege. Administrative, domain level or sensitive permissions should be given only where they are genuinely needed, and to the minimum number of users. This reduces the impact if an account is compromised, misused or used by mistake.

For more detail, see our guide:

Are passkeys and security keys the same thing?

Not every attack begins with a malicious file or a fake invoice. Some begin when a person looks for help. A user may search for a customer service number, click an advert, read a forum post, ask an AI tool for support details, or respond to a message that appears to come from a known provider.

Fraudsters may try to place fake phone numbers, fake support pages or misleading instructions where users are likely to find them. The risk is greater when the user is under pressure and wants to fix a payment, account, delivery, banking, broadband, email or device problem quickly.

Virgin Media O2 has warned that fake customer service numbers can be surfaced by AI tools and search engines. Microsoft also warns that technical support scams may use phone calls, fake warnings, spoofed caller ID, remote access requests or payment pressure.

For support requests involving passwords, recovery codes, remote access, payments or account changes, contact details should be verified through the provider’s official website, app, bill, customer portal or known documentation.

For more detail, see our guide:

Can websites in Google search results still be dangerous?

Small organisations often depend on suppliers and third party platforms. These may include website plugins, cloud applications, browser extensions, payment providers, backup systems, email services, hosting platforms, outsourced support tools and AI tools and services.

This does not mean third party services are unsafe by default. The issue is the amount of trust and access given to them. A service may hold delegated permissions, API access, administrator rights, customer data, email access, file access or the ability to change website behaviour.

Recent WordPress plugin incidents show why this matters. A plugin that was previously trusted may become risky after a change in ownership or a compromised update path. A cloud application may also create exposure if it is granted broader permissions than necessary.

Supplier risk therefore needs to be reviewed as part of the wider security picture. Organisations should know which suppliers and third party tools have access, what permissions they hold, whether they are still needed, and how access would be removed if something went wrong.

For more detail, see our guides:

How do software supply chain attacks happen?

WordPress Hardening for Small Organisations

Public facing systems deserve regular attention because they can be reached from outside the organisation. This may include websites, hosting control panels, DNS portals, VPNs, remote access services, email admin portals, supplier dashboards and cloud administration interfaces.

A website may look simple from the outside, but it may depend on a domain registrar, DNS provider, hosting provider, content management system, plugins, themes, email services, scripts, analytics tools, backup storage and administrator accounts.

Hosting control panels are also part of this chain. A cPanel or WHM vulnerability, for example, may be managed by the hosting provider rather than the website owner, but the organisation still depends on the provider applying patches and protecting administrative access.

The practical lesson is to know who manages each layer. Website security is not only about WordPress, plugins or visible content. It also includes DNS, hosting, account access, backups, provider patching, monitoring and recovery planning.

For more detail, see our guides:

Why DNSSEC matters and how DNS attacks can redirect internet traffic

Email validation and security explained