    Ashley Harris | 28 February 2026 | 5 min read

    UK Cyber Security 2024: The Rise of Quishing and MFA Fatigue


    In the fast-paced world of UK business, the cyber threat landscape moves quicker than most organisations can keep up with. We’ve seen a significant shift in recent months; as traditional email filters become more adept at spotting malicious links and attachments, cybercriminals are pivoting to more creative and deceptive tactics. From the busy high streets of Doncaster to the corporate hubs of London, no business is too small to be a target. At Jibba Jabba, we are seeing a marked increase in sophisticated identity-based attacks that bypass traditional security measures.

    The New Frontier: Quishing and Social Engineering

    One of the most concerning trends we are monitoring is 'Quishing'—or QR code phishing. Because QR codes are essentially images, they often bypass standard email security gateways that scan for malicious URLs. An unsuspecting employee might receive an email claiming to be from a trusted supplier or a UK government body like HMRC, asking them to scan a code to 'verify their identity' or 'view a secure document'.

    Once scanned, the user is directed to a fraudulent site designed to harvest login credentials. Because the user is switching from their desktop to their mobile device to scan the code, they are often less vigilant and away from the protection of the corporate network's security layers. It is a simple yet effective way for attackers to bridge the gap between business and personal devices.

    MFA Fatigue: When Your Security Becomes a Burden

    Multi-Factor Authentication (MFA) remains one of the single most effective ways to secure your business, but it isn't infallible. We are currently seeing a rise in 'MFA Fatigue' attacks. This occurs when a hacker, who has already stolen a user's password, sends dozens of push notifications to the user's phone in quick succession, often in the middle of the night.

    The goal is to wear the user down until they click 'Approve' just to make the notifications stop. High-profile breaches across the UK have proven that even the most tech-savvy employees can fall victim to these psychological tactics under pressure. Modernising your MFA to use 'Number Matching' or hardware security keys can significantly reduce this risk.
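
    The burst of push notifications described above leaves a recognisable pattern in identity-provider sign-in logs. The following is an added example, not code from Jibba Jabba or any MFA vendor; the log format, event names and thresholds are assumptions made for illustration, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical "timestamp user result" format.
SAMPLE_LOG = """\
2026-02-27T09:01:10 alice push_sent
2026-02-27T09:01:25 alice push_approved
2026-02-28T02:13:05 bob push_sent
2026-02-28T02:13:40 bob push_denied
2026-02-28T02:14:10 bob push_sent
2026-02-28T02:14:55 bob push_sent
2026-02-28T02:15:30 bob push_sent
2026-02-28T02:16:05 bob push_sent
2026-02-28T02:16:20 bob push_approved
2026-02-28T08:30:00 carol push_sent
2026-02-28T08:30:12 carol push_approved
"""

def parse(log):
    """Yield (timestamp, user, result) tuples from the log text."""
    for line in log.splitlines():
        if line.strip():
            ts, user, result = line.split()
            yield datetime.fromisoformat(ts), user, result

def detect_push_bursts(log, threshold=5, window=timedelta(minutes=10)):
    """Flag users who receive `threshold` or more pushes inside `window`.
    A finding is 'critical' when an approval arrives during the burst."""
    recent = defaultdict(deque)  # user -> timestamps of recent pushes
    findings = {}
    for ts, user, result in sorted(parse(log)):
        q = recent[user]
        while q and ts - q[0] > window:  # drop pushes older than the window
            q.popleft()
        if result == "push_sent":
            q.append(ts)
            if len(q) >= threshold:
                f = findings.setdefault(user, {"user": user, "first_push": q[0],
                                               "pushes": 0, "severity": "warning"})
                f["pushes"] = max(f["pushes"], len(q))
        elif result == "push_approved" and len(q) >= threshold:
            findings[user]["severity"] = "critical"
    return list(findings.values())

if __name__ == "__main__":
    for finding in detect_push_bursts(SAMPLE_LOG):
        print(finding)
```

    A 'critical' finding means an approval arrived while the burst was still in progress, which is the point at which the session should be revoked and the password reset.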

    Cyber Essentials: The 2024/25 Outlook

    For UK businesses, the Cyber Essentials scheme remains the gold standard for foundational security. The National Cyber Security Centre (NCSC) has recently tightened the requirements regarding cloud security and bring-your-own-device (BYOD) policies. If your staff use personal phones to access work emails or Teams, those devices are now firmly under the microscope during an audit.

    • Asset Management: You must have a clear record of all devices accessing your data.
    • Software Updates: Critical updates must be applied within 14 days to remain compliant.
    • Cloud Services: Any service holding your data, from Microsoft 365 to Dropbox, must be secured with MFA.

    At Jibba Jabba, we help many of our clients navigate the Cyber Essentials certification process, ensuring that these technical controls are not just a 'tick-box' exercise but a robust shield for the business.

    Ransomware: Data Theft Over Encryption

    The ransomware model has shifted. While encrypting files and locking systems used to be the primary goal, attackers are now increasingly focused on 'Extortion-only' attacks. They steal sensitive data—customer records, financial statements, or intellectual property—and threaten to leak it on the dark web unless a ransom is paid. This bypasses the need for the hacker to deploy complex encryption software and puts immense pressure on the business due to GDPR implications and UK ICO (Information Commissioner's Office) reporting requirements.

    "The average cost of a data breach for a UK small business has risen significantly, but the reputational damage is often what proves fatal. Prevention is always more cost-effective than recovery."

    Practical Advice for Business Owners

    Security is not just an IT issue; it is a business continuity issue. Here are three immediate steps we recommend every UK business owner takes today:

    1. Implement Number Matching MFA: Move away from simple 'Approve/Deny' notifications. Number matching requires the user to type a code displayed on their login screen into their mobile app, effectively killing MFA fatigue attacks.

    2. Conduct 'Quishing' Awareness Training: Educate your team on the dangers of scanning unexpected QR codes. If an email seems out of the ordinary, they should verify the request through a different communication channel.

    3. Review Your Backup Strategy: Ensure you have offsite, immutable backups. If your primary network is compromised, an immutable backup cannot be deleted or changed by a hacker, giving you a guaranteed 'clean' restore point.

    How Jibba Jabba Supports Your Security Journey

    We believe that high-level cyber security should be accessible to every business, regardless of size. Our managed IT services are designed to proactively monitor for threats, manage your patch cycles, and ensure your team is trained to spot the latest scams. Whether you are looking to achieve Cyber Essentials certification or simply want a security audit to see where your vulnerabilities lie, we are here to provide straight-talking, expert guidance based right here in South Yorkshire.

    Frequently Asked Questions

    Quishing is phishing via QR codes. It is dangerous because QR codes are images that often bypass traditional email security filters, leading users to malicious sites on their mobile devices.
