Catching the phish
How malicious messages evade email security
Today’s reality is dominated by and relies upon digital interactions. Top among the IT and security risks are phishing attacks, the initial vector for by far most cyber attacks. And in 2025, the average cost of a data breach where phishing was the initial vector was approximately $4.8 million.
Phishing works, period. And threat actors will never stop leveraging methods that lead them down the road of successful exploits.
Why? These attacks are focused against people, and people love a good story. In fact some argue that all of humanity is driven by stories. To make these attacks work, cyber actors have only one tactic to employ, and that is authenticity. Visual authenticity most directly tied to brand impersonation phishing, and organizational authenticity, most closely tied to business email compromise (BEC) phishing.
The first goal is attaining authenticity — e.g., targeting commonly known brands to make it increasingly difficult for people to tell what is genuine or malicious. Email attackers often impersonate well-known global brands, such as Microsoft, Stripe, Facebook, Amazon, and Costco.
Threat actors also capitalize and latch onto large-scale world events or trends tied to brands. For example, when there is a World Cup, there are campaigns that leverage assets related to the World Cup. When there is a G20 Summit, there are campaigns that leverage assets related to G20. During the pandemic, there were a slew of attacks leveraging pandemic-related trends. In some ways, threat actors are incredibly predictable, with physical events transcending into cyberspace. This ultimately underscores that phishing, like any attack, exploits avenues that are the weakest link — in these cases, the inherent human inclination to be trusting.
When threat actors disguise themselves as legitimate, their second major objective — to trick victims into clicking links or downloading harmful files — can be easily achieved. It’s natural to want to interact with a timely link or file from someone you think you know. For example, a few years ago, threat actors took advantage of the havoc spurred by Silicon Valley Bank’s collapse preying on customers. In a widespread phishing campaign, threat actors posed as SVB to send DocuSign-themed “links,” which when clicked, led users to a complex, attacker-owned redirect chain.
The stakes to combat phishing attacks have never been higher. And while the problem may seem insurmountable, there are three key actions to strengthen any organization’s security posture:
1. Implement modern prevention tools
One fraudulent email has the power to inflict significant harm on an organization — with standard email inbox security tools not viable for combatting these attacks.
Threat actors frequently use popular providers (e.g., Microsoft and Google) to originate their attacks, which allows them to evade typical authentication checks. Today’s email security procedure requires multiple protection layers to be enacted before, during, and after messages reach the inbox. While SPF, DKIM, and DMARC authentication standards are a crucial safeguarding step, they alone fail to provide comprehensive protection against phishing attacks. These standards were not designed to detect the presence of dangerous emails and / or links that are typical of phishing attacks — many unwanted messages have cleared through these tools.
The key to combating and keeping up with modern phishing tactics is adopting an assumed breach mindset — never trust, always verify. Organizations must implement a zero trust security model for every email. Implementing phishing-resistant multi-factor authentication, augmenting cloud email security with multiple anti-phishing barriers, and equipping employees with secure tools are all critical pieces of achieving this.
2. Attack the problem head-on
When processes and tools aren't working, the natural inclination is to throw more resources at the problem — more people, time, and money. This is the wrong move as taking reactive measures means it’s already too late. Take spam filters, for instance. While they were the primary focus of email security at one point, they are only the tip of the iceberg in what’s needed to proactively combat phishing attacks.
Categorizing phishing threats into different buckets, though successful in other contexts, is ineffective when taking a holistic view of phishing with the goal of confronting the problem. Many industry phishing reports divide the space granularly as if it is approaching and solving for 100 different problems — the same threat being discussed in 100 different ways can make it daunting to approach a solution.
A comprehensive approach is essential, and as proven by the rising number of attacks, splicing data isn’t leading to a solution. With security decision-makers in agreement that the type and scope of phishing threats are expanding, it’s clear that there needs to be a streamlined, holistic strategy to safeguard our digital environments.
3. Turn intelligence into tactical success
The cybersecurity landscape is inundated with solutions that each promise enhanced security, However, very few effectively address the exacerbated issue of phishing — one that no organization is immune to.
Phishing affects all industries, effectively dismantling traditional security investments with the click of a single link. Users are more susceptible to clicking links than downloading a file, as they perceive the link as a more authentic form of communication. Threat actors repeatedly capitalize on this human weakness, making malicious links one of the most common threats. These links and files can lead to credential harvesting, remote code execution that lets the attacker install malware or ransomware, steal data, or take other actions, and ultimately a full network compromise just by taking over a single workstation.
As phishing continues to surge, business leaders must leverage data points to enact solutions. This ensures that resources are being properly allocated to proactively defend against breaches resulting from successful phishing attacks. The data is clear that phishing is an overwhelming issue for businesses of all sizes, but there are pointed answers on how to apply resources to prevent phishing attacks from causing irreversible damage.
Modernizing the fight against phishing
The digital ecosystem is constantly evolving, and the ability to stay one step ahead of phishing attacks requires a direct, proactive approach. Organizations can secure emails with a zero trust security model so no user or device has complete, trusted access to email or other network resources. Organizations can integrate multiple anti-phishing controls to cloud email security to address high-risk areas for attack exposure, and implement phishing-resistant MFA security tools.
The tech stack is just as important as addressing your own organizational culture: Teams within large organizations have their own preferred tools, so meeting employees where they are by making the tools they already use more secure helps prevent potential phishing attacks. Encouraging a blame-free, transparent “see something, say something” approach to reporting suspicious activities is paramount because the minutes between reporting a suspicious activity and taking action are critical.
By implementing modern technical solutions, confronting the problem head-on, and leveraging data-driven solutions, organizations can break free of band-aid solutions and extensively protect themselves and their data from phishing attacks. Such solutions necessitate a cross-functional approach, blending technical measures with organizational awareness to create a formidable defense against the insidious threat of phishing.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
Dive deeper into this topic.
Identify the types of phishing attacks your current email security systems miss with a free Phishing Risk Assessment.
Key takeaways
After reading this article you will be able to understand:
Phishing is still the initial vector for most cyber attacks
Many unwanted messages cleared SPF, DKIM, and DMARC
3 key actions to strengthen any organization’s security posture