On Phishing
Combating the Interplay of Technology and Human Factors
Industry reporting consistently shows that threat actors rely predominantly on phishing and social engineering to obtain sensitive credentials and divert funds. Spear-phishing in particular is their preferred instrument for penetrating organisations and exfiltrating valuable information and money.
Despite considerable investment in technologies for detecting and blocking phishing emails, and in user training, phishing remains alarmingly effective. It is a complex problem woven from technological shortcomings and the human difficulty of telling malicious emails from genuine ones. Large corporations have a wealth of controls to address both; smaller businesses often lack the resources to deploy them.
For a phishing attack to succeed, the malicious email must first reach the victim's inbox. Mail providers and corporations alike employ numerous tools to detect and filter most spam and phishing messages. These technologies scrutinise emails for typical phishing phrases and tone, check sender and link domains and their age (a newly registered domain is a strong signal), consult blocklists of known-bad sending IP addresses, and verify sender authentication (SPF, DKIM, DMARC), among other strategies. Some estimates suggest that spam filters intercept as much as 99.5% of phishing emails before they reach their intended recipient.
However, blocking every suspicious email is virtually impossible. Some messages fall into a grey area where they could equally be legitimate or phishing, and a filter tuned to block all of them would also block genuine business mail. Consequently, the decision often falls on the human recipient, who must judge whether a message is phishing.
Many factors influence that judgement: the recipient's mental state, workload, time constraints, awareness of phishing risks, technical understanding, and distractions. Under high workload and time pressure, people fall back on automatic thinking and cognitive biases, which inadvertently helps phishing succeed. The diagram below describes how these factors might combine to make a phishing attack successful.
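To make the two paragraphs above concrete, here is an added example (not code from the original article) of a toy filter that scores a raw email on the signals described: phishing phrases, a display name that impersonates a known brand, a Reply-To pointing elsewhere, domain age, and the sending IP against a blocklist. It then returns one of three outcomes, BLOCK, REVIEW or DELIVER, with REVIEW being the grey area handed to a human. The three sample messages, the domain-registration table, the brand list and the IP blocklist are all constructed for the example; the thresholds are illustrative assumptions, not values from the article.

```python
"""Toy phishing filter (added example; constructed data throughout)."""
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr

TODAY = date(2023, 9, 1)  # fixed so the example is reproducible offline

# Constructed stand-ins for a WHOIS/registrar feed, a brand-protection list
# and a threat-intelligence IP blocklist.
DOMAIN_REGISTERED = {
    "example-bank.com": date(2005, 3, 14),
    "examp1e-bank.com": date(2023, 8, 29),  # typosquat, registered 3 days ago
    "supplier.example": date(2012, 6, 1),
}
PROTECTED_BRANDS = {"example bank": "example-bank.com"}
BAD_IPS = {"203.0.113.45"}  # TEST-NET-3 address, constructed entry

PHISHING_PHRASES = ("verify your account", "urgent", "suspended",
                    "click here", "wire transfer")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_age_days(domain):
    """Days since registration, or None if the domain is unknown to us."""
    registered = DOMAIN_REGISTERED.get(domain.lower())
    return None if registered is None else (TODAY - registered).days


def _text_body(msg):
    """Concatenate every text/plain part (works for single- and multipart)."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return " ".join(str(p.get_payload(decode=True) or b"", "utf-8", "replace")
                    for p in parts)


def score_message(raw):
    """Return (score, reasons); a higher score means more phishing signals."""
    msg = message_from_string(raw)
    score, reasons = 0, []

    # 1. Sending IP. Only the topmost Received header was written by our own
    #    MX; earlier hops are attacker-controlled and must not be trusted.
    received = msg.get_all("Received") or []
    hit = RECEIVED_IP_RE.search(received[0]) if received else None
    if hit and hit.group(1) in BAD_IPS:
        score += 5
        reasons.append(f"sending IP {hit.group(1)} is on the blocklist")

    # 2. Display name names a protected brand but the address domain differs.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    for brand, brand_domain in PROTECTED_BRANDS.items():
        if brand in display.lower() and sender_domain != brand_domain:
            score += 3
            reasons.append(f"display name claims '{brand}' but sent from {sender_domain}")

    # 3. Reply-To routed to a different domain than From.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply_domain and reply_domain != sender_domain:
        score += 2
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain")

    # 4. Sender domain and every linked domain: unknown or newly registered.
    body = _text_body(msg)
    for domain in {sender_domain, *(d.lower() for d in URL_RE.findall(body))}:
        if not domain:
            continue
        age = domain_age_days(domain)
        if age is None:
            score += 1
            reasons.append(f"{domain}: no registration record")
        elif age < 30:
            score += 3
            reasons.append(f"{domain}: registered only {age} days ago")

    # 5. Typical phishing phrases in subject and body.
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in PHISHING_PHRASES if p in text]
    if hits:
        score += len(hits)
        reasons.append("phrases: " + ", ".join(hits))
    return score, reasons


def verdict(raw, block_at=6, review_at=3):
    """Map the score to BLOCK / REVIEW (human decides) / DELIVER."""
    score, reasons = score_message(raw)
    outcome = "BLOCK" if score >= block_at else "REVIEW" if score >= review_at else "DELIVER"
    return outcome, score, reasons


# Constructed sample messages (RFC 5322 text, one part each).
PHISH = """\
Received: from mail.examp1e-bank.com (mail.examp1e-bank.com [203.0.113.45]) by mx.victim.example
From: "Example Bank Security" <alerts@examp1e-bank.com>
To: finance@victim.example
Subject: URGENT: your account has been suspended

Please verify your account within 24 hours: http://examp1e-bank.com/verify
"""
GREY = """\
Received: from mail.supplier.example (mail.supplier.example [198.51.100.7]) by mx.victim.example
From: "Dana Lee" <dana.lee@supplier.example>
Reply-To: dana.lee@personal-mail.example
To: finance@victim.example
Subject: Updated bank details for invoice 4471

Hi, we have changed banks. Please send the wire transfer for invoice 4471 to the new account. Thanks, Dana
"""
LEGIT = """\
Received: from mail.supplier.example (mail.supplier.example [198.51.100.7]) by mx.victim.example
From: "Dana Lee" <dana.lee@supplier.example>
To: finance@victim.example
Subject: Invoice 4471 attached

Hi, please find invoice 4471 attached, due in 30 days as usual. Thanks, Dana
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("GREY", GREY), ("LEGIT", LEGIT)):
        print(name, *verdict(raw))
```

The GREY message is the interesting one: a long-standing supplier, a clean sending IP, but a Reply-To on a different domain and a request to change where a wire transfer goes. Those are exactly the signals of a compromised-supplier fraud and also of a perfectly ordinary employee replying from a personal mailbox, so the filter cannot safely block it and hands the decision to the recipient, which is the grey area the text describes.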
Even after a user clicks a link or opens a suspicious attachment, technical controls on the desktop, firewalls, and proxies can often prevent a catastrophic outcome. Anti-malware tools, data leakage prevention mechanisms, and regularly patched operating systems guard against known vulnerabilities. Their effectiveness, however, is limited by unpatched systems, outdated malware signatures, and missing data leakage controls.
If all technical and human controls fail, the attacker succeeds, and that success opens the next phase of the attack, which could involve malware infection or ransomware. Even at this late stage, fraud controls and multi-factor authentication can still thwart the attacker: stolen credentials alone are not enough when a second factor is required, although one-time codes can be relayed through a real-time phishing proxy, so phishing-resistant methods such as FIDO2 security keys give the strongest protection.
To mitigate phishing risk, we must first ensure that all technical controls work as intended. Beyond that, 'nudges', reminders to read emails critically and carefully, can significantly reduce the risk. A culture of psychological safety around reporting mistakes, together with clear instructions on whom to contact, encourages users to report suspicious messages promptly, and a fast report turns one person's click into a warning for everyone else.
Other preventative strategies include reducing the volume of email, prioritising messages according to whether the recipient is addressed directly or merely copied, highlighting messages sent "only to you", and minimising distractions from collaboration tools. Evaluate all technical controls to ensure they cover every critical point in the phishing attack path, and consider targeting additional training at the people most at risk.
Phishing has grown exponentially, outpacing advances in anti-phishing technology. With the advent of generative AI, phishers can craft highly personalised, deceptive messages at scale, without the spelling and grammar mistakes that used to give them away. Prevention, detection, response, and recovery controls, working in conjunction with human defences, are more crucial than ever.
Many vendors offer products that claim to solve the phishing problem, but their real-world effectiveness is hard to establish. Unfortunately, vendors also tend to exaggerate the risks of phishing to market their products. Such hype creates confusion and impedes decision-making, a common issue with cybersecurity vendors.
In conclusion, tackling the growing phishing problem requires a comprehensive, multi-faceted approach. The issue does not stem merely from technological limitations; it is intertwined with human factors that must be addressed too. By ensuring our technical defences work, improving user education, encouraging a culture of alertness and error reporting, and optimising work environments, we can significantly reduce the success rate of phishing attacks. We must remain vigilant as threat actors exploit technologies such as generative AI to make their tactics more sophisticated and harder to detect. As phishing threats evolve, so must our strategies to combat them. Despite the confusing claims of cybersecurity vendors, it is up to us to conduct thorough risk assessments and make judicious decisions, balancing human judgement with technological aid to protect the security and integrity of our organisations.
The insights shared in this article draw upon various sources; the views and opinions are mine alone. If you have a phishing problem, please do your own comprehensive risk analysis and make the right decisions to protect your organisation against phishing. I hope my thoughts will help you.
The books and articles I read when writing this:
Nudge: The Final Edition. Richard H. Thaler and Cass R. Sunstein, 2021. An excellent book to read, even if you don't like phishing.
Nudging and Phishing: A Theory of Behavioral Welfare Economics. David Jimenez-Gomez, 2018. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3248503#:~:text=David%20Jimenez%2DGomez,-Universidad%20de%20Alicante&text=In%20this%20framework%2C%20individuals%20suffer,be%20altered%20by%20the%20nudge.
50+ Phishing Statistics You Need to Know – Where, Who & What is Targeted. Jo Rushton, 2023. https://www.techopedia.com/phishing-statistics#:~:text=Phishing%20Statistics%20Highlights,-Phishing%20attacks%20account&text=83%25%20of%20all%20companies%20experience,corporations%20%244.91%20million%2C%20on%20average
The Latest 2023 Phishing Statistics (updated July 2023). Charles Griffiths, 2023. https://aag-it.com/the-latest-phishing-statistics/
Microsoft: Using multi-factor authentication blocks 99.9% of account hacks. Catalin Cimpanu, 2019. https://www.zdnet.com/article/microsoft-using-multi-factor-authentication-blocks-99-9-of-account-hacks/
Ransomware Statistics, Trends and Facts for 2023 and Beyond. Aleksandar Kochovski, 2023. https://www.cloudwards.net/ransomware-statistics/
Typology of Phishing Email Victims Based on their Behavioural Response. Ibrahim Mohammed Alseadoon et al., 2013. https://aisel.aisnet.org/amcis2013/ISSecurity/GeneralPresentations/19/
Phishing Happens Beyond Technology: The Effects of Human Behaviors and Demographics on Each Step of a Phishing Process. Hossein Abroshan, Jan Devos, Geert Poels, and Eric Laermans, 2021. https://ieeexplore.ieee.org/document/9380285
ChatGPT helped to explain concepts and with editing.