Close this search box.

Email phishing: Why do we still get hooked?

We all know about phishing attacks. They’re not new, in fact they’ve been an issue for (about) the last 15 years – and are probably the most talked about security threat in the media at the moment.  So, why, in a world driven by technical progression, have we not managed to address such a fundamental problem? There’s no one answer to this question, unfortunately. But here are four problems people often fall victim to.

1. Human psychology

In some ways, it seems unlikely that people could fall for a phishing email. Awareness is high, organisations have dedicated phishing prevention/reporting pages, and people are becoming much more attuned to what a phishing email generally looks like. Yet, email phishing attacks are still being successful. Why? Because they tap into people’s fears and curiosities.

The number of phishing emails spiked during the Covid-19 pandemic, as cyber criminals took advantage of the population’s anxieties and remote workers’ lack of enterprise controls. Unashamedly, they impersonated well-known organisations such as the WHO, the UK Government and HMRC to achieve ‘the click’.

Humans are hardwired to be curious, and this instinct is generally attributed to our overall development as species: what lies across the water? What happens if I fly beyond the clouds? Ideas like this have led us to build boats, space-ships and explore the unknown. But the unknown can be fraught with danger – and could end up installing a malware virus onto your computer. Or unlock ransomware, encrypting your files.

It’s difficult to resist that “free coffee voucher”, especially if it’s from a place you recognise and visit. Our curiosities take over. That’s not to mention playing on people’s fears and emotions. It’s been argued that fear and pressure are the most effective factors to get someone to click a link, open an attachment or reply with sensitive and private information.

I mean, what would you do if the Head of Finance or Legal from within your organisation, asked you to send X information, or follow the link ASAP? Would you respond or click? I’m going to guess that you might…

2. Simplicity

The most common advice is “don’t click links or open attachments”. Whilst this is true, attacks can be as simple as a spoofed email designed to look like somebody else, someone you might know in your own organisation. Take, for example “” wants you to call the ServiceDesk to investigate some account activity. Or – as I mentioned above – the Head of Finance is asking you to check tax details in the following link.

There’s a dark art to attacks like this (otherwise known as spear phishing): they take time, research and an understanding of who is likely to fall victim; but they happen. One case in the US saw a phishing scam convince a US military supplies contractor to ship millions of dollars’ worth of iPads, TVs and sensitive comms equipment to a 3rd party – simply through an email conversation and a cleverly named email address! It can happen to anyone.

3. Simulation training

Businesses do what they can to educate their end-users around phishing attacks. This normally includes sending simulated phishing emails accompanied by training material for those that make the faux pas of opening them. This seems like an elegant solution but, is it really that effective? Certainly not on its own.

Whilst training reduces successful attacks, no training can teach users to spot every phish. Spotting phishing emails is hard. Spotting social engineering emails is even harder. Not to mention time consuming! Imagine how many emails are sent/received every day – asking people to stop and consider every email in depth won’t leave enough hours in the day to do work. Remember – it only takes one email to have a potentially catastrophic effect on an organisation.

4. Social media

It’s no secret – people like to share their lives with others. Be it through Facebook, Twitter, Instagram or LinkedIn (to name a few). We tell the world what we like, dislike, our opinions, where we are, what we’re doing… And, for the most part, it seems harmless and safe. But do you consider who reads these social posts? Friends. Family. Colleagues. Total strangers?

These channels are treasure troves for cyber criminals and have made it easier to collect necessary pieces of information to weave an individually-crafted attack on their victims. They’re also known as social engineering. Take the example of the coffee voucher above. A simple post saying “coffee before work”, with an image of a Starbucks, tells us that a “free voucher” link might just work.

Phishing is remarkably successful and is still the prevalent technique across the majority of cyber breaches. Simply put, until this changes, criminals will continue to do it. Business email compromise (BEC) has cost businesses, so you might say benefited cyber criminals, $26 billion in just 3 years. This equals an extraordinarily profitable venture – meaning cyber-criminals are becoming wealthier.

As the money rolls in, their technical resources and malware variants become more sophisticated. Educated and informed employees are the beginning, but not the all. Organisations need to consider multi-layered defences – giving you multiple opportunities to stop a phishing attack, potentially causing serious damage.

Let’s talk… The human factor in email phishing

91% of all cyberattacks begin with a phishing email and it’s becoming increasingly difficult to identify these through the human eye. But why haven’t we addressed this problem that with just one click, can create a huge threat to an organisation?

On 19 October, join us as Tim Simons, our Head of Security Services, and special guest Eyal Benishti, CEO of Ironscales, as they explore how emails can be one of the largest threats to an organisation and the steps you can take to avoid becoming a victim. Available on demand >


Updated October 2021

Original author: Lara Huddless, Sales Enablement Coordinator (October 2019)