Phishing – Why it’s Still One of the Biggest Cyber Threats

New research shows the prevalence of email phishing as the top cyber threat, tricking firms into revealing information through reputable sender disguises.

Phishing has been a dominant cyber threat for decades. Despite widespread awareness training and increasingly advanced security tools, it hasn’t gone away – in fact, it’s become more effective. 

Today, phishing remains the most common way attackers gain access to organisations – one report found that 90% of businesses that had experienced cybercrime in the last 12 months had experienced phishing. And with the rise of AI, it’s only getting harder to detect. 

Key takeaways

  • Phishing remains the most common and effective entry point for cyberattacks, despite widespread awareness efforts
  • Attackers now use AI to create highly convincing, scalable, harder-to-detect campaigns
  • Human behaviour (not technical weakness) is the main reason phishing continues to succeed
  • Reducing risk requires a layered approach: strong technology, ongoing training, realistic phishing simulation, and clear internal processes

The current phishing landscape

Phishing continues to account for a significant proportion of cyber incidents across all sectors, accounting for 15% of all breaches. Phishing emails remain the primary attack vector (71%), and for many organisations, it’s the easiest path into the business.


Attack volumes are increasing year-on-year. Millions of phishing campaigns are launched annually, driven by automation and readily available tooling. At the same time, the financial impact remains severe. Business email compromise (BEC) alone is responsible for billions in losses globally each year – over $3 billion, according to one report.


What’s more concerning is that phishing still works. Employees continue to open, click, and engage with malicious messages – despite training and awareness efforts. The 2024 State of the Phish Report found that 71% of users took a ‘risky action’, despite 96% of them knowing they were doing something risky.


That’s why attackers keep using it – it’s simple, scalable, and effective.

Why phishing still works

Phishing succeeds because it targets people, not systems.

It exploits common behaviours

Phishing exploits common behaviours – urgency, trust, routine tasks – rather than technical vulnerabilities. Even well-trained employees can make mistakes, especially when an email looks legitimate or appears to come from a trusted source.

It’s easy to execute

Attackers don’t need advanced skills or significant resources. Phishing kits and “phishing-as-a-service” platforms allow campaigns to be launched quickly and at scale.

It has a high ROI

The return on investment (ROI) of phishing is high. One successful interaction can lead to compromised credentials, financial fraud, or access to internal systems. Compared to more complex attack methods, phishing remains one of the most efficient ways in.

It’s constantly evolving

Last, but not least – phishing constantly evolves. Attackers adapt their tactics to bypass security controls and reflect how organisations actually communicate.

The role of AI in modern phishing

AI has massively raised the bar for phishing attacks. The result is a shift from obvious scams to highly convincing communication that blends into everyday business activity. 

In fact, the FBI has warned that “Attackers are leveraging AI to craft highly convincing voice or video messages and emails.” This means organisations can no longer rely on employees spotting ‘bad-looking’ emails – because many phishing messages no longer look suspicious at all.

Polished messaging

Messages that were once easy to spot are now polished, professional, and contextually relevant. Grammar mistakes and generic wording – traditional red flags – are no longer reliable indicators.

Easier to scale

Attackers can now generate large volumes of unique, tailored messages, making detection more difficult for both users and security tools.

Better, faster, and more optimised

AI is also enabling:

  • More realistic impersonation across email and voice channels
  • Faster creation and iteration of phishing campaigns
  • Continuous optimisation based on what gets through and what gets clicks

A universal risk across industries

Phishing affects every organisation, regardless of size or sector:

  • Large organisations face constant attack volumes due to their scale and visibility. Industries handling sensitive data or financial transactions are particularly attractive targets
  • Small and medium-sized businesses are often easier to compromise. With fewer security resources and less mature processes, they present an accessible entry point – not just for direct attacks, but as part of wider supply chain compromises.

No organisation is too small or too well-protected to be targeted.

How phishing is evolving

Phishing is no longer limited to basic email scams. Attackers are using more advanced and varied approaches to increase their success rates.

Common trends include:

  • Multi-channel attacks that combine email with other forms of communication
  • Use of legitimate platforms to host malicious content and bypass filters
  • Techniques designed to evade detection, including constantly changing content
  • Tactics that exploit user behaviour, such as repeated prompts or routine requests

These methods make phishing harder to detect and more difficult to defend against using traditional controls alone.

How to reduce your phishing risk

There’s no single solution to phishing. Effective defence requires a layered approach that combines technology, people, and process.

Technical controls

Email security tools are essential for filtering and detecting threats before they reach users. This includes link analysis, attachment sandboxing, and email authentication protocols such as SPF, DKIM, and DMARC.

However, it’s important to remember that no tool catches everything. Some attacks will always get through.
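As an added illustration of the email authentication protocols mentioned above (this is example code written for this page, not a tool from the article's author), the script below inspects SPF and DMARC TXT records and flags the settings that leave a domain open to spoofing: an SPF record ending in `+all` or `?all`, a DMARC policy of `p=none`, a `pct` below 100, and a missing `rua` reporting address. The records are constructed sample values keyed by DNS name; a real check would resolve the TXT records with a DNS library instead of reading them from the dictionary.

```python
"""Check SPF and DMARC TXT records for weak or missing settings.

Added example for this article. SAMPLE_TXT holds constructed records for
made-up domains; swap lookup_txt() for a real DNS query in practice.
"""

# Constructed sample TXT records, as a resolver would return them.
SAMPLE_TXT = {
    "weak.example": ["v=spf1 include:_spf.mail.example +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; pct=100"],
    "strong.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.strong.example": [
        "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example; adkim=s; aspf=s"
    ],
    # missing.example publishes neither record.
}


def lookup_txt(name, records=SAMPLE_TXT):
    """Stand-in for a DNS TXT lookup; returns a list of record strings."""
    return records.get(name, [])


def check_spf(txt_values):
    """Return a list of findings for a domain's SPF record (empty = fine)."""
    findings = []
    spf = [v for v in txt_values if v.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        findings.append("multiple SPF records; receivers treat this as a permanent error")
    terms = spf[0].split()
    # The final 'all' mechanism decides how unlisted senders are treated.
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism; unlisted senders are treated as neutral")
        return findings
    last = all_terms[-1]
    qualifier = last[0] if last[0] in "+-~?" else "+"  # no qualifier means pass
    if qualifier == "+":
        findings.append("'+all' lets any host send as this domain")
    elif qualifier == "?":
        findings.append("'?all' is neutral and gives no protection")
    return findings


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt_values):
    """Return a list of findings for a domain's DMARC record (empty = fine)."""
    findings = []
    dmarc = [v for v in txt_values if v.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record published"]
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is delivered and only reported")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"invalid or missing policy '{policy}'")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of mail")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports will not be received")
    return findings


def assess_domain(domain, records=SAMPLE_TXT):
    """Assess both records for a domain; SPF lives at the apex, DMARC at _dmarc."""
    return {
        "spf": check_spf(lookup_txt(domain, records)),
        "dmarc": check_dmarc(lookup_txt(f"_dmarc.{domain}", records)),
    }


if __name__ == "__main__":
    for domain in ("weak.example", "strong.example", "missing.example"):
        result = assess_domain(domain)
        print(domain)
        for kind, findings in result.items():
            print(f"  {kind}: {findings or 'OK'}")
```

The weak domain in the sample data is reported for `+all` and `p=none`, the strong one is clean, and the domain with no records is flagged for both. The check only looks at the publishing side; whether a receiver actually enforces the policy is a separate question, which is why the paragraph above is right that no single control catches everything.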

Security awareness training

Employees are a critical line of defence – but only if training reflects real-world threats.

Effective programmes cover current tactics, including AI-driven phishing. Training should be ongoing, practical, and relevant to how your organisation operates.

Phishing simulations

The most effective way to improve resilience is through realistic testing.

Phishing simulation exercises show how employees actually respond to attacks, identify high-risk areas, and reinforce learning through experience. They also provide measurable insight into your organisation’s human risk.

Clear verification process

Strong internal processes reduce reliance on individual judgment.

For example:

  • Verifying financial requests through a second channel
  • Requiring approval for high-risk actions
  • Standardising how sensitive requests are handled

When verification becomes routine, phishing becomes much less effective.

Zero-trust approach

Assume that phishing attempts will succeed – and limit the impact when they do.

Applying least-privilege access, continuous verification, and segmentation helps prevent a single compromised account from leading to a wider breach.

The bottom line on phishing 

Phishing remains one of the most effective cyberattack methods because it targets the one thing every organisation relies on: people.

AI has made it more convincing. Scale has made it more persistent. And evolving tactics have made it harder to detect.

Organisations that rely solely on technology – or outdated awareness training – are increasingly exposed.

Reducing phishing risk requires a combination of strong technical controls, ongoing training, and realistic testing.

That’s where OnSecurity’s phishing simulation and social engineering testing add real value. They help you understand how your people respond under pressure, and where your vulnerabilities actually lie.

Phishing isn’t going anywhere. But with the right approach, it doesn’t have to be your biggest risk. Get a free, instant testing quote today and take the first step to protecting your business. 
