
Why Phishing Attacks Still Work (And What Actually Stops Them)

Despite decades of awareness training, phishing remains the most common initial entry point in cyber attacks against UK businesses. According to the UK Government's Cyber Security Breaches Survey, phishing was involved in the majority of reported cyber incidents in the last year.

Understanding why it keeps working, and what the evidence says about stopping it, matters more than another email telling staff to "think before they click."

Why Phishing Still Works

Phishing works because it does not attack software. It attacks decision-making under time pressure, which is something humans are genuinely bad at. A well-crafted phishing email does not look suspicious. It looks like a password reset from Microsoft, an invoice from a supplier, or an urgent message from the CEO. The attacker has likely done research on your business and your staff before sending it.

Modern phishing attacks also bypass traditional email filters more effectively than before. AI-assisted generation means phishing emails increasingly have no spelling mistakes, no broken formatting, and no obvious indicators that used to trigger spam filters.

The goal of phishing is not to trick your least technical employee. It is to find one person, on one bad day, who clicks one link. At scale, that happens.

What Does Not Work

Annual security awareness training delivered as a compliance exercise does not work. Staff sit through a video, click through a quiz, and return to their inboxes. Retention is low and behaviour change is minimal.

Spam filters alone do not work. They catch a high proportion of commodity phishing, but targeted spear-phishing, particularly attacks that use legitimate cloud services to host malicious links, gets through far more often.

What Actually Reduces Risk

The controls that genuinely reduce phishing risk operate at multiple levels.

1. Multi-Factor Authentication on Everything

Even when a phishing attack successfully captures credentials, MFA stops those credentials alone from being enough to access your systems. It is not perfect, as session hijacking and MFA fatigue attacks exist, but enforced MFA removes most of the value of a successful credential theft. It is the single highest-impact control against phishing.

2. Email Authentication: SPF, DKIM, and DMARC

SPF, DKIM, and DMARC are DNS-based controls that make it significantly harder to spoof your domain in phishing emails. A fully configured DMARC policy in reject mode means that emails pretending to come from your domain are rejected by receiving mail servers that honour the policy and will not reach recipients. Most businesses have a partial implementation (an SPF record, perhaps DKIM signing, a DMARC record left in monitoring mode) but have never pushed DMARC to rejection, leaving the door open.
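As an added example (not code from the article), the check below reads an SPF and a DMARC TXT record and lists the gaps that keep a domain in that "partial implementation" state: a softfail SPF, a DMARC policy of none or quarantine, a partial pct, subdomains left unpoliced, and missing aggregate reporting. The records here are constructed samples; for a real domain you would fetch them with dig, for example dig +short TXT example.com and dig +short TXT _dmarc.example.com.

```python
# Added example: flag the SPF/DMARC gaps described above. Records are
# constructed samples, not real DNS data.

def parse_tags(txt):
    """Split 'v=DMARC1; p=none; rua=mailto:x' into a lowercase-key dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_spf(txt):
    """Return a list of weaknesses in an SPF record ('' means no record)."""
    if not txt.lower().startswith("v=spf1"):
        return ["no SPF record: receivers cannot tell which servers may send as you"]
    terms = txt.split()[1:]
    # The final 'all' qualifier decides what happens to unlisted senders.
    if "-all" in terms:
        return []
    if "~all" in terms:
        return ["SPF ends in ~all (softfail): spoofed mail is only marked, not failed"]
    return ["SPF has no -all: unlisted senders are not rejected"]

def assess_dmarc(txt):
    """Return a list of weaknesses in a DMARC record ('' means no record)."""
    tags = parse_tags(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record: SPF/DKIM failures have no enforced policy"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"p={policy}: domain policy is not reject")
    pct = int(tags.get("pct", "100"))  # share of failing mail the policy covers
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    subpolicy = tags.get("sp", policy).lower()  # sp defaults to p when absent
    if subpolicy != "reject":
        findings.append(f"sp={subpolicy}: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports on who sends as you")
    return findings

def assess_domain(spf_txt, dmarc_txt):
    """Combine both checks; an empty list means fully enforced."""
    return assess_spf(spf_txt) + assess_dmarc(dmarc_txt)

# Constructed sample of the common 'partial implementation' state.
PARTIAL = assess_domain("v=spf1 include:spf.protection.outlook.com ~all",
                        "v=DMARC1; p=none; rua=mailto:dmarc@example.com")
```

Running the sample yields three findings (softfail SPF, p=none, and subdomains inheriting none), which is exactly the state in which a spoofed message is reported on but still delivered.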

3. Defender for Office 365 Safe Links and Safe Attachments

If you use Microsoft 365 Business Premium, you have access to Defender for Office 365. Safe Links rewrites URLs in emails and checks them at click time rather than at delivery, catching links that were clean when the email arrived but were later weaponised. Safe Attachments detonates email attachments in a sandbox before they reach the user. Both controls require configuration to be effective.

4. Simulated Phishing with Immediate Feedback

Phishing simulation, where staff receive realistic simulated phishing emails and receive immediate, contextual feedback when they click, is significantly more effective than classroom training. The feedback arrives at the moment of the mistake, which is when learning is most effective. Run regularly and without blame, it changes behaviour over time in a way that annual training does not.

5. A Clear Reporting Culture

If staff are afraid to report that they may have clicked something suspicious, incidents escalate. A culture where reporting is encouraged, and where doing so results in quick investigation rather than blame, means incidents get caught earlier. The cost of investigating a false alarm is much lower than the cost of a breach that went unreported for 48 hours.

Putting It Together

No single control eliminates phishing risk. The approach that works is layered: make credentials less useful if stolen, make it harder to spoof your domain, filter more effectively at the email level, catch attacks that get through at the link and attachment stage, train staff in a way that changes behaviour, and make it easy to report suspicion.

That is a managed security posture, not a one-off exercise.

Want to assess your phishing exposure? We can review your email security configuration and run a simulated phishing exercise.
