Blog

According to Deloitte research, 91% of cyber attacks still start with an email.

That number hasn’t moved much in years. We’ve deployed spam filters, secure email gateways, AI-powered anomaly detection, and a dozen other technical controls. Attackers don’t care. When one tactic gets blocked, they try another. When detection catches a pattern, they change the pattern.

The technology arms race is unwinnable on its own. Trained employees add a different kind of defense, one that applies judgment and recognizes context. A well-crafted spear phishing email might slide past every filter you own, but an employee who knows to verify unexpected requests kills the attack anyway.

You know what phishing looks like. Misspelled words, suspicious links, Nigerian princes. You’ve done the training. You’ve passed the tests.

And yet.

Somewhere, right now, someone who knows all of this is clicking a link they shouldn’t. Not because they’re careless or stupid, but because they’re busy, distracted, and the email looked just legitimate enough.

Phishing detection isn’t about knowledge. It’s about habits that kick in automatically, even when you’re not thinking clearly.

Your phone buzzes. A text from your “bank” says suspicious activity was detected on your account. Click here to verify. The link looks legitimate. The message is urgent.

You’re already reaching for the link before you’ve finished reading.

That reaction is exactly why smishing works. SMS phishing succeeds where email fails because we’ve spent years training ourselves to distrust our inboxes. Nobody taught us to be suspicious of texts.

When attackers want maximum impact, they don’t send mass emails hoping someone clicks. They research a CEO, CFO, or board member for weeks. They craft a perfect message. They wait for the right moment to strike.

This is whaling: spear phishing that targets executives. It accounts for some of the largest individual fraud losses in cybersecurity history.

The phone rings. IT support says there’s a security incident on your account. They need your password to reset it and protect your data. The caller sounds professional, maybe a little stressed. Your caller ID shows your company’s actual number.

You give them your password.

I’ve seen this happen to smart, security-aware people. They knew better. In the moment, it didn’t matter. That’s what makes vishing so effective.