Phishing remains one of the most pervasive and effective threats in the cybersecurity landscape. Despite the proliferation of advanced malware, ransomware and cloud-native exploits, phishing continues to outpace many other attack types because it targets human behaviour rather than technical vulnerabilities.
Around the world, phishing is by far the single most common type of cyber crime experienced, underlining just how resilient this attack vector has become. It’s estimated that around 3.4 billion phishing emails are sent every single day across the world, accounting for roughly 1.2 per cent of all email traffic.
Modern phishing emails are crafted to look benign, personalised and contextual, and increasingly use artificial intelligence to refine their impact. In this era of AI-assisted attacks, attackers can send messages that sound like genuine communication from a colleague, vendor or trusted service.
Why phishing still works
The success of phishing stems from its exploitation of human psychology. Attackers manipulate trust, urgency and cognitive overload to create scenarios where recipients act first and think later. At scale, even a small click rate can yield significant returns. In fact, phishing emails account for over 90 per cent of successful cyber attacks globally, confirming phishing's central role as the initial access method for threat actors.
The sheer volume of phishing attempts increases the likelihood of success. Recent data suggests that 57 per cent of organisations face phishing scams weekly or daily, and that phishing messages account for approximately 1.2 per cent of all emails sent worldwide – equivalent to billions of malicious messages each day.
Human error remains a critical factor. Even organisations with robust security practices report that most employees have encountered at least one compromised email account owing to phishing activity. A survey indicated that 92 per cent of businesses had at least one business email compromise, and 93 per cent experienced data leaks due to compromised credentials or negligence. These figures highlight that technical controls alone are not enough; if people are tricked into handing over credentials or clicking on a link, attackers can bypass otherwise strong defences.
The evolution of phishing tactics
Phishing has evolved far beyond the poorly worded scams of the early internet. Attackers now use detailed information pulled from social media, corporate websites and professional networks to craft messages that are highly relevant to specific individuals or roles. This approach, known as spear phishing, improves success rates significantly compared to generic messages.
Phishing campaigns have also diversified across channels. SMS phishing (known as smishing) and voice phishing (vishing) exploit mobile devices and phone systems, while messaging platforms such as Teams and Slack are being used to deliver malicious links in environments users inherently trust. These multi-modal campaigns increase the attack surface and make phishing harder to detect.
AI has supercharged this evolution. Research indicates that AI-generated phishing emails have a click-through rate of around 54 per cent, compared with just 12 per cent for human-written attacks, and that recipients are much more likely to enter credentials after clicking on an AI-generated link. This stark difference highlights how automation and natural language generation can make attacks feel more authentic and plausible to recipients.
The impact of AI on phishing
Artificial intelligence has not only increased the volume and quality of phishing content but also made messages harder to flag. Language models enable attackers to craft text that mirrors corporate tone, branding and context with impressive fluency. AI-driven personalisation means phishing messages can reference internal projects, specific contacts, or sector-specific jargon with minimal manual effort, further reducing the chances they are spotted as malicious.
AI is also being used to automate entire phishing campaign lifecycles, from generating sender names and email bodies to tailoring landing pages that harvest credentials. Emerging technologies such as deepfake audio and video have already been reported in fraud cases, where victims receive calls or messages that convincingly mimic executives and colleagues. As these capabilities continue to advance, distinguishing between genuine and fraudulent communication without technical controls will become even more challenging.
Strengthening human defences with managed security awareness
Because phishing targets people, not just technology, awareness and training remain essential. Security awareness initiatives help employees recognise suspicious messages and understand appropriate responses, but training must be ongoing and adaptive. A managed approach can embed awareness into regular business routines and help organisations build behavioural resilience.
For example, Integrity360’s Managed Security Awareness service supports organisations with continuous, targeted training, realistic phishing simulations and actionable reporting. By regularly exposing teams to simulated threats and reinforcing best practice through timely training modules, organisations can reduce the likelihood of human-error-driven breaches and see measurable improvements in how employees respond to phishing attempts. This type of ongoing support helps turn awareness into a consistent mindset rather than a one-off exercise.
Why technology alone is not enough
No email filtering solution or security control will block every phishing attempt. Some malicious messages will always reach inboxes, and under pressure, employees can make mistakes. Strengthening technology and educating users must go hand in hand.
Organisations should adopt layered defences including identity protection, multi-factor authentication and conditional access policies that make it harder for attackers to pivot even if initial access is gained. Monitoring tools that alert on suspicious logins and unusual activity can further reduce the impact of social engineering success. Rapid detection and containment are critical when phishing does succeed, as it inevitably will.
Adapting to a changing threat
Phishing is not going away. As digital communication becomes ever more central to business operations, adversaries will continue to exploit it. But the impact of phishing can be reduced significantly by combining continuous education, strong technical safeguards and an operational culture that treats phishing as a core security challenge.
If you're concerned about the risks posed to your organisation by phishing, get in touch with the experts at Integrity360.


