
Phishing attacks thrive on human behaviour, not lack of skill
Phishing attacks continue to persist as a major cybersecurity threat, targeting even well-educated and digitally literate professionals.
Phishing has moved on from its origins as crude spam email to embrace personalisation and sophistication, successfully deceiving large numbers of users in organisations worldwide. The effectiveness of such attacks is not attributed only to a lack of awareness, but to social engineering tactics that leverage the way people think and act under pressure.
IBM's 2023 Cost of a Data Breach Report has highlighted the impact of phishing, identifying it as the second most common cause of data breaches globally. The report stated that phishing accounted for 16% of all incidents, incurring an average cost of USD 4.76 million per breach. These findings reinforce the argument that technological solutions alone are insufficient if human behaviour remains vulnerable to manipulation.
Phishing attacks are distinct from other types of cyber attacks in that they focus on exploiting emotional and cognitive biases rather than technical vulnerabilities. Attackers may deploy tactics such as urgency, authority, familiarity, or fear to manipulate the victim's decision-making at moments of stress or distraction.
Pivit Strategy observers note that phishing campaigns often use highly relevant messages, such as fake password reset notifications, fraudulent delivery confirmations, or counterfeit internal HR communications. These approaches are designed to provoke instinctive action before the recipient has time to consider whether the message is legitimate.
Phishing draws heavily from principles of psychology and classic social engineering. Attacks often play on authority bias, prompting individuals to comply with requests from supposed authority figures, such as IT personnel, management, or established brands. Additionally, attackers exploit urgency and scarcity by sending warnings of account suspensions or missed payments, and manipulate familiarity by referencing known organisations or colleagues.
Psychologs has explained that many phishing techniques bear resemblance to those used by traditional confidence tricksters. These attacks depend on inducing quick, emotionally driven decisions that bypass the normal defences of critical thinking.
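The four levers just described (urgency, authority, scarcity or fear, and familiarity) are exactly what a reporting or awareness tool can surface for a reviewer. The following is an added example written for this article, not code from Borderless CS, Pivit Strategy, Psychologs or any other organisation named here. It scores a message by how many of those levers its wording combines, adds weight when the sender's display name invokes the organisation while the address sits on a different domain, and suggests a triage outcome. The cue lexicons, the weights, the escalation threshold and the sample messages are all constructed assumptions for illustration.

```python
"""Score an email for the social-engineering cues this article describes.

Added illustration, not a vendor tool. Lexicons, weights, threshold and the
sample messages below are constructed for the example.
"""
import re
from dataclasses import dataclass, field

# One small phrase list per manipulation lever (constructed; a real deployment
# would tune these against its own reported-phish corpus).
CUE_LEXICON = {
    "urgency": ["urgent", "immediately", "act now", "within 24 hours", "expires today"],
    "authority": ["it department", "helpdesk", "security team", "hr department", "ceo"],
    "scarcity_fear": ["suspended", "locked", "missed payment", "final notice", "unauthorised"],
    "familiarity": ["as discussed", "per our conversation", "your colleague", "quick favour"],
}

MISMATCH_WEIGHT = 2   # assumption: spoofed-looking sender counts as two levers
ESCALATE_AT = 3       # assumption: three or more points goes to a human reviewer


@dataclass
class CueReport:
    score: int
    cues: dict = field(default_factory=dict)   # lever -> phrases that matched
    sender_mismatch: bool = False


def sender_domain_mismatch(from_header: str, org_name: str, org_domain: str) -> bool:
    """True when the display name invokes the organisation but the address is
    not on the organisation's own domain (the 'fake internal HR mail' pattern)."""
    m = re.search(r"<([^>]+)>", from_header)
    address = (m.group(1) if m else from_header).strip().lower()
    domain = address.rsplit("@", 1)[-1]
    display_name = from_header.split("<", 1)[0].strip().lower()
    return org_name.lower() in display_name and domain != org_domain.lower()


def score_message(from_header: str, subject: str, body: str,
                  org_name: str, org_domain: str) -> CueReport:
    """Count how many distinct levers the text combines; stacking levers is the
    signature the article describes, so each lever scores once regardless of
    how many phrases from it appear."""
    text = f"{subject}\n{body}".lower()
    cues = {}
    for lever, phrases in CUE_LEXICON.items():
        hits = [p for p in phrases if p in text]
        if hits:
            cues[lever] = hits
    mismatch = sender_domain_mismatch(from_header, org_name, org_domain)
    score = len(cues) + (MISMATCH_WEIGHT if mismatch else 0)
    return CueReport(score=score, cues=cues, sender_mismatch=mismatch)


def triage(report: CueReport) -> str:
    """Suggested handling for the reporting workflow; a human still decides."""
    return "escalate" if report.score >= ESCALATE_AT else "pass"


# Constructed sample messages for a fictional organisation.
ORG_NAME, ORG_DOMAIN = "Example Corp", "example.com"

# Lookalike of the "password reset" lure named in the article.
RESET_LURE = score_message(
    "Example Corp IT Helpdesk <helpdesk@example-support.net>",
    "Urgent: password reset required",
    "The IT department has flagged your account. Reset your password "
    "immediately or it will be suspended.",
    ORG_NAME, ORG_DOMAIN,
)

# Ordinary internal mail with no pressure language and a matching domain.
LUNCH_MAIL = score_message(
    "Jane Doe <jane.doe@example.com>",
    "Lunch on Thursday?",
    "Are you free to grab lunch on Thursday? No rush, reply whenever.",
    ORG_NAME, ORG_DOMAIN,
)

if __name__ == "__main__":
    for name, r in (("reset lure", RESET_LURE), ("lunch mail", LUNCH_MAIL)):
        print(f"{name}: score={r.score} cues={list(r.cues)} "
              f"mismatch={r.sender_mismatch} -> {triage(r)}")
```

The scorer is deliberately coarse: its value in an awareness programme is that the report it returns names the levers (urgency plus authority plus fear, from an outside domain), which is the kind of explanation staff can learn to recognise, rather than a bare verdict.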
The sophistication of phishing is furthered by increasing use of data-driven tactics. As highlighted by TechSplicer, attackers are now gathering publicly available information from sources like LinkedIn and company websites to make their phishing attempts appear more credible and tailored to the recipient.
Even experienced professionals often fall for phishing attacks, not due to a lack of intelligence, but because high workload, multitasking, or emotional pressure make it difficult to properly scrutinise every communication. Research reflects this, with a 2022 Verizon report identifying phishing as the primary means of social engineering breaches, and those with higher responsibility or data access frequently being most at risk.
Borderless CS, a Melbourne-based cybersecurity provider, has conducted phishing simulation programmes with participants from multiple organisational departments. These tests, which have included senior staff, demonstrate that even experienced users can succumb to sophisticated, context-appropriate phishing emails, especially when these arrive at busy or stressful times.
The key lesson is that the capacity to recognise phishing is not linked to technical skill or intelligence, but is heavily influenced by attention, context, and timing. As stated, "The takeaway: susceptibility to phishing isn't about technical skill or intelligence. It's about attention, context, and timing."
Organisations have traditionally relied on periodic awareness training, often delivered through static, annual learning modules. Experts caution that such methods have minimal effect on real-world behaviour unless they are frequent and reflect the kinds of high-pressure decision-making situations that phishing attacks exploit.
Current best practice increasingly involves dynamic and psychology-informed training, including exercises such as simulated phishing campaigns, behavioural workshops addressing emotional and cognitive responses, and fostering an environment in which staff feel comfortable reporting suspicious communications without the risk of blame. Borderless CS supports this methodology by embedding behavioural training in client programmes with the aim of facilitating cultural change within organisations. The approach is described as aiming to "help teams recognise manipulation, not just memorise red flags."
The complexity of phishing attacks is expected to intensify with the rise of AI-generated emails, advanced voice impersonation, and the use of deepfakes. While technology such as spam filters and multi-factor authentication remains important, it is recognised that technological controls alone cannot prevent all threats.
Building effective defences increasingly requires a human-centric approach centred on behaviour change and shared responsibility. This perspective is summarised as: "The most critical defence is awareness built through behaviour change. That starts with recognising that anyone can be manipulated, and that cybersecurity is a shared human responsibility, not just an IT issue."
The continued prevalence of phishing attacks serves as a reminder that the challenge is not a lack of technical knowledge, but the inherent susceptibility of human behaviour. As noted, "Phishing doesn't succeed because we're uninformed. It succeeds because we're human. And that's exactly what attackers count on."