The challenges in combating phishing have intensified as cyberattackers combine generative AI, deepfake technology, and industrialized phishing-as-a-service kits to bypass traditional defenses at unprecedented scale. A single mistaken click now triggers consequences that unfold in minutes rather than days. According to the CrowdStrike 2026 Global Threat Report, the average adversary breakout time, the window between initial access and lateral movement, dropped to 29 minutes, with the fastest measured at just 27 seconds.

A defense strategy that addresses root causes instead of surface symptoms is the only response that keeps pace with that speed. This guide examines the challenges in combating phishing, including:
- The sheer daily volume of phishing cyberattacks and the economics that sustain it;
- The expanding taxonomy that now spans email, voice, SMS, QR codes, and social media;
- The structural limits of email gateways, authentication protocols, and browser-based protections;
- The cognitive biases cyberattackers weaponize and the cultural barriers that suppress reporting;
- The regulatory and insurance pressures that complicate phishing response across jurisdictions;
- The measurement gap between awareness and behavior, and how a cybersecurity awareness training program closes it.
A workforce that cannot spot a phishing cyberattack in seconds hands cyberattackers the only opening they need. Adaptive Security builds detection instincts across email, voice, and SMS through realistic, multi-channel phishing simulations.
The Sheer Volume and Scale of Modern Phishing Cyberattacks
The challenges in combating phishing begin with raw arithmetic. An estimated 3.4 billion phishing emails are sent every day, making phishing the single largest-volume cyberattack vector in cybersecurity. That volume represents roughly 1.2% of all global email traffic, meaning approximately one in every 83 emails is malicious. The scale alone overwhelms manual triage long before any single credential is compromised, which is why volume itself functions as a cyberattack method.
Phishing by the Numbers: The Scale of the Modern Cyber Threat
The scale of phishing has moved past steady growth into a sustained high plateau. According to the APWG's Phishing Activity Trends Report, Q1 2025, online payment and banking institutions together accounted for 30.9% of all phishing cyberattacks, reflecting a cold calculation of return on effort. The volume no longer spikes in bursts; it has become a permanent pressure on every organization.
Google alone blocks approximately 100 million phishing emails daily, yet most belong to previously unseen campaigns never catalogued in any threat intelligence database. Even the world's most advanced detection infrastructure plays catch-up against a cyber threat that mutates faster than signatures can be written. Cyberattackers are not simply sending more emails; they are diversifying targets, rotating domains faster, and cycling through fresh infrastructure to evade blocklists.
The financial sector absorbs a disproportionate share of this activity, and velocity compounds the problem. A phishing domain can be registered, deployed, harvest credentials for hours, and burn before most threat intelligence feeds even flag it. This combination of volume and speed defines why challenges in combating phishing resist any single technical fix.
Signature-based filters cannot catch a cyber threat that reinvents itself faster than analysts can document it. Adaptive Security trains employees to recognize novel phishing cyberattacks that automated defenses miss.
The HTTPS Deception: Why the Padlock Icon No Longer Signals Safety
For two decades, cybersecurity awareness training programs taught employees one simple rule: look for the padlock. That rule is now actively dangerous because the overwhelming majority of phishing websites display the HTTPS padlock icon. Free certificate authorities made SSL/TLS certificates trivially easy to obtain, and phishing kit developers automated certificate provisioning into their deployment workflows.
The trajectory is instructive. Phishing sites adopted HTTPS at scale once certificates became free, and a phishing site without HTTPS is now the exception rather than the norm. Google recognized this collapse of the padlock's signaling value and removed the icon from Chrome's address bar in 2023, replacing it with a tune icon for security settings. Google's own research found that most users misunderstood what the padlock meant, equating it with legitimacy rather than mere encryption.
The encryption itself is real. The connection between the victim's browser and the phishing site is genuinely encrypted, which means network-level inspection tools cannot see the credential harvesting in transit. The padlock confirms only that nobody is eavesdropping on the theft, rather than confirming that the site is who it claims to be. Effective training must therefore shift from "look for the padlock" to "verify the sender through a second channel, regardless of how legitimate the page appears."
The Phishing-as-a-Service Economy: When Sophisticated Cyberattacks Become a Subscription
The most consequential structural shift among the challenges in combating phishing is economic rather than technological. Phishing-as-a-service (PhaaS) platforms have commoditized what was once skilled tradecraft into a subscription product. Anyone with a cryptocurrency wallet can rent fully operational phishing infrastructure complete with pre-built templates, traffic filtering, geofencing, and real-time victim dashboards.
Group-IB's investigation into the Phoenix System, a centralized PhaaS platform distributing kits via Telegram channels with nearly 13,000 members, revealed an operation that would be familiar to any SaaS entrepreneur. Buyers receive onboarding guidance, structured tutorials, technical debugging support, and pre-built source code packages targeting companies across multiple regions. The platform includes IP-based geofencing, crawler interception to block security scanners, and live dashboards that alert operators the moment a victim reaches an OTP entry page, enabling real-time multi-factor authentication bypass.
The barrier to launching a multi-channel phishing campaign across email, SMS, and voice has dropped to near zero. A single operator can manage dozens of simultaneous campaigns across different geographies and industry verticals from one administrative console. This infrastructure is not a future concern; it exists, it is mature, and it is scaling.
Cyberattackers now rent turnkey infrastructure that bypasses scanners and harvests credentials in real time. Adaptive Security replicates these industrialized phishing cyberattacks so employees recognize them before the credential prompt loads.
Why Volume Alone Overwhelms Organizations
Sheer quantity is its own cyberattack vector, and the operational cost lands before any breach occurs. A mid-sized company receiving hundreds of suspicious messages per week spends heavily on triage alone. Multiplied across an enterprise, the cost of processing phishing before a single credential is stolen becomes a line item security leaders cannot ignore.
Alert fatigue compounds the financial drain. Security teams process alerts at a volume-to-analyst ratio that makes thorough investigation of every flagged message impossible, and when most phishing emails belong to never-before-seen campaigns, signature-based detection fails. The analyst is left manually separating signal from noise across hundreds of near-identical alerts, which guarantees that some malicious messages reach inboxes.
The arithmetic favors the cyberattacker. Cyberattackers need one click from one employee, while defenders must catch every attempt across email, SMS, voice, and collaboration platforms. That asymmetry of effort is what makes phishing volume so effective, and it collapses only when every employee can recognize and report a phishing attempt in seconds. Realistic phishing simulations that expose employees to the same multi-channel tactics cyberattackers use build the detection instincts that scale across that volume.
Every unverified suspicious message is a triage cost an organization absorbs before a breach even begins. Adaptive Security turns employees into a reporting layer that shrinks that volume into manageable signals.
The Expanding Phishing Attack Taxonomy and Its Combat Challenges

The phishing taxonomy has expanded far beyond deceptive email into a multi-channel threat surface spanning voice calls, SMS messages, social media platforms, and domain-level deception. Organizations now face simultaneous cyberattacks across all these vectors, each exploiting distinct psychological triggers and technical blind spots that demand different detection and response strategies. Security teams that train only for email-based cyber threats leave every other channel exposed, which is why the challenges in combating phishing start with mastering the full taxonomy.
Email-Based Variants: Spear Phishing, Whaling, Clone Phishing, and Barrel Phishing
Email remains the highest-volume phishing vector, but contemporary cyberattacks look nothing like the generic scams of the early 2000s. Spear phishing uses open-source intelligence (OSINT) scraped from LinkedIn profiles, corporate websites, and social media to craft messages that reference real projects, colleagues, and internal tools. Whaling targets C-suite executives and finance directors with personalized messages that impersonate legal counsel, board members, or major investors, exploiting the authority gradient that makes subordinates reluctant to verify urgent-sounding requests from leadership.
Clone phishing duplicates a legitimate email the target already received, swaps the original attachment or link for a malicious version, and resends it from a spoofed or lookalike address. Because the message mirrors a real conversation, even security-conscious employees often click without scrutiny. Barrel phishing takes the opposite approach: cyberattackers send a benign, trust-building email first, wait for the recipient to engage, then deliver the malicious payload in a follow-up. By establishing a thread before deploying the cyberattack, barrel phishing bypasses the suspicion a cold inbound email would normally trigger.
The volume behind these variants is staggering. According to the FBI Internet Crime Complaint Center's 2025 Internet Crime Report, phishing and spoofing generated 191,561 complaints, the highest number of reports in any category. Email variants account for the bulk of that volume, yet the attack surface keeps expanding into channels that email defenses never touch.
Multi-Channel and Cross-Platform Cyberattacks: Vishing, Smishing, and Quishing
Cyberattackers now coordinate campaigns across channels to overwhelm skepticism and exploit the verification gaps between platforms. Vishing, or voice phishing, has surged as AI voice cloning makes calls indistinguishable from a real executive's voice, and cyberattackers pair them with a preceding email or chat message to establish legitimacy before the call connects. The cross-channel sequencing is deliberate: each channel lends credibility to the next.
Smishing, or SMS phishing, exploits the fact that mobile messaging lacks the visual inspection cues of email, with no sender address bar, no hover-to-preview links, and shortened URLs that mask the destination. An employee who would never click a suspicious email link often responds immediately to a text purporting to be from IT support about a locked account. Quishing, or QR code phishing, weaponizes the trust people place in QR codes, embedding malicious URLs in codes sent via email, posted in conference rooms, or placed on parking meters and restaurant menus. Because QR codes bypass URL filters entirely, they represent a blind spot in most organizations' perimeter defenses.
Detection across these channels requires phishing simulations that replicate the same multi-channel coordination cyberattackers use. Training that covers only email-based cyber threats leaves voice, SMS, and QR code vectors completely unguarded, which is precisely the gap a modern cybersecurity awareness training program is built to close.
Voice, SMS, and QR codes now carry coordinated campaigns that email defenses never see. Adaptive Security runs simulations across every channel so no vector goes untested.
Platform-Specific Social Engineering: Angler Phishing and Catfishing
Angler phishing targets customers who publicly complain about a brand on social media. Cyberattackers monitor platforms for frustrated posts directed at banks, airlines, and tech companies, then respond within minutes from fake support accounts using near-identical handles and profile images. The victim, expecting a customer service reply, willingly shares account details, passwords, or payment information. Social media platforms now absorb a substantial share of global phishing activity, reflecting how readily public complaints become cyberattack openings.
Catfishing, long associated with dating platforms, has evolved into a reconnaissance and credential-harvesting vector. Cyberattackers build fake personas on LinkedIn, dating apps, and professional networking platforms, cultivating relationships over weeks or months. The goal is to extract internal company information, travel schedules, and personal details that fuel targeted spear phishing and whaling cyberattacks later. The OSINT gathered through catfishing is uniquely dangerous because it comes from voluntary disclosure: the target shares information in a social context, never recognizing it as intelligence collection for a future cyberattack.
Domain Deception Techniques: Homograph Exploits, Typosquatting, and Pharming
Homograph cyberattacks exploit Unicode characters to create domain names visually identical to legitimate URLs, replacing the Latin "a" with a Cyrillic counterpart, for example. The result is a fake domain impossible to distinguish from the real one without inspecting the certificate or the Punycode encoding. A Zscaler ThreatLabz analysis found that the top 500 most-visited domains had over 30,000 registered typosquatting domains targeting them, with more than 10,000 confirmed as actively malicious.
Typosquatting registers common misspellings, transpositions, or hyphenated versions of legitimate domains, casting a wide net that catches users making keyboard errors. These domains host credential-harvesting portals that mirror the real login page exactly. Pharming takes domain deception further by compromising DNS servers or injecting malicious entries into host files, redirecting users silently from legitimate URLs to attacker-controlled sites without any visible indicator in the browser.
Unlike phishing that requires a user to click a link, pharming can compromise a session even when the employee types the correct URL manually. Training programs that cover only suspicious links in email miss the reality that the browser address bar itself can lie. Effective defense requires teaching employees to verify TLS certificates, inspect domains for character-level anomalies, and trust a second verification channel whenever a login page requests credentials.
Flawless lookalike domains defeat every employee taught to trust the address bar. Adaptive Security trains the second-channel verification habit that domain deception cannot survive.
Why Technical Defenses Alone Cannot Solve the Challenges in Combating Phishing
Every technical control layer organizations deploy against phishing has a structural blind spot. Secure email gateways miss cyber threats that use legitimate infrastructure, authentication protocols cannot distinguish a compromised legitimate account from its rightful owner, and URL scanners are blind to links embedded inside QR codes. The reason is fundamental: phishing exploits human trust instead of software vulnerabilities, and trust cannot be patched with a configuration change.
How Cyberattackers Bypass Secure Email Gateways

Secure email gateways operate on a detection model built around reputation scoring, content analysis, and attachment sandboxing, all of which cyberattackers have learned to systematically evade. The most effective bypass technique abuses legitimate infrastructure that gateways are trained to trust. Cyberattackers host phishing pages on reputable platforms whose domains carry high reputation scores, so when a phishing email links to these services, the gateway sees a trusted domain and permits delivery.
Compromised legitimate domains present an equally difficult detection problem. When a cyberattacker hijacks a real business's email server or website, the phishing content arrives from infrastructure with established sending history and positive reputation. No amount of gateway tuning can separate the cyberattacker's messages from the legitimate owner's traffic without generating an unacceptable volume of false positives. Business email compromise exploits this same dynamic, often containing no links, no attachments, and no detectable payload, just plain text impersonating an executive requesting a wire transfer.
Image-based phishing represents a third evasion vector. Cyberattackers render the entire phishing message as an embedded image rather than HTML text, defeating keyword scanners and natural language analysis. Optical character recognition adds latency and cost, and even when deployed it struggles with obfuscated, distorted, or layered images. The cumulative effect forces a recognition that signature-based defenses will always trail cyberattacker innovation, because the attack surface is human judgment.
What DMARC, SPF, and DKIM Cannot Stop
DMARC, SPF, and DKIM form the backbone of email authentication, and their adoption has meaningfully reduced domain spoofing. Their protection radius stops sharply at a boundary most security teams overlook: they verify only whether an email came from the domain it claims, not whether the sender is genuine; they cannot confirm whether the sender is who they say they are. Domains that leave authentication in monitoring mode rather than enforcement still allow spoofed messages to reach inboxes unimpeded.
Lookalike domains expose the most obvious limitation. A cyberattacker registers a domain visually similar to a trusted brand, configures SPF, DKIM, and DMARC correctly for that domain, and sends authenticated emails that pass every protocol check. The authentication passes, the gateway delivers the message, and the only defense left is the recipient's ability to spot the subtle discrepancy in the sender address. Detection tools for newly registered lookalike domains operate post-registration and require continuous tuning to keep false positive rates manageable.
The compromised legitimate account problem is harder still. When a cyberattacker gains access to a real employee's Microsoft 365 or Google Workspace account through credential theft or session hijacking, every outbound email passes SPF, DKIM, and DMARC with perfect scores. According to Verizon's 2026 Data Breach Investigations Report, stolen credentials were involved in 13% of all breaches, much of the resulting fraud flowing through authenticated, protocol-compliant accounts that no technical control flagged.
Authentication protocols wave through every email from a compromised legitimate account. Adaptive Security trains employees to question the request itself, the one signal protocols cannot read.
The Quishing Blind Spot: Why QR Codes Bypass URL Scanners
QR code phishing exploits a fundamental architectural gap: traditional email security tools scan text for URLs rather than embedded images for encoded links. When a cyberattacker pastes a QR code into an otherwise benign email body, the gateway's URL scanner sees only an image file. There is no clickable link to rewrite, no domain to check against reputation databases, and no redirect chain to follow, so the malicious destination remains optically encoded and invisible to the scanning engine.
The Unit 42 research team at Palo Alto Networks documented how cyberattackers compound this blind spot by exploiting legitimate URL redirection services and deploying human-verification challenges on phishing landing pages. Security crawlers that attempt to follow the decoded URL hit the challenge, fail it because they are automated, and never reach the credential harvesting page. The attack site remains unscanned and unclassified while human victims, who pass the verification trivially, walk straight through to the phishing form.
The device-shift dynamic makes quishing especially dangerous. Employees scan QR codes with personal smartphones that sit entirely outside corporate security controls, with no secure web gateway, no DNS filtering, and no endpoint detection. The phishing page loads on a device the security team cannot see, harvests credentials, and the user returns to their desk unaware. Because the cyberattack never crossed a monitored surface, no log records it and no alert fires, leaving the security team blind to a compromise that already succeeded. The corporate email gateway never blocked anything because, from its perspective, the cyber threat never materialized on a monitored surface.
Browser-Based vs. Gateway-Based Protection: Why Neither Is Enough Alone
Organizations running Microsoft 365 or Google Workspace face a structural choice between gateway-based and API-based email security, and neither approach provides complete coverage. Gateway-based solutions sit inline with mail flow, scanning every message before delivery. This architecture works well where the organization controls the MX record, but it introduces latency, creates a single point of failure, and struggles with cloud-native environments where the provider already applies its own filtering before a third-party gateway sees the traffic.
API-based protection integrates directly with the cloud email provider post-delivery, analyzing messages already in user inboxes. This approach avoids MX record changes and deploys quickly, but it introduces a detection delay during which the phishing email may sit in the inbox for seconds or minutes before remediation. For time-sensitive cyberattacks that convert victims within minutes of delivery, that window is wide enough to cause damage. Both approaches rely on detecting known-bad patterns, and both miss cyber threats that look legitimate until a human interacts with them.
Mobile devices widen the gap further. Employees checking email on phones bypass the desktop browser protections corporate security teams rely on, including browser extensions, endpoint agents, and DNS-layer filtering. A phishing link that would trigger a block page on a managed laptop may load without obstruction on a phone's native mail app. When the credential form appears, the user's training becomes the only defense that can prevent compromise, which is why security awareness training and phishing simulations must operate as a control layer in their own right rather than a compliance checkbox layered on technical defenses that have already been shown to fail.
No single security architecture catches a phishing cyberattack that only activates when a human clicks. Adaptive Security supplies the human detection layer that gateway and API defenses structurally cannot.
The Psychology Behind the Challenges in Combating Phishing
Phishing succeeds not because employees are careless but because cyberattackers exploit cognitive machinery that evolved for survival, not for cybersecurity. The human brain relies on mental shortcuts to process thousands of decisions daily without exhausting itself, and those same shortcuts create predictable vulnerabilities that phishers weaponize with clinical precision. According to Verizon's 2026 Data Breach Investigations Report, 62% of confirmed incidents involve a human element, with phishing consistently ranking among the top initial access vectors precisely because it targets psychology rather than infrastructure.
What Cognitive Biases Do Cyberattackers Weaponize in Phishing?

The overconfidence bias, the gap between perceived and actual phishing detection ability, ranks among the most dangerous cognitive distortions in cybersecurity. Employees who understand phishing conceptually often believe they can spot every attempt, a conviction that crumbles the moment an email arrives impersonating their actual manager with context-specific detail drawn from OSINT. This gap between self-assessment and behavior leaves organizations systematically underprepared, because individuals who underestimate their own susceptibility disengage from training.
The Dunning-Kruger effect, where individuals with limited competence overestimate their abilities, has been empirically demonstrated in phishing contexts. Confidence in phishing detection does not correlate with actual detection accuracy, so employees who believe they are immune become the organization's most exposed surface. The illusion of control reinforces the problem, convincing capable employees that conceptual understanding equals practical immunity.
Optimism bias provides the third leg of this cognitive stool. People systematically believe negative outcomes are less likely to happen to them than to others, so the same employee who acknowledges phishing as a serious organizational cyber threat subconsciously exempts themselves from that risk. This bias explains why generic phishing warnings rarely change behavior: the warning feels as though it applies to someone else.
How Do Psychological Triggers Drive Phishing Engagement?
Cyberattackers do not invent new psychological tactics; they repurpose the same principles of persuasion that Robert Cialdini documented decades ago, applied through digital communication. Urgency is the most frequently deployed trigger, with emails warning that an account will be deactivated within 24 hours or that a wire transfer must clear before quarter-end, bypassing analytical thinking by imposing artificial time pressure.
Authority operates in parallel. When an email appears to come from a CEO, CIO, or regulatory body, the recipient's deference to hierarchy overrides the scrutiny they would apply to an unknown sender. In the Arup deepfake fraud, a finance employee joined a video call where every participant was a synthetic clone of company executives, and the authority signal was so thoroughly fabricated that suspicion never activated. The employee authorized 15 transfers totaling roughly $25.6 million before the fraud surfaced.
Fear and scarcity function as emotional accelerants. A phishing email claiming suspicious account activity, paired with a link to verify credentials immediately, triggers a reflexive emotional response before deliberate reasoning can intervene. Social proof normalizes compliance by suggesting that colleagues have already acted. Each trigger exploits a neural pathway that fires faster than conscious deliberation, which is exactly why awareness posters alone never neutralize them.
Deepfake technology now amplifies every one of these triggers. Voice cloning requires only a few minutes of recorded audio, easily harvested from earnings calls, conference talks, or podcast appearances, to generate a convincing replica of an executive's voice. An early documented case involved cyberattackers cloning a German energy executive's voice to deceive a subsidiary chief into transferring roughly $243,000, with the victim later reporting that the synthesized voice captured the executive's accent and cadence. When cloned voices combine with AI-generated scripts capable of real-time conversational adaptation, the result is a vishing cyberattack indistinguishable from a legitimate call, and the human tendency to trust a familiar voice does the rest.
Engineered urgency and false authority fire before reason engages. Adaptive Security conditions employees to pause and verify at the exact moment those triggers activate.
Why Do Trained Employees Still Fall for Phishing?
The answer lies in cognitive load and the attention-capacity tradeoff. Security is virtually never an employee's primary task; it is overhead imposed on top of their actual job. When an employee manages a high-volume inbox while responding to chat messages and preparing for a meeting, working memory is already saturated, and the brain's capacity to scrutinize every email for deception cues collapses. Research published in Frontiers in Psychology by Montañez, Golob, and Xu in 2020 found that high cognitive workload increases vulnerability to social engineering by causing individuals to overlook elements not associated with their primary task.
Acute stress further degrades phishing resistance by favoring fast, heuristic-driven decisions over slow, analytical reasoning. Under stress, controlled processing cedes ground to automatic responses, which is precisely the mental state phishing triggers are designed to induce. Annual training modules cannot override these deeply wired behavioral responses because they operate at the wrong timescale; no lecture can override a reflex activated in milliseconds by a message that looks, sounds, and feels like a legitimate request from an employee's manager.
This timescale mismatch is why point-in-time training fails to move behavior. The knowledge sits in long-term memory while the cyberattack exploits split-second automatic processing, and the two never meet under real-world pressure. Closing that gap requires reinforcement delivered at the moment of decision rather than once a year in a conference room.
The Habituation Problem: When Phishing Simulations Create Complacency
Organizations that run the same phishing simulation templates month after month inadvertently train employees to recognize the simulation rather than the cyber threat. When employees learn the telltale markers of a corporate phishing test, such as consistent sender patterns, unchanging preview text, and identical landing pages, they develop a false sense of security that applies only to the test environment. Research by Sawyer and Hancock published in Human Factors in 2018 demonstrated that when phishing events are perceived as rare, detection accuracy drops, so effective perimeter filtering can paradoxically make the cyberattacks that do land more dangerous.
The habituation dynamic becomes self-reinforcing. Employees who ace every phishing simulation feel no urgency to engage with training, while cyberattackers continuously evolve their tactics and now produce grammatically flawless spear phishing emails indistinguishable from legitimate correspondence. A phishing simulation program that never updates its templates becomes a compliance checkbox rather than a genuine defense.
The AI dimension widens this gap. According to the National Cybersecurity Alliance's 2025–2026 Oh Behave! The Annual Cybersecurity Attitudes and Behaviors Report, 52% of employed participants reported they have not received any training on the security or privacy risks of AI tools, despite 65% now using AI and 43% admitting to sharing sensitive work information with AI tools. That gap concentrates risk precisely where visibility is lowest, since employees experiment with generative tools faster than training can address the new exposure.
Breaking this cycle requires phishing simulations that match the sophistication, channel diversity, and psychological manipulation of real cyberattacks. When training replicates the conditions under which cognitive biases actually fire, employees build the unconscious habit of scrutiny across every communication medium they use daily, which is the outcome a well-designed cybersecurity awareness training program is engineered to produce.
Static phishing tests teach employees to spot the test rather than the cyberattack. Adaptive Security rotates realistic, evolving scenarios that keep detection instincts sharp instead of habituated.
Organizational Culture and the Barriers to Effective Phishing Defense
Organizational phishing defenses collapse when culture punishes rather than protects, and that cultural dimension sits at the center of the challenges in combating phishing. When employees fear repercussions for reporting security mistakes, incidents go underground and fester undetected for weeks or months. Even the strongest technology stack cannot compensate when the workforce learns that silence is safer than transparency, and cyberattackers have grown adept at exploiting these cultural fractures.
How Does Fear of Punishment Suppress Phishing Reporting?

When organizations treat every clicked phishing email as a performance failure, they create a reporting vacuum that cyberattackers exploit. A ThinkCyber survey conducted at Infosecurity Europe 2024 found that half of employees fear repercussions for reporting security mistakes, and a workforce that fears blame chooses silence over disclosure nearly every time.
The damage compounds quickly. An employee who clicks a phishing link and fears disciplinary action faces two options: report it immediately and risk formal consequences, or stay quiet and hope nothing happens. In a blame-oriented culture, silence usually wins, and the security team loses its most valuable early-warning system, the people on the front line who saw the cyberattack first. Because most incidents begin with honest mistakes, not malicious insiders, treating those mistakes as punishable offenses does not reduce them; it hides them.
The psychological mechanism is well documented. The UK National Cyber Security Centre states that blaming users for clicking links does not work, because people click for reasons rooted in personality traits, cognitive load, and situational pressure. Threatening punishment changes none of those factors. What it changes is whether anyone reports the click before the cyberattacker moves laterally through the network.
Blame cultures bury the very incidents security teams most need to see. Adaptive Security pairs realistic phishing simulations with shame-free feedback that turns reporting into reflex.
How Does MFA Fatigue Undermine Authentication Defenses?
Multi-factor authentication is a defense with an exploitable human fatigue curve rather than a complete barrier. Cyberattackers know this and have turned push notification bombardment into a reliable bypass technique that requires no technical sophistication at all.
The playbook is simple. A cyberattacker obtains valid credentials through credential stuffing, infostealer malware, or a previous phishing success, then floods the target's device with repeated push notifications until the user approves one to stop the noise. In 2022, a cyberattacker used this exact technique to breach Uber, spamming a contractor with push requests through the night before escalating with a message impersonating Uber IT support. The exhausted contractor approved the next notification, and the cyberattacker walked into Uber's internal network.
The tactic works because it exploits a fundamental asymmetry: the cyberattacker can fail indefinitely without consequence, while the user must remain vigilant every single time. One moment of fatigue, one reflexive tap to silence a buzzing phone at 2 a.m., and the authentication barrier collapses. Organizations that deploy push-based authentication without number matching, geographic context, or anomaly detection are running authentication theater instead of authentication security.
What Are the Legal and Ethical Risks of Phishing Simulations?
Phishing simulations occupy ethically complex terrain that most security teams navigate without HR or legal input, and that absence creates genuine organizational risk. The NCSC warns that since no one can be expected to spot every phishing email, punishing people for clicking on simulated emails starts to resemble entrapment, and the agency explicitly advises consulting HR departments before running any phishing simulation.
Three risk vectors deserve attention. The first is privacy exposure: simulations that track click behavior, dwell time, or credential entry patterns generate sensitive employee performance data, and without clear governance on what is collected and how long it is retained, organizations may violate internal policies or regulatory requirements. The second is trust erosion: employees who discover they have been tricked by their own security team often feel deceived instead of educated, and that damage can take years to repair. The third is weaponization risk: simulation results shared with managers without context become de facto performance evaluations, turning a learning exercise into employee surveillance.
Simulations that use real-world emotional triggers such as fake bonus announcements or executive crisis messages amplify all three risks. The more realistic the simulation, the greater the ethical obligation to handle results with care and to frame the exercise as learning instead of as a trap. A mature cybersecurity awareness training program documents these guardrails before the first simulation launches.
Poorly governed phishing tests erode trust faster than any cyberattack. Adaptive Security frames every simulation as shame-free learning with governance built in from the start.
How Can Organizations Build a Positive Security Culture Around Phishing Reporting?
The organizations that catch phishing cyberattacks fastest are the ones where employees hit the report button without hesitation, confident that submitting a suspicious email, even one they already clicked, earns recognition instead of reprimand. Building that culture is one of the most durable answers to the challenges in combating phishing.
Four concrete shifts make the difference. First, replace click-rate shaming with reporting-rate celebration by tracking and publicly acknowledging how many phishing reports each department submits. Second, implement transparent feedback loops so employees who report a suspicious email learn within hours whether it was a simulation or a real cyberattack. Third, design simulations as learning moments instead of gotcha tests, delivering immediate, shame-free microlearning when an employee clicks. Fourth, involve HR and legal early and openly, documenting phishing simulation policies and reviewing them annually rather than burying them in an acceptable-use policy nobody reads.
The payoff is measurable. Organizations that shift from punishment-oriented programs to positive reinforcement see reporting rates climb, and higher reporting rates correlate directly with faster incident response. A workforce that reports freely becomes an active detection layer no technology can replicate, and the organizations that treat it that way stop cyberattacks before they become breaches.
Reporting culture is the detection layer no firewall can replicate, yet most organizations punish it into silence. Adaptive Security builds the reinforcement loops that make reporting automatic.
Industry-Specific Targeting and the Mounting Financial Challenges in Combating Phishing
Phishing does not distribute its damage evenly. Cyberattackers concentrate campaigns on industries where the financial return per compromised credential is highest, creating sector-specific risk profiles that make defense far more complex than any one-size-fits-all strategy. The financial challenges in combating phishing extend well beyond the initial incident, as lost business, regulatory penalties, and reputational damage compound for years after a breach. Organizations that fail to calibrate defenses to their sector's threat profile absorb costs that ripple long after containment.
Which Industries Are Most Targeted by Phishing, and Why?
Cyberattackers do not distribute phishing campaigns evenly. Financial services has consistently ranked as the most-targeted sector, absorbing nearly a quarter of all phishing campaigns globally, because financial institutions sit on liquid assets and vast stores of personally identifiable information that make every compromised credential a potential path to a wire transfer or account takeover.
Healthcare has emerged as the second-most-targeted sector, driven by the black-market value of electronic protected health information. A single medical record commands far more than a stolen credit card number because it contains fixed identifiers such as Social Security numbers, birth dates, and medical histories that cannot be reissued. The Change Healthcare breach demonstrated how catastrophic that concentration of value becomes when phishing-delivered credentials unlock a clearinghouse touching a large share of the population.
Technology and SaaS companies face a different dynamic. Cyberattackers target them not primarily for direct financial theft but for supply chain access, because a single compromised developer account can cascade into dozens of downstream breaches through API integrations, shared repositories, and customer environments. That multiplier effect makes technology firms disproportionately attractive despite smaller direct financial holdings, since the real prize is every customer that trusts the firm's software.
What Does a Phishing-Initiated Breach Actually Cost?
The headline figures obscure how the damage actually accumulates. Detection and escalation costs arrive first, often incurred before the organization understands the full scope of the intrusion, and they represent only the opening wave of spending. The total climbs steadily as each downstream consequence materializes.
Lost business costs run higher and accumulate for months after the breach is contained, as contracts are re-evaluated, prospective deals stall, and brand damage depresses acquisition. Post-breach response adds further cost covering legal defense, regulatory fines, credit monitoring, and help-desk operations. The notification process alone surprises many organizations, since mailing letters to millions of affected individuals runs into substantial sums before a single lawsuit is filed.
The detection lag compounds every one of these line items. Breaches initiated through phishing and stolen credentials are among the slowest to identify and contain, in part because the cyberattacker enters through a legitimate account that generates no malware alert and triggers no signature. The longer the intrusion persists undetected, the more data is exfiltrated, the more systems are touched, and the larger the eventual notification population and remediation bill become. Containment cost therefore scales with dwell time, which is precisely the variable a fast human reporting layer is designed to shrink.
Time is the multiplier that makes phishing-initiated breaches so expensive. The slower the detection, the wider the window in which fraudulent transfers clear, and phishing-initiated intrusions are among the slowest to surface because the initial compromise leaves no obvious trace.
The broader fraud picture shows the stakes. According to the FBI's 2025 Internet Crime Report, cyber-enabled fraud accounted for almost 85% of all losses reported to the agency, totaling $17.7 billion, up from $13.7 billion the prior year. Phishing is the entry point for a large share of that activity, because a single harvested credential or spoofed instruction can set the entire fraud chain in motion.
Phishing-initiated breaches bleed cost for months across legal, regulatory, and reputational fronts. Adaptive Security reduces that exposure by cutting the click rate that opens the door.
Colonial Pipeline and Change Healthcare: What Phishing's Worst Outcomes Look Like
The Colonial Pipeline ransomware attack in May 2021 began with a single compromised VPN password, credentials investigators believe were obtained through an earlier phishing campaign and sold on the dark web. The DarkSide ransomware group used those credentials to access Colonial's network, which lacked multifactor authentication. Within hours, the company shut down 5,500 miles of pipeline supplying 45% of the East Coast's fuel, the President declared a state of emergency, panic buying drained stations across the Southeast, and Colonial paid a $4.4 million ransom to recover operations.
The Change Healthcare ransomware attack in February 2024 followed an eerily similar pattern. An affiliate of the BlackCat/ALPHV group accessed the company's remote-access portal using credentials purchased from a channel specializing in stolen logins, credentials almost certainly harvested through phishing, and multifactor authentication was not enabled on the portal. The cyberattackers spent nine days moving laterally and exfiltrating data before deploying ransomware, and the breach exposed 192.7 million individuals, the largest healthcare data breach in U.S. history. Providers across the country went weeks without the ability to submit claims or verify patient eligibility.
In both cases the breach did not require a sophisticated zero-day exploit. It required a single set of valid credentials, no second authentication factor, and an employee who was never given the opportunity to recognize the cyber threat before acting on it. That combination is exactly what a cybersecurity awareness training program is designed to break.
Why SMBs Absorb a Disproportionate Financial Blow from Phishing
Large enterprises dominate the headlines, but the economics of phishing hit small and midsize businesses far harder relative to their size. According to Verizon's 2026 Data Breach Investigations Report, 96% of ransomware victims were small and medium-sized businesses, because SMBs present unpatched devices, compromised credentials, and limited recovery capabilities. A breach cost that represents a rounding error for a multinational bank can be existential for a 30-person firm.
The paradox is structural. SMBs are often targeted less frequently than the largest enterprises yet lack the dedicated security personnel, financial reserves, and insurance coverage to recover when an incident lands. The result is payroll disruption, client attrition, and in many cases permanent closure.
Cyberattackers understand this asymmetry and increasingly treat SMBs as soft entry points to larger supply chains, using phishing-compromised email accounts at small vendors to launch business email compromise against their enterprise customers. The SMB bears the immediate financial damage while the enterprise bears the downstream intrusion, and neither is fully protected until both invest in human-layer defenses, including multi-channel phishing simulations that mirror the specific attack patterns targeting their sector.
There is one encouraging countertrend. According to Verizon's 2026 Data Breach Investigations Report, 69% of victims refused to pay ransoms in 2025, up from 65% the prior year, and the median payment fell to $139,875 from $150,000. Refusal is only viable, however, for organizations that can recover without the decryption key, which means the SMBs least able to maintain tested backups remain the most likely to pay. Reducing the phishing entry point is therefore the most reliable way for a resource-constrained organization to avoid the choice entirely.
For a small business, a single phishing-driven ransomware event can be a closure-level event. Adaptive Security delivers enterprise-grade phishing simulations scaled to teams without dedicated security staff.
Regulatory, Legal, and Insurance Challenges in Combating Phishing

Organizations defending against phishing face overlapping regulatory frameworks that impose conflicting breach notification timelines and defense requirements. Insurers increasingly deny cyber claims for missing or unverifiable security controls, while cross-border fraud routes through dozens of jurisdictions that make investigation structurally difficult before a single regulation is triggered. Compliance alone creates a dangerous illusion of security, because regulators and carriers now demand evidence of behavioral risk reduction rather than policy binders.
How Do GDPR, HIPAA, SEC Rules, and PCI DSS Shape Phishing Defense Obligations?
Each regulatory framework approaches phishing differently, yet all four converge on a single operational demand: organizations must detect, contain, and disclose phishing-driven breaches quickly. The SEC's cybersecurity disclosure rules, adopted in July 2023, require public companies to report material cybersecurity incidents within four business days of determining materiality, a clock that starts the moment a phishing compromise is confirmed. The rule also mandates annual disclosure of risk management strategy and governance, forcing boards to articulate their phishing defense posture in public filings.
GDPR imposes a separate 72-hour notification requirement to supervisory authorities following discovery of a personal data breach, a timeline phishing incidents routinely stress-test because the initial compromise is often invisible until funds move or data exfiltrates. HIPAA's Breach Notification Rule requires covered entities to notify affected individuals within 60 days of discovering a breach, and also mandates notification to HHS and, for breaches affecting more than 500 individuals, prominent media outlets. PCI DSS imposes its own merchant notification obligations and forensic investigation requirements when cardholder data is exposed through a phishing compromise.
The overlap is punishing. A single phishing breach at a healthcare provider that processes payments could trigger simultaneous SEC, HHS, state attorney general, PCI forensic, and GDPR notification obligations, each with different deadlines, thresholds, and documentation requirements. Navigating that thicket while an incident is still unfolding is among the most underestimated challenges in combating phishing.
Why Do Phishing Investigations Stall Across Borders?
Phishing is jurisdictionally promiscuous. A cyberattacker in one country compromises a cloud tenant hosted in a second, impersonates an executive in a third, and convinces a finance employee in a fourth to wire funds to an intermediary account that forwards the money to a cryptocurrency exchange in a fifth. Every step crosses a legal boundary, and each boundary adds procedural friction.
Business email compromise scams have been reported across dozens of countries, with international banks frequently serving as intermediary stops for stolen funds. The friction is procedural as much as geographic, because the formal mechanisms for cross-border evidence gathering routinely take many months to produce results while phishing-driven wire transfers clear in hours.
Law enforcement in victim jurisdictions often cannot compel foreign email providers, hosting companies, or cryptocurrency exchanges to preserve evidence without navigating bilateral agreements that cyberattackers deliberately exploit. The United Nations Office on Drugs and Crime has flagged that cybercriminals choose infrastructure locations specifically to exploit gaps in international cooperation. Even well-documented phishing cases with identified perpetrators rarely result in asset recovery, because the money is gone before the first subpoena crosses a border.
Once a fraudulent transfer clears, cross-border recovery is measured in months, if it happens at all. Adaptive Security stops the loss at the source by training employees to catch the request before funds move.
What Do Cyber Insurers Actually Cover for Phishing Losses?
Cyber insurance has transformed from a simple questionnaire into a formal security audit. Carriers now demand documented evidence of controls before issuing or renewing a policy, including MFA enforcement, endpoint detection and response, tested backups, incident response plans, and ongoing security awareness training with phishing simulations. Missing or unverifiable MFA has become one of the most common reasons for claim rejection.
What phishing-related losses are actually covered depends on policy language that has narrowed each year. First-party coverage typically includes funds lost to social engineering fraud, forensic investigation costs, legal notification expenses, and business interruption. Common exclusions are widening, with many policies now excluding losses where employees failed to follow documented verification procedures, where MFA was not active on the compromised account, or where security awareness training was not completed within the policy period. Some carriers have added specific deepfake and AI-enabled fraud exclusions.
Organizations that demonstrate continuous phishing simulation programs with measurable risk reduction data tend to see premium stabilization, while those relying on annual compliance training alone face steep increases or outright declination. The insurer now treats a mature cybersecurity awareness training program as a measurable underwriting input rather than a checkbox.
Why Does Regulatory Compliance Not Equal Effective Phishing Defense?
Compliance frameworks were designed to prove that controls exist rather than that they work. A SOC 2 report confirms an organization has a security awareness training policy, and a HIPAA risk assessment documents that training was assigned, yet neither answers whether employees actually recognize and report a credential-harvesting email or a deepfake voice call. That gap between documented process and demonstrated behavior is where phishing cyberattacks succeed.
The evidence is unambiguous. Most breached organizations had passed at least one compliance audit within the prior 12 months, which demonstrates that compliance measures what an organization documented instead of what its employees do under pressure. According to the World Economic Forum's Global Cybersecurity Outlook 2026, 52% of organizations indicate that board members receive regular cybersecurity updates and 48% report that board members are actively engaged with cybersecurity issues, with the report emphasizing that board members hold personal liability in the event of cyber breaches; 30% of board members in high-resilience organizations hold liability compared to only 9% in low-resilience organizations. That liability shift is pushing boards to demand behavioral proof instead of paperwork.
Organizations that bridge this gap treat compliance as the floor instead of the ceiling. They run phishing simulations across email, voice, SMS, and video channels because cyberattackers target every one of those channels, they track reporting rates and click rates over time rather than completion percentages, and they present risk reduction data to insurers during renewal. The most effective phishing defense strategy satisfies every regulatory obligation while spending most of its energy on what compliance checklists never measure: whether people actually spot the cyberattack.
Passed audits and breached networks routinely coexist, because compliance measures paperwork rather than behavior. Adaptive Security proves defense with reporting and click-rate data instead of completion certificates.
Measuring Effectiveness: The Metrics Challenges in Combating Phishing

Measuring whether anti-phishing programs actually work requires shifting from click rate as the primary success metric to behavioral indicators that capture reporting, resilience, and genuine threat recognition. A measurement framework must connect simulation data to observable risk reduction over time, because a program that cannot show whether an employee would report a real phishing email faster today than six months ago is measuring the wrong thing. This measurement gap is one of the most overlooked challenges in combating phishing.
Why Is Click Rate a Flawed Metric?
Click rate, the percentage of employees who click a simulated phishing link, has dominated security awareness reporting for over a decade because it is simple to calculate and easy to chart. The problem is that it answers none of the questions that determine whether an organization is safer.
A low click rate can have three entirely different explanations. It can mean employees recognized the phish and deliberately avoided it, it can mean they deleted the email without understanding why it was suspicious and gained no lasting instinct, or it can mean the simulation was so obviously artificial that no reasonable person would have been fooled. None of these scenarios are distinguishable by the click rate number alone, which makes the metric a poor proxy for real-world readiness.
Click rate also fails to capture the most valuable employee behavior, which is reporting. As NIST computer scientist Julie Haney and University of Maryland Associate Professor Wayne Lutters concluded in their peer-reviewed analysis published in Computer in October 2020, compliance metrics do not tell the whole story and fail to measure a program's effectiveness in producing sustained change in employee attitudes and behaviors. An employee who clicks a link, recognizes the mistake, and reports it produces a far better organizational outcome than one who silently ignores the cyber threat, yet a click-rate-obsessed program records that employee as a failure.
Technical noise erodes click rate reliability further, because automated link scanners and email security appliances routinely click simulated links during inspection, inflating failure counts with non-human interactions. Security teams then waste remediation on users who never interacted with the email at all.
The Limitations and Risks of Phishing Simulation Campaigns
Phishing simulations are indispensable when designed and interpreted correctly, but poorly constructed programs actively undermine the security culture they claim to build. Frequency is the first structural challenge, because testing too rarely provides no meaningful reinforcement while testing too often breeds simulation fatigue, where employees learn to spot the test rather than the cyberattack.
When employees begin scanning for telltale signs such as a specific sender domain or a known testing cadence, the exercise trains pattern recognition against the test itself rather than against real phishing tactics. Embedded just-in-time training produces only modest gains when it is delivered in isolation, and annual training delivered as a standalone intervention shows little measurable effect on whether employees click. The conditions of a real cyberattack differ fundamentally from a known-safe exercise conducted at predictable intervals.
Predictable simulations are actively harmful. When employees learn that phishing tests always arrive on the first Tuesday of the month or always mimic a specific template, they stop engaging with the underlying skill and learn to pass the test rather than recognize the cyber threat. The program becomes a compliance checkbox in which dashboard metrics improve while genuine phishing resistance stagnates, creating a dangerous gap between reported safety and actual exposure.
Predictable phishing tests train employees to recognize the test, while real cyberattacks arrive unannounced. Adaptive Security varies timing, channel, and lure so resilience reflects reality.
KPIs That Actually Matter
A set of behavioral indicators, tracked together, reveals whether employees are building genuine phishing resistance. Each one measures an aspect of behavior that click rate alone cannot capture, and together they form the backbone of a measurable cybersecurity awareness training program.
- Reporting rate measures the percentage of employees who actively report a suspicious email, simulated or real, and it is the single strongest indicator of a healthy security culture; a rising reporting rate means employees are transitioning from passive avoidance into active defense.
- Report-to-click ratio compares how many employees reported a simulation against how many clicked it, so a program where 40 report and 10 click is fundamentally healthier than one where 5 click and nobody reports.
- Time-to-report captures the duration between email delivery and the first report; when one employee reports a real phishing email within 90 seconds, the security team can quarantine it organization-wide before others even open their inboxes.
- Resilience rate measures the percentage of employees who correctly identify and report a phishing simulation without clicking, showing over time whether the workforce is becoming collectively harder to deceive.
- Repeat offender trends identify the small cohort that accounts for disproportionate risk, enabling targeted intervention without punishing employees who made a single mistake and then improved.
These indicators move the conversation from activity to outcome. Tracked over consecutive quarters, they reveal whether training is building durable muscle memory or merely generating completion records.
Moving From Completion Tracking to Risk Reduction Measurement
The most damaging metric in security awareness is training completion percentage, because it measures activity instead of outcome. A 98% completion rate on annual modules tells leadership nothing about whether anyone can recognize a deepfake video call or an AI-generated vishing attempt, which is why completion tracking persists as one of the quieter challenges in combating phishing.
Effective measurement connects simulation data to a unified human risk score that moves over time. Every simulation click, every reported phish, every completed module, and every OSINT exposure data point feeds into an individual risk profile, shifting the question from whether an employee finished the training to whether that employee's risk score is declining quarter over quarter.
This approach lets security leaders answer the question boards actually ask, which is whether the organization is measurably safer than it was a year ago. When risk scores trend downward across departments, reporting rates climb while time-to-report shrinks, and fewer real phishing events reach the security operations center, the program has measurable proof of value. Building that measurement infrastructure requires simulations that mirror real attack complexity and training that adapts to what the data reveals about each employee's behavior.
Completion certificates prove attendance rather than defense, and boards have stopped accepting the difference. Adaptive Security ties simulation, reporting, and exposure data into a human risk score leadership can track.
How Adaptive Security Resolves the Challenges in Combating Phishing

Knowing that a phishing email looks suspicious and acting on that knowledge when a message lands in an inbox at 4:52 p.m. on a Friday are two entirely different cognitive events. Under cognitive load, time pressure, or emotional manipulation, the brain defaults to heuristic shortcuts that override training recall, which is why annual awareness sessions alone rarely reduce real-world failure rates. The outcome organizations actually need is a workforce whose safe behavior persists when nobody is watching, and that outcome comes from continuous reinforcement instead of point-in-time instruction.
Continuous risk measurement is what produces that durable behavior change. Adaptive Security routes intensive intervention to the people who need it and maintenance-level reinforcement to those who do not, turning a blunt instrument into a precise one. According to Sumsub's Identity Fraud Report 2025–2026, deepfake-based phishing attacks increased 2,100% in the most affected single country and sophisticated fraud surged 180% year over year, which is exactly the kind of evolving threat that personalized, role-based training is built to counter.
Adaptive Security ties simulation data, reporting behavior, OSINT exposure, and training engagement into a single human risk score that makes culture measurable across email, voice, SMS, and emerging channels. When security leaders can see risk decline on a dashboard, they can prove the value of every dollar invested and demonstrate behavioral risk reduction to insurers, boards, and regulators alike. That measurable, continuous, multi-channel model is how Adaptive Security converts the challenges in combating phishing into a program that demonstrably lowers risk over time.
Awareness without reinforcement is a snapshot that fades long before the next cyberattack arrives. Adaptive Security delivers continuous, personalized, multi-channel defense that turns phishing readiness into measurable risk reduction.
Frequently Asked Questions About the Challenges in Combating Phishing
What Are the Biggest Challenges in Combating Phishing Cyberattacks Today?
The biggest challenges in combating phishing are AI-generated cyberattacks that eliminate traditional detection cues, multi-channel campaigns that bypass email-only defenses, and the persistent gap between security awareness and real-world behavior. Generative AI lets cyberattackers produce grammatically flawless, contextually relevant phishing emails at scale, while campaigns now span SMS, voice calls, QR codes, and social media, forcing security teams to defend an expanding surface.
Intrusions also move from initial access to lateral movement in minutes rather than hours, leaving almost no margin for slow detection. The human factor compounds all of it, as employees face cognitive load pressures that override training and organizations struggle to convert annual awareness into sustained behavioral change.
What Is the Financial Cost of Phishing-Initiated Cyberattacks?
The financial toll of phishing has reached record levels. According to the FBI Internet Crime Complaint Center's 2025 Internet Crime Report, internet crime drove $20.877 billion in reported losses, a 26% jump over the prior year, up from $16.6 billion in 2024. Business email compromise, which frequently begins with a phishing or spoofing lure, accounted for $3.046 billion of that total across 24,768 incidents, averaging roughly $123,000 per case.
The impact extends well beyond the immediate theft to regulatory fines, legal fees, customer notification costs, and reputational damage that can erode business for years, and organizations without phishing-specific incident response plans consistently incur higher costs because of delayed containment.
Can Phishing Cyberattacks Bypass Multi-Factor Authentication?
Yes, phishing cyberattacks bypass multi-factor authentication through several established techniques. The most prevalent is adversary-in-the-middle phishing, where cyberattackers proxy a victim's login session through a fake authentication page, capturing both credentials and the session token once MFA completes. Another common technique is MFA fatigue, also called push notification bombing, where cyberattackers flood a user with repeated authentication requests until the user approves one out of frustration, the same tactic used in the 2022 Uber breach.
While MFA remains essential and blocks most automated credential cyberattacks, it is not a complete defense, and phishing-resistant methods such as FIDO2 security keys provide stronger protection against these bypass techniques.
What Percentage of Phishing Emails Get Past Email Security Gateways?
Secure email gateways do not stop all phishing emails, and the evasion rate has climbed sharply as cyberattackers adopt legitimate infrastructure. Gateways are routinely bypassed by malicious emails that originate from compromised domains, trusted file-sharing services, and HTTPS-enabled phishing sites, all of which carry the reputation signals gateways are trained to trust.
Healthcare and finance organizations face the steepest increases because the return per compromised credential is highest in those sectors. The evasion problem compounds because distinguishing a malicious message from legitimate traffic becomes increasingly difficult when the cyberattack arrives through authenticated, reputable channels that automated filters were never designed to flag.
How Is Generative AI Making Phishing Cyberattacks Harder to Detect and Combat?
Generative AI eliminates the traditional giveaways that users and security tools relied on to identify phishing. Large language models produce grammatically flawless, contextually accurate emails with no spelling errors or formatting inconsistencies, and they enable hyper-personalized spear phishing by scraping publicly available data to reference real colleagues, projects, and internal events. Beyond text, AI adds a physical dimension through deepfake voice and video; the Arup fraud, in which a finance employee wired roughly $25.6 million after a video call populated entirely by synthetic executives, demonstrated that AI-powered social engineering can deceive even experienced professionals.
According to Sumsub's Identity Fraud Report 2024, deepfake fraud incidents grew four times year over year, and the combination of scale, speed, and personalization has fundamentally raised the bar for what organizations must detect.
Key Takeaways on the Challenges in Combating Phishing
- The challenges in combating phishing now span email, voice, SMS, QR codes, and social media, so any defense that trains for email alone leaves most channels exposed.
- No technical control stops phishing on its own, because secure gateways, authentication protocols, and URL scanners each have a structural blind spot that only human judgment can cover.
- Cyberattackers exploit cognitive biases and emotional triggers that fire faster than deliberate reasoning, which is why a cybersecurity awareness training program must reinforce behavior at the moment of decision rather than once a year.
- A blame-oriented culture buries incidents, while a reporting culture turns employees into an active detection layer that shrinks cyberattacker dwell time.
- Regulatory compliance proves controls exist rather than that they work, so a mature cybersecurity awareness training program treats compliance as the baseline and behavioral risk reduction as the goal.
- Click rate is a vanity metric, and durable progress shows up in reporting rate, time-to-report, resilience rate, and a declining human risk score tracked over consecutive quarters.
- Continuous, personalized, multi-channel cybersecurity awareness training converts awareness into the sustained behavior change that measurably lowers phishing risk.
The challenges in combating phishing outpace any defense that stops at annual training and email-only tests. Adaptive Security unifies multi-channel phishing simulations, shame-free reporting, and human risk scoring into one measurable program.




As experts in cybersecurity insights and AI threat analysis, the Adaptive Security Team is sharing its expertise with organizations.
Contents









