How to Prevent Phishing Emails: A Complete Guide for Organizations

Preventing phishing emails requires more than a spam filter; it demands a layered defense that combines technical controls, security-aware employees, and a clear plan for when cyberattacks succeed despite every precaution.

Phishing is a social engineering cyberattack that manipulates recipients into surrendering credentials, authorizing fraudulent transfers, or installing malware by impersonating a trusted sender. According to CISA, more than 90% of successful cyberattacks historically have started with a phishing email.

This guide gives security leaders and IT administrators a complete, actionable framework for stopping phishing at every stage. It covers email authentication protocols including SPF, DKIM, and DMARC; the layered technical stack that reduces inbox exposure; and what effective cybersecurity awareness training and phishing simulations actually look like compared to compliance-checkbox programs that produce no measurable behavior change.

Explore how Adaptive Security's phishing simulation and human risk platform closes the gaps that technical controls cannot.

What Is a Phishing Email and How Does It Work?

A phishing email is a social engineering cyberattack delivered through email in which a cyberattacker impersonates a trusted sender (a colleague, vendor, bank, or executive) to manipulate recipients into revealing credentials, authorizing fraudulent transfers, or installing malware.

The cyberattack exploits human psychology rather than technical vulnerabilities, which is why it bypasses firewalls, endpoint detection, and spam filters with regularity. Understanding how to prevent phishing emails starts with recognizing that the underlying exposure is behavioral rather than merely technical.

According to the Verizon Data Breach Investigations Report 2026, phishing is among the leading initial access vectors in confirmed breaches. CISA identifies phishing as a primary delivery mechanism across ransomware, credential theft, and business email compromise (BEC) campaigns.

Phishing cyberattacks succeed because they replicate the look, tone, and authority of legitimate communication well enough to trigger action before skepticism engages.

How the Phishing Attack Lifecycle Works

Every phishing cyberattack follows a predictable four-stage sequence. A cyberattacker selects a target and collects identifying details through open-source intelligence (OSINT): LinkedIn profiles, company websites, press releases, and social media posts.

The cyberattacker then crafts a message that mimics a trusted sender, using a spoofed domain (for example, support@paypa1.com instead of paypal.com), a lookalike domain registered days earlier, or a previously compromised internal account.

The message reaches the inbox, often passing technical filters because it arrives from a recognized IP or authenticated domain. The recipient clicks a link, opens a malicious attachment, or submits credentials on a fake login page, completing the cyberattacker's objective without ever triggering a system-level alert.

What Are the Four Main Types of Phishing Emails?

Most phishing cyberattacks fall into one of four categories, each with a distinct targeting profile and risk level:

• Standard phishing: High-volume, low-personalization campaigns sent to thousands of recipients simultaneously. Cyberattackers cast a wide net using generic lures: "Your account has been suspended," "Verify your password," or "You have a pending delivery." Even a 1% click rate on a million-email campaign yields 10,000 compromised credentials;
• Spear phishing: Targeted cyberattacks that use recipient-specific details (their name, role, manager's name, or recent project) to manufacture credibility. Because the message appears tailored, recipients lower their guard;
• Business email compromise (BEC): Cyberattackers impersonate executives or trusted vendors to obtain authorization for fraudulent wire transfers or to redirect payroll. BEC does not require malware or malicious links; the entire cyberattack can live within a plausible email thread. According to the FBI IC3 2025 Annual Report, BEC generated over $3 billion in reported losses in 2025, ranking it among the costliest cybercrime categories by total financial impact;
• Whaling: A subset of spear phishing aimed specifically at C-suite executives, board members, and senior finance personnel. Whaling lures are well-researched, often citing real business deals, regulatory filings, or board meeting schedules to appear credible.

Why AI Has Made Phishing Significantly Harder to Detect

Traditional phishing detection relied on spotting grammatical errors, mismatched sender addresses, or generic salutations. Generative AI has eliminated most of those indicators. Cyberattackers now produce grammatically flawless, contextually accurate phishing emails at scale, indistinguishable from legitimate internal communications to the average employee.

AI also enables rapid personalization: a tool fed with an executive's public LinkedIn posts and earnings call transcripts can generate a convincing spear phishing email in seconds. Static email filters and annual cybersecurity awareness training cycles no longer provide adequate coverage because the threat landscape adapts faster than legacy defenses.

How to Recognize a Phishing Email: Warning Signs That Prevent Phishing Damage

Preventing phishing emails from causing damage starts with recognizing them before anyone clicks. Security teams should train employees on spotting phishing emails by inspecting the sending domain, scrutinizing the language of urgency, verifying every hyperlink before following it, and treating unexpected attachments and requests for sensitive data as automatic red flags.

Checking the display name against the actual sending address, hovering over links to reveal destination URLs, and confirming any high-stakes request through a second channel are habits that can prevent cyberattacks before they escalate.

Recognition alone reduces exposure, but AI-generated phishing has eroded several classic detection signals, making trained behavioral instincts more reliable than surface-level pattern-matching.

1. Check the Actual Sending Domain, Not Just the Display Name

The most consistently exploited gap between what recipients see and what is real lives in the email header. A cyberattacker can set any display name ("PayPal Security Team" or "Your IT Department") while the actual sending address routes through a domain like paypa1-secure.com or it-helpdesk-alert.net. Most email clients display only the friendly name by default, so recipients never see the sending domain unless they actively look for it.

Lookalike domains add another layer of difficulty. Subtle character substitutions (replacing a lowercase "l" with the number "1," swapping "rn" for "m," or inserting a hyphen) are invisible at conversational reading speed. Employees who slow down and read the full sending address before responding to any request involving credentials, payments, or data access remove this cyberattack vector entirely.

2. Identify Manufactured Urgency and Panic Language

Urgency is the single most effective psychological lever in phishing. Phrases like "Your account will be suspended in 24 hours," "Immediate action required," or "Final notice before legal proceedings" are designed to suppress deliberate thinking.

A 2020 paper published in Frontiers in Psychology by Montañez, Golob, and Xu at the University of Texas at San Antonio documents that urgency is among the most effective psychological triggers cyberattackers exploit.

The sentiment reduces recipients' deliberate processing and increases impulsive compliance before deception signals can be consciously evaluated.

The mechanism is straightforward: acute stress shifts decision-making from controlled, analytical processing toward automatic, heuristic-driven responses. An email that creates the feeling that something harmful will happen within the hour succeeds by preventing rational evaluation. Recognizing urgency as a manipulation tactic rather than a factual state is the behavioral shift that neutralizes this lever.

3. Spot Generic or Mismatched Greetings

Personalization failure is a reliable indicator in mass phishing campaigns. A bank that stores a customer's name will use it; an email from "your financial institution" that opens with "Dear Valued Customer" or "Dear Account Holder" signals the message was assembled from a template by an organization that has no authentic relationship with the recipient. The same applies to messages from internal HR or IT systems that address employees by job title rather than name.

Spear phishing, which uses OSINT gathered from LinkedIn, company directories, and social media, increasingly defeats this check by inserting real names, titles, and even recent activity details. Greeting personalization eliminates one category of cyberattacks, but not the most targeted ones.

4. Hover Before Clicking Any Link

Hyperlink misdirection is the most direct route from a phishing email to credential theft or malware installation. The anchor text displays a legitimate-looking URL (www.microsoft.com/reset-password) while the underlying destination resolves to a cyberattacker-controlled domain. Hovering over any link before clicking exposes the actual destination URL in the browser status bar or email client preview.

Flag links where the display text names a recognizable organization but the underlying URL uses a different domain entirely. Also flag links that use URL-shortening services, redirect chains, or subdomains designed to front-load a recognizable brand name before the actual malicious domain (for example, microsoft.com.account-verify.ru). If the hover destination does not match the anchor text, the link should not be clicked.

5. Treat Unexpected Attachments as Suspect by Default

File attachments remain a primary malware delivery channel. Attachments with extensions like .exe, .zip, .docm, or .xlsm in unsolicited emails warrant immediate suspicion, particularly when the accompanying message creates urgency around opening them ("Invoice attached, due today").

Password-protected archive files are a common evasion tactic, designed to prevent automated scanning tools from inspecting the payload before the recipient extracts it.

The baseline rule: never open an attachment from an unexpected source without confirming the request through a separate communication channel: a direct phone call or a known internal chat system, never a reply to the suspicious email itself.

6. Flag All Requests for Sensitive Information

Legitimate organizations (banks, government agencies, IT departments, payroll providers) never request credentials, Social Security numbers, payment card data, or multi-factor authentication codes via email. A message asking recipients to "verify your account" by supplying a password, or to "confirm your identity" by entering a one-time passcode, is a phishing attempt regardless of how official it appears.

Finance and HR teams face this risk most acutely, as they are disproportionately targeted with business email compromise (BEC) cyberattacks: fraudulent wire transfer or payroll redirection requests sent by cyberattackers impersonating executives or vendors.

7. Understand Why Grammar Errors Are No Longer a Reliable Signal

Spelling mistakes and awkward phrasing were once a dependable indicator of phishing. Cyberattackers operating from non-English-speaking regions produced emails that read unnaturally, and recipients learned to use those flaws as a filter. Generative AI has eliminated that signal.

A 2025 systematic review published in AI (MDPI) by Jabir, Le, and Nguyen at the University of Wollongong's Institute of Cybersecurity and Cryptology finds that generative AI has fundamentally shifted the phishing threat landscape by enabling cyberattackers to produce emails that eliminate the surface-level signals that employees have been trained to recognize.

The resulting messages are grammatically correct, contextually relevant, and stylistically coherent, requiring detection to move from surface-level language inspection to deeper contextual and behavioral analysis.

Social engineering cyberattacks exploit weaknesses in human cognitive functions, write Montañez, Golob, and Xu in their 2020 Frontiers in Psychology framework paper. Their analysis identifies five cognitive susceptibility factors: high cognitive workload, high stress, low attentional vigilance, lack of domain knowledge, and lack of past experience.

Well-written language no longer signals legitimacy. Employees relying on grammar checks as their primary filter are using a detection method that modern phishing routinely defeats. Behavioral indicators (sender domain verification, link inspection, second-channel confirmation for sensitive requests) are the checks that remain effective regardless of how polished the email appears.

Recognizing these warning signs significantly reduces individual exposure, but no degree of vigilance can replace the organizational layer: the technical configurations, reporting workflows, and phishing simulations that surface gaps before cyberattackers exploit them.

Email Authentication Protocols: How SPF, DKIM, and DMARC Block Phishing Emails

Preventing phishing emails from reaching employee inboxes starts at the DNS layer with three authentication standards (SPF, DKIM, and DMARC) that together verify whether a message actually originates from the domain it claims to represent. The correct implementation sequence is: deploy SPF to define authorized sending servers, add DKIM to apply cryptographic signatures to outbound mail, then layer DMARC in monitor mode before escalating to quarantine and finally reject.

Each step builds on the last, and skipping the staged rollout risks breaking legitimate mail flows before the full sending infrastructure is mapped. The critical caveat: these protocols stop spoofed-domain cyberattacks but provide no protection against phishing sent through legitimate, compromised accounts.

1. Deploy SPF: Define Authorized Sending Servers

SPF (Sender Policy Framework) is a DNS TXT record that lists every mail server authorized to send email on behalf of a domain. When a receiving server gets a message claiming to be from that domain, it queries DNS and checks whether the sending IP appears on the authorized list. Mail originating from any unlisted server fails SPF, and without DMARC in place, that failure alone rarely stops delivery.

SPF covers the envelope from address checked during SMTP handshakes, not the visible "From" header recipients see in their inbox. That distinction matters: a cyberattacker can still display a spoofed From address while routing through an unlisted server, and without a DMARC policy enforcing action on that failure, the message lands regardless.

2. Add DKIM: Sign Outgoing Mail With a Cryptographic Key

DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to every outgoing message, generated using a private key the mail server holds. Receiving servers retrieve the public key from DNS and verify the signature, confirming the message content has not been altered in transit and that it originated from an authorized source. Unlike SPF, which checks the sending IP, DKIM validates message integrity, making it effective even when email is forwarded through third-party servers.

Both SPF and DKIM produce pass/fail signals, but neither instructs receiving servers on what to do with a failure. An email can fail both checks and still reach an inbox when no enforcement policy exists. DMARC closes that gap.

3. Deploy DMARC: Add Policy Enforcement and Abuse Reporting

DMARC (Domain-based Message Authentication, Reporting and Conformance) is the policy layer that gives SPF and DKIM failures consequences. It tells receiving servers whether to take no action (p=none), route failing messages to spam (p=quarantine), or block them outright (p=reject). A 2024 joint advisory from the FBI, the U.S. Department of State, and the NSA confirmed that malicious actors specifically target domains with weak or absent DMARC policies to send spoofed emails that bypass standard filters.

CISA's Binding Operational Directive BOD 18-01 states that a DMARC reject policy provides the strongest protection against spoofed email, ensuring unauthenticated messages are rejected at the mail server before delivery. While the directive formally applies to U.S. federal civilian executive branch agencies, CISA's framing of p=reject as the strongest available protection is widely adopted as the authoritative standard across public and private sector email security programs.

p=none is a monitoring-only configuration. It generates aggregate reports showing who is sending email on behalf of a domain, but does nothing. Organizations that deploy DMARC and leave it at p=none receive visibility without protection.

DMARC also sends domain owners aggregate reports on authentication failures, effectively mapping who is attempting to send email using that domain. Reviewing these reports during the monitoring phase identifies all legitimate sending sources (CRMs, HR platforms, marketing tools) before tightening policy. Missing a legitimate sender when escalating to reject breaks outbound mail from that system.

4. Escalate Through the Full Policy Sequence

The implementation sequence is non-negotiable: SPF, then DKIM, then DMARC at p=none, then p=quarantine after reviewing reports, and finally p=reject. Organizations that skip straight to reject without reviewing aggregate data routinely discover undocumented sending systems (third-party SaaS tools, payroll processors, automated notification platforms) that begin bouncing immediately.

DMARC enforcement is also a compliance prerequisite under PCI DSS v4.0, which designates anti-phishing controls, including email authentication, as a requirement for any organization processing cardholder data. The PCI Security Standards Council codified DMARC specifically because phishing against payment environments accelerated after 2022.

5. Understand What These Protocols Do Not Cover

SPF, DKIM, and DMARC block domain spoofing, but a cyber threat actor who has compromised a legitimate Microsoft 365 or Google Workspace tenant can send mail that passes all three checks cleanly because that mail genuinely originates from an authenticated domain.

The same is true for spear phishing launched from a breached colleague's account or from a lookalike domain with its own valid authentication records. These are precisely the cyberattack vectors that technical controls cannot intercept, and where phishing simulations that train employees to evaluate message context rather than just sender address become the primary line of defense.

Human recognition fills the gap that authentication protocols leave open. A finance employee who receives an invoice approval request from a "verified" Microsoft 365 tenant still needs judgment to verify out of band before acting. Authentication protocols set the floor; trained human behavior determines whether a spoofed-but-authenticated message ends in a breach or a blocked attempt.

Technical Controls That Prevent Phishing Emails From Reaching Employees

No single technical control stops all phishing. The only architecture that meaningfully reduces phishing volume is defense-in-depth: layered controls that each address a different attack surface, compensating for gaps left open by the previous layer.

Preventing phishing emails from reaching employees requires deploying spam filters, a secure email gateway, API-based cloud security, sandboxing, link protection, and machine learning detection. Even a fully deployed stack will not intercept every phishing attempt, so planning for human-layer detection remains essential.

1. Deploy Spam Filters and Anti-Phishing Gateways as a First Line

Spam filters and anti-phishing gateways are the entry point of every email security stack. They evaluate inbound messages against IP reputation databases, domain blocklists, and heuristic rules, rejecting high-volume commodity phishing campaigns before they reach a mail server. These controls are effective against known, mass-distributed cyber threats: the spray-and-pray campaigns targeting millions of recipients simultaneously.

Their limitation is significant. Spam filters operate on recognition; they block what they already know. Novel spear phishing attempts, BEC messages sent from newly registered domains, and AI-generated emails with no signature match slip through because they appear clean by every metric the filter checks.

2. Add a Secure Email Gateway for Inbound and Outbound Inspection

A Secure Email Gateway (SEG) sits at the MX record level, routing all inbound and outbound mail through an inspection layer before delivery. SEGs scan for malicious attachments, suspicious URLs, and sender reputation signals, adding a structured enforcement layer on top of basic spam filtering. For organizations running on-premises or hybrid mail infrastructure, a SEG has historically been the standard architecture.

The SEG's structural limitation is its position in the mail flow. Because it evaluates messages against known cyber threat signatures and sender reputation lists, it performs well against established cyberattack patterns but struggles against AI-generated phishing sent from legitimate sending infrastructure. BEC cyberattacks impersonating a vendor using a real Microsoft 365 tenant often pass a SEG completely: the domain is clean, the sending IP is trusted, and no malicious attachment exists to scan.

3. Layer in Integrated Cloud Email Security for Behavioral Detection

Integrated Cloud Email Security (ICES) platforms connect natively to Microsoft 365 or Google Workspace via APIs, without requiring changes to MX records. Because they sit inside the mail environment rather than in front of it, ICES platforms analyze the full context of communication: historical sender-recipient relationships, writing style baselines, anomalous metadata, and behavioral signals that rule-based SEGs never see.

The practical difference matters for security teams. A SEG asks: "Is this sender on a blocklist?" An ICES platform asks: "Does this message behave like every other message this sender has sent in the past six months?" That second question catches executive impersonation from a freshly compromised account (one of the most common BEC entry points), where a SEG sees only a clean, trusted domain.

4. Enable Attachment Sandboxing to Stop Malicious Payloads

Attachment sandboxing detonates suspicious files in an isolated virtual environment before delivering them to the end user. Rather than comparing a file's hash against a known-malware database, the sandbox observes what the file actually does when executed: whether it spawns processes, makes network calls, or modifies system files.

Microsoft Defender for Office 365's Safe Attachments is a widely deployed implementation; it uses dynamic delivery to send the email body immediately while holding attachments in a quarantine environment until the detonation verdict is complete, typically within 15 minutes.

Sandboxing adds latency, which is why dynamic delivery matters operationally. Organizations that disable sandboxing to avoid delivery delays accept the risk of macro-enabled weaponized documents reaching employee inboxes, a documented initial access vector in ransomware deployments.

5. Activate Safe Links and URL Rewriting for Post-Delivery Protection

Phishing URLs are increasingly weaponized after initial delivery. A cyberattacker sends a link to a clean staging page, the SEG scans it and finds nothing suspicious, and the payload activates only after the email has landed in the inbox. Safe Links and URL rewriting controls address this by rewriting every link at delivery time and re-evaluating the destination at the moment of click.

Microsoft Defender for Office 365's Safe Links is a widely deployed implementation. Safe Links rewrites every URL at delivery time, substituting a Microsoft-controlled redirect for the original link. At the moment a recipient clicks, Safe Links resolves the redirect, checks the destination against Microsoft's current threat intelligence, and blocks the request if the page is now classified as malicious.

This time-of-click evaluation is what makes Safe Links effective against delayed weaponization, where a cyberattacker initially hosts a clean page and activates the payload hours after delivery.

6. Use Machine Learning Detection to Catch What Rules Miss

Machine learning (ML) detection models analyze thousands of signals simultaneously: sender behavioral baselines, header anomalies, content tone, recipient graph patterns, and linguistic markers. Where rule-based controls ask whether a message matches a known pattern, ML models ask whether a message deviates from established norms.

That distinction makes ML the most effective tool against AI-generated spear phishing, where cyberattackers use generative AI to write grammatically clean, contextually accurate messages that pass every keyword and reputation check.

One critical gap remains across all email gateway controls: a compromised internal Microsoft 365 or Google Workspace account sending phishing from within the trusted tenant bypasses every control described above.

The message originates from a legitimate domain, an authenticated sender, and an established relationship, making it invisible to perimeter defenses. Identity threat detection and response (ITDR) is the necessary complement, monitoring account behavior for anomalous sign-in patterns, unusual send volumes, and forwarding rule changes that indicate account takeover.

Technical controls define the floor of phishing defense; they set the baseline from which human-layer detection must take over. The Verizon Data Breach Investigations Report 2026 confirmed that 62% of incidents involve a non-malicious human element, meaning a meaningful share of phishing reaches employees despite every layer of technical filtration. Recognizing a phishing email before clicking it is the skill that determines outcomes when controls fall short.

Why MFA and Zero-Trust Architecture Limit the Damage of Phishing Cyberattacks

Knowing how to prevent phishing emails from reaching inboxes addresses only part of the exposure. When a phishing email lands and an employee engages, authentication controls and access architecture determine whether that moment becomes a breach or a contained incident. The right controls at this layer dramatically narrow the blast radius of any credential-based cyberattack.

Multi-factor authentication (MFA) forces a cyberattacker to defeat a second verification factor even after stealing a valid password, which fundamentally changes the economics of credential-based cyberattacks.

A 2024 joint advisory on top routinely exploited vulnerabilities, published by CISA, the FBI, NSA, and international partners (AA24-317A), explicitly directs organizations to "enforce phishing-resistant multifactor authentication (MFA) for all users without exception" as a baseline control.

While the advisory is framed as strong guidance rather than a legal mandate for private sector organizations, the use of "enforce" and "without exception" signals that the authoring agencies treat phishing-resistant MFA as the minimum acceptable baseline, not a discretionary option.

What Is the Difference Between Phishing-Resistant MFA and Standard MFA?

Not all MFAs deliver equal protection, and the differences in strength are significant. Three factor types dominate enterprise deployments, each with distinct security properties:

• FIDO2 hardware security keys (e.g., YubiKey): The highest assurance tier. Authentication is cryptographically bound to the origin domain, meaning a login attempt on a spoofed phishing site fails at the protocol level. The key physically cannot authenticate to a site that does not match the registered domain. CISA and NIST classify these as the only phishing-resistant factor type;
• Authenticator app TOTP codes (time-based one-time passwords): Strong against passive credential harvesting, but not phishing-resistant against adversary-in-the-middle (AiTM) cyberattacks. Modern AiTM phishing kits such as Evilginx and Tycoon 2FA act as reverse proxies, capturing the employee's TOTP code in real time and replaying it to the target service before the 30-second window expires. The cyberattacker obtains a valid authenticated session while the employee sees a normal login;
• SMS one-time passcodes: The weakest option. SIM-swapping cyberattacks transfer a victim's phone number to a cyberattacker-controlled SIM, redirecting all SMS messages. For high-privilege accounts (finance teams, IT administrators, executives), SMS OTP provides marginal protection and should be replaced immediately.

The operational implication is direct: organizations still relying on SMS or TOTP for privileged account access carry meaningful exposure that a single AiTM phishing kit can exploit at scale.

How Does Zero-Trust Architecture Reduce Phishing Blast Radius?

Zero-trust architecture addresses scenarios in which authentication controls still fail. NIST Special Publication 800-207 defines zero trust as a security paradigm that eliminates implicit trust based on network location and requires continuous verification of identity and device posture before every access request.

In a legacy perimeter model, a valid credential on the corporate network is treated as trusted, and lateral movement after a phishing compromise is trivial. Under zero trust, a compromised credential is just the start of a verification gauntlet.

Zero trust limits blast radius through three concrete mechanisms. Least-privilege access controls mean a cyberattacker who captures a finance employee's credentials can reach only the systems that employee is authorized to access: HR records, source code repositories, and backup infrastructure remain out of reach.

Continuous session verification means that even an authenticated session is periodically re-challenged against device posture, behavioral signals, and access patterns, with anomalies triggering step-up authentication or session termination.

Microsegmentation ensures that even within an authorized application, a cyberattacker cannot pivot laterally to adjacent systems without passing additional verification checkpoints.

Zero trust is a strategic posture rather than a product category. Phishing-resistant MFA is one of its foundational controls, but it must be combined with least-privilege policies, device health verification, and continuous monitoring to contain the damage when credentials are inevitably compromised.

The practical starting point for most security teams is deploying FIDO2 for privileged accounts, extending phishing-resistant MFA organization-wide over a defined migration window, and running phishing simulations that equip employees to recognize credential-harvesting attempts before a cyberattacker can harvest the first factor they need.

What controls accomplish at the architectural level, security-trained employees must reinforce at the human layer, and that cybersecurity awareness training only works when it mirrors the real tactics cyberattackers actually use.

Employee Security Awareness Training: What Works and What Doesn't Against Phishing Emails

Employee cybersecurity awareness training is a non-negotiable layer of phishing prevention: technology controls cannot intercept cyberattacks engineered to exploit human judgment, and compliance checkboxes do not change that reality.

Most organizations are running programs that produce completion logs rather than behavioral change. An employee who completed a 45-minute annual module in January retains very little of it by March, and virtually none by the time a real cyberattack arrives in October. Compliance-oriented cybersecurity awareness training satisfies an audit requirement; it does not change how people respond under pressure.

Why Annual Training Fails Under Real Cyberattack Conditions

Traditional security awareness and cybersecurity training misaligns with how humans actually learn and retain information. A single long-form session delivered once per year competes with every other workplace priority for attention and memory.

Behavioral science research consistently shows that retention decays rapidly without spaced reinforcement, and that knowledge acquired in a low-stakes setting does not transfer automatically to a high-pressure inbox.

Effective cybersecurity awareness training inverts this model. Short modules under 10 minutes, triggered immediately after an employee clicks a phishing simulation link, deliver context precisely when it is most salient.

Role-specific content matters equally: a finance analyst's cyber threat landscape centers on invoice fraud and BEC, while an IT administrator faces credential-harvesting cyberattacks disguised as internal helpdesk requests. Generic content that tries to cover everything for everyone succeeds at neither.

How AI-Powered Phishing Changed the Training Calculus

cybersecurity awareness training that teaches employees to spot grammar errors and suspicious sender domains was already insufficient before generative AI arrived.

Generative AI enables cyberattackers to produce grammatically flawless, contextually accurate spear phishing emails at scale, pulling from OSINT to personalize content with an employee's name, role, recent projects, and colleague relationships. The visual and linguistic surface of these messages is indistinguishable from legitimate communication.

This shifts the burden of detection from surface-level cues to behavioral pattern recognition. Employees must learn to identify the psychological levers these cyberattacks use: artificial urgency ("wire this before close of business"), false authority ("the CFO needs this approved immediately"), and artificial scarcity ("this window closes in 20 minutes").

These manipulation patterns are consistent across AI-generated and human-crafted cyberattacks alike, making them the most durable focus for cybersecurity awareness training programs.

How to Design a Security Awareness Training Program That Changes Behavior

Program design starts with measurement. Run a baseline phishing simulation before deploying any cybersecurity awareness training content to establish an honest starting benchmark. Segment the workforce by risk profile: finance teams, executives, and IT administrators each face distinct cyberattack patterns and warrant distinct curricula.

Executives are high-value targets for deepfake impersonation and vishing; finance teams face BEC and invoice redirect fraud; IT administrators face credential phishing dressed as internal tooling requests.

cybersecurity awareness training frequency should track cyber threat evolution rather than the compliance calendar. Quarterly content updates are the minimum viable cadence in 2026, given the pace at which AI-generated cyberattack patterns change.

The metrics that matter are behavioral: phishing simulation click rates, time-to-report, and the percentage of employees who correctly flag a suspicious message. These figures reveal whether cybersecurity awareness training is actually closing the gap between awareness and action.

Phishing simulations paired with microlearning create the feedback loop that makes behavioral improvement measurable and continuous. When an employee fails a phishing simulation, that moment of failure becomes the most effective teaching opportunity available.

How Phishing Simulation Testing Strengthens Organizational Defenses Against Phishing Emails

Phishing simulation testing is one of the most direct methods for preventing phishing emails from causing real damage. It moves employees from passive learners into active threat recognizers before a cyberattacker forces the lesson.

To implement phishing simulations effectively, organizations define objectives and scope, select simulation types in progression, deploy OSINT-personalized scenarios, measure click and reporting rates, deliver immediate microlearning to employees who engage with a simulated lure, and increase difficulty as resistance improves.

The most important principle: phishing simulations exist to identify cybersecurity awareness training gaps, not to assign blame.

1. Define Objectives and Scope

A phishing simulation program without defined success criteria generates data no one acts on. Before sending a single test email, security leaders must decide what behaviors they are measuring (click rates, credential submission rates, or reporting rates) and which employee populations carry the highest risk. Finance teams face invoice fraud and BEC scenarios; IT staff encounter credential reset lures; executives are targeted with vendor impersonation scenarios.

2. Select Phishing Simulation Types in Progression

Start with standard email phishing to establish baseline susceptibility before layering in complexity. Once employees demonstrate improved detection on generic email lures, advance to spear phishing scenarios built with OSINT: publicly available data from LinkedIn profiles, conference speaker bios, and earnings call recordings that cyberattackers use to personalize cyberattacks. From there, add vishing (voice phishing), smishing (SMS phishing), and deepfake video scenarios impersonating company executives.

QR code phishing, known as quishing, is one of the fastest-growing phishing simulation types for 2026. Cyberattackers embed malicious URLs inside QR codes precisely because employees cannot inspect a QR code the way they can hover over a hyperlink. Including quishing in the phishing simulation rotation reflects real cyberattacker behavior; programs that omit it are training against last year's threat landscape.

3. Configure Scenarios That Mirror Real Cyberattacks

Generic phishing simulation templates (like "You've won a prize" email) fail as cybersecurity awareness training tools because experienced employees recognize them instantly, skewing click data downward and failing to build genuine detection skills.

OSINT-informed phishing simulations that reference an employee's actual job title, a recent company announcement, or a known vendor relationship create authentic pressure that mirrors real cyberattacker methodology.

A finance team member who safely handles a simulated invoice fraud request built around a real vendor name has practiced the exact scenario cyberattackers deploy.

4. Measure What Matters: Click Rates, Credential Submission, and Reporting

Three metrics determine whether a phishing simulation program is working. Click rate measures the percentage of employees who engaged with the simulated lure. Credential submission rate measures those who proceeded further and entered sensitive information, a more severe risk indicator than a click alone. Reporting rate measures employees who identified the phishing simulation as malicious and flagged it, which is the behavioral outcome every program should optimize for.

Reporting rate is the metric most programs underinvest in. An employee who reports a suspicious email (real or simulated) has executed exactly the security behavior the team needs. Programs that only celebrate non-clicks miss the more valuable outcome.

5. Deliver Microlearning at the Moment of Failure

The teachable moment in cybersecurity awareness training is the exact second an employee clicks a phishing simulation lure; waiting three weeks to deliver that lesson through a scheduled module forfeits the retention window entirely. Immediate feedback delivered at the point of failure connects the lesson to the experience, which is how behavioral retention actually works.

A short microlearning module explaining what cues the phishing simulation contained, why it was convincing, and what to look for next time is orders of magnitude more effective than retrospective cybersecurity awareness training delivered at a scheduled interval.

This architecture (phishing simulation failure triggering automatic targeted cybersecurity awareness training) closes the gap that multi-channel phishing simulations are designed to address. It treats every failed simulation as a data point that activates a personalized improvement path, not a punishable offense.

6. Increase Difficulty Over Time as Resistance Builds

A phishing simulation program that runs identical templates quarter after quarter trains employees to recognize specific tests rather than actual phishing tactics.

Rotating and escalating scenario difficulty (moving from generic email to personalized spear phishing, then to vishing calls and deepfake video requests) keeps the program calibrated against the real cyber threat landscape rather than lagging behind it. Organizations that run phishing simulations more frequently and with higher-fidelity scenarios across multiple channels see measurably lower susceptibility rates over time.

Employees who progress through this cycle become active contributors to organizational defense. They slow down on unexpected requests, verify through secondary channels, and report anomalies that technical filters missed. That behavioral shift (not a phishing simulation completion percentage) is the actual measure of a program working.

What to Do If an Employee Receives or Clicks a Phishing Email

Knowing how to prevent phishing emails from causing harm requires two distinct response plans: one for when a suspicious message lands untouched, and one for when a link has already been clicked or credentials submitted.

Upon receiving a suspected phishing email, the correct actions are to avoid clicking any links, avoid opening attachments, avoid replying, report through the organization's designated mechanism, and verify the sender through a separate channel.

If a link has already been clicked or information submitted, containment begins immediately: disconnect from the network, change exposed passwords, enable multi-factor authentication, and notify the security team without delay. The difference between a contained incident and a full organizational breach often comes down to how quickly those first steps are taken.

Scenario A: What to Do After Receiving a Suspicious Email

Receiving a suspicious email without interacting with it is the best-case scenario, and the window to act correctly is short. The single most important first action is restraint: do not click any link, do not open any attachment, and do not reply, even if the email appears to come from a known colleague or executive. Replying confirms the address is active and hands the cyberattacker an additional engagement vector.

Report the email through the organization's designated mechanism, typically a Phish Alert Button installed in the email client, so the security team can investigate, classify it, and remove it from other inboxes if needed. When legitimacy is uncertain, call the apparent sender directly using a phone number sourced independently, never one provided in the email itself.

CISA's phishing guidance advises recipients to resist the temptation to engage and to report suspicious messages promptly so security teams can act across the organization.

Individuals can forward suspected phishing emails to reportphishing@apwg.org, the Anti-Phishing Working Group's intake address. Organizations operating in critical infrastructure sectors can also report directly to CISA. Both channels contribute to broader cyber threat intelligence, helping identify active campaigns before they reach additional targets.

Scenario B: What to Do After Clicking or Submitting Credentials

If a link has been clicked or credentials entered, the incident is active and must be treated accordingly. Speed of containment directly limits how far a cyberattacker can move. Execute these steps in sequence:

• Disconnect from the network if there is any reason to believe malware was executed, such as an unexpected download or browser redirect. Isolation prevents the cyberattacker from establishing a command-and-control channel or exfiltrating data in real time;
• Change passwords immediately for any account whose credentials may have been exposed, starting with the email account and any other accounts sharing the same password. Password reuse is a primary enabler of credential replay cyberattacks, where one stolen set unlocks multiple services;
• Enable or verify MFA on all affected accounts. Even if credentials were captured, MFA blocks authentication attempts that use only the stolen password;
• Notify the IT or security team without delay. The faster the team is informed, the sooner they can revoke active sessions, block malicious domains, and begin forensic review;
• Monitor accounts actively for unauthorized access attempts, unexpected password reset requests, or unusual activity in connected applications;
• Contact the organization's bank if any financial information was submitted. Request a fraud alert and review recent transactions for unauthorized charges.

What Happens Inside the Organization After a Phishing Click

A single compromised credential rarely stays contained. Cyberattackers follow a documented post-access playbook: they test stolen credentials against other services the victim uses (email, VPN, cloud file storage, HR systems) in a process known as credential stuffing.

The MITRE ATT&CK framework's documentation on Valid Accounts (T1078) describes how compromised credentials enable adversaries to bypass access controls, move laterally across networks, and establish persistence. The documentation also describes that they often use legitimate access through VPNs, Outlook Web Access, and remote desktop without deploying malware, making detection significantly harder. OAuth application grants that survive password resets by authenticating via token rather than password are documented separately under ATT&CK's cloud account persistence techniques.

From there, cyberattackers access sensitive data, monitor communications for privileged information, and frequently pivot toward BEC, inserting themselves into financial workflows before anyone flags the intrusion. Notifying the security team immediately, rather than attempting to handle the situation independently, is the most impactful containment action.

Why Organizations Need a Documented Phishing Incident Response Procedure

Expecting employees to make correct decisions under the pressure of a suspected phishing incident is an unreliable strategy. A documented phishing incident response procedure removes the cognitive load entirely: employees follow a pre-defined sequence rather than improvising under stress.

That means defining in writing who to call, how to report, when to disconnect from the network, and what to document, then rehearsing that sequence through realistic phishing simulations so the response becomes automatic.

Organizations that pair phishing simulations with clear, written response protocols give employees a practiced reflex rather than a problem to solve under pressure. The procedure does not need to be complex; it needs to be specific, accessible, and rehearsed, and cybersecurity awareness training only holds when employees have experienced realistic cyberattack scenarios before a real one arrives.

Metrics That Measure Phishing Email Prevention Program Effectiveness

A phishing prevention program that tracks only cybersecurity awareness training completion rates measures administrative compliance rather than security outcomes. Completion confirms that employees clicked through a module; it does not reveal whether they can recognize and report a cyberattack under real-world pressure.

Separating programs that change behavior from those that fill a checkbox requires tracking a distinct set of outcome metrics, each connected to a concrete reduction in breach probability. How to prevent phishing emails from causing damage at scale depends on the quality of the data these metrics produce.

1. Establish a Phishing Simulation Click Rate Baseline First

The phishing simulation click rate (the percentage of employees who click a simulated phishing link) is the primary entry point for measuring human susceptibility. Run a baseline phishing simulation before any cybersecurity awareness training intervention so there is an honest starting number. Track it continuously by department, role, and seniority level, because finance teams, executive assistants, and IT staff carry different risk profiles that aggregate figures obscure.

2. Add Credential Submission Rate as a Severity Indicator

Clicking a link and submitting credentials represent different levels of failure. Credential submission rate measures how many employees who clicked the phishing simulation link then proceeded to enter a username and password into a fake login page. This metric signals an employee who bypassed two decision points and should be tracked separately to identify the cohort at highest risk of enabling account takeover.

3. Treat Reporting Rate as the Strongest Security Culture Signal

A rising reporting rate (the percentage of employees who correctly flag a simulated or real phishing email) is one of the most reliable positive indicators of a maturing security culture. An employee who reports a suspicious email stops the cyberattack chain and gives the security team actionable intelligence. Target a reporting rate that climbs quarter over quarter, and pair it with mean time to report: how quickly employees flag suspected phishing. Faster detection directly limits cyberattacker dwell time inside the environment.

4. Flag Repeat Clickers for Escalated Intervention

The repeat clicker rate isolates employees who fail multiple phishing simulations despite completing assigned cybersecurity awareness training. This group requires a different approach: targeted one-on-one coaching, adjusted training difficulty, or role-based scenario changes, rather than simply more of the same content they have not retained. Tracking this cohort separately prevents high-risk individuals from being averaged out in program-level statistics.

5. Verify Retention With Knowledge Scores, Not Just Completion

cybersecurity awareness training completion rates confirm enrollment. Knowledge retention scores (post-module assessments and periodic knowledge checks) confirm comprehension. Both are necessary, but neither replaces phishing simulation performance data as the primary effectiveness signal. Tracking all three together identifies gaps between what employees report knowing and what they do when a simulated cyber threat appears in their inbox.

6. Translate Risk Metrics Into Board-Level Business Language

Real phishing incident rate (actual reported incidents and confirmed compromises tracked over time) is the ultimate program effectiveness signal. When this number falls, the program is working; when it holds steady despite security awareness and cybersecurity training investment, intervention is needed.

Security leaders must also translate susceptibility rates into financial exposure for board and executive audiences. A department with a 20% phishing simulation click rate indicates a measurable likelihood of a breach. Using the average breach cost benchmarks, security teams can model the expected annual loss attributable to human susceptibility and tie security awareness and cybersecurity training investment directly to financial risk reduction.

Taken together, these six metrics (click rate, credential submission rate, reporting rate, mean time to report, repeat clicker rate, and knowledge retention scores) form a complete picture of program health. Each one connects directly to a risk outcome the board can act on, and each one points to a specific intervention when the data moves in the wrong direction.

How AI-Powered Phishing Has Changed Human Risk Management for Organizations

Preventing phishing emails is no longer a problem technology alone can solve. Generative AI has transformed phishing from a volume-based spray-and-pray operation into a precision targeting system, one capable of producing grammatically perfect, contextually convincing spear phishing emails at scale, with no human cyberattacker required to customize each message.

The FBI's Internet Crime Complaint Center warned in December 2024 that criminals are already using AI-generated text to execute social engineering, spear phishing, and financial fraud in ways that are substantially harder to detect than traditional cyberattacks.

This shift has exposed the limits of traditional phishing prevention. Blocking malicious emails at the gateway is necessary but insufficient when cyberattackers have simultaneously moved to voice, SMS, and video channels. AI voice cloning enables vishing cyberattacks that impersonate executives with enough fidelity to authorize wire transfers.

OSINT automation allows cyberattackers to harvest an employee's job title, reporting structure, email format, and publicly visible projects from LinkedIn in minutes, then build a spear phishing message indistinguishable from a legitimate internal communication.

What Is the Difference Between Phishing Prevention and Human Risk Management?

Traditional phishing prevention concentrates on two control points: blocking messages before they reach the inbox, and equipping employees through cybersecurity awareness training to recognize suspicious emails when filters fail. Both are necessary. Neither is sufficient as a standalone discipline, because they treat phishing as an isolated email problem rather than a dynamic, person-level exposure.

Human risk management extends the frame. Instead of measuring whether an employee completed annual cybersecurity awareness training, it continuously monitors individual vulnerability across every cyberattack vector using a combination of behavioral signals from phishing simulations, cybersecurity awareness training engagement data, OSINT exposure scores, and credential breach history.

The output is a dynamic risk score per employee that changes as behavior and external exposure change. An employee who recently clicked a phishing simulation link, has a public LinkedIn profile listing their finance role, and holds credentials that appeared in a known breach carries a materially different risk profile than a colleague with a clean simulation record and minimal public footprint. Human risk management makes that distinction visible and actionable.

Why Does OSINT Exposure Change Phishing Risk?

Employees with high OSINT exposure (published email addresses, LinkedIn roles that identify decision-making authority, salary data on Glassdoor, or public conference speaker bios) are materially more likely to receive targeted spear phishing and BEC cyberattacks than employees with limited digital footprints.

Cyberattackers use OSINT automation to identify which employees have budget authority, supplier relationships, or system access credentials, then craft messages that reference real details no mass phishing campaign could reproduce.

A uniform annual cybersecurity awareness training curriculum does not account for this difference. An employee whose role, email address, and organizational relationships are publicly indexed faces a cyber threat profile that is qualitatively different from a peer whose name does not appear in any external database.

Risk-proportionate cybersecurity awareness training (triggered by OSINT exposure signals rather than calendar date) delivers relevant preparation to the employees who need it most, before a cyberattacker acts on the same data.

What Does a Unified Employee Risk Score Add That Completion Rates Cannot?

cybersecurity awareness training completion rates measure activity. They do not measure whether an employee is actually harder to deceive after finishing a module. Organizations that track only completion rates know that an employee watched a video; they do not know whether that employee clicked a phishing simulation credential-harvesting link the following week, whether their email address appeared in a data breach, or whether a cyberattacker scraped their LinkedIn profile last month.

Organizations that integrate phishing simulation results, cybersecurity awareness training engagement data, and OSINT exposure signals into a unified employee risk score gain a materially different picture of their human-layer exposure.

They can identify which employees are genuinely reducing susceptibility and which are completing cybersecurity awareness training without behavioral change, then direct targeted intervention to the latter group before that gap becomes a confirmed breach. Tracking behavioral signals, phishing simulation outcomes, and external exposure produces a defensible human risk posture that completion records alone cannot provide.

Human risk management treats phishing prevention not as a cybersecurity awareness training event but as a continuous measurement problem, one that requires the same ongoing attention as vulnerability management on the technical side. That reframe is what allows security teams to move from reactive incident response toward proactive risk reduction.

See How Adaptive Security Reduces Phishing Email Risk Organization-Wide

Phishing cyberattacks now combine AI-generated content, multi-channel delivery, and OSINT-informed personalization that technical filters were not built to stop. Adaptive Security's phishing simulations and cybersecurity awareness training platform give security teams a measurable view of human-layer risk by role, by department, and over time, so cybersecurity awareness training closes the gaps that matter most.

The platform tracks phishing simulation click rates, credential submission rates, and reporting rates against a dynamic employee risk score, making it possible to identify the employees who need intervention before a real cyberattack forces the issue.

Security leaders who need to move from compliance-oriented cybersecurity awareness training to a continuous human risk management program will find that Adaptive Security's phishing simulation engine and automated microlearning delivery create the feedback loop that measurable behavioral change requires. Role-specific phishing simulation scenarios, real-time remediation triggered by simulation failure, and board-ready reporting translate program activity into defensible risk outcomes.

Discover what a continuous human risk management program looks like: take a self-guided tour of Adaptive Security's phishing simulation and security awareness training platform.

Key Takeaways: How to Prevent Phishing Emails

• Phishing emails exploit human judgment as reliably as technical vulnerabilities; a layered defense addressing both dimensions is the only architecture that contains the risk;
• SPF, DKIM, and DMARC deployed in the correct sequence block domain-spoofing cyberattacks, but provide no protection against phishing sent from legitimate, compromised accounts;
• Phishing-resistant MFA, specifically FIDO2 hardware security keys, is the only factor type CISA and NIST classify as resilient against adversary-in-the-middle cyberattacks;
• Zero-trust architecture limits blast radius by enforcing least-privilege access, continuous session verification, and microsegmentation, containing the damage when credentials are compromised;
• cybersecurity awareness training that runs annually produces knowledge decay; effective programs deliver short, role-specific modules triggered immediately after phishing simulation failures;
• Phishing simulation testing exposes human-layer gaps before cyberattackers exploit them; programs that progress from generic email to spear phishing, vishing, and deepfake scenarios build the most durable detection skills;
• Behavioral metrics (phishing simulation click rate, credential submission rate, reporting rate, and mean time to report) are the signals that reveal whether a phishing prevention program is producing real behavioral change;
• OSINT exposure materially increases an employee's spear phishing and BEC risk; human risk management platforms that incorporate exposure scores deliver cybersecurity awareness training to the employees who need it most;
• AI-generated phishing has eliminated grammar and formatting as reliable detection signals; employees must be trained to recognize psychological manipulation patterns (urgency, false authority, artificial scarcity) that remain consistent regardless of how convincing the email appears;
• Incident response speed determines breach scope; organizations with documented phishing response procedures and rehearsed phishing simulation protocols contain cyberattacks that organizations without them cannot.

See how Adaptive Security's phishing simulation and human risk management platform convert program data into behavioral defenses that prevent phishing emails from becoming confirmed breaches.

Frequently Asked Questions About How to Prevent Phishing Emails

How do organizations prevent phishing emails from reaching employee inboxes?

Preventing phishing emails from reaching employee inboxes requires layered technical controls. Deploy email authentication protocols (SPF, DKIM, and DMARC on a reject policy) to block spoofed domains at the gateway level. Combine these with a secure email gateway or an API-integrated cloud email security platform that uses behavioral analysis to catch cyber threats that pass signature-based filters.

Enable Safe Links to recheck URLs at the moment of click, and sandbox attachments before delivery. These controls reduce volume significantly, but no technical stack eliminates all phishing. Employees prepared through regular phishing simulations remain the critical last line of defense against targeted cyberattacks that bypass every automated filter.

What should employees do after accidentally clicking a phishing link?

Speed of response directly determines the scope of damage. Disconnect from the network if malware may have executed. Change the password for every account whose credentials may have been exposed, prioritizing email and any accounts sharing that password.

Enable or verify multi-factor authentication on all affected accounts. Notify the IT or security team immediately so they can contain lateral movement and review OAuth grants or forwarding rules cyberattackers commonly configure within minutes of a successful compromise.

If financial information was submitted, notify the organization's bank and place a fraud alert on credit files. Document the timeline (what was clicked, when, and what information may have been entered) so the security team can scope the incident accurately.

Can spam filters alone stop phishing emails?

Spam filters alone cannot stop phishing emails, and relying on them as a primary defense is one of the most common gaps in organizational security. Traditional spam filters catch high-volume, known-threat patterns using IP reputation, blocklists, and heuristic rules. They were not built for targeted spear phishing, BEC, or the AI-generated messages that now dominate the cyber threat landscape.

Research published in Expert Systems with Applications (Opara, Modesti, and Golightly, 2025) tested 63 GPT-4o-generated phishing emails against Gmail, Outlook, and Yahoo spam filters, finding that Gmail and Outlook allowed significantly more AI-generated phishing emails to bypass their filters than Yahoo.

The authors attribute the evasion to the absence of traditional malicious markers in AI-generated content, exposing a detection gap in filters tuned to identify conventional phishing signals. The study's sample size (63 emails) reflects an early-stage finding warranting further large-scale investigation.

Effective phishing prevention requires spam filtering as one layer within a broader stack that includes email authentication, behavioral detection, MFA, and security awareness and cybersecurity training.

How often should organizations update security awareness training programs?

Organizations should update cybersecurity awareness training content at a minimum of quarterly and run phishing simulations on a continuous or monthly basis. Annual cybersecurity awareness training produces measurable knowledge decay; employees who complete a module in January retain little by Q3.

NIST SP 800-50r1 (2024) frames cybersecurity and privacy learning programs as ongoing lifecycles requiring continuous review rather than one-time or calendar-driven events. Content updates should be tied to the evolving threat landscape, organizational role changes, and applicable regulatory requirements.

In practice, cybersecurity awareness training content must reflect current cyberattack patterns: AI-generated spear phishing scenarios, deepfake vishing simulations, and QR code phishing (quishing) all require updated curriculum that a 12-month cycle cannot provide. Organizations that demonstrate measurable reductions in susceptibility rates treat security awareness and cybersecurity training as a continuous program.

What is the difference between phishing and spear phishing?

Phishing is a high-volume, low-personalization cyberattack in which cyberattackers send identical or near-identical deceptive emails to thousands of targets simultaneously, relying on volume to achieve a small success rate.

Spear phishing is a precision cyberattack: the cyberattacker researches a specific individual or organization using OSINT (LinkedIn profiles, company directories, press releases, and social media) and crafts a message tailored to that person's role, relationships, and recent activity. That personalization dramatically raises the likelihood of success.

Spear phishing is the variant most associated with high-value targets (executives, finance teams, and system administrators whose credentials or approvals open the door to the most sensitive systems and financial accounts).