Why Phishing Works and How to Mitigate It
Kyle Giliam, Sep 6
Phishing remains one of the most persistent and damaging threats in cybersecurity. Despite decades of awareness campaigns, improved email filtering technologies, and regulatory pressure on organisations, phishing continues to succeed. According to many industry reports, phishing is still the leading cause of data breaches worldwide.
Why is this so? The answer lies not only in technical gaps but also in human psychology. Phishing works because it exploits human bias. Understanding these biases, alongside implementing strong technical and procedural controls, is key to mitigating the risk.

Why Phishing Works
Phishing is fundamentally a form of social engineering. Instead of breaking through firewalls or exploiting unpatched systems, attackers focus on the weakest link in security: people, the so-called human firewall.
Phishing attacks typically impersonate trusted organisations or individuals, creating a sense of urgency or opportunity. These messages often instruct recipients to click a link, open an attachment, or disclose sensitive information. What makes them effective is not the sophistication of the technology behind them but the psychological levers they pull.
Cognitive Biases at Play
Authority Bias
Humans are predisposed to trust messages that appear to come from authority figures. When an email seems to come from a manager, HR department, or a well-known brand, recipients are more likely to comply without questioning.
Urgency Bias
Attackers often frame their phishing messages with tight deadlines or threats of negative consequences. “Your account will be suspended in 24 hours” or “Immediate action required” pressures people to act quickly, bypassing rational evaluation.
Scarcity Bias
Offers of limited-time deals or opportunities tap into our fear of missing out (FOMO). The desire to act fast before losing a perceived benefit overrides careful scrutiny.
Confirmation Bias
People tend to notice information that confirms what they already believe. If someone expects a delivery or an invoice, a phishing message related to these scenarios will feel more credible and is less likely to be questioned.
Reciprocity Bias
Humans are wired to return favours. Attackers may send a “gift card,” “bonus,” or “reward,” nudging the victim to click in response to the apparent goodwill.
By targeting these biases, phishing bypasses technical defences and leverages the natural shortcuts our brains use to make decisions quickly.
The Cost of Phishing
Successful phishing attacks can lead to:
Credential theft: Compromising usernames and passwords for email, banking, or corporate systems.
Financial fraud: Direct transfer of money, fraudulent invoices, or payroll redirection.
Malware infection: Delivering ransomware, spyware, or remote access trojans.
Reputational harm: Public disclosure of a breach damages trust in an organisation.
For businesses, the costs are not only financial but also regulatory. Breaches involving personal data may result in penalties under frameworks such as GDPR, POPIA, or HIPAA, alongside loss of customer confidence and trust.
How to Mitigate Phishing
Since phishing leverages both technology and human psychology, mitigation must be layered and comprehensive.
1. Technical Defences
Email Filtering: Deploy advanced spam and phishing filters that use machine learning and threat intelligence feeds.
Multi-Factor Authentication (MFA): Even if credentials are stolen, MFA adds a layer of protection by requiring an additional factor.
URL and Attachment Scanning: Implement secure email gateways and endpoint protection to inspect links and files before they reach the user.
SPF, DKIM, DMARC: Publish these email authentication records so that receiving mail servers can verify messages claiming to come from your domain, reducing email spoofing.
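SPF and DMARC only reduce spoofing when the published policy actually rejects unauthenticated mail. The following is an added example, not code from the article: it grades the raw SPF and DMARC TXT strings an organisation publishes (here constructed inline for reserved example domains rather than looked up in DNS) and reports the weak settings a mail administrator would want to fix, such as SPF `+all` or a monitor-only DMARC policy.

```python
import re

# Constructed sample records (reserved example domains), not real DNS data.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailhost.example +all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 include:_spf.mailhost.example -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@strong.example",
    },
}

# Mechanisms that cost a DNS lookup (RFC 7208 allows at most 10 per evaluation).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a$|a[:/]|mx$|mx[:/]|exists:|redirect=)")

def check_spf(record: str) -> list[str]:
    if not record.startswith("v=spf1"):
        return ["SPF: record missing or not version spf1"]
    findings, terms = [], record.split()
    # The last 'all' term decides what happens to senders not listed earlier.
    final = next((t for t in reversed(terms) if t.lstrip("+-~?") == "all"), None)
    if final is None:
        findings.append("SPF: no 'all' mechanism, so unlisted senders get no verdict")
    elif final in ("+all", "all"):
        findings.append("SPF: '+all' authorises every sender; spoofing is not prevented")
    elif final == "~all":
        findings.append("SPF: '~all' softfail only; move to '-all' once senders are inventoried")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup mechanisms exceeds the limit of 10 (permerror)")
    return findings

def check_dmarc(record: str) -> list[str]:
    if not record.startswith("v=DMARC1"):
        return ["DMARC: record missing or not version DMARC1"]
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    findings, policy = [], tags.get("p", "")
    if policy == "none":
        findings.append("DMARC: p=none monitors only; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: unrecognised policy '{policy}'")
    if tags.get("sp", policy) == "none":  # subdomain policy inherits p when absent
        findings.append("DMARC: subdomain policy sp=none leaves subdomains spoofable")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so aggregate reports are never received")
    return findings

def assess(records: dict) -> list[str]:
    return check_spf(records["spf"]) + check_dmarc(records["dmarc"])
```

Run `assess` over the records pulled from your own zone to get a short fix list; an empty list means the published policy is already enforcing.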
2. Organisational Measures
Security Awareness Training: Go beyond annual slide decks. Simulated phishing campaigns and regular workshops build “muscle memory” in identifying suspicious messages.
Culture of Reporting: Make it easy and safe for employees to report suspected phishing. Reward vigilance rather than punishing mistakes.
Incident Response Plan: Ensure the organisation knows how to act swiftly when a phishing attempt succeeds, containing damage and learning from the event.
3. Addressing Human Bias
Technical tools can only do so much. To tackle the psychological dimension, organisations must:
Debias Decision-Making: Train staff to slow down when faced with urgent or emotional messages. Encourage the use of checklists: verify the sender, hover over links, and confirm unusual requests through a second channel.
Scenario-Based Training: Tailor exercises to mimic real-world situations (invoice fraud, delivery notices, HR requests). By making these scenarios relatable, training addresses confirmation bias directly.
Reinforce Positive Behaviour: Celebrate when employees correctly identify and report phishing. Recognition shifts bias towards cautious behaviour rather than blind trust.
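The "hover over links" step of the checklist above can also be automated for mail passing through a gateway or an analyst's triage tooling. This added example is not from the article: it parses a constructed HTML body (reserved example domains, invented content) and flags anchors whose visible text names one domain while the href points at another, the pattern an urgency-themed lure relies on. The two-label `registrable()` helper is a deliberate simplification of public-suffix handling.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body using reserved example domains; not a real message.
SAMPLE_EMAIL = """
<p>Your account will be suspended in 24 hours.</p>
<p>Sign in at <a href="http://login.account-verify.example/x">https://bank.example/login</a></p>
<p>Help: <a href="https://bank.example/help">bank.example help centre</a></p>
<p><a href="https://bank.example/statement">View statement</a></p>
"""

# A domain-looking token inside the visible link text, with any scheme stripped.
SHOWN_DOMAIN = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)

def registrable(host: str) -> str:
    """Crude registrable domain (last two labels); a public-suffix list is better."""
    return ".".join(host.lower().split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_mismatches(html: str) -> list[tuple[str, str]]:
    """Return (visible text, real href) for links whose shown domain differs from the target."""
    collector = LinkCollector()
    collector.feed(html)
    mismatches = []
    for href, text in collector.links:
        shown = SHOWN_DOMAIN.search(text)
        if shown is None:
            continue  # wording like "View statement" claims no domain, nothing to compare
        target = urlparse(href).hostname or ""
        if registrable(shown.group(1)) != registrable(target):
            mismatches.append((text, href))
    return mismatches
```

A non-empty result is a strong signal for quarantine or for a warning banner; it complements, rather than replaces, the human habit of checking before clicking.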
Phishing succeeds because it is not just a technical exploit but a psychological one. Attackers know how to manipulate the mental shortcuts we all use: authority, urgency, scarcity, confirmation, and reciprocity. Recognising this reality helps organisations move beyond purely technical solutions.
The strongest defence against phishing lies in combining layered technologies with a culture of awareness and resilience. By addressing both the tools attackers use and the biases they exploit, businesses can significantly reduce their risk.
Phishing will not disappear anytime soon. But with deliberate effort in education, technical controls, and cultural reinforcement, its impact can be contained. Ultimately, awareness of our own human biases may be the most powerful shield we have.


