Phishing isn’t dead in 2025. It’s thriving. That might sound ridiculous considering how much security tech we’ve stacked: endpoint detection, zero trust, behavioral analytics, and AI everywhere. And yet, attackers still break through with... a basic email.
Here’s the harsh truth: phishing works because humans do.
This is the first in a three-part blog series exploring the ongoing relevance of this topic in the cybersecurity landscape.
As we all know by now, phishing doesn’t target systems; it targets people. It feeds on trust, not code. Our brains are wired to respond to urgency, authority, and familiarity. So when “CFO@yourcompany.com” emails you about a “critical invoice,” you’re not thinking about SPF records. You’re thinking, “I don’t want to delay payment.”
That’s what makes Business Email Compromise (BEC) so dangerous. No malware. No exploits. Just social engineering that impersonates someone important, and it works. According to the 2024 Cost of a Data Breach Report by IBM Security, conducted in partnership with the Ponemon Institute, BEC attacks now cost organizations an average of $4.67 million per incident.
And spear phishing? It’s personal. Attackers scrape LinkedIn, read bios, study your org chart. The email you get isn’t just clever. It’s custom-built to fool you.
Cognitive science tells us that humans rely heavily on heuristics: mental shortcuts that help us process information quickly. Unfortunately, these shortcuts can be exploited. Research published in the Journal of Experimental Psychology has shown that urgency and authority are two of the most effective triggers for compliance, even when people suspect something might be wrong. Another well-cited study by Vishwanath et al. (2011) on phishing susceptibility demonstrated that individuals under cognitive load (i.e., distracted or multitasking) were significantly more likely to fall for phishing emails.
This aligns perfectly with attacker tactics: send the email at 4:55 p.m. on a Friday, layer on urgency, and frame it as coming from a superior. The recipient’s brain, pressed for time, defaults to compliance instead of scrutiny.
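The four tactics just described (authority framing, urgency, a lookalike sender, and late-Friday timing) can be turned into triage signals on the defender's side. The following is an added example, not code from this post: a small heuristic that scores an inbound message for those BEC indicators. The company domain, the executive names and the two sample messages are constructed for the example; in practice this runs alongside SPF/DKIM/DMARC results, not instead of them.

```python
import email
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

COMPANY_DOMAIN = "yourcompany.com"               # assumed internal domain
EXECUTIVES = {"jane doe", "jane doe (cfo)"}      # constructed display names worth protecting
URGENCY_TERMS = ("urgent", "critical invoice", "immediately",
                 "before end of day", "wire transfer")

def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC indicators found in one RFC 5322 message (triage heuristic only)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []
    # Authority: an executive's display name on an address outside the company domain
    if name.lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        findings.append("exec-display-name-external-sender")
    # Reply-To steering answers to a different domain than the visible sender
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        findings.append("reply-to-domain-mismatch")
    # Urgency language in subject or plain-text body
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    if any(term in text for term in URGENCY_TERMS):
        findings.append("urgency-language")
    # Timing: late Friday afternoon or weekend, when scrutiny is lowest
    try:
        sent = parsedate_to_datetime(msg["Date"])
        if sent.weekday() >= 5 or (sent.weekday() == 4 and sent.hour >= 16):
            findings.append("off-hours-timing")
    except (TypeError, ValueError):
        pass  # missing or malformed Date header: no timing signal
    return findings

# Constructed sample messages (not real traffic)
SPOOFED = """\
From: "Jane Doe (CFO)" <jane.doe@yourcompany-billing.com>
Reply-To: jane.doe@mail-relay.example.net
To: ap-clerk@yourcompany.com
Subject: Critical invoice - needs to go out before end of day
Date: Fri, 07 Mar 2025 16:55:00 -0500
Content-Type: text/plain; charset="utf-8"

Please process the attached wire transfer immediately. I'm in meetings, don't call.
"""
BENIGN = """\
From: "Jane Doe" <jane.doe@yourcompany.com>
To: ap-clerk@yourcompany.com
Subject: Q1 budget review notes
Date: Tue, 04 Mar 2025 10:15:00 -0500
Content-Type: text/plain; charset="utf-8"

Notes from this morning's review are attached, no action needed this week.
"""
```

Running `bec_indicators(SPOOFED)` returns all four indicators while the benign internal message returns none; a real pipeline would weight these against authentication results rather than block on them alone.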
Let’s address the elephant in the room: Awareness training hasn’t solved this. It’s helped, but it’s not enough. Why? Because real phishing emails don’t look like training exercises. They look like business-as-usual.
And that’s the problem. We’re not just up against technical adversaries. We’re up against professional manipulators who understand human behavior better than most HR departments.
Coming Up: In our next post, we’ll unpack how Generative AI is industrializing this manipulation and taking phishing from bespoke scam to mass-produced cyber threat.