Most major breaches of the past decade have involved email at some point in the kill chain. Initial access, credential harvesting, lateral movement, fraud: phishing remains the dominant entry vector in the threat reports of every major incident response firm. The technology is decades old, the attacks are well understood, and the controls that work are well known. None of that has translated into email being secure. It is the perimeter that organizations keep declaring solved and keep losing on.
The numbers don’t move
Verizon’s annual Data Breach Investigations Report has put phishing or pretexting at or near the top of breach causes for more than a decade. The 2024 report attributed roughly a third of breaches to phishing, and business email compromise alone accounted for billions of dollars in losses reported to the FBI’s IC3. The targeting has become more sophisticated (generative AI has removed the broken-English tell that used to warn wary users), but the underlying social engineering has not fundamentally changed. People click links, open attachments, and respond to urgent-sounding messages from authority figures, because the email protocol gives the reader no reliable visual signal of authenticity. The display name is free-form text the sender sets. A lookalike domain is a few keystrokes away. Even mail that passes SPF, DKIM, and DMARC carries that result only in an Authentication-Results header the mail client never surfaces, and a pass means only that the message really came from the domain in the From header, not that the domain is the one the reader thinks it is: an attacker who registers a lookalike domain and publishes SPF and DKIM records for it passes DMARC cleanly.
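As an added illustration of that last point (example code written for this page, not part of the original article), the Python below triages a message the way a mail-flow rule or SOAR step would: it reads the DMARC verdict from the Authentication-Results header, then compares the From domain and the display name against a hypothetical list of the organization's own domains. The three messages are constructed; note that the lookalike one passes DMARC and is still flagged, which is exactly the gap authentication leaves open.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains this organization legitimately sends from (hypothetical; replace with your own).
PROTECTED_DOMAINS = {"example.com"}

# Character substitutions common in lookalike domains: "rn" for "m", "1" for "l", ...
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain):
    """Fold common homoglyphs so 'examp1e.com' compares equal to 'example.com'."""
    d = domain.lower()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def edit_distance(a, b):
    """Levenshtein distance, to catch one- or two-keystroke variants like 'exmaple.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_own_domain(domain):
    """True for a protected domain or any subdomain of one."""
    return any(domain == p or domain.endswith("." + p) for p in PROTECTED_DOMAINS)


def lookalike_of(domain):
    """Return the protected domain that `domain` imitates, or None."""
    domain = domain.lower()
    if is_own_domain(domain):
        return None
    for protected in PROTECTED_DOMAINS:
        if normalize(domain) == normalize(protected) or edit_distance(domain, protected) <= 2:
            return protected
    return None


def assess_message(raw):
    """Compare what the reader sees (display name) with what was authenticated (From domain)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "")
    m = re.search(r"\bdmarc=(pass|fail|none)", auth, re.I)
    dmarc = m.group(1).lower() if m else "missing"

    findings = []
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"From domain {from_domain} is a lookalike of {target}")
    # Display name that names one of our domains while the real address is elsewhere.
    if any(p in display.lower() for p in PROTECTED_DOMAINS) and not is_own_domain(from_domain):
        findings.append(f"display name {display!r} claims our identity but address is {addr}")
    return {"display": display, "address": addr, "dmarc": dmarc, "findings": findings}


# Constructed sample messages (not real traffic).
LEGIT = (
    "From: Jane Doe <jane@example.com>\n"
    "Authentication-Results: mx.example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com\n"
    "Subject: Q3 numbers\n\nSee attached.\n"
)
LOOKALIKE = (
    "From: Jane Doe <jane@examp1e.com>\n"
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; "
    "dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com\n"
    "Subject: Urgent wire transfer\n\nPlease process today.\n"
)
DISPLAY_SPOOF = (
    'From: "jane@example.com" <jane.doe.ceo@webmail-free.test>\n'
    "Authentication-Results: mx.example.com; dmarc=none header.from=webmail-free.test\n"
    "Subject: Are you at your desk?\n\nNeed a favour.\n"
)

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("display spoof", DISPLAY_SPOOF)):
        r = assess_message(raw)
        print(f"{label:14} dmarc={r['dmarc']:7} findings={r['findings']}")
```

The distance threshold and the confusable table are deliberately small; in production you would tune them against your own mail volume, because a threshold of 2 on short domains produces false positives, and you would treat a "lookalike with DMARC pass" as a distinct, higher-priority signal than a plain authentication failure.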
The controls that work are unevenly deployed
Multi-factor authentication defeats most credential phishing because a stolen password is no longer enough to log in, but only the phishing-resistant forms hold up against current kits: FIDO2/WebAuthn keys and passkeys bind the credential to the site origin, so a proxy sitting between the user and the real login page cannot replay the assertion, whereas SMS codes, push approvals, and time-based OTPs are relayed through such adversary-in-the-middle proxies routinely. Enforced phishing-resistant MFA on email accounts is the single highest-leverage email security control available, and it remains substantially under-deployed in small and midsize organizations. Email gateway filtering with sandbox detonation catches a meaningful share of malicious attachments. Domain authentication via an enforced DMARC reject policy stops your own domain from being trivially spoofed, with two caveats: it protects only the exact domains you publish the policy for and only at receivers that evaluate DMARC (so subdomains need sp=reject and parked domains need their own records), and it does nothing against lookalike domains, which the attacker controls. None of this is novel. CISA, NIST, and major insurers have been recommending the same stack for years. Adoption lags because the controls cost something (money, deployment effort, occasional user friction) and the cost of not adopting only shows up after a breach.
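The DMARC and SPF part of that stack is about what your own DNS records say, and the weak settings are easy to spot mechanically. The Python below is an added example, not code from the original article: it parses a DMARC TXT record and an SPF record (the records here are constructed; in practice you would fetch `_dmarc.<domain>` and the domain's apex TXT record over DNS and feed the strings in) and flags the settings that leave a domain spoofable: p=none, a partial pct, subdomains not at reject, a missing or permissive `all` term, and an SPF record over the ten-lookup limit from RFC 7208 that makes receivers return permerror.

```python
# Mechanisms and modifiers that each consume one of SPF's ten DNS lookups (RFC 7208 section 4.6.4).
_LOOKUP_PREFIXES = ("include:", "exists:", "redirect=", "a:", "a/", "mx:", "mx/", "ptr:")
_LOOKUP_BARE = ("a", "mx", "ptr")


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lowercase-keyed tag dict."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt):
    """Return policy details plus findings; 'enforced' is True only for reject at 100% incl. subdomains."""
    tags = parse_dmarc(txt)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        return {"enforced": False, "findings": ["not a DMARC record (expected v=DMARC1)"]}
    if "p" not in tags:
        findings.append("missing required p= tag")
    p = tags.get("p", "none").lower()
    sp = tags.get("sp", p).lower()  # subdomain policy inherits p when absent
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append(f"unparseable pct={tags['pct']}")
    if p == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif p == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if sp != "reject":
        findings.append(f"sp={sp}: subdomains are not at reject")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports")
    enforced = p == "reject" and sp == "reject" and pct == 100
    return {"policy": p, "subdomain_policy": sp, "pct": pct, "enforced": enforced, "findings": findings}


def assess_spf(txt):
    """Check the 'all' qualifier and the DNS-lookup budget of an SPF record."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"all": None, "lookups": 0, "findings": ["not an SPF record (expected v=spf1)"]}
    findings, lookups, all_qual = [], 0, None
    for term in terms[1:]:
        t = term.lower()
        qual = "+"  # default qualifier when none is written
        if t[0] in "+-~?":
            qual, t = t[0], t[1:]
        if t == "all":
            all_qual = qual
        elif t in _LOOKUP_BARE or t.startswith(_LOOKUP_PREFIXES):
            lookups += 1
    if all_qual is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qual in ("+", "?"):
        findings.append(f"'{all_qual}all': any host on the internet passes or is neutral")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms: exceeds the limit of 10, receivers return permerror")
    return {"all": all_qual, "lookups": lookups, "findings": findings}


# Constructed records for demonstration, not real DNS data.
SAMPLE_DMARC = {
    "enforced": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com",
    "monitor only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial rollout": "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@example.com",
}
SAMPLE_SPF = {
    "tight": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "wide open": "v=spf1 a mx +all",
    "over budget": "v=spf1 " + " ".join(f"include:p{i}.example.net" for i in range(11)) + " ~all",
}

if __name__ == "__main__":
    for label, rec in SAMPLE_DMARC.items():
        print(f"DMARC {label:16} {assess_dmarc(rec)}")
    for label, rec in SAMPLE_SPF.items():
        print(f"SPF   {label:16} {assess_spf(rec)}")
```

A record that scores as enforced here is necessary, not sufficient: DMARC only binds the From domain to SPF or DKIM alignment, so every legitimate sending service still has to be included or DKIM-signed before you move from p=none to p=reject, which is why the pct ramp exists and why a record stuck at pct=25 for a year is a finding in its own right.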
User training is real but limited
Security awareness training reduces click rates on simulated phishing campaigns. The effect is real but bounded. Even well-trained organizations show double-digit click rates on sophisticated phishing simulations, and the rate trends upward when attackers use targeted spear-phishing. The realistic objective of training isn’t to eliminate clicks; it’s to reduce them and to encourage rapid reporting when they happen, because containment time is the variable that most affects breach severity. Organizations that treat training as a checkbox compliance exercise (annual computer-based training nobody pays attention to) get the corresponding result.
The bottom line
Email is going to remain the primary attack vector for the foreseeable future because the volume, the trust model, and the user behavior all favor the attacker. The defensive playbook isn’t a mystery: phishing-resistant MFA on every account, DMARC enforced at reject, gateway filtering with attachment sandboxing, and training that’s frequent enough to matter. Organizations that do those four things have measurably fewer incidents. Organizations that don’t keep showing up in breach reports.