The Numbers Are Getting Worse, Not Better
Verizon's 2025 Data Breach Investigations Report confirmed that phishing and pretexting together accounted for over 40% of all breaches. The median time for a user to click a phishing link is 21 seconds from email receipt — faster than most security tools can analyse and quarantine a message. SlashNext's 2025 State of Phishing report documented an 856% increase in AI-generated phishing emails over the previous 18 months. These are not the grammatically broken "Dear Customer" emails of a decade ago. AI-generated phishing emails achieve a 78% open rate compared to 52% for traditional phishing attempts, according to Abnormal Security research. The technology that was supposed to help defenders has handed attackers their most effective weapon yet.
Why Security Awareness Training Is Not Enough
The security industry has spent two decades and billions of dollars on phishing awareness training. Click rates on simulated phishing campaigns have improved — but real-world breach statistics have not. The reason is simple: training teaches people to spot yesterday's phishing. AI-generated emails have no spelling errors, use perfect context, and increasingly reference real internal projects harvested from LinkedIn and public sources. Business email compromise (BEC) attacks — where attackers impersonate executives or suppliers — cost UK businesses £245 million in 2024 according to Action Fraud. No amount of training can reliably protect against a perfectly crafted email from what appears to be your CFO's actual email address requesting an urgent payment.
What Actually Prevents Phishing in 2026
Effective phishing prevention requires a layered approach that does not rely on human vigilance as the primary control. Modern email security platforms use AI to analyse sender behaviour, email content, and communication patterns rather than just scanning for known malicious links. Multi-factor authentication — specifically phishing-resistant MFA like FIDO2 hardware keys — prevents stolen credentials from being useful even when phishing succeeds. Endpoint detection and response catches the malware that arrives via phishing attachments. And anti data exfiltration technology like BlackFog ensures that even if an attacker gains access through a phished credential, they cannot extract valuable data.
- AI-powered email security (behavioural analysis, not just link scanning)
- Phishing-resistant MFA (FIDO2 / hardware security keys)
- Endpoint detection and response for post-click protection
- Anti data exfiltration as the last line of defence
- Security awareness training as one layer — not the only layer
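Why FIDO2 counts as phishing-resistant while a relayed password or one-time code does not, as an added example that is not part of the original article: a minimal Python model of a WebAuthn login assertion in which the browser, not the page, binds the signed data to the origin the user is actually on, so an assertion produced on a lookalike site fails at the real site. The relying party name, both origins and the HMAC stand-in for the authenticator's asymmetric signature are assumptions made for the demonstration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed model of a WebAuthn/FIDO2 login assertion. Real authenticators use a
# per-site asymmetric key pair; HMAC with a shared key stands in so the block runs
# on the standard library alone. The relying-party checks follow the WebAuthn spec.
RP_ID = "bank.example"                                 # hypothetical relying party
RP_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-example.login-check.net"  # hypothetical lookalike site
CREDENTIAL_KEY = secrets.token_bytes(32)

def browser_assert(challenge: bytes, origin: str) -> dict:
    """The browser, not the page's script, writes the origin it is really on into
    clientDataJSON; the authenticator signs over it. A phishing proxy relaying the
    real site's challenge cannot alter that field."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + bytes(4)  # rpIdHash|flags|counter
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "auth_data": auth_data,
            "signature": hmac.new(CREDENTIAL_KEY, signed, "sha256").digest()}

def rp_verify(assertion: dict, expected_challenge: bytes) -> str:
    """Relying-party verification; returns 'ok' or the reason for rejection."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if cd.get("challenge") != expected_challenge.hex():
        return "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != RP_ORIGIN:
        return f"origin mismatch: assertion signed for {cd.get('origin')}"
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected_sig = hmac.new(CREDENTIAL_KEY, signed, "sha256").digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return "bad signature"
    return "ok"

def login(user_is_on: str) -> str:
    """One ceremony: the real RP issues a challenge, the browser on `user_is_on`
    answers it (relayed by the attacker if that is the phishing site), RP verifies."""
    challenge = secrets.token_bytes(32)
    return rp_verify(browser_assert(challenge, user_is_on), challenge)

if __name__ == "__main__":
    print("user on real site:    ", login(RP_ORIGIN))
    print("user on phishing site:", login(PHISH_ORIGIN))
```

A real browser rejects the ceremony even earlier, because the lookalike origin is not allowed to request credentials scoped to RP_ID; the origin check shown here is the relying party's own backstop.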
The Board-Level Conversation
Phishing is not just a technical problem — it is a business risk that belongs in every board discussion about cyber resilience. When a single clicked link can result in a ransomware deployment, a data breach, or a six-figure BEC fraud, the organisation's phishing defences are as critical as its financial controls. The question boards should ask is not "have our staff completed phishing training?" but "if an employee clicks a phishing link today, what prevents the attacker from achieving their objective?" If the answer depends entirely on the employee not clicking, the organisation is one mistake away from a material incident.