The Numbers Don't Lie
According to the 2024 Verizon Data Breach Investigations Report, 74% of all breaches involved the human element — phishing, pretexting, stolen credentials, or misuse. Of those, phishing is consistently the entry point attackers prefer above all others. It's cheap to execute, scales infinitely, and targets the one system no patch can fix: human psychology.
Why Phishing Still Works in 2026
Most security awareness training teaches employees to look for obvious red flags: misspelled domains, poor grammar, suspicious attachments. This advice was adequate in 2012. Today's phishing campaigns are built differently.
AI-Generated Spear-Phishing
Large language models have eliminated the writing quality gap that used to make phishing emails detectable. Attackers now feed a target's LinkedIn profile, GitHub activity, and public emails into LLMs to generate contextually accurate, grammatically flawless messages that reference real projects, real colleagues, and real internal terminology. The result is indistinguishable from legitimate communication at first read.
The Scattered Spider threat group spent just 10 minutes on LinkedIn before calling MGM's IT helpdesk. They convincingly impersonated an employee and social-engineered their way past MFA — no malware, no zero-days, just phishing by phone. Total damage: $100M+.
QR Code Phishing (Quishing)
Email security gateways scan URLs. So attackers stopped including URLs in the email body. Instead, they embed malicious links inside QR codes — an image the gateway sees as harmless. The victim scans it with their personal phone, which has no corporate MDM policy, bypassing every layer of enterprise email security in one step.
Adversary-in-the-Middle (AiTM) Proxies
Traditional phishing harvests credentials. AiTM phishing goes further: it proxies the real login page in real time, stealing not just the password but the authenticated session token — defeating any MFA that is not bound to the origin (OTP codes, push approvals). Tools like Evilginx and Modlishka have made this technique accessible to mid-tier threat actors, not just nation-states.
What Actually Reduces Phishing Risk
Awareness training alone produces a measurable but small improvement in click rates — typically 10–20% reduction. Organisations that achieve 60–80% reductions combine technical controls with training. Here's what the data supports:
1. FIDO2 / Passkeys (Phishing-Resistant MFA)
TOTP codes and push notifications are vulnerable to AiTM proxying. FIDO2 hardware keys and device passkeys are not — the authentication is cryptographically bound to the legitimate domain, so a proxied page physically cannot complete authentication. Google's internal deployment of security keys in 2017 eliminated account takeover for 85,000+ employees with zero successful phishing attacks on enrolled accounts in the following two years.
2. Zero Trust Email Architecture
DMARC, DKIM and SPF together prevent spoofing of your domain. Deployed at enforcement (p=reject), they eliminate the majority of brand-impersonation phishing aimed at your customers. Astonishingly, as of 2024 fewer than 40% of Fortune 500 companies have DMARC set to enforcement.
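A p=reject on paper is not the same as enforcement in practice: pct= below 100 or sp=none quietly weakens it. As an added example (not code from the article), this small Python checker parses a DMARC TXT record and reports the level it actually delivers; the domains and records are constructed.

```python
# Added example, not code from the article: classify a DMARC TXT record by the
# enforcement level it actually delivers. Live record: dig +short TXT _dmarc.<domain>

SAMPLE_RECORDS = {  # constructed, hypothetical domains
    "example-monitor.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-monitor.test",
    "example-partial.test": "v=DMARC1; p=reject; pct=25; sp=none",
    "example-enforced.test": "v=DMARC1; p=reject; adkim=s; aspf=s",
    "example-not-dmarc.test": "v=spf1 include:_spf.example.test -all",
}


def parse_dmarc(record: str) -> dict:
    """Split a record into lowercase tag -> value; require v=DMARC1 and a valid p=."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    return tags


def enforcement_level(record: str) -> str:
    """Return 'none', 'partial', 'quarantine' or 'reject'.

    'partial': a policy is named but weakened by pct<100 (only a sample of
    failing mail is acted on) or sp=none (subdomains exempt; sp defaults to p).
    """
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    if policy == "none":
        return "none"
    pct = int(tags.get("pct", "100"))
    if pct < 100 or tags.get("sp", policy).lower() == "none":
        return "partial"
    return policy


if __name__ == "__main__":
    for domain, txt in SAMPLE_RECORDS.items():
        try:
            print(f"{domain:24} {enforcement_level(txt)}")
        except ValueError as exc:
            print(f"{domain:24} error: {exc}")
```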
3. URL Rewriting + Sandboxed Preview
Modern email security platforms (Microsoft Defender, Proofpoint, Mimecast) rewrite URLs so every click passes through a sandbox that detonates the target page in a virtual browser before allowing the user through. This catches credential harvesting pages even when the initial link looks clean — because many attackers serve benign content to scanners and only deliver the phishing page to real human clicks.
4. Simulated Phishing + Targeted Training
The most effective training targets repeat clickers with immediate, contextual education — not annual videos watched at 2x speed. Platforms like KnowBe4 and Proofpoint Security Awareness Training show the best results when simulations are frequent (monthly), varied in technique, and followed within 60 seconds with a personalised explanation of exactly what the employee should have noticed.
What Defenders Need to Know
Phishing is not a solved problem — it is an arms race. The techniques above will be effective until attackers route around them, which they will. The defenders who stay ahead are the ones who understand the attacker's current toolset, not last year's.
Understanding phishing at this depth — including AiTM proxying, business email compromise (BEC), and social engineering psychology — is a core component of the CEH v13 curriculum at VAPTIC, specifically covered in Module 9: Social Engineering. Students practice both attack and defence in a safe, controlled lab environment.