
Why Phishing Still Works (And the 6 Controls That Actually Stop It)

Every year someone publishes another study claiming phishing has been “solved” by AI, by passkeys, by some new gateway. Then we look at incident data and discover that 80%+ of business email compromises and a majority of ransomware infections still start with a phishing email.

Phishing keeps working because the defences are uneven. A lot of organisations have some controls in place — a default email filter, an annual training video — but the gaps between controls are where attackers operate. Here are the six controls that, when stacked, actually stop most phishing-led incidents.

1. SPF, DKIM and DMARC — with DMARC at p=reject

The single most under-implemented anti-phishing control. SPF tells the world which servers are authorised to send mail for your domain. DKIM cryptographically signs your outbound mail. DMARC tells the world what to do when both checks fail.

If your DMARC record is at p=none (monitor only), spoofers can send mail “from” your domain and recipient servers will deliver it. Move to p=reject after you’ve audited which legitimate senders need authorisation. Most organisations stall at p=quarantine — finish the job.

This is one to assign to a single owner with a 60-day deadline. The work is mostly DNS configuration and stakeholder coordination, not money or tooling.
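As an added example (not code from the post), here is a small Python checker for the audit step: feed it the TXT record at `_dmarc.yourdomain` and it lists exactly what still separates it from a fully enforcing policy. The sample records and the `example.com` domain are constructed for illustration.

```python
def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; rua=...' into a tag->value dict (tags are case-insensitive)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_findings(txt):
    """Return the gaps between this record and an enforcing p=reject policy (empty list = done)."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a valid DMARC record (missing v=DMARC1)"]
    findings = []
    p = tags.get("p", "").lower()
    if p != "reject":
        findings.append(f"p={p or 'missing'}: spoofed mail from the organisational domain is not rejected")
    sp = tags.get("sp", p).lower()  # sp defaults to p when absent (RFC 7489)
    if sp != "reject":
        findings.append(f"sp={sp or 'missing'}: spoofed mail from subdomains is not rejected")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address: you get no aggregate reports to audit legitimate senders")
    return findings

# Constructed sample records: what `dig TXT _dmarc.example.com +short` might return at each stage.
SAMPLE_RECORDS = {
    "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "stalled":    "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com",
    "enforced":   "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for stage, record in SAMPLE_RECORDS.items():
        print(stage, dmarc_findings(record) or ["enforcing: p=reject everywhere"])
```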

2. The external sender warning banner

A one-line configuration change in your email platform. Every email from outside your organisation gets a clearly visible banner: “External sender — verify before clicking links or replying.”

It sounds trivial. Studies consistently show 10–20% click reduction on phishing emails. Why? Because most successful phishing impersonates internal senders, and the banner tells the recipient instantly that the email isn’t actually from a colleague. Just turn it on.

3. MFA on every email account, with legacy auth disabled

Even if a phishing kit successfully harvests a credential, MFA blocks the attacker from logging in. The catch: many organisations have MFA enforced for new logins but allow legacy authentication protocols (POP, IMAP, SMTP basic, EWS basic) that bypass MFA entirely.

Disable legacy auth at the tenant level. In Microsoft 365 this is the “Block legacy authentication” conditional access policy or the “Security defaults” toggle. In Google Workspace it’s “Less secure apps” turned off, plus enforcing 2-step verification.

4. Anti-phishing training that’s continuous, not annual

The reflex response to phishing is “more training.” The actual research is more nuanced: a single annual training has minimal lasting effect on click rates. What works is continuous training reinforced by simulated phishing.

The right cadence is 5–10 minutes of training per user per month, plus simulated phishing emails about as often as the real ones (typically 1–2 per month for SMBs, 4+ per month for enterprises). Track click rate and report rate over time. The metric that matters most is the report rate — how quickly users surface a real phish.

Don’t shame people who click. Reward people who report. Phishing simulations exist to find weak spots in your communications and process, not to embarrass employees.

5. A one-click “Report Phish” button

Make it trivially easy to report a suspicious email. Most modern email security platforms ship a button. If yours doesn’t, install one. The minute friction of forwarding to security@ is enough to lose 80% of reports.

The button should do two things: send the message to your security team for triage, and remove the email from the user’s inbox so they’re not tempted to engage with it.

Behind the button, you need automated triage. A SOAR playbook (or a detection engineering team) can analyse the message, check for similar messages in other inboxes, and pull all copies if it’s malicious. Without that, reports pile up unread.

6. Detection for post-compromise behaviour

Even with great prevention, some phishing succeeds. The next-best line of defence is detecting what happens after the credential is stolen.

Three behaviours to alert on:

  • Suspicious sign-ins. Impossible travel (logged in from London then Mumbai 30 minutes later). New device. New ASN. Modern identity providers (Entra ID Premium, Okta, Google Workspace) flag these — make sure someone reviews and that automation force-revokes tokens on high-risk events.
  • New mailbox rules. Attackers create rules to auto-forward to external addresses or delete responses to fraudulent invoices. Alert on mailbox rule creation, especially auto-forward and auto-delete patterns.
  • OAuth consent grants. “Consent phishing” tricks users into authorising malicious third-party apps that gain persistent access without ever needing the password. Restrict which apps users can authorise without admin approval.
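The first two behaviours above, as an added Python example (not code from the post): an impossible-travel check over consecutive sign-ins per user, and a pattern check on newly created inbox rules. The speed threshold, the `example.com` internal domain, the field names in the rule dictionary and the sample events are all assumptions constructed for illustration, using the London-to-Mumbai case from the text.

```python
from collections import namedtuple
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 1000.0                 # assumption: faster than any airliner => impossible
INTERNAL_DOMAIN = "example.com"  # assumption: your own mail domain
SignIn = namedtuple("SignIn", "user ts lat lon")  # one identity-provider sign-in event

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_kmh=MAX_KMH):
    """Flag consecutive sign-ins by one user that imply travel faster than max_kmh."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e.user, e.ts)):
        by_user.setdefault(e.user, []).append(e)
    hits = []
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            hours = (b.ts - a.ts).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")  # same second: treat as infinite
            if km > 1 and kmh > max_kmh:  # ignore geo-IP jitter inside one city
                hits.append((user, a.ts, b.ts, round(kmh)))
    return hits

def suspicious_rule(rule, internal_domain=INTERNAL_DOMAIN):
    """Reasons a new inbox rule matches the auto-forward / auto-delete patterns above."""
    reasons = []
    for addr in rule.get("ForwardTo", []) + rule.get("RedirectTo", []):
        if not addr.lower().endswith("@" + internal_domain):
            reasons.append(f"forwards to external address {addr}")
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching messages")
    return reasons

# Constructed sample: the London -> Mumbai case from the text, 30 minutes apart.
SAMPLE_SIGNINS = [
    SignIn("alice", datetime(2024, 5, 1, 9, 0), 51.51, -0.13),   # London
    SignIn("alice", datetime(2024, 5, 1, 9, 30), 19.08, 72.88),  # Mumbai
    SignIn("bob", datetime(2024, 5, 1, 9, 0), 51.51, -0.13),     # London
    SignIn("bob", datetime(2024, 5, 1, 17, 0), 48.86, 2.35),     # Paris, 8 h later: plausible
]
SAMPLE_RULE = {"ForwardTo": ["invoices@mail.example"], "DeleteMessage": True}
```

In production the events come from your identity provider's sign-in log and the rule dictionary from the mailbox audit event for rule creation; the hit on a high-risk event is what should trigger the token revocation mentioned above.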

What about AI?

Modern email security tools use ML to detect tone, urgency, social engineering patterns, lookalike domains and brand impersonation. They help. But they don’t solve phishing — they raise the bar, and attackers raise theirs in response.

The fundamentals (DMARC, MFA, reporting culture) remain more important than any AI vendor’s pitch deck. The advanced tools are useful when the fundamentals are already in place. They’re not useful as a substitute for them.

What about passkeys?

Passkeys (FIDO2 / WebAuthn) are phishing-resistant by design — the cryptographic challenge is bound to the legitimate domain, so a fake login page cannot harvest anything reusable. Roll them out where you can, especially for admin and high-value accounts.

The reality is that for most organisations, passkey rollout will take 12–24 months across all the apps users care about. Don’t wait — get DMARC and MFA in place now and add passkeys progressively.

The realistic plan

If you do nothing else this quarter, do these in order:

  1. Configure DMARC at p=reject and audit any senders that fail.
  2. Enable the external sender warning banner.
  3. Disable legacy email authentication protocols and enforce MFA.
  4. Install or enable a one-click Report Phish button.
  5. Schedule monthly simulated phishing campaigns.
  6. Tune detection alerts for suspicious sign-ins, mailbox rule creation, and OAuth grants.

Take the 15-question Phishing Vulnerability assessment → to see where your stack and your people stand against modern phishing tactics.
