Phishing emails are one of the most common ways cybercriminals break into organisations. They are designed to trick employees into sharing sensitive information or clicking on links and attachments that install malware.
For small and medium-sized businesses, this is a growing concern. These organisations often have fewer resources, smaller teams, and less formal security processes. This can leave them more exposed to attacks that target people rather than systems.
Data from 67.7 million phishing simulations shows that technology alone is not enough. It cannot fully make up for human behaviour. Phishing works because attackers understand how people think and act at work. They design messages to take advantage of this.
To understand why phishing is still so effective, it helps to look beyond technology and focus on everyday behaviour.
Here are five key reasons phishing continues to succeed.
1. Awareness fades over time
Many organisations treat security training as a one-time task. It is often done to meet compliance requirements. After that, it may not be revisited for a year.
In reality, awareness needs to be built over time. Without regular reminders, people forget what to look for. They may miss the warning signs of a phishing email. This is more likely as attacks become harder to detect.
Today’s phishing emails are often well-written and carefully designed. Attackers use simple tools to create realistic messages quickly and at scale. This means employees face more frequent and more convincing attacks than ever before.
User risk can drop when organisations move from one-off training to ongoing learning. This matters even more for smaller organisations. Without large security teams, each employee plays a key role.
The key point is simple. Regular reinforcement helps people stay alert.
2. People are trying to do the right thing
Phishing often works because employees are trying to be helpful and efficient. Attackers take advantage of this by creating messages that feel urgent or important.
For example, an email may appear to come from a manager. It might ask for a quick payment, a document review, or a password reset. On a busy day, this can feel like a normal request that needs a fast response.
This creates what is sometimes called a compliance trap. People are used to acting quickly and following instructions. They may not stop to question if the request is genuine.
To reduce this risk, organisations should encourage people to pause and check. Employees should feel confident verifying requests, even if they come from senior staff.
Simple habits can help. For example, confirming requests through another channel can make a big difference. It does not need to slow down the business. A clear message that it is okay to double-check can reduce risk.
3. Limited visibility of human risk
It is often unclear which teams are more likely to click on suspicious links. It may also be unclear where extra support is needed.
Without this information, organisations rely on guesswork. This makes it harder to plan effective training. It can also lead to gaps in how risk is managed.
Some employees may need more guidance than others. Without data, it is hard to know where to focus.
A better approach is to monitor behaviour over time. This can include tracking how people respond to simulated phishing emails. It can also include how often they report suspicious messages.
With a clearer picture, organisations can focus their efforts where they matter most. This makes training more relevant and helps improve results.
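As an added example that is not part of the original article, the Python below turns the kind of simulation data this section describes into per-team visibility: overall click rate, report rate, and whether a team's click rate is moving between campaigns. The record format, team names and the 30% support threshold are assumptions; the results are constructed, not real.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class SimulationResult:
    campaign: int   # sequential simulated-phishing campaign number
    team: str
    clicked: bool   # the user clicked the simulated link
    reported: bool  # the user reported the message as suspicious

# Constructed sample data (not real results): three campaigns, two teams.
RESULTS = [
    SimulationResult(1, "finance", True, False),
    SimulationResult(1, "finance", True, False),
    SimulationResult(1, "finance", False, True),
    SimulationResult(1, "engineering", False, True),
    SimulationResult(2, "finance", True, False),
    SimulationResult(2, "finance", False, False),
    SimulationResult(2, "finance", False, True),
    SimulationResult(2, "engineering", True, False),
    SimulationResult(3, "finance", False, True),
    SimulationResult(3, "finance", False, True),
    SimulationResult(3, "finance", True, False),
    SimulationResult(3, "engineering", False, True),
    SimulationResult(3, "engineering", False, True),
]

def rate(results, field):
    """Fraction of results where the boolean `field` is True."""
    return sum(getattr(r, field) for r in results) / len(results)

def team_metrics(results):
    """Per team: click rate, report rate, and the change in click rate
    from the first to the latest campaign (negative means improving)."""
    by_team = defaultdict(lambda: defaultdict(list))
    for r in results:
        by_team[r.team][r.campaign].append(r)
    metrics = {}
    for team, campaigns in by_team.items():
        everything = [r for rs in campaigns.values() for r in rs]
        per_campaign = [rate(campaigns[c], "clicked") for c in sorted(campaigns)]
        metrics[team] = {
            "click_rate": rate(everything, "clicked"),
            "report_rate": rate(everything, "reported"),
            "trend": per_campaign[-1] - per_campaign[0],
        }
    return metrics

def teams_needing_support(metrics, click_threshold=0.3):
    """Teams whose overall click rate exceeds the (assumed) threshold."""
    return sorted(t for t, m in metrics.items() if m["click_rate"] > click_threshold)
```

Report rate is worth tracking alongside click rate: a team that clicks less but also reports less has not necessarily become more alert, only quieter.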
4. Overconfidence can increase risk
There is a common belief that some people are less likely to fall for phishing. This often includes IT staff, senior leaders, and experienced employees.
In reality, confidence can reduce caution. People who feel safe may pay less attention to warning signs. They may also skip basic checks.
Attackers know this. They often target senior staff because of their access and authority.
In smaller organisations, this risk can be higher. Senior leaders are often involved in daily operations, including financial decisions. A successful attack at this level can have serious consequences.
This is why awareness should apply to everyone. A consistent approach helps reduce risk across the organisation.
5. Technology is not a complete solution
Security tools such as email filters play an important role. However, they cannot stop every phishing attempt.
Phishing emails are now harder to detect. Many no longer include clear signs like spelling mistakes or unusual formatting. Instead, they look like normal business messages.
When a phishing email reaches an inbox, the final decision is made by the person reading it. If they are not prepared, the attack can succeed in seconds.
This is why a balanced approach is needed. Technology should be supported by clear processes and informed employees.
Simple actions can help. Encouraging people to report suspicious emails or verify requests adds another layer of protection.
The bottom line
Phishing is often seen as a technical problem. In reality, it is just as much a human one.
For small and medium-sized businesses, this is critical. Limited resources mean it is important to focus on what has the most impact.
Security tools will always matter. But everyday decisions made by employees often determine the outcome of an attack.
By encouraging people to question unusual requests, improving visibility into behaviour, and recognising the limits of technology, organisations can reduce their risk. Strengthening the human layer is one of the most effective steps any organisation can take.
About the author
Javvad Malik is Lead CISO Advisor at KnowBe4, a human and AI risk management company. Trusted by more than 70,000 organisations worldwide, KnowBe4 builds security culture and helps teams manage both human and agent risk.