Phishing attacks continue to persist as a major cybersecurity threat, targeting even well-educated and digitally literate professionals.
Phishing has moved on from its origins as crude spam email to embrace personalisation and sophistication, successfully deceiving large numbers of users in organisations worldwide.
The effectiveness of such attacks is not attributed only to a lack of awareness, but to social engineering tactics that leverage the way people think and act under pressure.
IBM’s 2023 Cost of a Data Breach Report has highlighted the impact of phishing, identifying it as the second most common cause of data breaches globally. The report stated that phishing accounted for 16% of all incidents, incurring an average cost of USD $4.76 million per breach. These findings reinforce the argument that technological solutions alone are insufficient if human behaviour remains vulnerable to manipulation.
Phishing attacks are distinct from other types of cyber attacks in that they focus on exploiting emotional and cognitive biases rather than technical vulnerabilities. Attackers may deploy tactics such as urgency, authority, familiarity, or fear to manipulate the victim’s decision-making at moments of stress or distraction.
Pivit Strategy observers note that phishing campaigns often use highly relevant messages, such as fake password reset notifications, fraudulent delivery confirmations, or counterfeit internal HR communications. These approaches are designed to provoke instinctive action before the recipient has time to consider whether the message is legitimate.
Phishing draws heavily from principles of psychology and classic social engineering. Attacks often play on authority bias, prompting individuals to comply with requests from supposed authority figures, such as IT personnel, management, or established brands. Additionally, attackers exploit urgency and scarcity by sending warnings of account suspensions or missed payments, and manipulate familiarity by referencing known organisations or colleagues.
