Why Phishing Attacks Still Work Despite Modern Security Controls


Ecosystem News, Security Insights

We understand the problem. So why does it keep showing up? 

Recent discussions across the European cybersecurity community, including at the recent Cyber Intelligence conference in Brussels, reflect a growing confidence in how well the threat landscape is understood. And yet the prevalence of some of the most persistent risks has not meaningfully shifted. According to national cybersecurity authorities, phishing remains the most common and most successful attack against organisations, with over 90% of attacks starting with a fraudulent email.

Not because it is especially sophisticated—but because it continues to work. 

Why phishing attacks are still the number one threat

Phishing continues to dominate because organisations struggle to consistently apply known security controls at scale. The fundamentals of phishing are clear:

  • People are being targeted, not just systems
  • It’s inexpensive and easy to scale
  • AI makes it more convincing, not less

Recent activity such as EchoLeaks shows that AI is not so much redefining phishing as refining it. The result is higher-fidelity phishing campaigns for significantly less effort.

Inconsistent DMARC enforcement creates security risks

Why do phishing attacks still work despite modern security controls? Modern cybersecurity has grown into a large and complex ecosystem. Lawmakers and practitioners invest significant effort in reducing and managing cyber risk. But as with any mature system, a tension emerges between continuously managing risk and structurally preventing it.

The controls required are well known:

  • Strong identity and access controls
  • Consistent and meaningful user awareness
  • Implementation of robust email and domain protections such as SPF, DKIM, and DMARC     
  • Reduction of unnecessary exposure points 

However, these controls are often applied inconsistently. This is particularly evident with DMARC: adoption has improved across Europe, but enforcement remains inconsistent. As a result, phishing does not need to overcome strong, consistent defences; it only needs to find the weakest point.

Why Inconsistency Is the Real Weakness

Across Europe, there is a strong network of 27 national cybersecurity authorities capable of influencing baseline security outcomes at national and regional levels. With regulatory frameworks such as the NIS2 Directive increasing focus on baseline security, the argument for consistency has never been stronger.

Yet approaches to something as fundamental as DMARC still vary widely. DMARC adoption is often measured by the mere presence of a DMARC record, but risk mitigation only begins when the policy moves from p=none to p=quarantine or p=reject. Many organisations remain at p=none, which is a sensible first step for gaining visibility through aggregate reports, but it asks receivers to take no action on mail that fails authentication and so does not actively prevent abuse.
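To make the difference between "has a DMARC record" and "is actually protected" concrete, here is a small classifier for published DMARC records. It is an added example written for this post, not dmarcian's code or tooling. It reads a record as a receiver would (following RFC 7489 tag semantics for v, p, sp, pct and rua), and it goes slightly beyond the paragraph above by also flagging the two common ways a p=quarantine or p=reject record is weaker than it looks: a pct= below 100, and sp=none leaving subdomains spoofable. The domain names and records in it are constructed placeholders, not real DNS data.

```python
"""Classify published DMARC records by the protection they actually enforce.

Added example for this post, not dmarcian's code. The records and domain
names below are constructed placeholders. Tag semantics follow RFC 7489.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcAssessment:
    domain: str
    status: str                  # unprotected | monitoring | partial | enforcing
    policy: Optional[str] = None            # effective p= for the domain itself
    subdomain_policy: Optional[str] = None  # effective sp= (defaults to p=)
    pct: int = 100               # share of failing mail the policy applies to
    has_reporting: bool = False  # rua= present, so failures are at least visible
    warnings: List[str] = field(default_factory=list)


def parse_tags(record: str) -> Dict[str, str]:
    """Split 'k=v; k=v' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(domain: str, record: Optional[str]) -> DmarcAssessment:
    """Work out what a receiver does with mail from `domain` that fails DMARC."""
    if record is None:
        return DmarcAssessment(domain, "unprotected", warnings=["no _dmarc TXT record"])
    # RFC 7489: v=DMARC1 must be the first tag, otherwise receivers ignore the record.
    if not record.strip().lower().startswith("v=dmarc1"):
        return DmarcAssessment(domain, "unprotected",
                               warnings=["record does not start with v=DMARC1"])
    tags = parse_tags(record)
    has_reporting = tags.get("rua", "").lower().startswith("mailto:")
    warnings: List[str] = []

    policy = tags.get("p", "").lower()
    sub_policy = tags.get("sp", policy).lower()
    if policy not in VALID_POLICIES or sub_policy not in VALID_POLICIES:
        # RFC 7489 section 6.6.3: with a bad or missing p= (or sp=) a receiver
        # falls back to p=none if there is a usable rua=, else applies no DMARC.
        if not has_reporting:
            return DmarcAssessment(domain, "unprotected",
                                   warnings=["invalid or missing p= and no rua="])
        warnings.append("invalid or missing p=; receivers treat the record as p=none")
        policy = sub_policy = "none"

    try:
        pct = int(tags.get("pct", "100"))
        if not 0 <= pct <= 100:
            raise ValueError
    except ValueError:
        # Assumption for this example: treat an unparsable pct= as the default 100.
        warnings.append("invalid pct=; assuming 100")
        pct = 100

    if policy == "none":
        status = "monitoring"
    elif pct == 100:
        status = "enforcing"
    else:
        # The unselected share is handled one step weaker: reject -> quarantine,
        # quarantine -> none (RFC 7489 section 6.6.4).
        weaker = "quarantine" if policy == "reject" else "none"
        status = "partial"
        warnings.append(f"pct={pct}: {100 - pct}% of failing mail only gets p={weaker}")
    if policy != "none" and sub_policy == "none":
        warnings.append("sp=none: subdomains can still be spoofed freely")
    if not has_reporting:
        warnings.append("no rua=: failures are not reported, so abuse stays invisible")

    return DmarcAssessment(domain, status, policy, sub_policy, pct, has_reporting, warnings)


def adoption_vs_enforcement(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains the way adoption surveys do (record present) and the way
    that matters (a policy actually applied to all failing mail)."""
    results = [assess_dmarc(d, r) for d, r in records.items()]
    return {
        "domains": len(results),
        "has_record": sum(r is not None for r in records.values()),
        "monitoring": sum(a.status == "monitoring" for a in results),
        "partial": sum(a.status == "partial" for a in results),
        "enforcing": sum(a.status == "enforcing" for a in results),
    }


# Constructed sample records (placeholder domains, not real DNS data).
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "example.org": "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.org",
    "example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
    "bank.example": "v=DMARC1; p=reject; sp=none",
    "shop.example": "v=DMARC1; rua=mailto:dmarc@shop.example",
    "broken.example": "p=reject",
    "missing.example": None,
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        a = assess_dmarc(domain, record)
        print(f"{domain:16} {a.status:11} p={a.policy} sp={a.subdomain_policy} pct={a.pct}")
        for w in a.warnings:
            print(f"{'':16} ! {w}")
    print(adoption_vs_enforcement(SAMPLE_RECORDS))
```

On the constructed sample, six of the seven domains "have DMARC" but only two enforce it against every failing message, which is exactly the gap between adoption and enforcement described above. To check a real domain, fetch the TXT record at `_dmarc.<domain>` (for example `dig +short TXT _dmarc.example.com`), strip the surrounding quotes, and pass the string to `assess_dmarc`.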

Strengthening European email security: mandates over recommendations 

Approaches vary across Europe: countries such as Denmark and the Netherlands drive adoption through mandates, while others rely on guidance. A more effective approach would see broader use of policy and mandates, not just guidance, at national and regional levels to drive consistent adoption of controls such as DMARC.

Phishing does not need to defeat the strongest organisations; as the top attack method, it only needs to keep exploiting the weakest-protected domains in the ecosystem.


Check out our list of evolving DMARC mandates and guidance across the globe.


How to reduce phishing risks

Phishing persists not because it is unsolvable, but because proven controls are not applied consistently at scale. Mitigating it is not only a matter of better detection or more tooling; it is about making proven controls more accessible, more consistent and more widely adopted. That includes routinely deploying foundational email-authentication measures such as DMARC, which remain underused. When we do this, we can remove one of the most persistent threats from the ecosystem.

Until that changes, phishing does not need to evolve; it just needs to wait.

If you’re interested in learning more about EMEA DMARC adoption, starting a commitment-free trial, or connecting with us, you can contact us at [email protected]. We would be happy to hear from you.


Want to continue the conversation? Head over to the dmarcian Forum.