The Phishing Email That Still Gets Through, and Why

Most organisations have decent email filtering. Quarantines fill up, obvious spam never arrives, and the known bad senders are blocked before anyone sees them. So when a convincing phishing message lands cleanly in a finance manager’s inbox, the natural reaction is that something has failed. Usually nothing has. The filter did roughly what filters do. The message simply belonged to the small slice that modern filtering was never going to stop on its own.

It is worth understanding why, because the answer shapes what you should actually invest in.

Filters catch the known. Good attacks look unknown.

Most filtering leans, in part, on reputation and signatures. A sending domain has a history, an attachment matches a known pattern, a link points at a site already flagged. That works extremely well against volume. It works far less well against an attacker who has done the basic work to look new and clean.

That work is not exotic. It is routine.

Lookalike and freshly registered domains

A domain registered an hour ago has no bad reputation, because it has no reputation at all. Pair that with a name that reads like a real supplier or a slight twist on your own, and a message clears the reputation checks while still fooling a busy human reading on a phone. The domain may be burned within a day, but the attacker only needs the few hours before anyone reports it.

Payload-free social engineering

The image of phishing as a dodgy attachment is out of date. The most effective business email compromise carries no malware at all. It is a short, plausible message asking someone to change bank details, approve an invoice, or buy gift cards for a director. There is nothing for a scanner to detonate, because there is nothing technical happening. The attack is entirely social, and a content scanner has very little to grip.

Thread hijacking and trusted but compromised senders

The hardest messages to stop are the ones that come from a real account. If an attacker compromises a supplier’s mailbox, they can reply inside a genuine email thread, with the real history quoted beneath, from the real address. Every reputation signal says trust this. The only thing wrong is the intent of whoever is now at the keyboard. This is why a breach at one organisation so often becomes the entry point at another.

Timing and targeting

A campaign sent to ten people at one company, written for them, referencing a real project, behaves nothing like bulk spam. Low volume and high relevance is precisely the profile that statistical filtering struggles with, because there is not enough of it to learn from before it has already done its job.

No filter catches everything, by design

It is tempting to read all this as a filtering failure to be fixed by buying a better filter. A stronger layer genuinely helps, and the gap between basic and serious email security is real and worth closing. We cover where that line sits in our guide on whether your built-in email security is enough.

But there is no setting that catches everything without also blocking legitimate business. Every filter sits on a dial between missing real threats and quarantining real work. Turn it up far enough to stop every clever message and you will also stop invoices, contracts and customer replies, and the business will route around you. The residual risk is not a bug. It is the cost of the inbox staying useful.

Which means a portion of well-crafted attacks will always reach a person. The honest question is not how to reach zero. It is what happens at that last moment.

The human moment is the real last line

When a message gets through, the outcome turns on one person’s judgement in a few seconds. That is uncomfortable, because people are busy, trusting and easily rushed. It is also where the leverage is, because the same human who can be fooled can be the control that holds.

The framing that helps is not blaming the person. It is recognising that the attacker has engineered the moment: urgency, authority, a plausible story, a small, reasonable-seeming action. Reduce the pressure in that moment and you reduce the hit rate.

A few things genuinely move the needle.

None of this replaces good filtering. It sits on top of it, and the two together are what a resilient setup looks like. Email security is layered for exactly this reason, and the human layer is the part most organisations underinvest in.

Where this leaves you

A phishing email reaching an inbox is not proof your defences are broken. It is the expected behaviour of any system that also has to let real email through. The mature response is to assume some messages will always land, and to design for that: a strong technical layer to thin the volume, a confident and unembarrassed reporting culture, hard controls around money and data movement, and fast response when something slips.

That blend of technology and human judgement is the heart of how we think about the human risk that now sits at the centre of security. The filter is necessary. It was never going to be sufficient. Planning as if it were is the actual vulnerability.

If you want an honest read on how strong your own email defences really are, our free Email Security Assessment takes a few minutes and needs no sign-up.

C4C Group gives independent, vendor-neutral advice on infrastructure, security and technology acquisition. No quotas, no preferred vendor, just the right answer for your business.