Phishing: Not Just a User Problem

AUTHOR: MATT WILSON

Yes, users click things, they always have, and (probably, maybe) always will. However, approaching phishing risk as a purely end-user issue ignores many of the ways an organization must improve to keep up with the attackers. 

Social Engineering Is a Feature, Not a Flaw

Phishing is a form of Social Engineering (something our Red Team at SEVN-X does all… the… time), and it’s not about exploiting software vulnerabilities—it’s about exploiting people. The same people your business relies on to keep things running. Social Engineering may involve technology to enable the attacker, but focuses on the human element. Attackers know that humans are emotional, distracted, and eager to be helpful (we really want to believe the CEO actually needs that Purchase Order approved… urgently… from a Gmail address). 

Even the most tech-savvy folks get caught now and then. At SEVN-X, we've had success with everyone - from Executive Leadership through entry level, including those in Information Security. One example targeted the Director of Security at a banking client, and a successful phish granted direct access to the camera network allowing the monitoring of every bank branch. Catch the right user, at the right time, with the right message, it's all the attackers need for success. 

Dwindling are the days of poorly written, kindergarten grammar laced malicious messages. Phishing emails look better, are more personalized, and in 2025 are likely to have been enhanced with AI to increase their efficacy. This isn’t the Nigerian prince email from 2005. Spear phishing attacks bring context, business lingo, urgency, and may even reference legitimate business relationships that would fool half your leadership team. 

The Cost of a Click 

InfoSec professionals may joke about users clicking a link… but what happens next? The pathway varies depending upon attacker capabilities and goals, but we've all heard stories of:

• Business Email Compromise—with knowledge of user credentials and email account access, the attacker may initiate communications with other internal users, business partners, or even clients. SEVN-X has run Incident Response for clients AFTER the attacker successfully injected themselves into a payment transaction in the order of hundreds of thousands of dollars.
• Ransomware - perhaps your endpoint defenses thwart any misuse of the end-user device; however, should an attacker successfully bypasses your endpoint controls,   they may execute malicious applications such as ransomware, holding your data and reputation hostage. No protection is 100%, regardless of the fancy marketing from the vendor. Layer your controls and develop a response plan that assumes that sometimes, the attacker will have some success.  
• Data Extortion – sometimes coupled with Ransomware, but increasing in frequency / popularity (unfortunately). The attackers access and exfiltrate your data, then establish contact with your organization in search of a payday under the threat of publicly exposing your breach and associated data. As backup solutions got better, reducing the impact of ransomware… the bad actors shifted tactics. 

A user clicking a link within an email could lead to direct, and meaningful, operational and financial impacts. That's a business problem, not merely a user problem.  

What Should Businesses Do (Beyond Finger-Wagging at Users)?

Send the right message to your users—educate and support your community to build a small army of "InfoSec first responders." Most organizations conduct some type of Security Awareness training, at least annually, but make sure it's entertaining, engaging, and contains fresh content. Consider having them in-person, if possible. Provide tips and tricks that apply to your user’s personal lives, remind them that your organization has their data too (e.g., HR files, at a minimum). Plenty of vendors offer online courses, supplemented with ongoing phishing campaigns. While those awareness platforms function as a valuable tool, don't let it be your ONLY tool. Clients who find ways to challenge their users while keeping the messaging light-hearted (one hands out "Swedish phish" candies during their in-person trainings) create a user-community excited to "stop the bad guys." 

There's a pattern in terms of behaviors, processes, and technologies the SEVN-X team has noticed drives positive outcomes: 

• Baseline awareness training - at time of hire and annually. Online or in-person, with relevant content that's updated regularly. 
• Multi-Factor Authentication - having MFA solutions in place does not always entirely prevent attacker success, but it's a strong weapon in your arsenal, and more accessible in terms of budget and ease of deployment than ever before. 
• Email Filtering - often the first technical tool an organization adopts, with more vendor options than stars in the sky… select an industry leader, and periodically review your rule-sets. 
• Abide by the Law of Least Privilege - a fundamental Information Security Principle, for good reason. During Penetration Tests our Red Teamers use and abuse "basic" user privileges daily. A talented and determined attacker may find success, but let's not make it too easy. 
• Incident Response Plans - dust yours off, take a read through, consider pressure testing it with an annual "tabletop exercise." Consistent and strong response requires planning and practice, waiting for the incident and crossing your fingers might work once-in-a-while, but isn't reliable.  
• Culture - create a culture with no friction between IT/InfoSec and end-users, where they're rewarded for positive behaviors, encouraged to ask questions, and allowed to take ownership (where THEY can) of Information Security in your organization.  

Let's Wrap It Up

Defending against Phishing isn't about perfection, like many things in Information Security (and life!), it's about executing numerous "small things" with quality. Phishing is a human problem, a technical problem, and a leadership problem. All solvable with the right mind-set and support. Avoid blaming end-users and focus on impacting your organization through a strong security architecture coupled with exciting awareness content.  

So next time someone clicks a sketchy link, resist the urge to roll your eyes or groan about “those users.” Instead, ask: What can we learn from this, and how do we get better?

That mindset shift? That’s how you start building true cyber resilience.