How Phishing Attacks Get Through Even When You Think You're Protected

July 01, 2026

Last month, a construction company in St. Joseph lost $47,000 when their office manager wired funds to a scammer—despite having email filtering, security awareness training, and a policy requiring verbal confirmation on wire transfers. That loss happened because modern phishing attacks exploit gaps between individual security tools rather than breaking through any single defense. Attackers know exactly which techniques bypass email filters, sidestep multi-factor authentication, and leverage human psychology faster than training programs update their scenarios.

Understanding how these attacks succeed helps you identify where your current security stack leaves you exposed and what it takes to close those gaps.

Why Traditional Email Filters Miss Modern Phishing

Traditional email filters rely on signature-based detection and known sender databases, which attackers easily bypass using newly registered domains, image-based text instead of plain-text content, and time-delayed link activation that makes malicious URLs appear harmless during initial scans.

How Signature-Based Detection Falls Short

Signature-based email filtering: A security approach that compares incoming messages against databases of known malicious senders and keyword patterns to block threats.

The basic email filters included in standard Microsoft 365 plans check messages against lists of previously identified spam sources and scan for suspicious keywords. Attackers circumvent these checks by registering fresh domains that have no reputation history, embedding phishing content in images where text scanners cannot read it, and using legitimate file-sharing services as delivery mechanisms.

The Google Doc Share Link Example

An attacker sends a Google Doc share link that points to a legitimate Google domain. Email security systems see the trusted google.com URL and allow the message through. Inside that document sits a phishing form designed to capture login credentials. The email filter never examines the document's contents because the link itself originates from a reputable source.

Time-Delayed Link Activation

Time-delayed link activation: A phishing technique where URLs appear benign at the moment of email scanning but redirect to malicious pages hours later, after the message has passed through security filters.

Attackers configure URLs to serve harmless content during the brief window when email gateways scan them, then switch the destination to a phishing page once the email reaches inboxes. This timing exploit defeats static link analysis completely.

How Attackers Get Around Multi-Factor Authentication

Attackers bypass multi-factor authentication through real-time phishing proxies that capture credentials and MFA tokens simultaneously, MFA fatigue attacks that exhaust users into approving fraudulent requests, and SIM swapping schemes that hijack phone-based authentication before victims realize their number has been compromised.

Real-Time Phishing Proxies

Real-time phishing proxy: An attack tool that sits between a victim and the legitimate login page, capturing credentials and MFA tokens as the user enters them and immediately replaying those tokens to gain access.

Tools like Evilginx2 create convincing fake login pages that relay every keystroke to the real authentication server in real time. When a victim enters their password and approves an MFA prompt, the proxy captures both and uses them instantly to establish a legitimate session. The entire exchange happens so quickly that time-based one-time passwords remain valid throughout the attack.

This technique defeats SMS codes, authenticator app tokens, and push notifications because the attacker uses valid credentials during their brief validity window. The victim completes what appears to be a normal login, unaware that someone else simultaneously gained access to their account using the same authentication factors.

MFA Fatigue Attacks

MFA fatigue attack: A social engineering technique where attackers repeatedly trigger MFA push notifications until the exhausted user approves one just to stop the alerts.

Attackers who already possess stolen passwords but lack the second factor will spam MFA approval requests to the victim's phone—sometimes dozens in a row, often during sleep hours. Eventually, the frustrated user approves one notification either accidentally or deliberately to silence the alerts. That single approval grants the attacker full access.

This attack exploits the convenience that makes push-based MFA popular. Users grow conditioned to tapping 'approve' without scrutinizing each request because legitimate prompts appear multiple times daily. Attackers weaponize that habituation.

SIM Swapping Attacks

SIM swapping: An attack where criminals convince mobile carriers to transfer a victim's phone number to a new SIM card the attacker controls, enabling them to intercept SMS-based MFA codes.

Attackers gather personal information through data breaches or social media, then contact the victim's mobile carrier claiming they lost their phone and need their number transferred to a new SIM. Once the carrier completes the transfer, all calls and texts route to the attacker's device. Any SMS-based authentication codes now arrive in the attacker's hands rather than the victim's.

This technique works because mobile carriers prioritize customer service over security verification. Many carriers approve SIM transfers based on information anyone could find online—mother's maiden name, date of birth, last four digits of a social security number.

MFA Method Vulnerability Comparison

MFA Method                 Vulnerable to        Vulnerable to   Vulnerable to
                           Phishing Proxies     MFA Fatigue     SIM Swapping
SMS Codes                  Yes                  No              Yes
Authenticator App Tokens   Yes                  No              No
Push Notifications         Yes                  Yes             No
Hardware Keys (FIDO2)      No                   No              No

FIDO2 hardware keys: Physical authentication devices that use cryptographic challenges tied to specific websites, making them nearly impossible to phish because they only work on legitimate domains.

FIDO2 hardware keys represent the strongest MFA option because they cryptographically verify the login page's domain before responding to authentication challenges. A phishing proxy cannot fool a hardware key because the device confirms it is communicating with the real server. Unfortunately, small businesses rarely deploy hardware keys due to cost, management complexity, and the logistics of distributing physical devices to remote workers.
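To show concretely why a phishing proxy fails against FIDO2, here is an added example (not code from the original article) of the origin-binding checks a WebAuthn relying party performs on a login assertion. The site name, rpId and challenge are constructed, and signature verification is left out so the focus stays on the origin and rpIdHash checks.

```python
import base64
import hashlib
import json

# Relying party identifier the credential was registered under and the
# origin(s) accepted for login. Constructed values, not a real site.
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}


def b64url_decode(data: str) -> bytes:
    """Decode base64url without padding, the encoding WebAuthn uses."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def verify_assertion(client_data_b64: str, authenticator_data: bytes,
                     expected_challenge: str) -> tuple[bool, str]:
    """Origin-binding checks a relying party performs on a WebAuthn assertion.
    Signature verification over these bytes is omitted here; it only matters
    once every check below has passed."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replayed or cross-session response)"
    # The browser fills in origin from the page the user is actually on; page
    # script cannot override it. A proxy serving a copy of the login page from
    # its own domain therefore produces an origin the server does not accept.
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} is not the real login page"
    # The first 32 bytes of authenticatorData are sha256(rpId) as computed by
    # the authenticator, so a response for another rpId cannot match either.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our rpId"
    return True, "ok"


def make_client_data(origin: str, challenge: str) -> str:
    """clientDataJSON as a browser would build it (constructed for the demo)."""
    payload = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    raw = json.dumps(payload).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_auth_data(rp_id: str) -> bytes:
    """authenticatorData: rpIdHash, flags UP|UV (0x05), 32-bit sign counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")


if __name__ == "__main__":
    challenge = "c2VydmVyLWlzc3VlZC1yYW5kb20tY2hhbGxlbmdl"  # constructed
    # Genuine login from the real site passes.
    print(verify_assertion(make_client_data("https://login.example.com", challenge),
                           make_auth_data(RP_ID), challenge))
    # The same challenge relayed through a look-alike domain is rejected: the
    # victim's browser reports the proxy's origin, not ours.
    print(verify_assertion(make_client_data("https://login.example-com.net", challenge),
                           make_auth_data("login.example-com.net"), challenge))
```

In practice the browser refuses to even use a credential whose rpId does not match the page's domain, so the proxied attempt fails before the server sees it; the server-side check is the backstop.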

Why Security Awareness Training Alone Isn't Enough

Security awareness training creates a false sense of protection because attackers continuously develop new social engineering techniques that training has not yet covered, employees experience alert fatigue after months of hypervigilance, and sophisticated attacks use legitimate compromised accounts rather than spoofed addresses.

The Innovation Gap Between Training and Attacks

Annual or quarterly phishing simulation programs teach employees to recognize specific red flags—misspelled domains, urgent language, requests to click suspicious links. Attackers study these same training materials and design attacks that avoid the taught warning signs. By the time a training vendor updates its curriculum to include new tactics, attackers have already moved to the next variation.

Training operates on a publish-and-deliver model with months-long development cycles. Attackers test and deploy new approaches weekly. This asymmetry guarantees that some percentage of real attacks will use techniques employees have never seen in training scenarios.

Alert Fatigue Erodes Vigilance

Alert fatigue: A psychological state where employees stop scrutinizing emails carefully after months of hypervigilance produce no actual threats, making them more likely to miss real attacks.

Immediately after completing phishing awareness training, employees carefully examine every unexpected email. Over weeks and months, the heightened vigilance fades as the vast majority of messages prove legitimate. Employees return to processing emails quickly rather than treating each one as a potential threat. The first sophisticated attack that arrives after this fatigue sets in often succeeds.

Human psychology cannot maintain peak alertness indefinitely when the overwhelming majority of events are harmless. Attackers exploit this predictable decline by targeting organizations several months after visible security initiatives when vigilance naturally wanes.

Compromised Account Attacks Bypass Training

Compromised account attack: A phishing attack that uses a legitimate email account the attacker has already hijacked rather than spoofing or forging sender addresses.

The most dangerous phishing emails come from real accounts that attackers control. An attacker compromises a vendor's email system, then monitors their inbox for ongoing conversations. When they find an email thread discussing an unpaid invoice, they reply with updated wire transfer instructions pointing to an attacker-controlled bank account.

The recipient sees a message from their vendor's actual email address, continuing an existing conversation they recognize, discussing a legitimate business matter. Every red flag employees learn in training—check the sender address, verify unexpected requests, look for urgent language—appears green. The 'From' field shows the vendor's real domain, the subject line matches the previous thread, and the tone sounds normal.

Why This Scenario Defeats Training

Training teaches employees to suspect emails from strangers or unexpected requests from executives. Compromised account attacks involve neither. The vendor legitimately owes them payment information updates, the email address is correct, and the request matches the business context. No amount of training prepares employees to treat every legitimate continuation of known business relationships as potentially fraudulent.

The Rise of Business Email Compromise (BEC) Attacks

Business Email Compromise attacks trick employees into wiring money or sharing sensitive data by impersonating executives or vendors through text-based social engineering that includes no malware or malicious links, making these attacks invisible to most technical security controls.

What Is Business Email Compromise?

Business Email Compromise (BEC): A sophisticated phishing attack where criminals impersonate company executives, vendors, or business partners to manipulate employees into authorizing fraudulent wire transfers or disclosing confidential information.

BEC attacks rely entirely on deception rather than technical exploits. Attackers research target organizations through LinkedIn, company websites, and public records to understand reporting structures, ongoing projects, and business relationships. They craft emails that sound like they come from the CEO, CFO, or a familiar vendor using spoofed display names or compromised accounts.

Why BEC Bypasses Technical Controls

Most BEC emails contain only text—no attachments, no embedded links, no malware. Email security systems find nothing suspicious to block because the message looks identical to legitimate business correspondence. The entire attack vector is psychological persuasion rather than technical exploitation.

Endpoint antivirus never activates because nothing malicious enters the system. Firewalls pass the traffic because it is ordinary SMTP email. URL filtering has nothing to examine because the email includes no links. The attacker wins by manipulating human decision-making rather than breaking through technical barriers.

Spoofed Display Names Versus Actual Domains

Display name spoofing: An email forgery technique where the attacker sets a familiar name in the 'From' field while using a completely different sending domain that most email clients hide from prominent view.

Email clients prominently show the display name ('John Smith, CEO') but hide or minimize the actual sending address ('[email protected]'). Users glance at the name, recognize it, and trust the message without checking the underlying email address. Attackers exploit this interface design by setting display names that match executives or vendors while sending from domains they control.

Organizational Hierarchy Exploitation

Attackers craft urgent requests that appear to come from executives several levels above the target employee. A junior accountant receives what looks like an email from the CEO requesting an immediate confidential wire transfer for a pending acquisition. The employee hesitates to question or verify the request because challenging executive authority feels risky, especially when the message emphasizes urgency and confidentiality.

This dynamic works particularly well at small-to-midsize businesses where employees rarely interact directly with top executives but recognize their names and authority. The social distance creates hesitation to verify, while the power distance makes employees eager to comply quickly.

The FBI Cost Data

The FBI's Internet Crime Complaint Center reported that Business Email Compromise attacks caused $2.7 billion in losses in 2022, making BEC the costliest cyber threat facing businesses. That figure represents only reported incidents—many companies never disclose BEC losses publicly.

BEC losses dwarf all other cybercrime categories because successful attacks typically steal five-figure or six-figure sums in single transactions. Ransomware attacks may shut down operations, but BEC attacks drain bank accounts directly. The construction company in St. Joseph that lost $47,000 represents a typical mid-range BEC outcome for a small business—not a worst-case scenario.

Gaps in Your Current Defense Stack

Most small-business security setups combine basic email filtering, endpoint antivirus, and network firewalls—a stack that catches known threats but misses targeted attacks, cannot prevent users from entering credentials on fake sites, and allows misconfigurations like silent email forwarding rules to persist undetected.

Basic Email Filtering Limitations

Standard email filtering included in entry-level Microsoft 365 plans blocks obvious spam and known malware signatures. These filters catch mass-distributed phishing campaigns that hit thousands of organizations identically. Targeted attacks customized for your company—referencing your vendors, your projects, your employees by name—sail through because they have no reputation history and match no known patterns.

Attackers researching your organization through LinkedIn and your website create emails that sound like internal communications. Basic filters have no context for what constitutes normal correspondence within your company versus a sophisticated impersonation.

Endpoint Antivirus Blind Spots

Fileless attack: A malware infection technique that runs malicious code directly in memory using legitimate system tools rather than installing traditional executable files that antivirus software scans.

Endpoint antivirus detects known malware signatures and behavioral patterns associated with file-based infections. Fileless attacks that execute entirely in memory using PowerShell or other built-in Windows tools leave no files for antivirus to examine. Social engineering attacks that trick users into taking voluntary actions—entering passwords, approving wire transfers, sharing data—involve no malware at all, leaving endpoint protection with nothing to block.

What Firewalls Cannot Stop

Network firewalls monitor traffic entering your network, blocking unauthorized connection attempts and known malicious IP addresses. Phishing attacks do not penetrate your network—they trick your employees into voluntarily visiting attacker-controlled websites from inside your perimeter. The firewall sees only normal outbound web browsing initiated by authorized users on authorized devices.

Once an employee clicks a phishing link and enters credentials on a fake login page, the firewall has no reason to intervene. The traffic is HTTPS web browsing to a site the user chose to visit. The firewall cannot distinguish between an employee legitimately accessing their bank and an employee being phished.

Infrequent Security Reviews Miss Persistent Threats

Silent email forwarding rule: A mailbox configuration attackers create after initial compromise that automatically forwards copies of incoming messages to an external address, allowing them to monitor communications even after the victim changes passwords.

Attackers who gain initial access often establish persistence mechanisms before detection. A common technique involves creating an email rule that silently forwards all messages to an external address. The compromised user never sees this rule because it operates behind the scenes. Even after the breach is detected and passwords reset, the attacker continues receiving copies of every email until someone specifically audits mailbox rules.

Organizations that conduct security reviews quarterly or annually face a critical gap: attackers typically establish persistence within hours or days of initial compromise. If a phishing attack succeeds in January and your next security review happens in April, the attacker has had three months to establish multiple backdoors, create administrator accounts, and exfiltrate data.

Many organizations review security configurations only during audits or compliance assessments. Between these reviews, attackers modify settings, add accounts, and create rules that go completely unnoticed. By the time someone discovers the compromise, the attacker has had unlimited access to systems and data for weeks or months.

Multi-Factor Authentication Vulnerabilities

Multi-factor authentication (MFA) significantly improves security, but implementation matters. Many organizations enable MFA for initial login only, not for sensitive actions like changing security settings or accessing financial systems. Attackers who compromise an active session bypass MFA entirely because the user has already authenticated.

Certain MFA implementations are vulnerable to specific attack techniques. Prompt bombing, the MFA fatigue attack described above, floods users with dozens of approval requests until they accidentally or intentionally approve one just to stop the notifications, exploiting user frustration with frequent authentication requests. Some phishing kits even proxy authentication requests in real time, capturing credentials and immediately using the MFA token before it expires.

Building Defense Beyond Technical Controls

Effective phishing protection requires layering technical controls with human awareness and organizational processes. Technology alone cannot solve a problem that fundamentally exploits human psychology and trust.

Continuous Security Awareness Training

Traditional annual security training creates temporary awareness that fades within weeks. Effective programs deliver frequent, short training sessions that reinforce recognition of phishing indicators throughout the year. Simulated phishing exercises help employees practice identifying attacks in a safe environment where mistakes become learning opportunities.

Training should emphasize skepticism of unexpected requests, especially those creating urgency around financial transactions, credential changes, or data sharing. Employees need clear procedures for verifying requests through known-good contact information rather than responding directly to suspicious messages.

Verification Procedures for Sensitive Actions

Organizations should implement out-of-band verification for high-risk actions. Before processing wire transfers, sharing sensitive data, or changing payment information, require confirmation through a separate communication channel. If someone requests a wire transfer via email, verify it with a phone call to a known number from your records—never a number provided in the request itself.

This human firewall catches attacks that bypass technical controls. Even if an attacker perfectly impersonates an executive in email, the verification phone call reveals the fraud before money leaves your account.

Regular Security Audits Beyond Compliance

Monthly or even weekly audits of critical security configurations catch attacker persistence mechanisms before significant damage occurs. Review mailbox forwarding rules, administrator accounts, application permissions, and data access logs on a consistent schedule. Automate these reviews where possible to identify anomalies quickly.

Look specifically for configuration changes that occurred outside normal business hours, accounts created without proper approval processes, and unexpected permission escalations. These indicators often reveal compromised accounts even before the attacker takes overt action.

Email Authentication Technologies

Implement DMARC, DKIM, and SPF to authenticate incoming email and prevent domain spoofing. These technologies verify that messages claiming to come from specific domains actually originated from authorized mail servers. While not foolproof, they block the easiest spoofing techniques attackers use to impersonate trusted senders.

Configure your own domain's DMARC policy to prevent attackers from spoofing your organization in attacks against customers, partners, or other employees. Monitor DMARC reports to identify unauthorized attempts to send email using your domain.
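As an added illustration (not code from the article) of what DMARC actually decides, the following evaluates a message's SPF and DKIM results against a domain's published policy, showing the monitoring-only record next to the corrected one. All domains and records are constructed, and the organizational-domain lookup is simplified to the last two labels instead of the Public Suffix List.

```python
def parse_dmarc(record: str) -> dict[str, str]:
    """Turn a DMARC TXT record into a tag dictionary with RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")   # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed accepts the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(policy: dict, from_domain: str, spf: tuple[str, str],
                   dkim: list[tuple[str, str]]) -> tuple[str, str]:
    """Return (dmarc_result, disposition) for one message.

    policy: parsed record of from_domain (the domain the recipient sees).
    spf: (result, envelope-from domain); dkim: list of (result, d= domain)."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, policy["aspf"])
    dkim_ok = any(r == "pass" and aligned(d, from_domain, policy["adkim"])
                  for r, d in dkim)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy["p"]      # none / quarantine / reject


# Constructed records: the weak monitoring-only policy and the corrected one.
WEAK = parse_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.com")
STRONG = parse_dmarc("v=DMARC1; p=reject; adkim=r; aspf=s; rua=mailto:dmarc@example.com")

if __name__ == "__main__":
    # Exact-domain spoof: sent from the attacker's own server, SPF passes for
    # that server's domain, no DKIM signature for example.com. Only the
    # published policy decides whether the receiver delivers it.
    spoof = dict(from_domain="example.com", spf=("pass", "mail.attacker.example"), dkim=[])
    print("spoof under p=none:  ", evaluate_dmarc(WEAK, **spoof))      # delivered
    print("spoof under p=reject:", evaluate_dmarc(STRONG, **spoof))    # rejected
    # Legitimate bulk mail from a subdomain: strict SPF alignment fails, but the
    # DKIM signature by the org domain keeps it passing.
    legit = dict(from_domain="example.com", spf=("pass", "bounce.example.com"),
                 dkim=[("pass", "example.com")])
    print("legitimate:          ", evaluate_dmarc(STRONG, **legit))
    # A look-alike domain the attacker registered and authenticated properly
    # passes its own DMARC record, which is why DMARC is "not foolproof".
    attacker_policy = parse_dmarc("v=DMARC1; p=none")
    lookalike = dict(from_domain="examp1e.com", spf=("pass", "examp1e.com"), dkim=[])
    print("look-alike domain:   ", evaluate_dmarc(attacker_policy, **lookalike))
```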

Response Planning for When Prevention Fails

No defensive strategy prevents 100% of attacks. Organizations need documented incident response procedures that activate immediately when someone suspects a phishing compromise. Speed matters—the faster you respond, the less time attackers have to escalate privileges and exfiltrate data.

Response plans should include immediately resetting compromised credentials, auditing account activities for unauthorized actions, checking for persistence mechanisms like forwarding rules or new accounts, and notifying affected parties if data was accessed. Designate specific team members responsible for each action so response doesn't stall while people determine who should do what.

Document lessons learned after every incident. What indicators did people miss? Which controls failed? What worked well? Use this information to continuously improve defenses and training programs.

Frequently Asked Questions

How can phishing emails get past advanced spam filters?

Modern phishing attacks use legitimate infrastructure, proper email authentication, and contextually relevant content that appears normal to spam filters. Attackers send messages from compromised business email accounts or newly registered domains with clean reputations. The content contains no malware attachments or obvious spam characteristics—just social engineering designed to trick humans. Spam filters excel at blocking mass-distributed obvious spam but struggle with targeted, well-crafted phishing that mimics legitimate business communication.

Does multi-factor authentication completely prevent phishing attacks?

Multi-factor authentication significantly reduces risk but does not eliminate it. Attackers can bypass MFA through session hijacking after users authenticate, real-time phishing proxies that capture and immediately use MFA tokens, MFA fatigue attacks that overwhelm users with approval requests, and social engineering that tricks users into approving malicious authentication attempts. MFA is essential but must be combined with awareness training, verification procedures, and regular security audits for comprehensive protection.

How often should we conduct phishing simulations for employees?

Monthly phishing simulations maintain awareness without creating excessive disruption. Vary the attack scenarios, sender types, and techniques to expose employees to different phishing methods they might encounter. Track metrics over time to identify individuals or departments needing additional training. Simulations should educate rather than punish—use results to improve training programs and help employees develop recognition skills. Quarterly simulations represent the minimum frequency; less frequent testing allows awareness to fade between exercises.

What should employees do if they suspect they clicked a phishing link?

Employees should immediately report the incident to IT security without fear of punishment—rapid response limits damage significantly. IT should reset the potentially compromised account credentials, audit recent account activity for unauthorized actions, check for persistence mechanisms like email forwarding rules, review sign-in logs for unusual locations or devices, and monitor for lateral movement to other systems. Organizations should create clear reporting procedures and emphasize that quick reporting helps protect everyone, while delayed reporting allows attackers more time to cause damage.

Strengthen Your Defenses Against Sophisticated Phishing Attacks

Phishing attacks evolve constantly, exploiting gaps between technical controls and human behavior. TS Conard helps organizations build comprehensive security programs that address both technological and human vulnerabilities. Our approach combines advanced technical controls, practical security awareness training, and proactive monitoring to catch attacks that bypass traditional defenses.