91% of Cyber Attacks Start with a Phishing Email: Here's How to Protect against Phishing

Published on February 4, 2026

A cybercriminal is just one phishing email away from gaining unfettered access to your device, network, and valuable data. Phishing emails hold the potential to bypass many of the cybersecurity defenses employed by organizations and wreak havoc on the sensitive data and resources they hold. As concluded by PhishMe research, 91% of the time, phishing emails are behind successful cyber attacks.

PhishMe came to this conclusion after sending 40 million simulated phishing emails to around 1000 organizations. PhishMe’s study also found the healthcare sector to be particularly at risk of compromise via phishing attacks, with a phishing email response rate of 31% amongst healthcare employees, despite having received security awareness training.

How phishing attacks work

Cybercriminals have a wide variety of social engineering techniques at their disposal to lure the user into clicking on links, opening attachments, or disclosing sensitive information. Common tactics include:

  • Impersonating trusted brands or individuals
  • Creating spoofed websites
  • Personalizing attacks using private details

Phishing can come in the shape of phony confirmation emails for online purchases, job applications, failed delivery notifications, security updates, and even legal notices, each designed to create urgency or fear.

 

Phishing doesn’t need to be sophisticated to work

But it doesn’t take a highly targeted or nuanced phishing attack (often called “spear phishing”) to be successful. PhishMe also discovered that employees even respond to the most basic forms of phishing emails too, which are usually far more generic and contain harmful links and attachments.

 

Example of a real-world phishing attack

Tech giant Google was recently in the crosshairs of a sophisticated phishing scheme which targeted the company’s approximately 1 billion Gmail users globally, in pursuit of acquiring access to users’ accounts and spreading to their contacts. 

The emails closely mimiced real emails from Google and appeared to be sent by targets’ trusted contacts, asking recipients to open a linked “Google Docs” file. Once clicked, the link redirected users to Google’s actual account management page, where users were requested to give permission for a fake app, posing as the actual Google Docs, to access and manage their accounts. 

Once granted access, the attackers would send the phishing email to the user's contact list, spreading the attack in an attempt to compromise as many users and as quickly as possible.

 

 

 

While similar Google Docs phishing scams have been taking place for years, this campaign proved highly successful due to its convincing use of Google’s branding and email format as well as its propagation techniques.

 

How to avoid phishing attacks

Phishing attacks are becoming more sophisticated and can appear in emails, social media, messaging apps, and websites. To stay safe, focus on being aware, double-checking requests, and using the right technology.
 

Be cautious with unexpected messages

Look closely at any unexpected or suspicious messages, especially if they ask for sensitive details or money. Attackers may fake email addresses or impersonate people you know. Before you respond, check the request using a different, trusted way to contact the person or company.
 

Inspect links and domains before clicking

Don’t click on links in emails or messages that seem suspicious. Hover your mouse over any link to see where it really goes, and watch out for small spelling mistakes or fake website names. If you can, type the website address yourself instead of using the link.
 

Verify requests independently

If a message seems strange, take a moment to check it out. You can search online for the message, reach out to the company using their official contact information, or ask your IT or security team for help. Many phishing scams use messages that have already been reported.
 

Watch for advanced phishing tactics

Modern phishing attacks often use AI-generated content, realistic branding, and personalized details. Messages may no longer contain obvious typos or errors, making them harder to detect. Be cautious even when communications appear polished and legitimate.
 

Use strong authentication controls

Enable multi-factor authentication (MFA) whenever possible. If someone gets your password, MFA adds another layer of security to help keep your accounts safe. Using hardware tokens or fingerprint scans is even more secure than a password alone.
 

Secure your connections and devices

Use secure networks and avoid accessing important accounts on public Wi-Fi unless you have protection. Make sure your devices, browsers, and apps are up to date so you’re less likely to be affected by known security issues.
 

Consider anti-phishing tools

Anti-phishing software can spot suspicious websites, check messages, and find threats before you click on them. Many companies use these tools to automatically detect phishing attempts and make it easier to stay safe as attacks become more advanced.

For more tips on protecting against phishing attacks, check out Fortra's infographic, Don't Get Hooked: How to Recognize and Avoid Phishing Attacks.

Anas Baig is a cybersecurity journalist who covers cybersecurity and tech news. He is a computer science graduate specializing in internet security, science and technology. He is also a security professional with a passion for robots and IoT devices. Follow him on Twitter @anasbaigdm.

Off
Subscribe for weekly Security Insights