SolarWinds MSP is becoming N-able

Read more

Why Phishing Succeeds—and How to Keep Your Customers Safe

Email attacks have been one of the top methods of attacking users online for years. Many people think they won’t fall victim. However, these attacks haven’t stopped—they continue each year because they’re successful. Today, we’ll talk about some of the reasons why these threats succeed and what you can do to help prevent them.


In sales, numbers become predictable over time. For a given salesperson, they may know that out of every 10 customers they call, they can expect to close one or two. If they want to hit their quota, they make a certain number of calls and they know that, on average, they will hit their quota.

The same applies to phishing. A small percentage of people will fall victim to a phishing scam. Perpetrators need only send out a lot of emails, and a few people will click. This can make any given phishing campaign profitable. Plus, emails can be low cost to send and don’t usually require a ton of technical know-how to pull off.

Additionally, criminals can improve their success rates by doing some reconnaissance. In some cases, it could be a sophisticated spear-phishing attack targeted at an executive using information they gleaned using open source intelligence techniques. Or it could be simpler—they could email blast an organization with an email that appears to come from the personal email of the CEO with an “urgent request.” Either way, these can improve their success rate and make them even more successful with their email campaigns.

Lack of training retention

User security training is essential for reducing your customers’ email security risks. It’s important to teach users what to look for in spam or phishing emails, like misspellings, out-of-character requests, or time pressures like being asked to approve an invoice within an hour.

However, email attacks can succeed despite this because training doesn’t always lead to behavioral change. Employees may zone out during in-person trainings. Others may need to receive information in a specific way—written, visual, or hands-on training. Many employees won’t retain the information for the long term. Training can reduce the overall risk, but it’s not a silver bullet.

Note: You can further reduce the risk a customer will forget important information by offering them follow-up resources like an infographic, poster, or email send that reiterates the important points from your user training. Periodic refreshers can also help.


Perhaps one of the biggest factors in successful phishing attempts is attention. This focuses on two dimensions.

First, people pay attention to relevant information. If the news is dominated by a major story, a scammer can exploit this natural curiosity to hook peoples’ attention. For example, if the government offers a new home loan program and it’s widely publicized, scammers can use this information to trick people into giving away important personal information or user credentials to learn more. People are already primed to pay attention to a relevant email, so scammers can often take advantage.

Second, people often have moments of split attention. When this occurs, people have their guards down, making them less likely to recognize a scam. For example, imagine a manager at a small business who just finished an exhausting project, had to have a sensitive conversation with an employee earlier, and has been pinged by text messages from their family all day. If they have to sort through dozens of emails before they can close their laptop for the day, they’re likely emotionally drained enough to miss a few details. That error could be costly, but it’s certainly human.


Ultimately, phishing scams work because humans make mistakes. You can reduce their risk by offering strong user training, but one or two people in an organization may forget that training when they need it (although, this is no excuse not to offer security training). And of course, it only takes one or two clicks in an organization to potentially cause a breach.

That’s why you shouldn’t rely on any one tool to fight back against cybercriminals. Instead, it’s important to use multiple layers—even within your own email security—to help prevent these attacks from taking hold. Humans need to continue doing their part, but technology should play a role.

For instance, it makes sense to add an additional email security gateway on top of any existing email program your customers use. While many email programs offer some level of security, it’s often insufficient—adding another check on top can go a long way toward reducing the overall number of threats reaching individuals’ inboxes. This means your security can rely less on fallible humans.

Additionally, it’s important to realize that email usually represents only one phase of an attack. Having other security layers in place like endpoint protection to detect malware and fileless attacks, backup for restoring data if it gets encrypted, and frequent patching can help you round out a security strategy for your customers.

Ultimately, phishing attacks continue because they succeed and are profitable for cybercriminals. Yet, if you have the right technology in place to supplement the human element, you can help greatly reduce your customers’ risks.

One of the best ways to help reduce email attacks is to have a strong email security solution in place. SolarWinds® Mail Assure is built to help MSPs protect their customers from email attacks. It uses collective intelligence from its entire user base to protect customers against even emerging attacks. For example, if some of its user base sees a specific scam occurring based on a news event, it can flag that and help prevent it from reaching the inboxes of other users. Additionally, it’s compatible with nearly any email solution including Microsoft 365. Learn more by starting a free trial today

Want to stay up to date?

Get the latest MSP tips, tricks, and ideas sent to your inbox each week.

Loading form....

If the form does not load in a few seconds, it is probably because your browser is using Tracking Protection. This is either an Ad Blocker plug-in or your browser is in private mode. Please allow tracking on this page to request a trial.

Note: Firefox users may see a shield icon to the left of the URL in the address bar. Click on this to disable tracking protection for this session/site