Phishing Resistance
By Andre Kiyota on November 7, 2025
Executive Summary
Organizations face persistent phishing campaigns that exploit human trust and everyday communication. Left unchecked, these campaigns create material financial, privacy, and operational harm across the institution and its stakeholders. An effective response is a layered program that strengthens identity verification, improves email screening, and makes reporting easy while enabling coordinated incident handling. Done well, this approach reduces successful scams, speeds detection and recovery, and limits the spread of any incident. Organizations should adopt this program as the operating baseline for all users, domains, and external partners.
Background
Phishing remains one of the most frequently reported cybercrimes; FBI Internet Crime Complaint Center data places it consistently at or near the top of complaint categories, with losses continuing to grow year over year [1]. It succeeds because attackers piggyback on routine communication (invoices, benefit updates, meeting invites), recognizable brands (banks, payroll providers, collaboration tools), and time pressure (end-of-day approvals, expiring access, delivery problems). Those same triggers appear in every industry and touch every role: leadership, finance, human resources, IT, and operations alike.
Major email providers have begun tightening sender requirements. Google's 2023 Gmail changes, for example, require bulk senders to authenticate their mail (SPF, DKIM, and DMARC), offer one-click unsubscribe, and keep reported-spam rates below a published threshold [2]. These changes reflect a broader industry push to reduce spoofing and spam at scale, and they signal a move toward clearer accountability for senders and more protective defaults for recipients.
National standards and vendor threat research converge on the same point: trustworthy email practices (sender authentication and message integrity) and resilient identity defenses are key to reducing phishing risk [3][4]. Together, these perspectives frame phishing not as an edge case but as an ongoing operational challenge that demands sustained attention from both technology teams and organizational leadership.
Impact
Phishing undermines the trust model of email by deceiving recipients into acting on fraudulent messages. NIST SP 800-177 details how attackers exploit weak or missing sender authentication (SPF, DKIM, and DMARC), domain impersonation, and message manipulation to appear legitimate and bypass filtering [3]. The result is account takeover, fraudulent payments, data exposure, and operational disruption that can cascade across partners and customers. Because these techniques are low-cost and highly effective, phishing remains a material risk to organizations of every size. One caveat for defenders: even a correctly configured DMARC policy protects only the domains an organization owns; mail from lookalike domains or from a compromised partner mailbox passes authentication, so user reporting and content screening remain necessary alongside it.
Mitigation
Organizations should implement identity-first defense paired with clear operational playbooks. Operational playbooks are concise, pre-approved guides that map out who does what, when, and how during recurring incidents, turning ad hoc reactions into a repeatable, timely response. On the identity side: deploy phishing-resistant multi-factor authentication (FIDO2/WebAuthn hardware security keys or platform passkeys, whose credentials are bound to the legitimate origin and cannot be replayed to a lookalike site), block legacy sign-in protocols that cannot enforce MFA, enforce conditional access with risk-based sign-in evaluation, and enable rapid session and token revocation when suspicious activity is detected [4]. These measures remove passwords from the primary attack path, make stolen credentials and tokens far less useful, and shrink the window in which an attacker can act. Together with simple user reporting and organization-wide message purge procedures, this turns scattered controls into a repeatable, effective response aligned with NIST guidance.
Relevance
Phishing preys on routine communications and trusted brands, turning ordinary email into a dependable pathway for fraud and data loss. Accepting the risk leads to recurring incidents, rising recovery costs, reputational harm, and potential regulatory exposure; a layered mitigation program, by contrast, materially reduces both the likelihood and the impact of attacks. By implementing these controls, including phishing-resistant MFA, organizations gain measurable reductions in successful scams, faster detection and response, fewer user disruptions, and greater confidence in business communications.
References
[1] Federal Bureau of Investigation. (2025, April 23). FBI Releases Annual Internet Crime Report. FBI. https://www.fbi.gov/news/press-releases/fbi-releases-annual-internet-crime-report
[2] Kumaran, N. (2023, October 3). New Gmail protections for a safer, less spammy inbox. The Keyword (Google). https://blog.google/products/gmail/gmail-security-authentication-spam-protection/
[3] Rose, S., Nightingale, J. S., Garfinkel, S. L., & Chandramouli, R. (2019, February). Trustworthy Email (SP 800-177 Rev. 1). National Institute of Standards and Technology. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-177r1.pdf
[4] Sakhnov, I. (2025, May 29). Defending against evolving identity attack techniques. Microsoft Security Blog. https://www.microsoft.com/en-us/security/blog/2025/05/29/defending-against-evolving-identity-attack-techniques/