Phishing Attacks That Bypass Email Filters: What Your Security Team Needs to Know

Admin Desk


Email security gateways block millions of phishing attempts every day. Spam filters, URL reputation checks, and attachment sandboxing stop the bulk of commodity attacks before they reach inboxes. Attackers know this, and the sophisticated ones have adapted.

Modern phishing campaigns use techniques designed specifically to evade automated detection. QR codes embedded in PDF attachments redirect victims to credential harvesting pages without triggering URL scanners. Attackers host phishing pages on legitimate platforms like SharePoint and Google Docs, borrowing the domain reputation of trusted services.

The Human Layer Remains Vulnerable

No filter catches everything. When a well-crafted phishing email lands in someone’s inbox, the only remaining defence is the person reading it. Business email compromise attacks that impersonate senior executives or trusted suppliers use no malicious links or attachments at all. They rely purely on social engineering, asking for wire transfers, sensitive documents, or credential resets through entirely text-based messages.

William Fieldhouse, Director of Aardwolf Security Ltd, comments: “The phishing emails that worry me most contain no malware and no suspicious links. They read like genuine business correspondence because the attacker has researched the target thoroughly. Technical controls cannot catch a plain-text email asking someone to change a payment reference. Organisations need both technical defences and a workforce that recognises manipulation tactics.”

Where Phishing Meets Web Application Security

Credential harvesting phishing feeds directly into web application attacks. Once an attacker captures a valid username and password, they attempt to access corporate web portals, SaaS platforms, and cloud management consoles. Organisations that invest in web application penetration testing discover whether stolen credentials alone grant access or whether additional controls like MFA and session management provide a second barrier.

Testing should cover login flows, password reset mechanisms, and session handling. Weak implementations allow attackers to bypass MFA through session fixation, token replay, or flawed recovery workflows. These gaps only surface through hands-on testing by skilled professionals.

Building Resilience

Deploy DMARC, DKIM, and SPF records properly. These email authentication standards prevent domain spoofing, which remains a common phishing tactic. Pair technical controls with regular phishing simulations that measure click rates and reporting behaviour. Track improvement over time rather than using simulations as a gotcha exercise.
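As an added example, not code from the article or from Aardwolf Security, the checker below rates SPF and DMARC TXT records for the weak settings that leave a domain spoofable (a permissive `all` qualifier, `p=none`, partial `pct`, no aggregate reporting, weaker subdomain policy). The records are constructed sample values on placeholder domains; DKIM is left out because it is verified against a message signature rather than read from a published policy record.

```python
"""Rate SPF and DMARC TXT records for spoofing resistance.
Added example, not from the original article; the records are constructed
sample values on placeholder domains, not real DNS data."""
import re

# Constructed sample TXT records (would normally come from a DNS TXT lookup
# of the domain and of _dmarc.<domain>).
SPF_SOFTFAIL = "v=spf1 include:_spf.mailer.example ~all"
SPF_OPEN = "v=spf1 +all"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"
DMARC_ENFORCED = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.invalid"

ALL_TERM = re.compile(r"^([+\-~?]?)all$", re.IGNORECASE)
ALL_MESSAGES = {
    "+": "'+all' authorises any sender to spoof the domain",
    "?": "'?all' is neutral and gives receivers no signal",
    "~": "'~all' softfails: spoofed mail is flagged, not rejected",
}

def check_spf(record: str) -> list:
    """Return weaknesses in an SPF record; an empty list means none found."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record missing or malformed"]
    match = next((m for t in terms if (m := ALL_TERM.match(t))), None)
    if match is None:
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    qualifier = match.group(1) or "+"  # a bare 'all' defaults to pass
    return [ALL_MESSAGES[qualifier]] if qualifier in ALL_MESSAGES else []

def check_dmarc(record: str) -> list:
    """Return weaknesses in a DMARC record; an empty list means none found."""
    tags = dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in tags.items()}
    if tags.get("v") != "DMARC1":
        return ["DMARC record missing or malformed"]
    findings = []
    policy = tags.get("p", "missing")
    if policy != "reject":
        findings.append(f"p={policy}: spoofed mail is not rejected")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports are never received")
    sp = tags.get("sp")
    if sp and sp != "reject":
        findings.append(f"sp={sp}: subdomains are enforced more weakly than the parent")
    return findings
```

Running `check_spf` and `check_dmarc` over a domain's real TXT records turns the "deploy properly" advice above into a concrete pass/fail list; an empty result for both is the target state.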

Engage an experienced penetration testing company to simulate realistic attack chains that combine phishing with web application exploitation. This approach tests your defences as attackers actually experience them, not as isolated components.

The financial impact of these attacks dwarfs traditional phishing. A single successful BEC attack can drain an account of tens or hundreds of thousands of pounds before anyone notices. Unlike malware-based attacks, there is no technical indicator to trigger an alert. The money simply leaves through a legitimate banking channel.

Testing should also verify that security headers, content security policies, and cross-origin restrictions prevent attackers from leveraging compromised credentials across multiple applications within your estate.

Phishing succeeds when one person makes one mistake. Reducing that risk requires layered technical controls, ongoing staff awareness, and regular testing that reflects how real attackers operate.