
I caught this fish by waiting for the right moment. I knew dropping a fly in the seam of a riffle, as the sun was low and shadows crept over the water, would increase my chances of fooling a trout. I also knew that the Provo River is a Blue Ribbon Fishery, with around 4,000 fish per mile!
Phishing attacks work the same way: attackers send emails, texts, or messages that look legitimate to trick someone into clicking a link, opening an attachment, or handing over credentials. They cast thousands of lines knowing only a few need to bite.
Across industries, roughly 5% of phishing emails result in a click. That sounds small until you remember attackers only need one person.
Timing can be critical; the moment attention drifts, the hook sets. Firms that run internal phishing tests often see click rates spike right after major deadlines, when people are tired and moving fast. In some post-deadline tests, click-through rates have jumped dramatically, approaching nearly half of recipients.
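The point about timing is measurable. If your organization runs phishing simulations, the send log can be split into "shortly after a deadline" and "everything else" to see whether the click rate really spikes. The script below is an added example, not part of the original post or any vendor's reporting tool; the simulation rows, the deadline dates, and the three-day window are all constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: one row per simulated phishing email,
# as (recipient id, time sent, whether the recipient clicked).
SIMULATION_RESULTS = [
    ("u01", datetime(2024, 3, 15, 14, 0), True),   # day of a deadline
    ("u02", datetime(2024, 3, 16, 9, 30), True),   # one day after
    ("u03", datetime(2024, 3, 17, 11, 0), False),
    ("u04", datetime(2024, 5, 1, 8, 15), True),    # day after a deadline
    ("u05", datetime(2024, 5, 2, 16, 45), False),
    ("u06", datetime(2024, 2, 5, 10, 0), False),   # ordinary days
    ("u07", datetime(2024, 2, 20, 13, 0), False),
    ("u08", datetime(2024, 4, 10, 9, 0), True),
    ("u09", datetime(2024, 4, 11, 15, 30), False),
    ("u10", datetime(2024, 6, 3, 10, 0), False),
]

# Constructed assumption: the organisation's major deadlines for the period.
DEADLINES = [datetime(2024, 3, 15), datetime(2024, 4, 30)]


def in_post_deadline_window(sent_at, deadlines, days=3):
    """True if the email went out within `days` days after any deadline
    (the deadline day itself counts as part of the window)."""
    for deadline in deadlines:
        if deadline <= sent_at < deadline + timedelta(days=days):
            return True
    return False


def click_rates_by_window(results, deadlines, days=3):
    """Split simulation rows into post-deadline and baseline groups and
    return the click rate (clicks / sends) for each, rounded to 3 places."""
    groups = {"post_deadline": [0, 0], "baseline": [0, 0]}  # [clicks, sends]
    for _recipient, sent_at, clicked in results:
        key = "post_deadline" if in_post_deadline_window(sent_at, deadlines, days) else "baseline"
        groups[key][1] += 1
        if clicked:
            groups[key][0] += 1
    return {
        key: (round(clicks / sends, 3) if sends else 0.0)
        for key, (clicks, sends) in groups.items()
    }


if __name__ == "__main__":
    rates = click_rates_by_window(SIMULATION_RESULTS, DEADLINES)
    for window, rate in rates.items():
        print(f"{window:14s} click rate: {rate:.1%}")
```

Run it against a real export (one row per send, with a timestamp and a clicked flag) and the comparison tells you whether post-deadline periods deserve extra reminders, a slower approval path for payment changes, or simply a pause before hitting send on internal tests that would only confirm what you already know.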
And phishing often escalates into Business Email Compromise (BEC) scams, where attackers impersonate an executive, vendor, or trusted advisor to redirect wires, change ACH instructions, or extract sensitive information. By the time finance realizes something is wrong, the money is gone.
This is not an IT failure. It is human behavior under pressure. The best IT in the world cannot overcome the human element.
If your organization assumes “our people would never click,” that’s usually when they do. And that is definitely when our phones ring.
The best defense isn’t better bait detection. It’s knowing when people are most likely to bite.