Debunking 8 Common Phishing Myths


From spam filters being adequate security tools to information technology (IT) teams being immune, phishing myths are everywhere. How can business leaders tell which are fact and which are fiction? 

1. Phishing Emails Always Have Typos and Grammatical Errors

Malicious emails always have misspellings, syntax mistakes and grammatical errors, right? That was a useful heuristic years ago. Thanks to artificial intelligence (AI), it has become a common phishing myth: a lure can now be written in fluent, on-brand prose in any language. 

Generative models can produce convincing messages in moments. After the initial release of ChatGPT in late 2022, phishing volume increased by 1,265%, amounting to an average of 31,000 threats per day in 2023. That jump cannot be pinned on generative AI alone, but it shows the threat is not theoretical, and clean grammar is no longer evidence that a message is safe. 

2. Spam Filters Are Enough to Stop Phishing Emails

Most major email providers have built-in spam filters that block known malicious attachments and links, so business leaders often assume they are safe. However, cybercriminals are constantly finding new ways past these gateway defenses: lures that contain no link or attachment at all and simply ask for a reply, links to files hosted on legitimate cloud-sharing services, QR codes in place of clickable links, and freshly registered domains that have no reputation yet for a filter to score. 

Companies that rely on legacy filtering are at particular risk. A filter whose rules and reputation feeds have gone years without updates will miss current lures while still reporting that everything is blocked, giving IT teams a false sense of security.

3. Clicking on a Link Is the Only Way to Get Hacked

What’s the harm in opening a phishing email? After all, aren’t employees safe unless they click on a link, open an attachment or respond to the sender? Business leaders would do well to remember that cybercriminals are nothing if not creative. 

If a phisher hides a tracking pixel, a one-by-one pixel image loaded from a server they control, within their message, simply rendering the email tells them the address is live, when it was opened and from what internet protocol (IP) address and client. A pixel cannot capture keystrokes, but that confirmation is enough to mark a mailbox for follow-up attacks. Conventional security measures like blocking third-party cookies will not stop it, because the request is an ordinary image fetch; what stops it is configuring the mail client not to load remote images automatically, which most clients support.

Even receiving a message could compromise a user without any click. The zero-click Outlook vulnerability disclosed in March 2023 (CVE-2023-23397) is the clearest example: a specially crafted calendar or task item set its reminder sound to a file on an attacker-controlled server, reached over the internet via SMB.

Because Outlook processes reminders automatically, the client connected to that server on its own and, in doing so, sent the user's Net-NTLMv2 hash, which the attacker could relay to authenticate as that user elsewhere on the network. No code ran on the victim's machine, but the account was effectively compromised the moment the reminder fired. 

4. It’s Possible to Tell Whether an Email Is Legitimate 

Many assume they can tell whether an email is legitimate by checking the sender's email address. Alternatively, they believe they can hover over the link to see whether the uniform resource locator (URL) is authentic. Neither check is reliable on its own. 

In reality, attackers can spoof the visible sender by forging the From header, and unless the impersonated domain publishes an enforcing DMARC policy and the receiving server honors it, the forgery is delivered. They can also disguise URLs with obfuscation techniques such as routing the link through an open redirect on a trusted website, so the hovered hostname looks legitimate while the real destination hides in a query parameter, or by registering a lookalike domain one character off from the real one. Checking the sending IP in the Received headers is no better a guide, since mail sent through a VPN or from a rented cloud mailbox can come from an address that looks perfectly plausible.

Even if the sender, subject line, content, metadata and timing seem fine, the message may still be fake. If the phisher uses generative AI or has insider information on the person they contact, determining legitimacy at first glance is nearly impossible. 
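The checks behind myths 3 and 4 can be automated for a first pass. The Python script below is an added example, not code from the original article or any vendor's product: it parses one raw message and flags a sender whose SPF/DKIM/DMARC verdicts did not pass, a link routed through an open redirect, a link whose visible URL points somewhere other than its real destination, and a remote one-by-one image. SAMPLE_EML is a constructed message, and every domain, header value and function name in it is this example's own.

```python
# Added example (not from the original article): triage a raw email for the
# signals discussed above. SAMPLE_EML is a constructed message; the checks and
# function names are this example's own, not any vendor's product logic.
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample: failed SPF/DMARC, a visible URL that differs from the real
# destination (hidden behind an open redirect), and a remote 1x1 image.
SAMPLE_EML = """\
From: "Accounts Payable" <ap@example-corp.com>
To: victim@example.com
Subject: Invoice 4471 overdue
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-corp.com; dkim=none; dmarc=fail header.from=example-corp.com
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please review <a href="https://redirect.example.org/out?url=https://portal-example.evil/login">https://portal.example.com/invoices</a> today.</p>
<img src="https://track.evil/open.gif?id=victim" width="1" height="1">
</body></html>
"""

# Query-string keys commonly used by redirect endpoints (assumed list).
REDIRECT_KEYS = ("url", "u", "redirect", "redir", "target", "dest")


class _LinkAndImageCollector(HTMLParser):
    """Collects (href, visible text) for <a> and (src, width, height) for <img>."""

    def __init__(self):
        super().__init__()
        self.links, self.images = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src"):
            self.images.append((a["src"], a.get("width"), a.get("height")))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def auth_results(header):
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results value."""
    return {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header)}


def unwrap_redirect(url):
    """Peel one layer of ?url=https://... style open-redirect wrapping."""
    query = parse_qs(urlparse(url).query)
    for key in REDIRECT_KEYS:
        if key in query and query[key][0].startswith(("http://", "https://")):
            return query[key][0]
    return url


def triage(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    # 1. Sender authentication: a forged From header fails DMARC alignment.
    verdicts = auth_results(msg.get("Authentication-Results", ""))
    _, sender = parseaddr(msg.get("From", ""))
    if verdicts.get("dmarc") != "pass":
        findings.append(f"sender {sender} not authenticated: {verdicts or 'no Authentication-Results'}")

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = _LinkAndImageCollector()
    collector.feed(body)

    # 2. Links: unwrap redirects, then compare the shown URL with the real one.
    for href, text in collector.links:
        final = unwrap_redirect(href)
        if final != href:
            findings.append(f"redirect on {urlparse(href).hostname} lands on {urlparse(final).hostname}")
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown and shown != urlparse(final).hostname:
            findings.append(f"link text shows {shown} but goes to {urlparse(final).hostname}")

    # 3. Remote 1x1 images fire a request to the attacker when the mail renders.
    for src, width, height in collector.images:
        if src.startswith(("http://", "https://")) and (width, height) == ("1", "1"):
            findings.append(f"remote 1x1 image (tracking pixel) from {urlparse(src).hostname}")

    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("-", finding)
```

Running it on the sample yields four findings: the unauthenticated sender, the redirect landing on a different host, the mismatch between the displayed and real link host, and the tracking pixel. The script only reads what is in the message; it does not stop the pixel from loading, which is a mail-client setting, and a message that passes every check can still be a phish sent from a compromised legitimate account.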

5. Employees Know to Report Phishing When They See It

The company has conducted employee training, so staff members know to report phishing messages immediately — at least, they should. In reality, many don’t. A Cybersecurity and Infrastructure Security Agency (CISA) assessment revealed many take the bait. 

In 2022, a CISA assessment team sent fake phishing emails to gauge companies’ preparedness. Approximately 84% of employees fell for it within 10 minutes of receiving the message, either replying with sensitive data or clicking on a spoofed link. Just 13% reported it.

6. Staff in the IT Department Are Immune to Phishing 

Workers in the IT department should be immune to phishing. After all, don’t they develop training materials and company policies to prevent cyberattacks? This myth is common but no less false than the other misconceptions. These professionals make mistakes, too. 

IT staff spend most of their day managing security alerts, fielding technical questions and putting out fires, leaving little time for much else. Busy schedules create room for error. In fact, 45% of employees say they clicked on a malicious link because they got distracted.

7. Senior Staff Know Better Than to Open Phishing Emails

One phishing myth is that high-ranking professionals don’t need to be trained on best practices or have their communications monitored. The assumption is that they don’t need to be supervised if they are capable enough to be in their position. 

Administrators, upper management and executives are just as prone to human error as the rest of the staff. Moreover, since they often hold highly sensitive information, approve payments or have broad control within the organization, a successful phish against them does more damage, so their accounts warrant tighter monitoring and stronger controls than the average user's, not weaker. 

Spear phishing targets specific individuals — usually after the phisher gathers a massive amount of information on them. Whaling is similar but only targets high-value, high-ranking professionals. Either way, senior staff are at risk and should be monitored.

8. It’s Not Phishing if the Recipient Knows the Sender

People often lull themselves into a false sense of security when they recognize the sender. Beyond spoofing an address, an attacker can take over a colleague's or supplier's real account, in which case the message passes every authentication check. With access to the account's sent mail and enough patience, the attacker can convincingly mimic that person's writing style and continue an existing conversation thread. 

Business leaders should instruct their employees to always be cautious. When in doubt, they should verify through a separate channel, such as a phone call to a number they already have, rather than replying to the message. An unexpected request, an out-of-character tone or an unannounced attachment from a known contact is a sign that the sender's account, not the recipient's, may have been compromised. 

Educate Staff Members on These Phishing Myths 

Most of these phishing myths have a grain of truth, which helps them spread like wildfire. Business leaders should do everything they can to educate staff members on how reality differs from these misconceptions.


As the Features Editor at ReHack, Zac Amos writes about cybersecurity, artificial intelligence, and other tech topics. He is a frequent contributor to Brilliance Security Magazine.

