
What fraction of the phishing you see was just harvesting credentials? Because every such incident becomes irrelevant if you have unphishable credentials, and yet companies are going to spend a bunch of money on phishing prevention/training and not move to unphishable credentials.
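As an added illustration (not part of the thread) of why origin-bound credentials make a credential-harvesting page pointless: a simplified model of a WebAuthn assertion in which the relying party verifies the origin that the browser bound into the signed data. All names are constructed, and an HMAC stands in for the authenticator's real public-key signature, so this is a model of the check, not a WebAuthn implementation.

```python
import hashlib
import hmac
import json
import secrets

# Constructed relying party values for the demo.
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example.com.evil.test"

def authenticator_assert(key, rp_id, origin, challenge):
    """Model of browser + authenticator: the browser fills in the page's real
    origin; rpIdHash plus a hash of clientDataJSON is what gets signed."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    # HMAC stands in for the authenticator's private-key signature (model only).
    sig = hmac.new(key, to_sign, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def relying_party_verify(key, challenge, assertion):
    """RP-side checks: type, fresh challenge, expected origin, rpIdHash, signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:  # origin binding: a relayed assertion fails here
        return False
    if assertion["authenticatorData"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    to_sign = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(key, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

def demo():  # returns (genuine_ok, relayed_ok, tampered_ok)
    key = secrets.token_bytes(32)
    challenge = secrets.token_urlsafe(32)
    genuine = authenticator_assert(key, RP_ID, RP_ORIGIN, challenge)
    # A look-alike site relays the RP's challenge. Even if the browser let it ask for
    # the real rpId (it would not), the signed clientDataJSON carries PHISH_ORIGIN.
    relayed = authenticator_assert(key, RP_ID, PHISH_ORIGIN, challenge)
    # Rewriting the origin after the fact breaks the signature instead.
    tampered = dict(relayed)
    tampered["clientDataJSON"] = relayed["clientDataJSON"].replace(PHISH_ORIGIN.encode(), RP_ORIGIN.encode())
    return (relying_party_verify(key, challenge, genuine),
            relying_party_verify(key, challenge, relayed),
            relying_party_verify(key, challenge, tampered))
```

Only the genuine assertion verifies; a harvested password, by contrast, carries no origin for the server to check.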


I don’t know the percentage offhand, but it’s certainly quite high, and we do see huge numbers of fake O365 login sites in particular (often tailored to the intended victim’s company). The problem, though, is that the less frequent fake invoice or malware drive-by phish does a lot more damage, so frequency isn’t a great gauge of overall implied risk. Many of these other kinds of phish originate from third-party accounts that have themselves been taken over. So it’s critical to deploy MFA to protect yourself, but that doesn’t help with all your third-party contacts who don’t require MFA themselves. There has also been, in the last 6-9 months, more published on attacks that subvert MFA.

You’d also be surprised how many “please buy gift card” kinds of phish we see. And yes, people do fall for them if they get through.
