Phishing emails have been the first stage of some of the biggest hacks and data leaks on the internet in recent years.
After all, the teams behind these attacks continue to develop new deception techniques.
In a speech at the Black Hat 2019 security conference, Google security researcher Elie Bursztein and University of Florida professor Daniela Oliveira analyzed why these social engineering attacks remain effective, even though they have been known for decades.
Gmail blocks more than 100 million phishing emails every day, and Google reports that 68% of these Gmail-blocked phishing emails are new variants.
The company reports that many of the campaigns aimed at Gmail users target just a few dozen people. Business users are almost five times more likely to receive phishing emails than regular Gmail users.
Users of educational services are twice as likely, government officials are three times more likely, and nonprofit executives are 3.8 times more likely to receive phishing than the average user.
While a mass phishing campaign lasts only about 13 hours, the most focused attacks, which Google calls 'boutique campaigns', are far shorter: aimed at a handful of people in a single company, they last just seven minutes.
In half of the phishing campaigns the email seems to come from the email provider, while in a quarter of them it claims to come from a cloud service provider.
The others usually appear to come from financial services emails or an e-commerce site.
Google found that 45% of Internet users do not understand what phishing is or the risks associated with it.
Now that phishing crews are far more skilled at using psychology to trick people into clicking, users who fail to grasp the magnitude of the threat are a serious problem.
"This lack of awareness increases the risk of repression and potentially hinders the adoption of 2-step verification," Google says.