Most phishing defenses are built around a single failure point: the employee who clicks. The more dangerous assumption attackers are now exploiting is a different one entirely, that the security team investigating those clicks will eventually run out of time. Attackers are using volume as part of the strategy, and organizations doing the most phishing training may now be the ones dealing with it the most.
Understanding phishing volume as an attack strategy
Phishing has always been a numbers game, but the game has changed. What was once a mass-distribution tactic designed to catch any one of thousands of recipients has become something more deliberate. Attackers operating at scale no longer just send phishing emails. They send them in ways designed to take advantage of how organizations react.
The core mechanism is straightforward. A campaign floods an organization's reporting channels with high volumes of low-sophistication lures. Trained employees report them. Security Operations Center analysts begin triaging. The queue builds up faster than the team can work through it. Buried inside that volume is a small number of precisely crafted spear-phishing messages targeting individuals with access to critical systems or financial controls. These messages are the actual payload, and the flood is the cover.
A 2025 ACM Computing Surveys paper on alert fatigue in Security Operations Centres (SOCs) describes how excessive alert volume leads directly to desensitisation among analysts, compromising their effectiveness and creating conditions in which genuine threats are missed. The paper cites Trend Micro survey data, finding that 51% of SOC teams feel overwhelmed by alert volume, with analysts spending over 25% of their time handling false positives. Wasting the SOC’s time has become an effective attack strategy.
The impact of weaponized volume
The economics of this strategy heavily favour the attacker. Generating thousands of commodity phishing emails costs close to nothing, particularly with AI dramatically lowering the production barrier. KnowBe4's 2025 Phishing Threat Trends Report found a 17.3% increase in phishing emails between September 2024 and February 2025 compared to the prior six-month period, with at least one polymorphic feature present in 76.4% of all phishing attacks, variations that bypass blocklists and signature-based filters and therefore generate more analyst work per message.
Each of those reported messages costs the defending organization real analyst time. Each investigation that should close in minutes stretches to hours when the queue is deep enough. The Verizon 2025 Data Breach Investigations Report, which analysed over 22,000 incidents and 12,195 confirmed breaches, found that the human element was involved in the majority of breaches, reinforcing that human attention remains the rate-limiting factor in phishing defence, regardless of the technical controls surrounding it.
For healthcare organizations, the stakes compound. According to Paubox's 2026 Healthcare Email Security Report, phishing emails increased 17% in 2025, and attacks avoiding native email defences rose 47%. According to Paubox's 2025 Healthcare Email Security Report, only 5% of known phishing attacks are reported by employees to security teams at all, which means the volume arriving at the SOC represents only a fraction of what was actually sent, and the organizations with the most engaged reporting cultures face the heaviest triage load.
How weaponized volume works in practice
The tactic follows a predictable structure. First, a large wave of commodity lures is distributed. These may be generic credential-harvesting pages, fake document sharing notifications, or impersonation attempts using commonly recognised brand names. Many will be caught by email gateways. A big portion will be reported by trained employees and routed to the SOC queue.
Second, a small number of targeted messages are embedded within or timed alongside the high-volume wave. These messages are carefully researched, personalized, and made to look like the kinds of emails analysts are used to handling quickly under pressure. They may reference real projects, vendors, or internal processes, adding details that can make a tired analyst trust the message instead of questioning it.
Third, the SOC responds as it is trained to: triaging faster, spending less time per submission, and prioritising clearing the queue over deep investigation of any single message. IBM X-Force's 2025 Threat Intelligence Index found that 30% of all intrusions involved the use of valid compromised credentials, a figure that shows how often the attacker's real goal is to harvest access, which a single analyst mistake under pressure can provide.
The ACM Computing Surveys paper on SOC alert fatigue describes the downstream consequences: ignored alerts, incomplete investigations, and eventually breaches that trace back to a human capacity failure in the investigation layer that follows, not to a technical failure in detection infrastructure.
Why this is harder to detect and stop
Standard phishing defences address message characteristics: domain reputation, sender authentication, link analysis, and attachment scanning. They do not address investigation capacity. A volume-based campaign does not necessarily need to get past these controls. It needs only to generate enough legitimate-looking reports to overwhelm the analysts reviewing what those controls flagged.
Rule-based automation creates predictable blind spots. If an organization auto-closes reports from domains with established reputation, an attacker can compromise or spoof those domains. If deduplication logic groups messages by subject line, an attacker can vary surface characteristics while maintaining the same payload. When analysts are working through a large queue under pressure, they are more likely to rely on quick visual cues, like whether a message resembles something already cleared, instead of fully reviewing its individual risk.
Generative AI has accelerated this problem considerably. KnowBe4's 2025 Phishing Threat Trends Report found that polymorphic campaigns, those that continuously vary message characteristics to avoid pattern-matching, accounted for 76.4% of phishing attacks. Each variation requires fresh investigation, which means polymorphic volume campaigns do not just flood the queue; they also prevent the kind of pattern recognition that experienced analysts rely on to move quickly through similar-looking submissions.
Recognising the pattern
Organizations that have dealt with this tactic often only recognize the warning signs after the fact. A spike in phishing reports across a short window, particularly one that coincides with a period of broader business activity such as a product launch, acquisition announcement, or financial period end, should prompt a question about the messages themselves and about who might be sending them and why at that moment.
Signs that volume is being used strategically include campaigns where the commodity lures are unusually well-crafted relative to their volume: more convincing than typical spray-and-pray attacks, but less targeted than typical spear-phishing. That mix suggests the attacker is putting enough effort into the noise to make it believable, pointing to something more deliberate than a typical mass phishing campaign.
The ACM Computing Surveys research notes that alert fatigue is predictably worse during shift transitions, periods of high concurrent incident activity, and times when an organization's security team is already stretched by other demands. Attackers who monitor public signals (news coverage of an organization, industry events, and regulatory deadlines) can time high-volume campaigns to coincide with moments of predictable stress.
Best practices for reducing phishing volume risk
The most effective way to address this is to remove the human bottleneck for high-volume, low-risk submissions, so analysts can focus on the messages that actually need review.
Automated triage that provides transparent, auditable reasoning for each verdict is more valuable than opaque auto-closure, because it allows analysts to verify and challenge system decisions rather than override them reflexively. The goal is to make sure human review is focused where it matters most.
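The subject-line deduplication blind spot described earlier and the auditable verdicts described here can be shown together. The following is an added example, not Paubox's or any vendor's code: the report schema, the `fingerprint` and `triage` helpers, and the `wave_size` threshold are assumptions, and the sample reports are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample reports (not real indicators). Subjects differ per message,
# as in a polymorphic wave, while the linked payload stays the same.
REPORTS = [
    {"id": 1, "subject": "Invoice 4471 overdue", "urls": ["https://files.example.net/view?id=a1"], "attachments": []},
    {"id": 2, "subject": "Your document is ready", "urls": ["https://FILES.example.net/view/?id=b2"], "attachments": []},
    {"id": 3, "subject": "Action needed: shared file", "urls": ["https://files.example.net/view?id=c3"], "attachments": []},
    {"id": 4, "subject": "Re: Q3 vendor payment run", "urls": ["https://portal.example.org/login"], "attachments": []},
    {"id": 5, "subject": "Quick favour before the board call", "urls": [], "attachments": []},
]


def fingerprint(report):
    """Payload identity (assumed schema): normalised link targets plus attachment hashes."""
    parts = set(report["attachments"])
    for url in report["urls"]:
        u = urlsplit(url)
        # Query strings and fragments often carry per-recipient tokens: surface variation.
        parts.add(f"{u.hostname or ''}{u.path.rstrip('/')}")
    return tuple(sorted(parts))


def triage(reports, wave_size=3):
    """Return one verdict per payload cluster, each with a reason an analyst can audit."""
    clusters = defaultdict(list)
    for r in reports:
        clusters[fingerprint(r)].append(r["id"])
    verdicts = []
    for fp, ids in clusters.items():
        if not fp:
            queue, reason = "priority", "no link or attachment to compare; needs analyst review"
        elif len(ids) >= wave_size:
            queue, reason = "batch", f"{len(ids)} reports share payload {fp}; investigate once"
        else:
            queue, reason = "priority", f"payload {fp} seen in only {len(ids)} report(s)"
        verdicts.append({"queue": queue, "ids": ids, "reason": reason})
    # Rare payloads go to the front so they are not buried behind the wave.
    return sorted(verdicts, key=lambda v: v["queue"] != "priority")


if __name__ == "__main__":
    for verdict in triage(REPORTS):
        print(verdict)
```

Grouping by subject line would have produced five separate investigations here; grouping by payload produces one batch verdict and two items for full review.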
Email authentication controls (SPF, DKIM, and DMARC at enforcement) reduce the proportion of spoofed messages entering the reporting pipeline, which reduces the volume of low-quality submissions that must be investigated. According to Paubox's 2025 Healthcare Email Security Report, 30.6% of breached healthcare organizations lacked DMARC records entirely, and 37.2% had DMARC in monitor-only mode, which allows spoofed messages to continue undetected. Each of those configurations contributes directly to the investigative load the volume tactic relies on.
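The three DMARC states named above (no record, monitor-only, enforcement) can be checked across an organization's own domains. This is an added example, not from the report or from Paubox: the domains and record strings are constructed, the DNS lookup of the TXT record at `_dmarc.<domain>` is left out so the code runs offline, and the extra "partial" and "invalid" categories go beyond what the text lists.

```python
def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT record, or None if it is not one."""
    pairs = [p.split("=", 1) for p in txt.split(";") if "=" in p]
    tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
    # RFC 7489: the v tag comes first and its value is exactly "DMARC1".
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)


def posture(txt):
    """Classify one domain: missing, invalid, monitor-only, partial or enforcing."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return "missing"
    policy = tags.get("p", "").lower()
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if policy == "none":
        return "monitor-only"  # reports are collected, spoofed mail is still delivered
    if policy not in ("quarantine", "reject") or not pct.isdigit():
        return "invalid"
    # A policy applied to only part of the mail flow still lets some spoofed mail through.
    return "enforcing" if int(pct) >= 100 else "partial"


# Constructed TXT values, as they would be published at _dmarc.<domain>.
RECORDS = {
    "clinic.example": None,
    "billing.example": "v=DMARC1; p=none; rua=mailto:dmarc@billing.example",
    "portal.example": "v=DMARC1; p=quarantine; pct=25",
    "mail.example": "v=DMARC1; p=reject; rua=mailto:dmarc@mail.example",
    "old.example": "v=spf1 include:_spf.old.example -all",
}


def audit(records):
    """Map each domain to its DMARC posture."""
    return {domain: posture(txt) for domain, txt in records.items()}


if __name__ == "__main__":
    for domain, state in audit(RECORDS).items():
        print(f"{domain:18} {state}")
```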
Pre-delivery filtering that removes phishing messages before they reach employees' inboxes prevents reports from being generated in the first place. Paubox's Inbound Email Security is designed to detect and block phishing and spoofed emails automatically before they reach healthcare inboxes, addressing the source of volume rather than the downstream investigation burden. According to Paubox's 2026 Healthcare Email Security Report, 75% of breached organizations lacked DMARC enforcement, and every one of those gaps creates room for the commodity lures that generate triage noise.
Why phishing volume continues to grow
The structural conditions driving this tactic are not changing. Security awareness training programmes are expanding across industries, which increases employee reporting rates and the volume of submissions reaching the SOC. The KnowBe4 2025 Phishing By Industry Benchmark Report, based on 67.7 million simulated phishing tests across 62,400 organizations, found that one in three employees remains susceptible to phishing at baseline. More reports from more engaged employees mean more queue pressure, which means the volume tactic becomes more effective as security culture improves.
Generative AI removes the cost constraint that previously limited how many convincing messages an attacker could produce. The FBI's 2024 IC3 report noted the Bureau's warning that AI is already being used to craft highly convincing phishing campaigns at scale. When production cost approaches zero, the only limiting factor on phishing volume is the attacker's willingness to generate it, and that willingness is driven by the expected return, which remains high.
FAQs
What is the difference between bulk phishing and weaponized phishing volume?
Bulk phishing tries to trick as many people as possible with one campaign. Weaponized phishing volume uses a flood of messages to overwhelm security teams, creating cover for a smaller number of targeted attacks.
Does more employee phishing training make this problem worse?
Training helps employees spot and report threats, but it can also increase the number of reports security teams must review. The fix is not less training, but better systems to handle the added volume.
Why do email gateways not solve this problem?
Email gateways stop many known threats, but attackers can change phishing messages enough to avoid detection. When those emails reach inboxes and get reported, they still create work for security teams.
How does this tactic affect healthcare specifically?
Healthcare teams rely heavily on email and work in busy environments, making them frequent phishing targets. Even a small percentage of reported attacks can create a heavy workload for security teams.
What is the single most effective control against weaponized phishing volume?
Blocking phishing emails before they reach inboxes is the most effective defense. If employees never see them, security teams do not have to investigate them.
