DarkReading, an online cybersecurity publication, recently referenced a report from PhishMe that asserts that 91% of all cyberattacks begin with a phishing email. It’s a hacker’s point of entry and the gap malware slips through.
But why is this? Why do people continue to fall for phishing emails time and time again? Aren’t these emails littered with grammatical errors and clearly written by someone in a foreign country?
Well… that’s not always the case. People don’t exactly have their facts straight when it comes to modern-day phishing. So here’s what you should remember.
Phishing can be personalized.
People like to think that if their name or title is used within an email, the email is definitely legit. How can a hacker know my name? How can a cyber-thief possibly know what my business title is? It’s a lot easier than you think it is… especially when the majority of people use their names as their email addresses. Just because an email references your name or title does not mean it’s safe. There’s a lot more to it than that.
These emails can be grammatically correct.
Phishing emails don’t always look like they were written by a group of cavemen. Sometimes… in fact… in many cases, these emails will look rather perfect to the everyday email recipient. And if there is a missing comma or forgotten capitalization, you probably won’t even notice it. You’ll have to look beyond grammar to verify that an email is legitimate.
Sometimes, they’ll know your processes.
Just as they can be specific with names and titles, they can also be specific with internal processes. If a hacker wants to take the time to do it (which a lot of them can and will), they can quickly learn how you and your staff do things. Do you need two upper managers to approve an invoice? Do you require two or three days before this transaction can be processed? It’s not hard to determine processes like these. All they have to do is email an unsuspecting lower-level employee… or just guess.
They don’t always rely on urgency.
Oftentimes, a phishing email is successful because it employs a sense of urgency. Something needs to get done immediately, and if it doesn’t get done immediately, something bad will happen. This can be really hard to ignore. But – and this is a big but – urgency isn’t the only tactic used. How does the possibility of losing your job feel? Or how about getting recognized for doing something really well? Or maybe sheer curiosity about what waits on the other side of that click? Phishing won’t always be a “must-do-now” type of thing. It can be anything really. So be prepared.
All types of industries are at risk.
Within the same PhishMe report, it was found that the insurance industry fell victim to phishing attacks more often than most other industries. But this was followed very closely by retail, energy, and healthcare. It’s important to remember that phishing is all over the board. Do not think for one second that phishing does not exist outside these four industries. Education. Consulting. Marketing. Oil. Agriculture. Media. Accounting. It’s everywhere.