/Concentrix%20Case%20Study.webp?width=568&height=326&name=Concentrix%20Case%20Study.webp)
.webp?width=100&height=100&name=PXL_20220517_081122781%20(1).webp)
Don’t do it now, but if you head to our homepage later, you’ll see this right at the top:
We’ve been using that line for a while now. And it resonates, almost every security leader we talk to gets it immediately.
But at some point, it’s fair to ask: “Can you prove it?”
That’s what this post is about.
How Many Phishing Emails Are Getting Through?
We analyzed 30 days of email traffic across 1,921 customer environments, all running IRONSCALES with Microsoft 365 or Google Workspace, while also using a SEG for upstream filtering (Barracuda, Cisco, Mimecast, or Proofpoint).
We looked specifically at attacks that made it through those upstream controls but were caught at the inbox level by our platform.
Here’s what we found:
SEGs missed an average of 67.5 phishing emails per 100 mailboxes per month
For a company with 1,000 users, that’s 675 missed phishing emails per month. That’s 23 threats per day, delivered directly to employee inboxes.
What Kind of Attacks Are Getting Through?
It’s not just volume, it’s the type of threats that matter. The ones SEGs are missing aren’t always the ones you’d expect.
These include:
- Credential theft
- Vendor scams
- Executive impersonation
- Image-based phishing (like Quishing)
- Vishing attacks with voicemail attachments
And here’s the part most people underestimate: 10.4% of users click on phishing emails that make it past upstream filters.
If you’re not stopping those messages before they reach people, you’re taking a bet you probably don’t want to take.
One Customer, 13,000 Missed Attacks
Here’s a real number from a real IRONSCALES customer:
13,000 phishing emails made it past their SEG in one year.
$78,000 saved in estimated remediation costs.
They didn’t switch vendors, they added a layer. And it paid off.
What This Means
If you’re relying on a SEG alone, things are getting through. Full stop.
And look, I'm not saying SEGs don’t work. But they weren’t designed to stop the kinds of email attacks we’re seeing today. The ones that don’t have malicious links or attachments. The ones that look just enough like legitimate messages to get through.
That’s why we built the Missed Phish Calculator, to help teams estimate how many threats are getting through right now, based on their SEG of choice and organization size.
What’s Coming in Part 2
In my next post, I'll dig into the vendor-specific performance, who’s missing what, how that shifts based on company size, and what attack types are the biggest problem for each platform.
I'll also get into the nuance behind the numbers. The results in this report are conservative on purpose. We didn’t count every suspicious email...we focused on clear, malicious phishing. Could we have made the numbers look scarier? Sure. But we didn’t want inflated numbers. We wanted credibility.
Because when we say we catch the phish others miss, we mean the ones that matter.
Want to go deeper? Download the Full Report.
Want to see how many phish your SEG is missing? Check out our Missed Attacks Calculator.
Stay tuned for more...
Explore More Articles
Say goodbye to Phishing, BEC, and QR code attacks. Our Adaptive AI automatically learns and evolves to keep your employees safe from email attacks.
