Phishing in the Workplace: Organizational Practices, Culture and Phishing Vulnerability
2025 (English). Independent thesis, Basic level (degree of Bachelor), 10 credits / 15 HE credits
Student thesis
Abstract [en]
In today's digitally dependent workplaces, phishing attacks are a persistent and damaging cybersecurity threat. Phishing involves fraudulent attempts to obtain sensitive information, such as login credentials or financial details, by posing as a trustworthy entity, often through email. These attacks exploit human vulnerabilities through deceptive tactics, often resulting in significant financial and reputational damage to organizations. Despite advances in technical defenses, the role of organizational practices such as leadership, communication, structure, and culture in influencing phishing susceptibility among employees remains underexplored. The research question for the study is: “How do the organizational practices structure, leadership, communication and culture affect employees' vulnerability and susceptibility to phishing attacks?”
Using a qualitative case study approach focusing on Söderberg & Partners, a prominent Swedish financial services organization, the research draws on data collected through semi-structured interviews with representative informants. The data are analyzed using thematic analysis to uncover patterns and insights into organizational practices and their impact on phishing defenses.
The findings indicated that a flat organizational structure and a supportive communication culture facilitate information sharing and timely reporting of phishing incidents. Leadership that emphasizes awareness and security-conscious norms strengthens employee preparedness. However, gaps in personalized training and fear of repercussions for reporting phishing attempts persist, highlighting areas for improvement.
This research underscores the interrelated role of organizational practices in mitigating phishing risk, and provides practical insights for developing a resilient cybersecurity culture in organizations.
Place, publisher, year, edition, pages
2025.
Keywords [en]
Phishing, Social engineering, Cybersecurity, Organizational practices, Case study.
National Category
Other Computer and Information Science
Identifiers
URN: urn:nbn:se:su:diva-242790
OAI: oai:DiVA.org:su-242790
DiVA, id: diva2:1955722
2025-04-30