Phishing attacks remain a central component of many of the security breaches that are reported in the press for one very good reason they work. An attacker doesnt need to exploit a zero day vulnerability or craft malware that can steal keystrokes from a targeted PC. All they may need to do is use some compelling social engineering to fool an innocent user into clicking on a link, and take them to a convincing-looking website which simply asks for their password. Google recently announced that it was providing an option for G Suite administrators to receive warnings when Google believed that a government-backed attacker had likely attempted to access a users account or computer through phishing, malware, or another method”]
Source: https://businessinsights.bitdefender.com/google-warns-businesses-government-backed-phishing-attacks