The people on the defensive side of the ball in security—especially those who work for vendors—spend a lot of time thinking about ways to stop new and innovative attacks. The last few years have seen advances in APT detection and monitoring and defenses against sophisticated mobile attack techniques.

While those technologies provide valuable protection for users, the plain truth is that attackers will use the simplest technique that accomplishes their goal. There’s no need to bring out the fancy china when the paper plates will hold the pizza just as well. By the same token, attackers don’t like to burn zero days or show off special techniques if they don’t have to. Security professionals understand this and know that the basic attack techniques are still the most popular, and so they warn their users constantly about phishing, reusing passwords, and other common dangers.

Still, phishing remains one of the more effective ways for attackers to gain access to sensitive information through account takeovers. New research from Google into the ways in which attackers hijack victims’ accounts found 12 million sets of credentials on black markets that had been stolen through phishing. Google’s research focused on tracking a number of different black markets that specialize in trading credentials from third-party breaches, and the company found a total of 3.3 billion credentials that had been exposed from breaches. Not everyone has a Google account (I guess?) but the same techniques that attackers use to compromise those accounts work pretty well on other services, as well.

“While our study focused on Google, these password stealing tactics pose a risk to all account-based online services. In the case of third-party data breaches, 12% of the exposed records included a Gmail address serving as a username and a password; of those passwords, 7% were valid due to reuse. When it comes to phishing and keyloggers, attackers frequently target Google accounts to varying success: 12-25% of attacks yield a valid password,” Kurt Thomas and Angelika Moscicki of Google said.

“However, because a password alone is rarely sufficient for gaining access to a Google account, increasingly sophisticated attackers also try to collect sensitive data that we may request when verifying an account holder’s identity. We found 82% of blackhat phishing tools and 74% of keyloggers attempted to collect a user’s IP address and location, while another 18% of tools collected phone numbers and device make and model.”

In some ways it seems absurd that in this point in Internet history so many people are still falling for phishing scams. After all, these things have been circulating for 20 years in one form or another, and we’ve been training users to look for the telltale signs of phishing emails for nearly as long. But attackers have been learning too, and the phishing emails and texts they send out now are light years ahead of what they were even five years ago. The state of the art account takeover attempts right now are virtually indistinguishable from real emails from Google or Facebook or Twitter.

Google has put a lot of effort into improving the defenses in Gmail and its other services to protect against phishing and account takeovers. Two-step verification is the biggest obstacle the company has put in the way of attackers, and if you haven’t already enabled it, do that now. Like, right now. While user education has helped somewhat, it’s these technical defenses that have proven more effective. What hasn’t helped is throwing mud at users for not being security experts. Years and years of blaming victims for falling for phishing has gotten us exactly nowhere.

“Our findings were clear: enterprising hijackers are constantly searching for, and are able to find, billions of different platforms’ usernames and passwords on black markets. While we have already applied these insights to our existing protections, our findings are yet another reminder that we must continuously evolve our defenses in order to stay ahead of these bad actors and keep users safe,” Thomas and Moscicki said.