In January 2024, a finance employee at the engineering firm Arup wired about $25 million to criminals after joining a video call with what appeared to be the company's CFO and several colleagues. Everyone else on that call was a deepfake. The attack began the way most do: with a phishing message. If you're asking "what is a phishing attack?", that story is the answer distilled to its most alarming form: a carefully crafted deception designed to make you trust the wrong person and take the wrong action.
This post breaks down exactly how phishing works in 2025, the different forms it takes, why it keeps succeeding despite billions spent on security, and — most importantly — what you and your organization can do about it right now.
What Is a Phishing Attack, Exactly?
A phishing attack is a form of social engineering where a threat actor impersonates a trusted entity to trick a victim into revealing sensitive information, clicking a malicious link, or performing an action that benefits the attacker. That's the textbook version. Here's the practical one.
Phishing is a con job delivered at scale through digital channels. The attacker pretends to be your bank, your boss, Microsoft, the IRS, or your shipping company. They create urgency — "Your account will be locked in 24 hours" — and give you a path of least resistance that happens to lead straight into their trap.
According to the 2024 Verizon Data Breach Investigations Report (DBIR), phishing and pretexting together made up the vast majority of social engineering incidents. The median time for a user to click a malicious link after opening a phishing email was 21 seconds, and a median of just 28 seconds more to enter credentials on the fake site. Under a minute from open to compromise.
Why Phishing Keeps Working in 2025
I've worked with organizations that had firewalls, endpoint detection, SIEM platforms, and a six-figure security budget — and still got breached through a phishing email. Here's why.
Humans Are the Target, Not the Technology
Phishing doesn't attack your network. It attacks your people. Every security tool in the world is irrelevant if an employee willingly enters their credentials into a convincing fake login page. Threat actors know this. They've shifted heavily toward the human layer because it's the cheapest, most reliable entry point.
AI Has Supercharged Phishing Quality
The days of laughably bad grammar and "Dear Valued Customer" are fading. In 2025, attackers use large language models to generate flawless, context-aware phishing emails in any language. They clone voices for vishing calls. They generate deepfake video for high-value targets. The Arup incident wasn't an anomaly — it was a preview of the new normal.
Credential Theft Is Absurdly Profitable
Stolen credentials are the skeleton key to modern organizations. The 2024 Verizon DBIR found that stolen credentials were the top initial access vector in breaches. One compromised password can give an attacker access to email, cloud storage, financial systems, and customer databases — especially in organizations that haven't adopted multi-factor authentication.
The 7 Types of Phishing You Need to Know
Not all phishing looks the same. Threat actors pick their method based on the target, the payoff, and the level of effort they're willing to invest.
1. Email Phishing (Bulk Phishing)
The classic. Mass emails sent to thousands or millions of recipients impersonating well-known brands. Low effort per message, but the sheer volume guarantees clicks. Think fake Amazon order confirmations or Microsoft 365 password reset alerts.
2. Spear Phishing
Targeted emails crafted for a specific individual or small group. The attacker researches the target using LinkedIn, company websites, and social media. A spear phishing email might reference a real project you're working on, a conference you just attended, or a colleague by name. These are dramatically harder to spot.
3. Whaling
Spear phishing aimed at senior executives — CEOs, CFOs, board members. The stakes are higher, and so is the sophistication. Whaling attacks often impersonate legal counsel, auditors, or other executives to authorize wire transfers or release sensitive data.
4. Smishing (SMS Phishing)
Phishing delivered via text message. "USPS: Your package cannot be delivered. Update your address here." Smishing exploits the trust people place in text messages and the small-screen format that makes verifying URLs difficult.
5. Vishing (Voice Phishing)
Phone-based attacks where the caller impersonates tech support, a government agency, or a bank. AI-generated voice cloning has made vishing significantly more dangerous. The FBI's IC3 put 2023 business email compromise losses at over $2.9 billion, and a phone call to "confirm" the fraudulent request is a component of many of those schemes.
6. Business Email Compromise (BEC)
The attacker compromises or spoofs an executive's (or a trusted supplier's) email account and sends instructions to employees, usually to wire money or change payment details. BEC is consistently among the most financially damaging categories of cybercrime, and the FBI IC3 has highlighted it as a top threat year after year.
7. QR Code Phishing (Quishing)
A newer tactic gaining traction. Attackers embed malicious QR codes in emails, flyers, or physical locations such as parking meters. When scanned, the code sends the victim to a credential-harvesting site. It slips past many email filters because the URL is encoded in an image rather than written in the message body, and the scan usually happens on a personal phone that sits outside corporate URL filtering and endpoint controls.
Anatomy of a Phishing Attack: Step by Step
Understanding the attack chain helps you spot it. Here's how a typical phishing attack unfolds.
Step 1: Reconnaissance. The attacker identifies targets and gathers information. For bulk campaigns, they buy email lists. For spear phishing, they scour LinkedIn, corporate websites, and social media.
Step 2: Weaponization. They create the lure: a convincing email, text, or voice script. They register lookalike domains (amaz0n-support.com) and either build fake login pages that mirror the real ones pixel for pixel or stand up a reverse proxy in front of the genuine login page so the victim sees the real site while the attacker captures everything in between.
Step 3: Delivery. The message hits the target's inbox or phone. It creates urgency, fear, or curiosity. "Unusual sign-in detected." "Your invoice is overdue." "HR has shared a document with you."
Step 4: Exploitation. The victim clicks. They enter their username and password on the fake page, download a malicious attachment, or enable macros in a weaponized document.
Step 5: Post-Compromise. The attacker now has credentials or a foothold. They move laterally through the network, escalate privileges, exfiltrate data, or deploy ransomware. In BEC scenarios, they silently monitor email for weeks before striking.
How to Spot a Phishing Email: 6 Red Flags
This is the section you should share with every employee in your organization.
- Urgency or threats. "Your account will be suspended in 24 hours." Legitimate companies rarely impose artificial deadlines via email.
- Mismatched sender addresses. The display name says "Microsoft Support" but the actual sending address is on a domain that has nothing to do with Microsoft. Check the address, not the name; mobile mail clients often show only the display name.
- Suspicious links. Hover before you click. If the URL doesn't match the organization it claims to be from, don't touch it.
- Unexpected attachments. Especially .zip, .exe, .docm, .html, .iso, or .lnk files from people you didn't expect to hear from. HTML attachments are a favourite because the fake login page travels inside the file and opens locally, so no link needs to pass through the mail filter.
- Requests for credentials or money. No legitimate organization will ask you to email your password or wire money based solely on an email.
- Generic greetings from "personalized" services. Your bank knows your name. "Dear Customer" from your bank is a red flag.
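The red flags above can be checked mechanically, which is how mail filters and phishing-report triage tooling approach them. The script below is an added example, not code from the original post: it parses a raw message with Python's standard library and reports which flags it finds. Both sample messages, the sending domains, the lookalike domain micros0ft-login.example and the helper names are constructed for illustration; the brand is taken from the first word of the display name, and "the brand's own domain" is assumed to mean brand.com or a subdomain of it.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser

RISKY_EXTENSIONS = (".zip", ".exe", ".docm", ".html", ".htm", ".iso", ".lnk", ".js")
URGENCY_PHRASES = ("within 24 hours", "will be suspended", "will be locked", "immediately", "urgent")
MONEY_OR_CREDS = re.compile(r"\b(password|passcode|wire transfer|gift card|payment details)\b")

# Constructed sample: every red flag in one message. Domains are invented.
PHISH_EML = b"""From: Microsoft Support <security@contoso-helpdesk.example>
To: jane@victim.example
Subject: Unusual sign-in detected - action required within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Dear Customer,</p>
<p>Your account will be suspended. Confirm your password to keep access:
<a href="https://micros0ft-login.example/verify">Review activity</a></p>
--b1
Content-Type: text/html; name="invoice.html"
Content-Disposition: attachment; filename="invoice.html"

<script>location="https://micros0ft-login.example/"</script>
--b1--
"""

# Constructed sample of a message that should come out clean.
LEGIT_EML = b"""From: Microsoft account team <account-security-noreply@accountprotection.microsoft.com>
To: jane@victim.example
Subject: Your recovery email was updated
Content-Type: text/html

<p>Hi Jane,</p><p>You changed your recovery email. If this was not you, visit
<a href="https://account.microsoft.com/security">your security settings</a>.</p>
"""


class _Links(HTMLParser):
    """Collect href targets of <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def _host(url: str) -> str:
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/?#]+)", url, re.I)
    return m.group(1).lower().split("@")[-1].split(":")[0] if m else ""


def _is_brand_domain(domain: str, brand: str) -> bool:
    return domain == f"{brand}.com" or domain.endswith(f".{brand}.com")


def _imitates(host: str, brand: str) -> bool:
    """Host mentions the brand (after undoing 0/1/3/5 digit swaps) but isn't the brand's domain."""
    if not host or not brand or _is_brand_domain(host, brand):
        return False
    return brand in host.translate(str.maketrans("0135", "oles"))


def scan_email(raw: bytes) -> list[str]:
    """Return the sorted set of red flags found in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags = set()
    display, addr = parseaddr(str(msg.get("From", "")))
    words = re.findall(r"[A-Za-z]+", display)
    brand = words[0].lower() if words else ""          # "Microsoft Support" -> "microsoft"
    if brand and not _is_brand_domain(addr.rpartition("@")[2].lower(), brand):
        flags.add("mismatched-sender")
    body = ""
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            if (part.get_filename() or "").lower().endswith(RISKY_EXTENSIONS):
                flags.add("risky-attachment")
        elif part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_content()
    text = (str(msg.get("Subject", "")) + "\n" + body).lower()
    if any(p in text for p in URGENCY_PHRASES):
        flags.add("urgency")
    if re.search(r"\bdear (customer|user|valued|member)\b", text):
        flags.add("generic-greeting")
    if MONEY_OR_CREDS.search(text):
        flags.add("credential-or-money-request")
    links = _Links()
    links.feed(body)
    if any(_imitates(_host(h), brand) for h in links.hrefs):
        flags.add("lookalike-link")
    return sorted(flags)


if __name__ == "__main__":
    print("phish:", scan_email(PHISH_EML))
    print("legit:", scan_email(LEGIT_EML))
```

Keyword lists like these are the weakest part of any filter and attackers tune around them; the structural checks (sender domain versus display name, link host versus claimed brand, attachment type) are the ones worth keeping and feeding into your report-phish triage.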
The $4.88M Lesson Most Organizations Learn Too Late
IBM's 2024 Cost of a Data Breach Report put the global average cost of a data breach at $4.88 million — the highest figure ever recorded. Phishing was one of the most common initial attack vectors. And here's the part that should concern every business leader: the majority of those costs aren't from the technical cleanup. They come from lost business, regulatory fines, legal fees, and reputational damage.
A single employee clicking a single link can trigger that cascade. That's not hypothetical — I've seen it happen to organizations that thought they were too small to be targeted and to organizations that thought they were too sophisticated to fall for it.
How to Defend Your Organization Against Phishing
Technology alone won't solve this. You need a layered defense that addresses people, process, and technology together.
Build a Security Awareness Culture
Training isn't a one-time checkbox exercise. Effective security awareness training changes behavior over time through regular, engaging education that keeps pace with evolving threats. Your employees need to understand what a phishing attack looks like in 2025 — not what it looked like in 2015.
If you're looking for a structured program to build that foundation, the cybersecurity awareness training at computersecurity.us covers the core topics your team needs, from social engineering to credential theft to ransomware defense.
Run Phishing Simulations Regularly
You can't improve what you don't measure. Phishing simulations let you test your organization's resilience in a controlled environment, identify employees who need additional coaching, and track improvement over time. The data from these exercises is invaluable for prioritizing your security investments.
For organizations ready to implement targeted exercises, the phishing awareness training at phishing.computersecurity.us provides practical, scenario-based training built around real-world phishing tactics.
Deploy Multi-Factor Authentication Everywhere
MFA is the single most impactful technical control against credential theft. If an employee enters their password on a fake site, the attacker still can't sign in without the second factor. CISA strongly recommends MFA for all users, and frankly, there's no excuse for not having it enabled on every externally facing system in 2025.
Prioritize phishing-resistant MFA: hardware security keys (FIDO2) or passkeys. SMS codes can be intercepted through SIM swapping, but the bigger problem is that any factor the user types or approves (SMS, authenticator-app codes, push prompts) can be relayed in real time by an adversary-in-the-middle phishing proxy sitting between the victim and the real login page. FIDO2 and passkeys resist that because the browser binds the signed assertion to the site's real origin, so an assertion captured on a lookalike domain is useless on the genuine one.
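To show why a relayed one-time code passes but a relayed passkey assertion doesn't, the following is an added example, not code from the original post. The TOTP half is a standard RFC 6238 implementation with the standard library. The passkey half is a deliberately simplified model of a WebAuthn assertion in which an HMAC with a per-credential secret stands in for the authenticator's ECDSA signature; that substitution, the origins, the RP ID, the fixed challenge and the secrets are all assumptions of the example. What it preserves is the part that matters: the browser writes the origin it is actually on into clientDataJSON, and the signature covers a hash of that JSON, so a proxy can neither leave the phishing origin in place nor rewrite it.

```python
import base64
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://login.contoso.example"     # constructed
REAL_RP_ID = "login.contoso.example"
PHISH_ORIGIN = "https://login-contoso.example"    # attacker's reverse proxy in the middle

# --- One-time codes (RFC 6238 TOTP, same shape as SMS/app codes) ------------
TOTP_SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")   # constructed shared secret


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the time counter, dynamically truncated (RFC 4226)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def server_checks_code(submitted: str, unix_time: int) -> bool:
    # Nothing in the code says which web page the user typed it into.
    return hmac.compare_digest(submitted, totp(TOTP_SECRET, unix_time))


def aitm_relays_totp(unix_time: int) -> bool:
    """Victim types the code into the phishing page; the proxy forwards it unchanged."""
    code_typed_into_phish_page = totp(TOTP_SECRET, unix_time)
    return server_checks_code(code_typed_into_phish_page, unix_time)


# --- Passkey / FIDO2 assertion, simplified -----------------------------------
CREDENTIAL_KEY = b"stand-in for the credential's private key"   # constructed


def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def browser_client_data(origin_browser_is_on: str, challenge: bytes) -> bytes:
    """The browser fills in the origin it is really on; the page cannot override it."""
    return json.dumps({"type": "webauthn.get", "challenge": _b64url(challenge),
                       "origin": origin_browser_is_on}).encode()


def authenticator_sign(rp_id: str, client_data: bytes) -> tuple[bytes, bytes]:
    """authenticatorData = rpIdHash || flags || signCount; signature covers it plus clientDataHash."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()


def rp_verify(challenge: bytes, client_data: bytes, auth_data: bytes, signature: bytes) -> bool:
    """Relying-party checks from the WebAuthn assertion ceremony (signature check is the HMAC stand-in)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != _b64url(challenge):
        return False
    if cd.get("origin") != REAL_ORIGIN:            # origin binding: this is the phishing resistance
        return False
    if auth_data[:32] != hashlib.sha256(REAL_RP_ID.encode()).digest():
        return False
    expected = hmac.new(CREDENTIAL_KEY, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def passkey_login(origin_browser_is_on: str, proxy_rewrites_origin: bool = False) -> bool:
    """Run one assertion ceremony with the browser sitting on the given origin."""
    challenge = b"\x7f" * 32                      # the RP would pick this at random per login
    client_data = browser_client_data(origin_browser_is_on, challenge)
    auth_data, sig = authenticator_sign(REAL_RP_ID, client_data)
    if proxy_rewrites_origin:                     # proxy edits clientDataJSON before forwarding
        client_data = browser_client_data(REAL_ORIGIN, challenge)
    return rp_verify(challenge, client_data, auth_data, sig)


if __name__ == "__main__":
    print("relayed TOTP accepted:", aitm_relays_totp(1_700_000_000))
    print("passkey from real site:", passkey_login(REAL_ORIGIN))
    print("passkey relayed from phish site:", passkey_login(PHISH_ORIGIN))
    print("passkey with origin rewritten by proxy:", passkey_login(PHISH_ORIGIN, True))
```

In a real browser the ceremony on login-contoso.example would fail even earlier, because the RP ID must be a registrable suffix of the page's origin; the server-side origin check modelled here is the backstop. The TOTP case has no equivalent check anywhere, which is the whole problem.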
Implement Zero Trust Architecture
Zero trust operates on the principle of "never trust, always verify." Every access request is authenticated and authorized regardless of where it originates. This limits the blast radius when credentials are compromised. An attacker who phishes one set of credentials shouldn't be able to traverse your entire network unchallenged.
Harden Your Email Environment
Publish SPF, DKIM, and DMARC for your domains, and move DMARC to p=quarantine and then p=reject once your legitimate mail streams pass; a p=none policy only reports spoofing, it doesn't block it. Be clear about what these protect: they stop attackers from sending mail as your exact domain. They do nothing against a lookalike domain the attacker registers and authenticates themselves, and they don't apply to mail sent from a compromised account. Enable advanced threat protection features in your email platform as well: attachment sandboxing, URL rewriting with time-of-click analysis, and impersonation detection. These won't catch everything, but they'll stop the low-hanging fruit and force attackers to work harder.
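To see what DMARC does and does not block, here is an added example (not from the original post) that evaluates a message the way a receiving mail server does under RFC 7489: SPF or DKIM must pass, and the domain that passed must align with the From: domain the user sees. The records, the AuthResults fields, the contoso.example and c0ntoso.example domains, and the abbreviated public-suffix list are all constructed for the example.

```python
from dataclasses import dataclass

# Tiny stand-in for the public suffix list, enough to derive organizational
# domains offline; a production evaluator uses the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "example"}


def organizational_domain(domain: str) -> str:
    """'bounce.contoso.example' -> 'contoso.example' (the relaxed-alignment comparison key)."""
    labels = domain.lower().strip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record into tags, filling in the RFC 7489 defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for item in txt.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """'s' = exact match, 'r' = same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain in the RFC5322.From header, the one the user sees
    spf_result: str    # "pass" / "fail" / "none" for the envelope sender (MAIL FROM)
    spf_domain: str
    dkim_result: str   # "pass" / "fail" / "none" for the best DKIM signature
    dkim_domain: str   # its d= tag


def dmarc_disposition(r: AuthResults, record: str) -> tuple[str, str]:
    """Return (dmarc result, receiver action) for one message under one record."""
    tags = parse_dmarc_record(record)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, tags["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", {"reject": "reject", "quarantine": "quarantine"}.get(tags["p"], "deliver")


# Constructed scenarios (all domains invented).
CONTOSO_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@contoso.example"
CONTOSO_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@contoso.example"
LOOKALIKE_RECORD = "v=DMARC1; p=reject"            # the attacker publishes a valid record too

LEGIT = AuthResults("contoso.example", "pass", "bounce.contoso.example", "pass", "contoso.example")
DIRECT_SPOOF = AuthResults("contoso.example", "pass", "attacker-infra.example", "none", "")
LOOKALIKE = AuthResults("c0ntoso.example", "pass", "c0ntoso.example", "pass", "c0ntoso.example")

if __name__ == "__main__":
    for label, msg, rec in [("legit", LEGIT, CONTOSO_REJECT),
                            ("spoof, p=reject", DIRECT_SPOOF, CONTOSO_REJECT),
                            ("spoof, p=none", DIRECT_SPOOF, CONTOSO_MONITOR),
                            ("lookalike", LOOKALIKE, LOOKALIKE_RECORD)]:
        print(f"{label:16} -> {dmarc_disposition(msg, rec)}")
```

The spoof scenario under p=none shows why a monitoring-only policy is not a control, and the lookalike scenario passes DMARC cleanly because the attacker authenticated a domain they own; that gap is what impersonation detection and user training have to cover.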
Establish a Clear Reporting Process
Your employees need to know exactly what to do when they suspect a phishing attempt. A "Report Phish" button in their email client, a dedicated Slack channel, a security hotline — whatever works for your culture. Make reporting easy, fast, and consequence-neutral. If people are afraid they'll get in trouble for clicking, they'll hide it, and that delay gives the attacker more time.
What To Do If You've Already Clicked
Speed matters. If you or someone in your organization clicked a suspicious link or entered credentials on a site you now suspect was fake, take these steps immediately.
- Change the compromised password now, and have IT revoke the account's active sessions and refresh tokens; a password change alone does not sign out an attacker who already holds a session. If the same password was reused anywhere else (it shouldn't be, but reality is what it is), change it there too.
- Enable MFA on the affected account if it wasn't already active, and review the registered MFA methods: attackers who get in often enrol a device of their own.
- Alert your IT or security team. They need to check for unauthorized sign-ins, inbox rules that forward or delete mail, new OAuth app consents, and lateral movement.
- Monitor financial accounts if banking credentials or payment information were involved.
- Report the phishing email to your email provider and to the Anti-Phishing Working Group at reportphishing@apwg.org.
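The inbox-rule check in step three is worth automating, because forwarding and auto-delete rules are among the most common persistence an attacker leaves behind after a credential phish, and they survive a password reset. The script below is an added example, not from the original post or any vendor SDK: it scores a mailbox's rules supplied as plain dictionaries. The rule records, the field names (forwardTo, deleteMessage, moveToFolder, subjectContains), the organisation domain contoso.example and the keyword lists are all constructed assumptions; map them to whatever your mail platform's rule export actually provides.

```python
ORG_DOMAIN = "contoso.example"                      # assumed organisation domain
SENSITIVE_TERMS = ("invoice", "payment", "wire", "bank", "password", "security", "mfa", "verification")
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive",
                  "junk email", "deleted items"}

# Constructed export of one mailbox's rules; field names are assumed, not a vendor schema.
SAMPLE_RULES = [
    {"name": "Team newsletter", "forwardTo": [], "deleteMessage": False,
     "moveToFolder": "Newsletters", "subjectContains": ["newsletter"]},
    {"name": ".", "forwardTo": ["archive.mailbox@gmail.example"], "deleteMessage": True,
     "moveToFolder": None, "subjectContains": ["invoice", "payment", "wire"]},
    {"name": "Security alerts", "forwardTo": [], "deleteMessage": False,
     "moveToFolder": "RSS Feeds", "subjectContains": ["security alert", "password", "MFA"]},
]


def triage_rule(rule: dict) -> list[str]:
    """Return the reasons a single rule looks like attacker persistence (empty if benign)."""
    reasons = []
    name = rule.get("name", "").strip()
    if len(name) < 3:                                # ".", "..", "" are the classic names
        reasons.append("non-descriptive name")
    external = [a for a in rule.get("forwardTo", []) if not a.lower().endswith("@" + ORG_DOMAIN)]
    if external:
        reasons.append("forwards externally to " + ", ".join(external))
    subjects = [s.lower() for s in rule.get("subjectContains", [])]
    hits = sorted(s for s in subjects if any(t in s for t in SENSITIVE_TERMS))
    if hits:
        reasons.append("targets sensitive subjects: " + ", ".join(hits))
    if rule.get("deleteMessage"):
        reasons.append("deletes matching mail")
    folder = rule.get("moveToFolder") or ""
    if folder.lower() in HIDING_FOLDERS:
        reasons.append(f"hides mail in '{folder}'")
    return reasons


def triage_mailbox(rules: list[dict]) -> list[tuple[str, list[str]]]:
    """Rules worth a human look, in export order, each with its reasons."""
    flagged = []
    for rule in rules:
        reasons = triage_rule(rule)
        if reasons:
            flagged.append((rule.get("name", ""), reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_mailbox(SAMPLE_RULES):
        print(f"rule {name!r}:")
        for reason in reasons:
            print("   -", reason)
```

Run it against the rule export for every mailbox whose credentials were phished, not just the one that reported; the same campaign usually hits several people, and the rule that moves "security alert" mail into RSS Feeds is there precisely so the real owner never sees the new-device or password-change notifications.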
The first 30 minutes after a successful phish are critical. The faster you respond, the more you limit the damage.
Phishing Isn't Going Away — But You Can Get Ahead of It
Every year, phishing attacks get more sophisticated. AI-generated content, deepfake voice and video, and increasingly targeted social engineering mean the bar for detection keeps rising. But the fundamentals of defense haven't changed: train your people relentlessly, verify before you trust, layer your technical controls, and assume that eventually someone will click.
The question isn't whether your organization will face a phishing attack. You already have — probably this week. The question is whether your people recognized it, reported it, and stopped it before it became a data breach. That outcome isn't luck. It's the result of deliberate, consistent preparation.
Start building that preparation today. Your security posture is only as strong as the person most likely to click.