In January 2024, a finance employee at British engineering firm Arup transferred $25 million to threat actors after joining a video call with what appeared to be the company's CFO and other colleagues — all of them deepfake recreations. The attack started the way most do: with a phishing email. If you've ever asked what is a phishing scam, that incident is the answer distilled to its most terrifying form. It's social engineering at scale, powered by technology, and aimed squarely at human trust.

This post breaks down exactly how phishing scams work in 2025, the specific techniques threat actors use, and the concrete steps you and your organization can take right now. No vague advice. No scare tactics without solutions.

What Is a Phishing Scam, Exactly?

A phishing scam is a social engineering attack where a threat actor impersonates a trusted entity — a bank, a boss, a vendor, a government agency — to trick you into handing over sensitive information, clicking a malicious link, or transferring money. The "trusted entity" part is what makes it work. Phishing doesn't exploit software vulnerabilities. It exploits you.

The term covers a wide range of attack vectors: email, SMS (smishing), voice calls (vishing), social media messages, and even QR codes. But the core mechanic is always the same — deception that creates urgency, fear, or curiosity, then directs you to take an action you wouldn't take if you stopped to think.

According to the 2024 Verizon Data Breach Investigations Report, phishing and pretexting together accounted for over 73% of all social engineering breaches. The median time for a user to fall for a phishing email? Less than 60 seconds. That's the window between "seems legit" and a full-blown data breach.

The $4.88M Lesson Most Organizations Learn Too Late

IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million — the highest figure ever recorded. Phishing was consistently among the top initial attack vectors.

Here's what actually happens when a phishing scam succeeds inside your organization. An employee clicks a link in an email that looks like a Microsoft 365 login page. They enter their credentials. Within minutes, the attacker is inside your email system, reading messages, setting up forwarding rules, and identifying high-value targets for business email compromise (BEC).

From there, the damage compounds fast. Credential theft leads to lateral movement. Lateral movement leads to ransomware deployment or data exfiltration. One click. One set of stolen credentials. Millions in losses.

This is why I always tell organizations: if you're not running phishing awareness training with realistic simulations, you're gambling with every employee's inbox.

5 Phishing Techniques Threat Actors Are Using Right Now

Phishing has evolved far beyond the Nigerian prince emails of the early 2000s. Here's what I'm seeing in the wild in 2025.

1. AI-Generated Spear Phishing

Large language models have made it trivially easy for attackers to craft grammatically perfect, highly personalized emails. Gone are the days when typos and awkward phrasing were reliable red flags. Threat actors now scrape LinkedIn, company websites, and social media to build detailed profiles, then generate emails that reference real projects, real colleagues, and real deadlines.

2. QR Code Phishing (Quishing)

Attackers embed malicious QR codes in emails, PDFs, and even physical mail. When scanned, the codes redirect to credential harvesting pages. This technique bypasses many traditional email security filters because there's no clickable URL to analyze. The FBI's Internet Crime Complaint Center (IC3) flagged this trend in alerts throughout 2024.

3. Multi-Factor Authentication Bypass Kits

Tools like EvilProxy and Evilginx act as reverse proxies, sitting between the victim and the legitimate login page. The victim enters their credentials and their MFA token — and the attacker captures both in real time. Multi-factor authentication is still essential, but it's no longer a silver bullet against phishing scams.

4. Business Email Compromise via Thread Hijacking

Once an attacker compromises a single email account, they search for active conversation threads — especially those involving invoices, wire transfers, or contract negotiations. They reply within the existing thread, changing payment details. The recipient has no reason to be suspicious because the email is coming from a real, trusted address in a real conversation they recognize.

5. Smishing and Vishing Combos

A text message warns you about "suspicious activity" on your account and gives you a number to call. When you call, a convincing voice (sometimes AI-generated) walks you through "verifying" your identity — which means handing over your credentials, Social Security number, or banking details. CISA has published multiple advisories warning about the increasing sophistication of these combined attacks.

Why Traditional Email Filters Aren't Enough

I've seen organizations invest heavily in email security gateways and assume the phishing problem is solved. It's not. Modern phishing scams are specifically designed to evade automated detection.

Attackers host credential harvesting pages on legitimate platforms like Google Sites, Microsoft Azure blob storage, and Cloudflare Workers. The URLs pass reputation checks. The SSL certificates are valid. The pages look pixel-perfect. Your spam filter sees a link to a Microsoft domain and waves it through.

Zero trust architecture helps. Verifying every access request regardless of source reduces the blast radius of compromised credentials. But zero trust is a framework, not a product you install on a Friday afternoon. The fastest, most cost-effective layer of defense is still a workforce that can recognize a phishing scam before clicking.

How to Spot a Phishing Scam: The 30-Second Check

This is the section you should share with every employee in your organization. When an email, text, or call asks you to take action — especially involving credentials, payments, or sensitive data — run through this checklist:

  • Urgency or threats. "Your account will be suspended in 24 hours." "Immediate action required." Legitimate organizations rarely demand instant action via email.
  • Sender mismatch. The display name says "IT Support" but the actual email address is a random Gmail account or a look-alike domain (yourcompany.co instead of yourcompany.com).
  • Unexpected attachments or links. You weren't expecting a document from this person. Hover over links before clicking — does the URL match where you'd expect it to go?
  • Requests for credentials. No legitimate service will ask you to "verify" your password by entering it into an email or a linked form.
  • Too-good-to-be-true offers. Gift cards, surprise refunds, unclaimed packages — all classic lures.

Train yourself to pause. That 30-second pause is the single most effective countermeasure against phishing scams in existence.
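Added here as an example (not code from the original post): a small Python script that applies the sender-mismatch, look-alike-domain, urgency-language and "hover over links" checks from the list above to a constructed sample message. The trusted-domain set and the keyword list are assumptions you would replace with your organisation's own.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample (not a real message) that trips several checklist items.
SAMPLE_EMAIL = """\
From: "IT Support" <helpdesk@yourcompany.co>
Subject: Immediate action required: password expires in 24 hours
Content-Type: text/html

<p>Your account will be suspended. <a href="https://login.yourcompany.co/verify">
Verify your password at https://yourcompany.com/sso</a></p>
"""
TRUSTED_DOMAINS = {"yourcompany.com"}  # assumption: your organisation's real domains
URGENCY_WORDS = ("immediate action", "suspended", "24 hours", "verify your password")

def edit_distance(a, b):
    """Levenshtein distance; a small value flags a look-alike domain (.co vs .com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(domain):
    # Return the trusted domain this sender domain imitates, or None.
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None

def check_email(raw):
    """Run the 30-second checklist over a raw RFC 822 message; return findings."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    if lookalike(domain):
        findings.append(f"sender domain {domain} looks like {lookalike(domain)}")
    if name and domain not in TRUSTED_DOMAINS:
        findings.append(f"display name '{name}' sent from untrusted domain {domain}")
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    # "Hover over links": compare the host shown in the link text with the real href host.
    for href, label in re.findall(r'href="([^"]+)"[^>]*>(.*?)</a>', body, re.S):
        shown = re.search(r"https?://[^\s<]+", label)
        if shown and shown.group(0).split("/")[2] != href.split("/")[2]:
            findings.append(f"link text shows {shown.group(0)} but goes to {href}")
    return findings
```

Running `check_email(SAMPLE_EMAIL)` returns four findings, one per checklist item the sample violates; a plain internal message with no urgency language returns an empty list.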

Building a Phishing-Resistant Organization

Spotting phishing on an individual level is necessary but not sufficient. You need organizational defenses that assume some employees will click eventually — because statistically, they will.

Layer 1: Security Awareness Training That Actually Works

Annual compliance-checkbox training doesn't change behavior. What works is continuous, scenario-based training that reflects the actual threats your employees face. I recommend starting with a comprehensive cybersecurity awareness training program that covers phishing, social engineering, credential theft, and ransomware in practical, real-world terms.

Layer 2: Regular Phishing Simulations

You don't know your organization's actual risk until you test it. Run phishing simulations monthly — not to punish employees who click, but to identify knowledge gaps and deliver targeted follow-up training. Organizations that combine simulations with training see click rates drop by 60% or more over 12 months.

Layer 3: Technical Controls

Deploy DMARC, DKIM, and SPF to prevent domain spoofing. Implement phishing-resistant MFA — FIDO2 security keys or passkeys — wherever possible. Use conditional access policies to block logins from untrusted devices and locations. Enable browser isolation for high-risk users. None of these are optional in 2025.
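As an added example (not part of the original post, and not any real domain's DNS), here is a Python checker that grades constructed SPF and DMARC TXT records for yourcompany.com and shows the weak setting beside the corrected one; the include host is a placeholder. DKIM is left out because it is a per-selector signing key rather than a single policy record you can grade this way.

```python
def parse_tags(record):
    """Split a DMARC-style 'tag=value; tag=value' TXT record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_spf(record):
    """Return a list of weaknesses in an SPF record (empty list = enforcing)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    final = terms[-1].lower()
    if final in ("+all", "all"):
        return ["'+all' authorises every sender, so the record permits spoofing"]
    if final == "?all":
        return ["'?all' is neutral: unlisted senders are neither passed nor failed"]
    if final == "~all":
        return ["'~all' softfails: receivers flag spoofed mail but usually still deliver it"]
    if final != "-all":
        return ["no terminal 'all' mechanism, so unlisted senders are not rejected"]
    return []

def assess_dmarc(record):
    """Return a list of weaknesses in a DMARC record (empty list = enforcing)."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p")
    if policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        issues.append("missing or invalid p= tag")
    if int(tags.get("pct", "100")) < 100:
        issues.append(f"pct={tags['pct']} leaves part of the traffic unenforced")
    if "rua" not in tags:
        issues.append("no rua= address, so you receive no reports on who is spoofing the domain")
    return issues

# Constructed records for yourcompany.com: the weak setting beside the corrected one.
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@yourcompany.com"
```

A softfail SPF record paired with an enforcing DMARC policy is still effective, because DMARC rejects mail that does not produce an aligned SPF or DKIM pass; the dangerous combination is a permissive SPF with p=none.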

Layer 4: Incident Response Readiness

Every employee should know exactly what to do when they suspect a phishing attempt — and more importantly, what to do after they've already clicked. A fast report-and-contain process can mean the difference between a single compromised account and a full-scale ransomware event. Make reporting easy. Make it blame-proof. Make it fast.

The FBI's Numbers Tell the Story

The FBI IC3's 2023 Internet Crime Report (the most recent full-year report available) recorded over 298,000 phishing complaints — making it the number one reported cybercrime type for the fifth consecutive year. Adjusted losses from BEC alone exceeded $2.9 billion.

Those are just the reported cases. The actual numbers are almost certainly much higher, because many phishing scams go unreported, especially when they target individuals rather than businesses.

Here's what these numbers mean for you: phishing isn't a niche concern. It's the primary way threat actors get into organizations of every size, in every industry. If you're responsible for security at your company — even partially — phishing defense is your highest-leverage investment.

What About AI-Powered Phishing Detection?

Yes, AI-powered email security tools have improved significantly. They analyze behavioral patterns, flag anomalous sending patterns, and can detect zero-hour phishing campaigns faster than signature-based tools. Use them.

But here's the catch: attackers use AI too. It's an arms race, and the attacker only needs to win once. Your AI-powered filter might catch 99 out of 100 phishing emails. That one email that gets through lands in the inbox of your accounts payable clerk at 4:45 PM on a Friday. That's where training makes the difference.

Technology and training aren't competing strategies. They're complementary layers. The organizations that get breached least are the ones that invest in both.

Your Next Step Takes 10 Minutes

If you've read this far, you understand what a phishing scam is, how it works, and why it's the most dangerous threat vector your organization faces. The question is what you do next.

Start with training. Enroll your team in phishing awareness training built for real-world scenarios. Pair it with a broader security awareness training curriculum that covers the full threat landscape — from ransomware to credential theft to social engineering tactics that go beyond email.

Then run your first phishing simulation. Measure your baseline click rate. Set a target. Train again. Simulate again. Repeat. That cycle is how you build a workforce that doesn't just know what phishing is — but reflexively resists it.

The threat actors aren't slowing down in 2025. Neither should your defenses.