Phishing attacks have long been the top attack vector worldwide. In the 2025 Cybersecurity Breaches Survey, the UK Department for Science, Innovation, and Technology found that phishing attacks remained the most common form of cybercrime. At least 95% of charities and 93% of businesses reported having experienced a phishing incident. The survey further estimated that of the approximately 8.58 million cyberattacks reported within the last twelve months, only 680,000 were non-phishing cybercrimes.
Furthermore, the UK’s National Fraud and Cyber Crime Reporting Centre, Action Fraud, has cautioned businesses to be wary of extortion phishing attacks. The NCSC’s Suspicious Email Reporting Service (SERS) has particularly raised concerns about the rise in phishing extortion attacks, noting a sharp increase from 133 reported in February to 2,924 incidents in March 2025.

Figure 1: Phishing attacks were the most reported by UK businesses in 2025 (image adapted from UK Gov website)
So, how do malicious actors execute this attack? Phishing occurs when cybercriminals send malicious links, attachments, or websites and trick victims into opening them. The attachments and links contain malware that often installs automatically when a user clicks or opens them.
Worse still, adversaries design other phishing attacks to trick employees into divulging sensitive company or personal information. Either way, the endgame of all phishing attacks is to provide attackers with a gateway to launch larger and more destructive attacks.
In its guidance on defending against phishing attacks, the NCSC emphasises that attackers do not discriminate when choosing targets. They can hit anyone or any business, regardless of size or industry. For example, an individual user may be caught up in a phishing campaign in which automated systems send millions of emails indiscriminately to random people, or they may be the victim of a targeted attack seeking to establish a foothold in a company’s network. The difference between the two is that in a targeted attack, hackers customise the phishing emails to fit their victims’ profiles, making the messages more realistic.
Today, threat actors are increasingly leveraging AI tools, which poses a significant concern for businesses. Cybercriminals use AI to craft convincing, highly targeted, and more complex AI-powered phishing scams. Thus, it is no surprise that 94% of UK businesses feel inadequately prepared to counter the threat of AI attacks.
In a traditional phishing attack, threat actors often fail to social engineer their victims because they rely on easily recognisable phishing emails that are poorly crafted and riddled with spelling mistakes. For example, Russian hackers may struggle to distinguish between British and American English when crafting phishing emails, which reduces their success rates.
AI-driven phishing attacks, however, spell doom for organisations as attackers use the technology to create highly personalised, hard-to-detect phishing emails that mimic genuine communications. In that case, even the most trained and vigilant employees struggle to differentiate such emails from legitimate ones, hence exposing their organisations to significant risks.

Figure 2: How an AI spear phishing agent works (image adapted from HoxHunt)
In addition to crafting personalised and convincing phishing emails, cybercriminals also leverage generative AI’s ability to scrape enormous amounts of publicly available data to escalate their phishing scams. Data posted on social media accounts like LinkedIn and Facebook allows them to craft personalised messages based on the targets’ interests, special projects, and roles. The scammers also use this data to craft contextually relevant content that appears legitimate, targeting specific employees, business partners, and executives.
These AI-driven phishing tactics seem to originate from trusted parties, including company leadership. They are more likely to trick unsuspecting recipients into clicking on malware-laden links or divulging sensitive information, such as passwords, customer account details, and intellectual property.
In addition, scammers are increasingly using AI to mimic video calls and create deepfakes that clone faces and voices, adding authenticity to their AI-driven video and voice phishing attacks. Subsequently, organisations face a new threat dimension, as employees are more trusting of visual and verbal communication than of phishing emails. AI deepfakes are more effective since they pressure victims into unknowingly compromising established security protocols, particularly in urgent scenarios, thereby increasing the likelihood of a successful phishing attack.
Attackers are executing polymorphic phishing campaigns at a scale never seen before. In a 2025 report on phishing threat trends, a polymorphic feature was found in 76.4% of phishing scams and 57.49% of white noise phishing attacks.

Figure 3: Polymorphic phishing is on the rise (image adapted from Phishing Threat Trends Report 2025)
Polymorphic phishing attacks occur when perpetrators alter a minute detail in a series of nearly identical emails. Security systems designed to identify and blocklist known fraudulent payloads and addresses often fail to detect these slightly altered attacks.
The altered emails may also be difficult to mitigate with traditional email security systems once they reach an organisation’s employees’ inboxes. AI adds fuel to the fire: 90.9% of phishing emails that used heavy AI also contained polymorphic elements.
Businesses also face increased challenges in identifying phishing emails, as even slight alterations can significantly impact their ability to detect them. Many organisations group phishing emails to detect them more efficiently by identifying commonalities, like sending domains, to prevent repeat attacks. In turn, threat actors adjust their tactics by modifying just enough elements to revive previously successful attacks.
For example, they may tweak an email’s signature, metadata, or address, tinker with the sender’s display name, or rename an attachment known to be malicious. The top three preferences for hackers are changing a link’s destination, the sender’s email address domain, and the organisation’s logo. Changing an email’s subject line is also a standard attack method, where adversaries add additional symbols or characters, and modify the text’s pattern and length to make it easier to evade native security email gateways.
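The grouping approach described above only works if the fingerprint ignores the fields attackers tweak. The following added example (not from the report or any vendor) clusters constructed sample messages on features that survive a changed link destination, sender domain, display name or attachment name, treating two messages as one campaign when at least three of five normalised features match:

```python
import re
from urllib.parse import urlparse

# Constructed sample: three variants of one polymorphic campaign plus an unrelated
# message. Fields mirror what a mail gateway would extract; none of this is real mail.
SAMPLE_EMAILS = [
    {"subject": "Invoice #4471 overdue - action required", "from": "billing@acme-pay.example",
     "display": "ACME Billing", "links": ["https://acme-pay.example/pay?id=4471"],
     "attachment": "invoice.pdf.exe"},
    {"subject": "INVOICE #4471 OVERDUE!!! -- Action Required >>", "from": "billing@acme-pay.example",
     "display": "Acme Billing Dept", "links": ["https://acme-pay.example/pay?id=9921&t=b"],
     "attachment": "inv_4471.pdf.exe"},
    {"subject": "Invoice #4471 overdue * action required *", "from": "notices@acme-pay-secure.example",
     "display": "ACME Billing", "links": ["http://acme-pay-secure.example/login"],
     "attachment": "statement.pdf.exe"},
    {"subject": "Lunch menu for Friday", "from": "kitchen@corp.example",
     "display": "Canteen", "links": ["https://corp.example/menu"], "attachment": None},
]

FEATURE_THRESHOLD = 3  # features two mails must share to be treated as one campaign

def normalise_subject(subject):
    """Drop the added symbols, case and spacing changes, and per-victim numbers."""
    s = re.sub(r"[^a-z0-9 ]+", " ", subject.lower())
    s = re.sub(r"\d+", "#", s)
    return " ".join(s.split())

def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def link_domains(links):
    return tuple(sorted({urlparse(u).hostname for u in links if urlparse(u).hostname}))

def features(mail):
    """Campaign features that survive the single-field tweaks described above."""
    att = mail.get("attachment") or ""
    return {
        "subject": normalise_subject(mail["subject"]),
        "sender_domain": sender_domain(mail["from"]),
        "display_name": " ".join(mail["display"].lower().split()),
        "link_domains": link_domains(mail["links"]),
        "attachment_ext": att.lower().rsplit(".", 1)[-1] if "." in att else "",
    }

def shared_features(a, b):
    return sum(1 for k in a if a[k] == b[k])

def cluster(emails, threshold=FEATURE_THRESHOLD):
    """Greedy clustering: a mail joins the first cluster whose seed shares >= threshold
    features. Returns lists of indices into `emails`."""
    clusters = []  # (seed features, member indices)
    for i, mail in enumerate(emails):
        f = features(mail)
        for seed, members in clusters:
            if shared_features(seed, f) >= threshold:
                members.append(i)
                break
        else:
            clusters.append((f, [i]))
    return [members for _, members in clusters]
```

With the sample above, `cluster(SAMPLE_EMAILS)` groups the three invoice variants together and leaves the canteen message on its own, even though the third variant changed both the sender domain and the link destination.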
If AI has caused businesses sleepless nights by simplifying phishing campaigns, then Phishing as a Service (PhaaS) will push them to the very edge. PhaaS operatives are renowned for developing online kits that experienced and novice scammers use to clone an organisation’s official website login page.
Moreover, PhaaS operators provide security evasion tools, servers for processing harvested credentials, and proxy servers for perpetrating Adversary-in-the-middle (AitM) attacks. All these are readily available for a small fee.
PhaaS has increased rapidly recently, with security researchers noting a massive spike in PhaaS attacks in the first quarter of 2025. For example, one security firm identifies the Tycoon 2FA/Tycoon Group platform as one of the most prominent PhaaS providers in 2025. The platform aims to steal Microsoft 365 session cookies and compromise subsequent authentications by bypassing multi-factor authentication processes.
In 2024, UK police infiltrated and dismantled a PhaaS operation that targeted thousands of victims, resulting in cybercriminals earning more than $1.3 million. Europol described it as one of the most prevalent PhaaS platforms, providing scammers with the tools needed to execute large-scale smishing and phishing attacks.
Dubbed LabHost, the platform hosted at least 40,000 phishing sites and had more than 2,000 members, all of whom paid a monthly fee. Globally, the LabHost platform resulted in the theft of over 64,000 PINs, 480,000 credit card numbers, and approximately one million passwords.
Analysis by security researchers revealed that LabHost provided criminals with smishing components, the capability to harvest PINs and security answers, customisable phishing pages, and MFA bypass.
Phishing aims to exploit a person’s trust to trick them into revealing sensitive information or clicking on malicious links and attachments. Therefore, they often appear to originate from legitimate sources. According to research, phishing scams create a sense of urgency, leading targets to click links that seem trustworthy. An example is an email from a bank or credit company that alerts you to account security issues or suspicious activity on your credit card.
Common indicators of phishing scams include deceptive URLs, unknown sender email addresses, unexpected requests for financial, company, or personal data, and generic greetings.
Identifying phishing attacks can be challenging for most people, but following basic guidelines and staying vigilant can significantly reduce the risk. The signs of a phishing attempt to look out for include:
An unexpected email that uses alarming or charged language is a sure giveaway that it is a phishing attempt. For instance, a common tactic is creating a sense of urgency, where you are required to “click” immediately or risk account termination. Legitimate businesses don’t ask clients to provide personal information or induce fear in their communications.
In the example below, the phishing email appears to have been sent from Amazon, claiming that Amazon has detected suspicious activity on the account and that multiple passwords have been used to access it. However, note how the message is designed to induce fear by threatening to close the account if the user does not respond within 48 hours.

Figure 4: A message designed to induce fear to force the user to click on a link
If a user clicks the provided link, it redirects to a website that resembles the Amazon website. In reality, it is a form that hackers use to harvest personal information they can then use to access your accounts.

Phishing emails often contain embedded hyperlinks. Although the message may appear to come from a trusted organisation, hovering the cursor over the link reveals the actual URL; pay particular attention to URLs with subtle misspellings of websites you are familiar with. Misspelt URLs are a red flag, and it is safer to type the known URL manually into a new tab than to click an embedded hyperlink.
Below is an example demonstrating how attackers can spoof a notice from a legitimate organisation, such as PayPal. In the image, the email appears to originate from PayPal, but hovering the mouse over the “Confirm Now” button reveals that the actual URL (in the red triangle) redirects to a different website.

Figure 5: Embedded hyperlinks may conceal the actual URL of a phishing link
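The "hover to reveal the real URL" check can be automated on the HTML body before a message reaches the inbox. The following added example (not from the original article) parses a constructed body modelled on the PayPal notice above, compares the URL the recipient sees with the real `href`, and flags lookalike domains by edit distance against a hypothetical brand allowlist; `KNOWN_BRANDS` and the `.co.uk`-style suffix handling are assumptions:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical brand allowlist; a real deployment would use the organisation's own list.
KNOWN_BRANDS = {"paypal.com", "amazon.com", "amazon.co.uk"}
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

# Constructed body modelled on the PayPal example above; not a real message.
SAMPLE_BODY = """<p>We noticed unusual activity on your account.</p>
<a href="http://paypa1.com/confirm">Confirm Now</a>
<a href="https://secure-login.example/paypal">https://www.paypal.com/account</a>
<a href="https://www.paypal.com/help">Help Centre</a>"""

class LinkExtractor(HTMLParser):
    """Collect (visible text, href) for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def registrable(host):
    """Crude registrable-domain guess: last two labels, or three for co.uk-style suffixes."""
    parts = host.lower().split(".")
    n = 3 if len(parts) >= 3 and parts[-2] in {"co", "com", "org", "gov", "ac"} else 2
    return ".".join(parts[-n:])

def levenshtein(a, b):  # edit distance, catches one-character swaps such as l -> 1
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_links(html_body, claimed_sender_domain):
    """Return {href: [reasons]} for links that look deceptive; empty dict means none found."""
    parser = LinkExtractor()
    parser.feed(html_body)
    claimed = registrable(claimed_sender_domain)
    findings = {}
    for text, href in parser.links:
        dest = registrable(urlparse(href).hostname or "")
        reasons = []
        shown = DOMAIN_RE.search(text)  # the URL the recipient *sees*, if any
        if shown and registrable(shown.group(1)) != dest:
            reasons.append("visible URL differs from real destination")
        if dest not in KNOWN_BRANDS and any(levenshtein(dest, b) <= 2 for b in KNOWN_BRANDS):
            reasons.append("destination is a lookalike of a known brand domain")
        if claimed in KNOWN_BRANDS and dest != claimed:
            reasons.append("claims to be from a brand but the link leaves its domain")
        if reasons:
            findings[href] = reasons
    return findings
```

Running `check_links(SAMPLE_BODY, "paypal.com")` flags the "Confirm Now" button (lookalike `paypa1.com`) and the link whose visible text says `paypal.com` but really points elsewhere, while the genuine help link passes.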
Both AI-generated and traditional phishing emails commonly use generic greetings. A salutation such as “Dear Customer”, rather than your name, is a tell-tale sign of a phishing email. Legitimate organisations typically personalise their correspondence and will greet you by name.
Despite leveraging AI and other technologies to cover their tracks, attackers are bound to make some mistakes in how they design and format their phishing emails. An email with a design and format that differ from previous communications with the purported company indicates it is a phishing email. The inconsistencies you should look out for are vocabulary, tone, and style.
Phishing emails are commonly used to deliver malware to the intended target. Some of the most significant cyberattacks begin with an employee opening a malicious attachment. Opening malicious attachments can install ransomware or spyware, potentially leading to more severe cyberattacks.
Phishers entice victims to click on malicious links by sending emails with offers that are too good to be true. They may claim that you have won a jackpot, concert tickets, the latest gadgets, etc., and all you need to do to claim them is to click the provided link. Some links may contain malware that triggers downloads and installations when you click, while others request your data.

The success of a phishing attack relies on the impulsive actions a person takes after receiving a phishing email. Employees must be vigilant before reacting to any email, especially those that create a sense of urgency, require a user to download an attachment, or prompt a user to click a link to access a website. They must also double-check all email requests, no matter how legitimate they seem. The best approach is to verify their legitimacy by contacting the sender via alternative means, such as phone.
A phishing attack often urges employees to click on sent links and open attachments, as these are the easiest ways to deliver a malware payload. Employees must be extra careful when interacting with such emails, as a single mistake can put the entire organisation at risk. Good attachment and link hygiene practices include typing URLs of the known organisations instead of clicking embedded hyperlinks. Employees can also use link expander tools or company-approved sandboxes to reveal hidden redirects. Businesses should also configure their email clients to turn off automatic previews or downloads of attachments.
One of the top rewards for phishers is harvesting the credentials of the victims they successfully trick into their phishing scams. Employees and organisations can protect themselves by locking their credentials. Rather than using the same password across different accounts, they can use a password manager that generates and stores a unique credential for each account, reducing the chance that attackers will compromise all their accounts, even if they fall for a phishing attempt. However, if they suspect they have clicked a phishing link and entered their login credentials on a fake login page, they must notify IT personnel immediately so that sessions can be revoked and all passwords reset.
Phishing scam artists are known for leveraging publicly available data to social engineer their victims. They identify their victims, scrape publicly available data from social media platforms, and use it to personalise phishing emails that match each victim’s profile. Employees can prevent this by limiting the public disclosure of data. They can adjust Facebook and LinkedIn privacy settings to hide job projects, organisational charts, and other job details that attackers can use in a spear phishing attack. Fraudsters can also impersonate IT or HR and demand that employees provide their passwords to reset them. Employees should challenge such requests, as organisational teams will never ask them to reveal their passwords or other sensitive information.
Nearly all companies use current technology to enhance their cybersecurity readiness. One of the most effective ways to prevent phishing incidents is to enable multi-factor authentication. MFA helps block at least 99% of automated password attempts, as a user must provide additional factors, such as a code known only to them or a fingerprint, to prove their authenticity before being granted access. Thus, attackers cannot use a compromised password, as MFA makes it difficult for them to access other required authentication factors.
Employees are the first line of defence, no matter how many defensive measures an organisation deploys to secure its perimeter. Once an employee falls for a phishing scam and clicks on a malicious link or attachment, the odds of stopping a larger attack reduce to almost zero. Employees must maintain continuous vigilance by participating in regular phishing simulation awareness campaigns. Regular drills sharpen their ability to identify phishing emails and understand the process for reporting them, thereby blocking threats faster.
Cyberattackers target employees more frequently than any other attack vector, because a social engineering attack needs a person to succeed. Providing employees with sufficient training and awareness is a crucial investment that significantly reduces the success rate of phishing attacks. A practical training and awareness campaign deploys mock phishing campaigns to test employee vigilance. Phishing simulations also provide feedback that helps employees understand why they failed and how to hone their skills to be more effective at identifying real-life phishing attacks.
In addition, the organisation should deliver role-specific, engaging training materials that equip employees to be more aware of the phishing signs to look out for in their specific departments or roles. Businesses need to tailor training content to match the threat profiles targeting particular departments, so that employees in the finance department can distinguish between deepfakes and real video/voice calls, HR teams can identify fake job applicants, and so on.
A successful phishing attack derails an organisation’s ability to respond efficiently and disrupt the attack chain. Early detection and reporting are crucial to disrupting a phishing attack kill chain before it allows hackers to install malware or compromise an organisation’s network. Businesses should establish a straightforward phishing reporting process that enables employees to report suspicious emails easily. This can be a “report phishing” button in the business’s email platform, e.g. in Outlook.
Preventing cyberattacks requires an organisation to ensure that all hierarchical levels are committed to company-wide security. Businesses can achieve this by requiring continuous commitment from their leadership, for example, by requiring executives to lead by example and participate in all training and awareness campaigns. Also, leadership should uphold the set security policies and standards and publicly affirm their support for cybersecurity initiatives, as this emphasises their importance.
An erroneous approach many organisations take is placing too much emphasis on having employees spot and report phishing emails as the primary measure for mitigating phishing attacks. Unfortunately, this tactic risks exposing the company to attacks and wasting resources if leadership overlooks the need to enhance security. Thus, businesses must acknowledge user education as a single aspect of preventing phishing attacks and widen their defences to include technical measures.
Implementing a multi-layered security approach provides organisations with multiple opportunities to detect and prevent phishing attacks from compromising the network. While user training is a critical measure for preventing phishing, some phishing scams will still succeed, as attacks increasingly rely on artificial intelligence (AI) to evade detection. This means that the organisation must plan how to respond to such incidents and minimise the resulting damage, or risk dealing with more disastrous attacks, such as ransomware. A multi-layered defence must combine people-based, technology-based, and process-based measures, including the following:
Organisations must implement AI-powered email security solutions to detect and block phishing attempts before they reach employees’ inboxes. Modern email filters should analyse sender behaviour, scan attachments in isolated sandbox environments, and flag messages with suspicious links, spoofed domains, or impersonation attempts. These systems must automatically integrate with threat intelligence feeds to block newly identified phishing templates in real time.
Requiring MFA for all critical systems is a fundamental security measure that prevents credential theft from leading to full account compromise. Organisations should implement phishing-resistant multi-factor authentication (MFA) methods, such as FIDO2 security keys or authenticator apps, rather than SMS-based codes, which can be intercepted and compromised. Additionally, adopting Zero Trust principles—including least-privilege access and continuous authentication—ensures that even if credentials are stolen, attackers cannot easily move laterally within the network. This layered approach limits potential damage from successful phishing attempts.
Security teams must utilise Security Information and Event Management (SIEM) tools to detect unusual login attempts, suspicious data transfers, and other indicators of compromise. Automated response protocols should be in place to immediately quarantine malicious emails, force password resets, and revoke suspicious sessions. Combining real-time monitoring with automated remediation helps organisations neutralise phishing threats before they escalate into full-scale breaches.
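One concrete SIEM check that ties the monitoring above to the session-cookie theft described for Tycoon 2FA: a session token that passes MFA from one network and is then used from a different network minutes later is a strong sign the cookie was relayed through an AitM proxy and should be revoked. This added example (not from the article or any SIEM product) runs that logic over constructed log lines; the log format and the /24 "same network" heuristic are assumptions:

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (documentation IP ranges); not from any real system.
SAMPLE_LOG = """\
2025-03-04T09:12:01Z user=alice sid=3f9a ip=203.0.113.10 event=mfa_success
2025-03-04T09:12:03Z user=alice sid=3f9a ip=203.0.113.10 event=mailbox_read
2025-03-04T09:14:40Z user=alice sid=3f9a ip=198.51.100.77 event=mailbox_read
2025-03-04T09:15:02Z user=alice sid=3f9a ip=198.51.100.77 event=inbox_rule_created
2025-03-04T09:20:11Z user=bob sid=77c1 ip=192.0.2.5 event=mfa_success
2025-03-04T09:25:30Z user=bob sid=77c1 ip=192.0.2.5 event=mailbox_read
"""
LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) event=(?P<event>\S+)")

def parse(log):
    """Yield one dict per well-formed line, with the timestamp parsed."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield e

def network(ip):
    return ".".join(ip.split(".")[:3])  # /24 as a crude proxy for "same network"

def find_replayed_sessions(log, window=timedelta(minutes=15)):
    """Flag sessions used from a second network within `window` of their first event.
    Returns one alert per session, naming the event seen from the new network."""
    sessions = {}
    for e in parse(log):
        sessions.setdefault(e["sid"], []).append(e)
    alerts = []
    for sid, events in sessions.items():
        first = events[0]
        home = network(first["ip"])
        for e in events:
            if network(e["ip"]) != home and e["ts"] - first["ts"] <= window:
                alerts.append({"user": e["user"], "sid": sid, "first_ip": first["ip"],
                               "new_ip": e["ip"], "event": e["event"]})
                break  # one alert per session is enough to trigger revocation
    return alerts
```

On the sample, only alice's session is flagged: it passed MFA from 203.0.113.10 and was reused from 198.51.100.77 less than three minutes later, which is the point at which an automated playbook would revoke the session and force a password reset.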