
What Is Phishing?
Phishing is the most common cyberattack in the world—and the starting point for the overwhelming majority of data breaches, ransomware infections, and financial fraud affecting businesses of every size. Unlike attacks that exploit software vulnerabilities, phishing exploits human psychology. Attackers impersonate trusted entities—banks, software vendors, government agencies, even colleagues—to trick you into revealing credentials, clicking malicious links, downloading malware, or authorizing fraudulent payments.
The 2025 Verizon Data Breach Investigations Report (DBIR) attributes over 90% of successful data breaches to phishing as the initial access vector. Despite decades of awareness campaigns, attackers are improving: AI-generated content eliminates the grammar errors that once made fake emails obvious, deepfake voice cloning makes phone scams nearly indistinguishable from real calls, and adversary-in-the-middle proxy attacks now bypass multi-factor authentication (MFA) in real time.
This guide explains what phishing is in detail, breaks down every major attack variant, shows you how to recognize sophisticated attacks before they succeed, and outlines the layered defenses that protect individuals and organizations alike. Whether you're protecting personal accounts or securing a business that handles sensitive client data, understanding phishing is the single most valuable cybersecurity skill you can develop.
Phishing: By the Numbers
Verizon Data Breach Investigations Report 2025
FBI Internet Crime Complaint Center 2025
Microsoft Security Intelligence Report 2025
Types of Phishing Attacks
Phishing has evolved far beyond the obvious "Nigerian prince" emails. Modern attacks come in many forms, each engineered to exploit a different context, channel, or level of trust. Understanding these variations is essential for recognizing threats across your inbox, text messages, phone calls, and even QR codes.
Email Phishing
The most common form, email phishing sends mass messages impersonating trusted brands—Microsoft, Amazon, your bank, or a government agency. These attacks cast a wide net, relying on volume rather than personalization. Modern email phishing increasingly uses AI-generated content that eliminates the grammar errors and awkward phrasing that once made fake emails easy to spot.
Attackers use spoofed sender addresses, cloned company branding, and urgent language to pressure victims into clicking malicious links or downloading infected attachments. Targets are typically cloud service credentials, banking portals, and corporate systems—any account that provides access to money or sensitive data.
Spear Phishing
Unlike generic email phishing, spear phishing targets specific individuals or organizations with highly personalized messages. Attackers research their victims on LinkedIn, company websites, and social media to craft messages that reference real projects, colleagues, or business relationships. Success rates run up to 10 times higher than mass phishing campaigns precisely because the messages feel genuine.
These attacks often incorporate information harvested from prior data breaches or social media reconnaissance to establish credibility. A spear phishing email might reference a real vendor you work with, a deal you recently closed, or a conference you attended—making the request feel entirely plausible. This is the primary vector for social engineering attacks against businesses. For tax preparers and financial firms, spear phishing frequently targets filing-season workflows and client portal credentials.
Whaling
Whaling targets high-value individuals—executives, CFOs, attorneys, and decision-makers with access to sensitive data or financial authority. These attacks often impersonate board members, legal counsel, or business partners requesting urgent wire transfers or confidential information. The FBI's Internet Crime Complaint Center (IC3) reports the average whaling attack results in losses exceeding $130,000. Attackers use publicly available information about executive travel schedules, board meetings, and business transactions to time their attacks when targets are distracted, traveling, or under deadline pressure.
How a Phishing Attack Works: Step by Step
Reconnaissance
Attackers gather information about the target from LinkedIn, company websites, social media, and prior data breach datasets to craft believable, personalized messages.
Message Crafting
Using collected intelligence, attackers build a convincing email, text, or call script. AI tools now generate flawless, contextually personalized content at scale.
Delivery
The phishing message is sent via email, SMS, voice call, or messaging platform—often bypassing filters through trusted cloud services or compromised legitimate accounts.
Victim Action
The target clicks a malicious link, downloads an infected attachment, or provides credentials—believing the request is legitimate and urgent.
Exploitation
Attackers use stolen credentials to access accounts, deploy malware, initiate wire transfers, or establish persistent access—often within minutes of the click.
Post-Compromise
Depending on the attacker's goal, they escalate privileges, move laterally through the network, exfiltrate data, or deploy ransomware across connected systems.
Smishing (SMS Phishing)
Smishing delivers phishing attacks via text message. Common tactics include fake package delivery notifications, bank fraud alerts, and two-factor authentication (2FA) warnings designed to steal credentials. Mobile devices make smishing particularly effective—URLs are harder to inspect on small screens, and users tend to trust text messages more than email. For tax professionals, smishing attacks frequently impersonate the IRS or state revenue departments during filing season, often referencing real deadlines or specific software platforms to appear credible.
Vishing (Voice Phishing)
Vishing uses phone calls to manipulate victims into revealing information or authorizing fraudulent payments. Attackers spoof caller ID to appear as legitimate organizations, use AI voice cloning to impersonate executives, and create elaborate pretexts around account security, technical support, or legal threats. In 2025, the FBI documented over 400 cases of deepfake vishing resulting in losses exceeding $50 million. Voice phishing often serves as the initial contact before directing victims to phishing websites or requesting remote access to their systems.
Business Email Compromise (BEC)
BEC attacks compromise legitimate email accounts to send fraudulent messages from trusted, real addresses. Unlike traditional phishing that impersonates organizations, BEC uses actual compromised accounts, making detection extremely difficult. The FBI reports BEC attacks caused $2.9 billion in losses in 2025, making it the costliest single form of cybercrime by financial impact.
BEC typically targets finance departments with fraudulent wire transfer requests, payroll redirection schemes, or W-2 data theft. These attacks often combine social engineering with technical compromise—gaining access to a legitimate mailbox, then monitoring conversations for weeks before executing the fraud at the right moment. Anyone with authority over payments or payroll benefits from understanding financial security controls as a first line of defense.
QR Code Phishing (Quishing)
QR code phishing—sometimes called "quishing"—embeds malicious URLs inside QR codes placed in emails, printed materials, or physical locations like parking meters and EV charging stations. Most email security tools cannot scan QR code contents before the user's device processes them, and mobile browsers often don't display the full destination URL before loading the page. Quishing bypasses email URL scanners entirely because the malicious link is embedded in an image rather than a clickable text URL, making it an increasingly common evasion technique heading into 2026.
Phishing Detection Checklist: Red Flags to Spot Before You Click
- Check the sender email address for misspellings, extra characters, or suspicious domains (e.g., microsft.com or arnazon.com)
- Hover over every link to preview the actual destination URL before clicking — the real URL appears in your browser's status bar
- Question generic greetings like "Dear Customer" or "Dear User" instead of your actual name
- Treat unexpected attachments — especially ZIP files, Office documents with macros, or PDFs from unknown senders — as suspicious until verified
- Verify unusual requests (wire transfers, password resets, W-2 data) through a separate, independently verified communication channel
- Check for branding inconsistencies: wrong logos, colors, or fonts compared to previous legitimate messages from the same organization
- Be skeptical of any message creating extreme urgency or threatening account suspension or legal action
- Never provide passwords, PINs, Social Security numbers, or credit card details via email or text — no legitimate organization requests these this way
- Scan QR codes only from trusted, physically verified sources — never from unsolicited emails or unfamiliar printed materials
What to Do If You Clicked a Phishing Link
If you clicked a phishing link or entered credentials on a suspicious site, act immediately. Most attackers begin exploiting compromised accounts within minutes of credential capture—the window for containing damage is narrow.
Change the compromised password on every site where you reused it. Credential reuse turns one compromised account into many, which is why unique passwords for every account are essential. Use a password manager to generate and store unique credentials for every account going forward.
Enable multi-factor authentication on the affected account immediately if you haven't already. Even if attackers have your password, MFA requires a second verification factor they cannot easily obtain. Prioritize your email account first—access to your email allows attackers to reset passwords across every connected service.
Contact your bank without delay if you entered any financial information. Most banks provide zero-liability protection when fraud is reported promptly. Monitor statements closely for 60 days and consider placing a fraud alert with Equifax, Experian, and TransUnion if personal information like your Social Security number was exposed.
Run a full malware scan on your device using updated antivirus software. If you downloaded an attachment, disconnect from your network before scanning to prevent potential spread to other devices. Malware installed through phishing can establish persistent backdoor access, install keyloggers to capture future passwords, or serve as a foothold for ransomware deployment across your network.
For business accounts, report the incident to your IT team or security provider immediately—they need to assess whether attackers have already used your credentials to access other systems. Under NIST SP 800-61 incident response guidelines, response must be swift, coordinated, and documented. Follow your organization's incident response plan to contain the breach, preserve evidence, and determine the full scope of compromise. Document everything: save copies of the phishing message, any attacker correspondence, and a complete timeline of events for potential insurance claims or law enforcement use.
Report the phishing attempt to the Anti-Phishing Working Group at reportphishing@apwg.org. Forward IRS-themed phishing emails to phishing@irs.gov to help the agency track tax-related fraud campaigns.
The Takeaway: Speed Is Everything After a Phishing Click
The average attacker begins exploiting stolen credentials within minutes. If you suspect you've been phished, change passwords, enable MFA, and notify your bank or IT team before doing anything else. Every minute of delay expands the potential damage and the scope of accounts that may need to be secured.
Learn How Attackers Target Your Industry
Our phishing defense resource center covers attack techniques, detection methods, and compliance requirements specific to tax professionals, healthcare providers, and financial services firms.
Building Organizational Phishing Resilience
The most effective defense against phishing combines regular security awareness training with realistic phishing simulations. Organizations that run monthly simulations see phishing click rates drop from approximately 30% to under 5% within a year. Training must cover current attack trends—not just generic awareness—and show employees real examples of phishing emails targeting your specific industry and role.
Effective programs use the NIST NICE Framework approach: knowledge reinforcement through repeated exposure, realistic simulations without punishment, and immediate feedback when users click simulated phishing links. Sessions should be brief (10–15 minutes monthly), engaging, and relevant to actual threats your organization faces. Punishment-based approaches backfire—employees who fear consequences stop reporting suspicious emails, which eliminates your early warning system entirely.
Technical Controls That Add Essential Defense Layers
Deploy email filtering solutions that scan attachments for malware, analyze URLs for known phishing indicators, and quarantine suspicious messages before they reach inboxes. Modern Secure Email Gateways (SEGs) use machine learning to detect zero-day phishing attempts that signature-based filters miss. Pair this with URL rewriting—routing every link in incoming email through a real-time security scanner that checks destinations against threat intelligence feeds at the moment of click, not at delivery time.
Implement DMARC, DKIM, and SPF email authentication protocols to prevent spoofing of your own domain. DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receiving mail servers how to handle messages that fail authentication checks. Organizations with enforced DMARC policies block approximately 90% of domain spoofing attempts. The FTC recommends DMARC implementation in its Safeguards Rule compliance guidance for financial institutions. Start with a monitoring policy (p=none) to inventory all legitimate email sources, then advance to quarantine, and finally to reject once all authorized senders are confirmed.
Establish a clear, friction-free process for reporting suspicious emails. A single-click reporting button in email clients works best—anything requiring more steps gets skipped under deadline pressure. Respond to every report with feedback to reinforce the behavior. According to the Ponemon Institute, organizations where employees actively report phishing reduce breach costs by an average of $186,000 per incident.
AitM Phishing Now Bypasses Standard MFA
Adversary-in-the-Middle (AitM) phishing intercepts authentication sessions in real time, capturing both your credentials and authenticated session cookies—even after you complete an MFA step. Microsoft reported a 146% increase in AitM attacks targeting Microsoft 365 accounts in 2025. SMS codes and TOTP authenticator apps offer no protection against this attack class. Only FIDO2 security keys and passkeys, which are cryptographically bound to the legitimate domain, reliably defeat AitM phishing.
Advanced Phishing Techniques to Watch in 2026
Attackers continuously evolve their methods to bypass security controls and exploit new technologies. The techniques emerging in 2025 and 2026 require updated defenses that go beyond traditional email filtering and awareness training.
AI-Generated Phishing Content
Large language models enable attackers to generate perfectly grammatical, contextually appropriate phishing emails at scale. AI eliminates the spelling and grammar errors that once served as reliable detection signals. More concerning, AI can analyze a target's writing style from public social media posts and generate personalized messages that match their communication patterns—making spear phishing more convincing and far less resource-intensive to produce at volume. Organizations can no longer rely on linguistic red flags alone as a detection strategy. Read more about how AI is reshaping the threat environment in 2026.
Deepfake Voice and Video Phishing
AI voice cloning creates convincing audio deepfakes of executives requesting wire transfers or credential resets. Video deepfakes are an emerging threat for collaboration platforms—attackers impersonate executives in Microsoft Teams or Zoom calls to authorize fraudulent transactions. The MITRE ATT&CK framework now includes techniques for social engineering via deepfake media under technique T1598.
Organizations should establish out-of-band verification procedures for any high-risk request made via phone or video: a callback to a known, previously confirmed number, a code word system, or secondary approval from a separate person. These procedural controls defeat deepfake attacks regardless of how realistic the audio or video becomes, because they don't depend on detecting the fake—they require verification through a channel the attacker cannot control.
Adversary-in-the-Middle (AitM) Phishing
AitM phishing intercepts authentication sessions in real time. Attackers create proxy sites that sit between the victim and the legitimate login page, capturing credentials and session cookies simultaneously. Because the attacker relays the one-time code to the real service while stealing the authenticated session, traditional MFA provides no protection against this technique.
Defense requires phishing-resistant MFA methods—specifically FIDO2 security keys or passkeys that are cryptographically bound to the legitimate domain and cannot be proxied. The comparison table above shows which MFA methods provide genuine AitM protection. For organizations running Microsoft 365, enabling Conditional Access policies that require FIDO2 authentication for administrative and finance roles is a practical first step.
Phishing Defense for Tax Professionals and Regulated Industries
Tax Professionals
Tax professionals face an elevated phishing threat because they hold exactly what attackers want: Social Security numbers, financial records, direct deposit information, and access credentials for tax preparation software connected to millions of returns. The IRS identifies tax preparers as a top-targeted group and requires them to maintain documented security programs under IRS Publication 4557.
A Written Information Security Plan (WISP) is the IRS-required foundation for phishing defense at tax practices. The WISP must document your email security controls, employee training program, incident response procedures, and acceptable use policies. Tax preparers handling 11 or more returns annually are required to maintain a compliant WISP, and the IRS has signaled increased enforcement attention on preparers without documented security programs. Our free WISP template for tax preparers walks through every required element.
Healthcare Organizations
Healthcare organizations face parallel requirements under HIPAA Security Rule §164.308(a)(5), which mandates security awareness training that specifically addresses phishing and malicious software. The Office for Civil Rights has cited inadequate phishing training as a contributing factor in multiple enforcement actions resulting in significant civil monetary penalties. For dental and medical practices, our HIPAA cybersecurity requirements guide covers phishing defense obligations specific to covered entities and business associates.
Financial Institutions and FTC-Regulated Businesses
Financial institutions and businesses subject to the FTC Safeguards Rule must implement safeguards specifically addressing phishing under 16 C.F.R. Part 314. The rule requires multi-factor authentication, employee training, and technical controls to detect and prevent unauthorized access—all directly applicable to phishing defense. Businesses that handle client financial data but haven't reviewed their safeguards obligations since the 2023 rule amendments took effect should do so now—enforcement activity has increased steadily in the years following those updates.
Bottom Line: Technology and People Together
Phishing attacks succeed when technology alone or people alone carry the defense. The organizations that best contain phishing combine email authentication (DMARC/DKIM/SPF), phishing-resistant MFA (FIDO2 or passkeys), Secure Email Gateway filtering, and regular simulated phishing training—each layer compensating for the weaknesses of the others. For regulated industries, these controls aren't advisory: they're documented requirements with enforcement consequences.
Get Expert Help Securing Your Organization Against Phishing
Our security team helps businesses implement email authentication, phishing-resistant MFA, employee training programs, and compliance controls tailored to your industry and regulatory requirements.
Frequently Asked Questions About Phishing
Phishing is a cyberattack that uses deceptive messages—typically email, SMS, or phone calls—to impersonate trusted entities and trick victims into revealing credentials, clicking malicious links, or transferring money. It's effective because it targets human psychology rather than technical vulnerabilities. Even technically sophisticated users can be deceived by well-crafted, contextually appropriate messages, especially when attackers use AI-generated content, actual compromised accounts, or deepfake audio and video to make the approach feel completely legitimate.
Key indicators include: a sender address that doesn't match the claimed organization (check for misspellings like "microsft.com" or unusual domains), generic greetings instead of your name, unexpected urgency or threats, requests for passwords or financial information, and links that point to different domains when you hover over them. Note that AI-generated phishing emails increasingly lack the spelling and grammar errors that once made them easy to spot, so linguistic quality alone is no longer a reliable detection signal.
Act immediately: (1) Change the compromised password on every site where you reused it. (2) Enable MFA on the affected account, prioritizing email first. (3) Contact your bank if financial information was entered. (4) Run a malware scan, disconnecting from your network first if you downloaded anything. (5) Report the incident to your IT team if it involves a business account. (6) Document everything—the phishing message, any attacker correspondence, and a timeline—for potential insurance claims or law enforcement. Speed matters: attackers often begin exploiting stolen credentials within minutes.
Standard MFA—including SMS codes and TOTP authenticator apps—protects against many attacks but not all. Adversary-in-the-Middle (AitM) phishing intercepts authentication sessions in real time, capturing session cookies even after you complete an MFA step. Only phishing-resistant MFA methods, specifically FIDO2 security keys and passkeys, are cryptographically bound to the legitimate domain and cannot be proxied. For high-risk accounts and regulated environments, FIDO2 or passkeys are the recommended standard.
Traditional phishing emails often contained spelling errors, awkward phrasing, and generic templates—red flags that trained users learned to spot. AI-generated phishing produces grammatically perfect, contextually personalized messages at scale. Attackers can analyze a target's public social media posts and replicate their communication style, making spear phishing more convincing while requiring far less manual effort. This shift makes linguistic quality an unreliable detection signal, placing more emphasis on technical verification: sender authentication checks, URL inspection, and out-of-band confirmation for unusual requests.
Yes. Small businesses are frequently targeted because they often have weaker defenses than large enterprises while still holding valuable data—client financial records, tax information, payment credentials, and healthcare data. Business Email Compromise (BEC) attacks, which caused $2.9 billion in losses in 2025 according to the FBI, frequently target small and mid-sized businesses. Attackers prioritize access and data value, not company size.
Business Email Compromise (BEC) involves first compromising a legitimate email account—often through an initial phishing attack—then using that real, trusted account to send fraudulent requests. Unlike standard phishing that impersonates an organization, BEC messages come from actual trusted addresses, making them far harder to detect through standard filtering. BEC typically targets finance teams with wire transfer requests, payroll redirection schemes, or W-2 data theft, and attackers often monitor the compromised mailbox for weeks before acting to time their fraud at the most plausible moment.
Monthly simulated phishing exercises combined with brief (10–15 minute) awareness sessions produce the best results. Research shows organizations running monthly simulations reduce click rates from approximately 30% to under 5% within a year. Annual training alone is insufficient—attack techniques evolve faster than a yearly cycle, and employees who aren't regularly tested lose situational awareness over time. Effective programs also provide immediate, non-punitive feedback when users click simulated phishing links.
Yes. IRS Publication 4557 requires all tax preparers handling 11 or more returns annually to maintain a Written Information Security Plan (WISP) that documents email security controls, employee training, incident response procedures, and acceptable use policies. The IRS has signaled increased enforcement attention on preparers without compliant WISPs. Additional required baseline elements include MFA on all tax software and encrypted client portals for transmitting sensitive taxpayer data.
Smishing is phishing delivered via SMS (text message) rather than email. Common smishing tactics include fake package delivery notifications, bank fraud alerts, and IRS impersonation during tax season. Smishing is particularly effective because mobile devices make it harder to inspect URLs before clicking, text messages carry a higher default trust level for many users, and fewer people apply the same scrutiny to texts that they apply to email. The same core defense applies: verify unexpected messages through official channels before taking any action.
Schedule
Want personalized advice?
Our cybersecurity experts can help you implement these best practices. Free consultation.



