Phishing is still the number one way attackers get into businesses. Not through sophisticated hacking or zero-day exploits — through a well-crafted message that tricks someone on your team into clicking a link, opening an attachment, or handing over credentials.
But here's what's changed: the phishing emails hitting your inbox in 2025 are fundamentally different from what we saw even two years ago. If your mental model of phishing is still "a badly written email from a Nigerian prince," you're defending against yesterday's threat. The game has shifted, and it's shifted fast.
What's Actually Different Now
The biggest change is AI-generated phishing. Attackers are using large language models to write messages that are grammatically perfect, contextually relevant, and available in any language. The spelling errors and awkward phrasing that used to be reliable warning signs are gone. Even seasoned security professionals report that modern phishing emails require a second look to identify — the telltale signs that training programs once relied on have largely disappeared.
But the AI problem goes beyond email text. We're now seeing:
- Voice cloning attacks. Attackers can clone a person's voice from a few seconds of audio — a conference talk, a podcast appearance, a voicemail greeting. They're using cloned voices to call finance teams and authorize wire transfers. A common pattern: the "CEO" calls on a Friday afternoon when the real CEO is traveling, creating urgency and making verification harder.
- Deepfake video calls. This is still relatively rare, but it's happened. In early 2024, a finance worker at a multinational was tricked into transferring $25 million after a video call with what appeared to be several senior executives — all deepfakes.
- AI-powered reconnaissance. Attackers are using AI to scrape LinkedIn, company websites, and social media to build detailed profiles of targets. The resulting spear phishing emails reference real projects, real colleagues, and real business context. They feel like internal communication.
This is why traditional phishing training — "look for typos, check the sender address" — is becoming insufficient on its own. The signals people were trained to spot are disappearing.
The Types of Phishing That Actually Hit Companies
Business Email Compromise (BEC) is the most financially damaging. It doesn't use malware at all. An attacker either compromises a real email account or creates a convincing lookalike domain, then impersonates an executive to request wire transfers, change payment details, or redirect invoices. The FBI's 2024 IC3 report documented $2.77 billion in BEC losses in a single year, with cumulative losses exceeding $17 billion over the past decade. Industry data consistently shows this is the attack most likely to actually cost a mid-sized company serious money.
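As an added example that is not part of the original article, here is a small defender-side check in Python for the two sender patterns this paragraph describes: an executive's display name on an address outside the company, and a lookalike of the corporate domain, plus the common BEC tell of a Reply-To that points somewhere other than the From address. The company domain, executive names and sample messages are constructed for the example.

```python
from email.utils import parseaddr
# Constructed values for this example: a fictional company and its executives.
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe", "sam patel"}
# Visual substitutions seen in lookalike domains; folded before comparison.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def _levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike_domain(domain: str, corporate: str = CORPORATE_DOMAIN) -> bool:
    """True if domain is external but confusably close to the corporate domain."""
    d, c = domain.lower(), corporate.lower()
    if d == c or d.endswith("." + c):
        return False  # the real domain or one of its subdomains
    fd, fc = (s.translate(_HOMOGLYPHS).replace("rn", "m") for s in (d, c))
    if fd == fc:
        return True  # differs only by homoglyphs, e.g. exarnple-corp.com
    # one or two typo-squat edits (example-corp.co) or same name under another TLD
    return _levenshtein(d, c) <= 2 or d.split(".")[0] == c.split(".")[0]

def bec_indicators(msg: dict) -> list[str]:
    """Return the BEC warning signs found in a message's From/Reply-To headers."""
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    external = from_domain != CORPORATE_DOMAIN and not from_domain.endswith("." + CORPORATE_DOMAIN)
    if external and name.strip().lower() in EXECUTIVES:
        reasons.append(f"display name '{name}' matches an executive but sender is external ({from_domain})")
    if external and is_lookalike_domain(from_domain):
        reasons.append(f"sender domain {from_domain} is a lookalike of {CORPORATE_DOMAIN}")
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return reasons

SAMPLE_MESSAGES = [  # constructed samples, not real mail
    {"From": "Jane Doe <jane.doe@example-corp.com>", "Subject": "Q3 budget"},
    {"From": "Jane Doe <jane.doe@gmail.com>", "Reply-To": "ceo.urgent@outlook.com", "Subject": "Urgent wire"},
    {"From": "Accounts <ap@exarnple-corp.com>", "Subject": "Updated bank details"},
    {"From": "Vendor <billing@example-corp.co>", "Subject": "Invoice 4471"},
]
```

Flagged messages are candidates for a warning banner or a verification hold, not proof of fraud; the out-of-band call to a known number remains the control that actually decides.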
Spear phishing is targeted. Instead of blasting thousands of generic emails, attackers research specific individuals and craft personalized messages. They reference real projects, use a colleague's name, or mimic an email thread your team is actually involved in. These are hard to detect because they look like normal business communication.
Credential harvesting sends you to a fake login page — a pixel-perfect copy of your Microsoft 365 or Google Workspace sign-in. You type in your password, and now the attacker has it. This is where MFA becomes critical: even if someone falls for the fake page, MFA stops the attacker from using the stolen credentials.
Smishing and vishing use text messages and phone calls. Smishing might be a fake delivery notification or account alert. Vishing is a phone call impersonating IT support, a bank, or a vendor. People tend to trust calls and texts more than email, which makes these effective. With voice cloning added to the mix, vishing is becoming significantly more dangerous.
CEO Fraud Is Real
BEC attacks don't need malware. They use trust and authority. An email that appears to come from the CEO asking finance to process an urgent wire transfer has succeeded at companies of every size. With voice cloning, these attacks now sometimes come as phone calls instead of emails, making them harder to question.
What Actually Reduces Phishing Risk
Research and industry data point clearly to what works and what doesn't.
MFA is non-negotiable. It doesn't prevent someone from falling for a phishing email, but it prevents the attacker from using stolen credentials to access your systems. This single control stops the majority of credential-harvesting attacks from turning into actual breaches.
Phishing simulations work, but only if you do them right. The companies that see real improvement run simulations quarterly, make them realistic, and treat failures as coaching opportunities rather than punishment. Publicly shaming people who click creates a culture where nobody reports suspicious emails — which is the opposite of what you want.
Out-of-band verification for financial transactions. Any request to change payment details, wire money, or share sensitive information should be confirmed through a separate channel — a phone call to a known number, not a reply to the email. This is the single most effective control against BEC. It's also free.
Reporting has to be frictionless. If someone gets a suspicious email, they should be able to report it in one click. A "report phishing" button in your email client, a dedicated reporting mailbox — whatever makes it easy. One reported phishing email can protect the entire organization.
What to Tell Your Team
Keep it simple. Don't deliver a technical lecture. Just make sure every employee understands three things:
- Slow down when something feels urgent. Urgency is the attacker's primary tool. Any message pressuring you to act immediately — a suspended account, an angry executive, a missed deadline — deserves extra scrutiny. Real emergencies can survive a two-minute verification.
- Verify through a different channel. Got an unusual request by email? Call the person. Got a call from "IT support" asking for your password? Hang up and call IT directly. Never use contact information from the suspicious message itself.
- Report everything, even if you clicked. The worst thing someone can do after clicking a phishing link is hide it out of embarrassment. Early reporting dramatically reduces damage. Make it clear that reporting is expected and appreciated, not punished.
Three Steps You Can Take This Week
- Confirm MFA is enabled on all email and financial systems. Not planned — enabled. If any accounts are still unprotected, that's your top priority.
- Set up a phishing simulation program. Tools like KnowBe4 or Proofpoint can be running within days. Start with a baseline test to see where you actually stand.
- Establish a verification policy for financial requests. Any request to change bank details, wire funds, or share sensitive data gets confirmed by phone to a known number. Write it down, communicate it to the finance team, and enforce it.
Phishing will keep evolving — AI is making attacks more convincing, more personalized, and harder to detect with traditional signals. But the fundamentals still hold: verify before you trust, protect credentials with MFA, and build a culture where people report suspicious activity without hesitation. For a deeper dive on building a phishing-resistant organization, see Cybersecurity for CEOs.