Top initial-access vector

What is Phishing

Phishing is the fraudulent message attack behind most enterprise breaches. Learn how attackers run modern campaigns across email, SMS, voice, QR, and chat, and how to defend against the AI-generated next wave.


Phishing is the most common initial attack vector for breaches

Phishing is a fraudulent message that impersonates a trusted brand, colleague, or system to make a target click a link, open an attachment, share a credential, or approve a transaction. It is the umbrella term for email phishing, spear phishing, vishing, smishing, quishing, clone phishing, whaling, and business email compromise. The mechanics differ by channel; the goal is the same: move the target into an action they would not take if they paused to verify. The attack has stayed dominant for two decades because it targets human judgment under pressure, a step that sits outside what gateway and endpoint controls can mediate.

The Verizon 2024 Data Breach Investigations Report attributes 68% of breaches to a non-malicious human element, and the Anti-Phishing Working Group recorded nearly 5 million phishing attacks across 2023, including 1.077 million in the fourth quarter alone. The FBI Internet Crime Complaint Center logged 21,489 business email compromise complaints in 2023, with reported losses of $2.9 billion. Microsoft Threat Intelligence reported in 2022 that a single adversary-in-the-middle phishing campaign had targeted more than 10,000 organizations. The volume is industrial, the targeting is industrial, and the cost curve only gets cheaper as the tradecraft scales.

Attacker tradecraft moved sharply through 2023 and 2024. Large language models compress days of native-speaker copywriting into seconds, removing the broken-English signal defenders relied on. Adversary-in-the-middle kits like Evilginx, Modlishka, and EvilProxy proxy the legitimate login flow in real time and harvest the post-MFA session cookie, which makes one-time codes and push approvals useless against them. Voice cloning APIs build a convincing pretext from a short sample of the target's speech, and deepfake video tooling now drops faces into Zoom and Teams calls live. The 2024 Arup case, in which a finance worker authorized roughly $25 million in wires after a video call with deepfake company executives, is the new baseline rather than the outlier.

If you are a buyer reading this page, you almost certainly already run a secure email gateway, DMARC, and an annual phishing module. That stack catches the cheap attacks. The expensive attacks (the ones that breach quarter and reputation) walk through it. The rest of this page covers the modern attack chain, three named incidents, the eight defensive layers that actually work, and the role-based exercise approach that builds the verification reflex you need at the human layer.

How phishing attacks unfold

1. Reconnaissance

Attackers harvest target data from LinkedIn, breach dumps, GitHub, SEC filings, conference recordings, and corporate directories. Tools like LinkedIn Sales Navigator, Hunter.io, and Apollo turn a target organization into a roster with names, titles, reporting lines, and email patterns. Specialized groups (Scattered Spider, TA453, FIN7) maintain dossiers on finance, IT help desks, and executive assistants because those roles control the levers attackers want. The 2023 MGM Resorts breach started here, with the attackers reportedly identifying a help-desk technician through LinkedIn before placing a vishing call.

2. Lure crafting

The attacker writes a pretext that exploits authority, urgency, scarcity, or rapport. AI tooling now drafts the copy in fluent business English, customized to the target's role and current calendar. Templates rotate by season: shipping notices in November and December, tax pretexts in March and April, mandatory MFA enrollment during tooling rollouts, vendor invoice changes after a real merger announcement. Cofense and Proofpoint annual reports both flag QR code lures, calendar-invite attachments, and OAuth consent pages as the fastest-growing template categories of the past 18 months.

3. Delivery and gateway evasion

Messages route through bulletproof hosting, hijacked mailboxes, or compromised marketing platforms (HubSpot, Mailchimp) to inherit a trusted sending reputation. Attackers split URLs across CAPTCHA-gated redirectors, Cloudflare Turnstile pages, and Telegram chat handoffs to defeat sandbox detonation. QR codes hide the URL inside an image, so a gateway that only scans text URLs never sees it. Lookalike domains use homoglyphs (rn for m, a Cyrillic а for a Latin a), cousin names that embed the brand (paypal-secure[.]co), freshly registered subdomains, or compromised legitimate sites. Hoxhunt reported a 587% surge in QR code phishing during 2023; the technique spread because it slips past any gateway that does not decode images.

4. Credential capture and MFA bypass

Modern credential phishing pages use adversary-in-the-middle frameworks. Evilginx and Modlishka sit between the victim and the real identity provider: the user types a real password into a page the proxy serves, the proxy forwards it to the real site, and the user completes a real MFA prompt. The kit captures the post-authentication session cookie and replays it from the attacker's browser, so the factor the user satisfied never protected the session. MFA fatigue (also called MFA bombing) is a parallel technique: the attacker spams push prompts until the target taps approve out of annoyance. The 2022 Uber breach fell to MFA fatigue; the 2022 0ktapus (Scatter Swine) campaign that hit Twilio, Cloudflare, and over 130 other companies relayed captured credentials and one-time codes to the attackers in real time.

5. Lateral movement and monetization

Once inside a mailbox or SSO session, the attacker pivots. Common moves: silent mail forwarding rules to monitor wire instructions, OAuth consent abuse to grant persistent access to Microsoft 365 or Google Workspace, harvested templates for clone phishing into the supply chain, ransomware staging from the compromised endpoint. Business email compromise actors usually wait weeks, learning vendor relationships and payment cadences, then send a single timed wire-instruction change. The FBI IC3 reported $2.9 billion in BEC losses across 21,489 complaints in 2023, with the average single loss above $130,000.

6. Deepfake and follow-up amplification

The 2024 generation of attacks chains channels. An email lands first, a vishing call follows within hours referencing the message, and a deepfake video call closes the deal for high-value wires. Voice cloning models from ElevenLabs-style providers need 30 seconds of source audio. Live-face video deepfakes ran in production during the 2024 Arup $25 million wire fraud and have since shown up in private-equity diligence calls and CFO authorization workflows. The attacker no longer needs to write convincing copy; they need to look and sound convincing for 90 seconds.

Real-world phishing case studies

2024 Arup deepfake video wire fraud, $25M

Hong Kong police disclosed in February 2024 that a finance employee at a multinational's Hong Kong office had authorized 15 transfers totaling about HK$200 million (roughly $25 million) to attacker-controlled accounts after joining a video conference with what appeared to be the company CFO and several other staff; engineering firm Arup later confirmed it was the victim. Every other participant on the call was a deepfake. The pretext arrived first by email, the call closed the trust loop, and the wire was sent before any out-of-band verification. Police said the employee's initial suspicion of the email dissolved once familiar faces and voices appeared on the call. The case redefined the threat for finance and treasury teams: visual identity on a live call is no longer evidence.

2022 0ktapus / Scatter Swine smishing-to-credential-relay campaign

The threat group tracked as Scatter Swine, 0ktapus, and (by several vendors) Scattered Spider hit more than 130 organizations including Twilio, Cloudflare, Mailchimp, and DoorDash through a coordinated SMS phishing campaign in mid-2022. Texts impersonated Okta password resets and routed users to lookalike SSO portals. The phishing kit relayed the captured credentials and one-time codes to the attackers in real time (Group-IB traced its exfiltration to a Telegram bot), so TOTP codes were used against the real login within minutes of being typed. Cloudflare blocked the breach because hardware FIDO2 keys were mandatory for every employee; Twilio confirmed attacker access to internal tools and customer data. The campaign showed that traditional MFA (SMS codes, push prompts, TOTP) is bypass-by-default against a real-time relay.

2024 Pepco Group €15.5M phishing wire fraud

Discount retail group Pepco confirmed in February 2024 that its Hungarian business unit had lost approximately €15.5 million in cash to a sophisticated fraudulent phishing attack earlier that month. The company described the attack as a fraudulent communication that resulted in transfers from the Hungarian operation. No customer or employee data was compromised; the loss was direct cash, transferred out of treasury operations through manipulated payment instructions. Pepco told the market it was working with banks and police but that the cash might not be recovered. The case illustrates the BEC pattern targeting finance teams with authority-based pretexts and shows how a single skipped callback verification can move eight-figure sums in a single morning.

How to defend against phishing

Enforce DMARC at p=reject with aligned SPF and DKIM

Quarantine mode lets spoofs land in a folder a user can still open. Reject mode tells receiving mail servers to refuse mail that fails DMARC outright. Publish DMARC records on every sending domain (primary, marketing, transactional, parked), align SPF and DKIM with the From header, and review aggregate (rua) reports weekly. Move in stages (p=none with reporting, then p=quarantine with a rising pct, then p=reject) so legitimate third-party senders are found and fixed before they are blocked. This is the cheapest control with a large blast radius: it stops exact-domain spoofing of your own domains, the cheapest form of CEO fraud. It does nothing against lookalike (cousin) domains, which need separate monitoring, defensive registration, and sender-domain checks at the gateway.
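As an added example (not the page's own tooling), the script below grades DMARC and SPF TXT records for the weak settings just described: a non-reject policy, a weaker subdomain policy, a partial pct, missing aggregate reporting, a permissive SPF "all" qualifier, and too many SPF lookup terms. The records are constructed strings; in production you would fetch the TXT record at _dmarc.<domain> (and the domain's own TXT record for SPF) before grading it.

```python
"""Grade DMARC and SPF records for the weak settings discussed above.

Added example, not the page's own tooling. The records are constructed
strings; in production you would fetch the TXT record at _dmarc.<domain>
(and the domain's own TXT record for SPF) before grading it.
"""
import re

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 caps them at 10.
LOOKUP_TERMS = re.compile(r"^[+\-~?]?(include:|a$|a:|mx$|mx:|ptr$|ptr:|exists:|redirect=)", re.I)


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; rua=...' into a lowercase-tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(record: str) -> list:
    """Return findings for a DMARC record; an empty list means it is enforcing."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (v=DMARC1 missing)"]
    findings = []
    policy = tags.get("p", "none")
    if policy != "reject":
        findings.append(f"p={policy}: failing mail is not rejected")
    # sp= defaults to p=, so a weak p= also leaves subdomains spoofable
    sub_policy = tags.get("sp", policy)
    if sub_policy != "reject":
        findings.append(f"sp={sub_policy}: subdomains are not rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua=: aggregate reports are not collected, so spoofing goes unseen")
    return findings


def grade_spf(record: str) -> list:
    """Return findings for an SPF record: the 'all' qualifier and the lookup count."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record (v=spf1 missing)"]
    terms = record.split()[1:]
    findings = []
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_term in ("all", "+all"):
        findings.append("+all: every host on the internet passes SPF for this domain")
    elif all_term == "?all":
        findings.append("?all: neutral result, equivalent to no SPF")
    # ~all (softfail) is acceptable: DMARC treats anything but 'pass' as a failure
    lookups = sum(1 for t in terms if LOOKUP_TERMS.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return findings


# Constructed records: a typical 'we turned DMARC on' state next to an enforcing one.
WEAK_DMARC = "v=DMARC1; p=quarantine; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
STRONG_SPF = "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all"

if __name__ == "__main__":
    for label, record, grader in (("weak DMARC", WEAK_DMARC, grade_dmarc),
                                  ("strong DMARC", STRONG_DMARC, grade_dmarc),
                                  ("weak SPF", WEAK_SPF, grade_spf),
                                  ("strong SPF", STRONG_SPF, grade_spf)):
        print(label, "->", grader(record) or ["ok"])
```

The weak DMARC record produces four findings (policy, subdomain policy, pct, and no rua address) and the enforcing one produces none; the SPF grader accepts ~all because DMARC already treats softfail as a failure, but flags +all and ?all, which make SPF alignment meaningless.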

Deploy phishing-resistant MFA (FIDO2 and passkeys)

Hardware-bound keys (YubiKey, Titan) and platform passkeys on iOS, Android, macOS, and Windows cannot be phished by adversary-in-the-middle proxies. The signed challenge is bound to the origin the browser is actually on, so a proxy on a lookalike domain cannot obtain an assertion the real site will accept. Synced passkeys trade hardware binding for usability but keep that origin binding, which is the property that defeats AiTM. Move every employee from SMS, push, and TOTP to FIDO2 or passkeys, starting with finance, IT, executives, and developers, and remove the weaker factors from the authentication policy once the rollout is done: a phishable fallback that stays enabled is the factor the attacker steers the target toward. Cloudflare publicly credited mandatory hardware keys with stopping the 2022 Scatter Swine campaign at its perimeter.

URL rewriting and time-of-click sandboxing at the SEG

Microsoft Defender for Office 365 Safe Links, Proofpoint URL Defense, and Mimecast equivalents rewrite every URL through a proxy and re-evaluate it at click time. This blocks delayed-weaponization attacks where the link is benign at delivery and malicious at click. Pair with attachment sandboxing for macro-laden Office files, ISO containers, and HTML smuggling payloads. URL rewriting does nothing for a URL carried inside a QR code image, so the gateway must also decode QR codes in attachments and inline images and push the decoded URL through the same checks.

Threat-intel-fed DNS filtering and EDR

Cisco Umbrella, Cloudflare Gateway, and Quad9 with intel feeds block resolution to known phishing infrastructure before the browser ever loads the page. Pair with EDR (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint) tuned to detect credential-harvesting browser behavior and OAuth consent abuse. The combination catches both the network indicator and the endpoint behavior even when the lure itself was novel.

Recurring role-based scenario exercises, not annual videos

Generic training plateaus inside two quarters. Role-based exercises that mirror current attacker tradecraft (deepfake video for finance, MFA-fatigue for IT help desk, OAuth consent for engineering, vendor-invoice changes for AP) keep the verification reflex live. SANS research shows monthly cadence cuts click rates from above 30% to under 5% inside 12 months. Reporting rate, the leading indicator most strongly correlated with breach resilience, climbs in parallel.

One-click report button and no-blame coaching

Install a Report Phish button in Outlook, Gmail, and the mobile mail apps. Publish median triage time and the count of confirmed phish caught in the previous month, so reporting feels useful rather than ignored. Coach repeat clickers privately with a 60-second microlesson tied to the exact pattern they missed. Public shaming kills the reporting culture you need; private coaching grows it. Most breaches that involve a phishing click also involve a delayed report; the gap, not the click, is the fault line.

Out-of-band verification for any payment or access change

Write a one-page policy that requires a callback to a published internal number before any wire change, banking detail update, MFA reset, payroll edit, or new vendor onboarding, regardless of the inbound channel. Adopt a code-word system for high-value finance requests so deepfake voice and video cannot complete the chain alone. Rehearse the policy with finance, AP, HR, and the help desk every quarter. The 2024 Arup loss was preventable by this single control.

Executive personal-device hardening and OSINT scrub

Whaling targets are researched through public profiles. Lock down executive LinkedIn (turn off followers, scrub speaking schedules), enroll personal phones in MDM if used for work mail, enforce passkeys on personal Apple and Google IDs that hold work data, and commission an OSINT pass to identify lookalike domain registrations and impersonating social accounts. The human firewall framing applies most sharply at the top of the org chart: one CFO who follows the verification reflex prevents the eight-figure loss the rest of the program is designed to avoid.

How RansomLeak trains employees to spot phishing

RansomLeak runs immersive, scenario-based exercises rather than recorded videos and static quizzes. Every exercise drops the learner inside a simulated inbox, phone call, SMS thread, or video conference and forces a real decision under realistic pressure. The catalogue covers the full phishing surface: the core phishing exercise drills inspect-and-verify against AI-generated email lures, the spear-phishing exercise builds the same reflex against targeted pretexts, the smishing and vishing exercises move the muscle to mobile and voice channels, and the QR code phishing exercise covers the image-based bypass. Each scenario ends with immediate feedback that names the cues missed and the verification step that would have caught the real attack.

Coverage extends to the 2024 attack chain. The double-barrel phishing exercise drills the two-step pattern attackers use to bypass gateway scanning, the callback phishing exercise covers the reverse-vishing variant, the business email compromise exercise walks finance teams through the exact wire-instruction-change pattern that drove $2.9 billion in 2023 IC3 losses, and the whaling-with-a-deepfake exercise puts learners inside the Arup case with a spoofed email, a cloned-voice voicemail, and a deepfake video call. Every exercise ships as a SCORM 1.2 and SCORM 2004 package so it drops into Cornerstone, Workday Learning, Docebo, SAP SuccessFactors, or any standards-compliant LMS without integration work.

Programs are scoped by role rather than blasted to all-staff. Finance and AP get BEC, vendor-invoice, and deepfake-wire scenarios. IT and help-desk staff get vishing and MFA-reset pretexts. Engineering gets OAuth consent and AI coding assistant security risks. Executives and their assistants get whaling, deepfake video, and personal-device hardening. The result is a verification reflex that transfers across email, SMS, voice, QR, and video, measured by reporting rate and time-to-report rather than click rate alone, and refreshed monthly to track attacker tradecraft as it shifts.

How does phishing work, and why is it still effective?

Phishing is a fraudulent message that impersonates a trusted brand, colleague, or system to make a target click a link, share a credential, or approve a transaction. It bypasses endpoint controls by targeting human judgment under pressure. Verizon DBIR 2024 attributes 68% of breaches to a non-malicious human element, making phishing the dominant initial-access vector. Variants include email, spear phishing, vishing, smishing, quishing, whaling, and business email compromise.

Tradecraft has evolved sharply. LLMs removed the broken-English tell defenders relied on, and APWG recorded nearly 5 million phishing attacks in 2023. Adversary-in-the-middle kits like Evilginx and EvilProxy proxy live login flows and steal the post-MFA session cookie, defeating SMS, push, and TOTP factors. Voice cloning and deepfake video chained the attack in the 2024 Arup $25 million wire fraud.

Defense layers technical and human controls. Technical: DMARC at p=reject, phishing-resistant MFA (FIDO2 and passkeys), URL rewriting at the gateway, DNS filtering, and EDR. Human: role-based scenario exercises, a one-click report button, no-blame coaching, and out-of-band verification for any payment or access change. The frame is human risk management: measured behavior change at scale, not annual compliance videos.


Frequently Asked Questions

What security leaders ask about this threat.

What is the difference between phishing and spear phishing?

Phishing is the broad category of fraudulent message attacks that impersonate a trusted source. Bulk phishing fires one generic template at millions of inboxes and counts on a tiny conversion rate. Spear phishing crafts a single message for a single target, using reconnaissance from LinkedIn, breach dumps, and corporate directories to reference real projects, colleagues, and workflows.

Whaling is spear phishing aimed at executives. Business email compromise (BEC) is the financially motivated subcategory that targets finance and AP teams with payment-redirection pretexts. All four share the same psychological levers; they differ in targeting depth and payload.

How can I tell if an email is a phishing attempt?

Check the sender domain, not the display name. Lookalike domains use homoglyphs (rn for m, Cyrillic letters for Latin ones), the brand name as a subdomain or hyphenated token, or the right name on an unfamiliar top-level domain. Hover over every link on desktop, long-press on mobile, and read the full URL before tapping. Watch for urgency cues, authority pressure, requests for credentials or payment changes, and any first-contact sender asking for action.

Verify any unexpected request through a second channel: a phone call to a saved number, a Slack message to the real person, or a fresh email to a known address. The verification reflex matters more than any single cue, because AI-generated lures now defeat grammar and tone signals.
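The sender-domain check described in this answer and in the delivery step above, as an added example that is not the page's own code: it parses the From: header, folds punycode, Cyrillic confusables and ASCII homoglyphs into a canonical form, strips subdomains down to the registrable domain, and classifies the result against a protected brand list. The brand list, the suffix list and the sample headers are constructed; a real deployment would use the Public Suffix List for registrable-domain extraction and a fuller confusables table.

```python
"""Classify a From: header the way the answer above tells a reader to: by the
address domain, not the display name, with homoglyphs and cousin domains folded.

Added example, not the page's own code. The brand list, suffix list and the
sample headers are constructed; a real deployment would use the Public Suffix
List for registrable-domain extraction and a fuller confusables table.
"""
import re
import unicodedata
from email.utils import parseaddr

PROTECTED = {"example.com", "paypal.com", "okta.com", "apple.com"}  # assumed brand list
MULTI_PART_SUFFIXES = {"co.uk", "com.au", "co.jp"}                   # stand-in for the PSL
CYRILLIC_CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
})
ASCII_DIGITS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
ASCII_PAIRS = (("rn", "m"), ("vv", "w"))


def registrable(domain: str) -> str:
    """Registrable domain: last two labels, or three under a multi-part suffix."""
    labels = domain.lower().strip(".").split(".")
    depth = 3 if ".".join(labels[-2:]) in MULTI_PART_SUFFIXES else 2
    return ".".join(labels[-depth:])


def fold(domain: str) -> str:
    """Canonical ASCII form: decode punycode, strip accents, map confusables."""
    try:
        domain = domain.encode("ascii").decode("idna")   # xn--pple-43d.com -> аpple.com
    except UnicodeError:
        pass                                             # already Unicode or not IDNA
    domain = unicodedata.normalize("NFKD", domain.lower())
    domain = "".join(c for c in domain if not unicodedata.combining(c))
    domain = domain.translate(CYRILLIC_CONFUSABLES).translate(ASCII_DIGITS)
    for pair, single in ASCII_PAIRS:
        domain = domain.replace(pair, single)
    return domain


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> dict:
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return {"domain": None, "verdict": "no-address", "target": None}
    domain = addr.rsplit("@", 1)[1].lower().strip(".")
    reg = registrable(domain)
    if reg in PROTECTED:
        # Same domain as the brand: still only trustworthy if DMARC passed at the gateway.
        return {"domain": domain, "verdict": "protected-domain", "target": reg}
    folded_full, folded_reg = fold(domain), fold(reg)
    name = folded_reg.split(".")[0]
    for brand in sorted(PROTECTED):
        brand_name = brand.split(".")[0]
        if folded_reg == fold(brand):
            return {"domain": domain, "verdict": "homoglyph", "target": brand}
        if name == brand_name:
            return {"domain": domain, "verdict": "tld-swap", "target": brand}
        if brand_name in re.split(r"[-.]", folded_full):
            return {"domain": domain, "verdict": "brand-embedded", "target": brand}
        if levenshtein(name, brand_name) <= (2 if len(brand_name) >= 6 else 1):
            return {"domain": domain, "verdict": "near-miss", "target": brand}
    display_tokens = set(re.split(r"[^a-z0-9]+", display.lower()))
    for brand in sorted(PROTECTED):
        if brand.split(".")[0] in display_tokens:
            return {"domain": domain, "verdict": "brand-in-display-name", "target": brand}
    return {"domain": domain, "verdict": "unrelated", "target": None}


SAMPLE_HEADERS = [                                   # constructed
    '"IT Help Desk" <reset@okta.com>',
    "PayPal <service@paypal-secure.co>",
    "Okta <no-reply@exarnple.com>",
    "Okta Security <alerts@okta.com.reset-portal.net>",
    '"Jane Doe (CFO)" <jane.doe@exampel.com>',
    "PayPal Support <support@gmail.com>",
    "Apple <billing@" + "\u0430pple.com".encode("idna").decode() + ">",  # Cyrillic a, as punycode
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{header:55} -> {classify_sender(header)}")
```

Each verdict maps to a different lure in the text: rn-for-m and the Cyrillic a fold to the brand (homoglyph), paypal-secure and okta.com.reset-portal embed the brand, exampel is one transposition away (near-miss), and the gmail sender carries the brand only in the display name. A protected-domain verdict is not a pass on its own; it is the case DMARC enforcement has to cover.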

Does MFA stop phishing?

Traditional MFA (SMS codes, push prompts, TOTP authenticator apps) does not stop modern phishing. Adversary-in-the-middle kits like Evilginx and Modlishka proxy the real login flow, so the user types a real password and approves a real MFA prompt while the kit harvests the post-authentication session cookie. The attacker replays the cookie and the session is live.

Phishing-resistant MFA (FIDO2 hardware keys and platform passkeys) does stop these attacks. The cryptographic challenge is bound to the legitimate domain, so a fake login page cannot complete the handshake. Cloudflare publicly credited mandatory hardware keys with blocking the 2022 Scatter Swine campaign at its perimeter.
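Why the origin binding described here and in the "Deploy phishing-resistant MFA" section stops an adversary-in-the-middle proxy, as an added example that is not code from the page or from any vendor. It models the relying party's checks on the clientDataJSON and authenticatorData a browser returns from navigator.credentials.get(): the RP ID, origins and challenge are constructed, and signature verification over authenticatorData || SHA-256(clientDataJSON) is left out (in a real RP it is what makes the checked fields tamper-evident).

```python
"""Why an adversary-in-the-middle proxy cannot finish a FIDO2/WebAuthn login.

Added example, not code from the page or from any vendor. It models the
relying-party (RP) checks on the clientDataJSON and authenticatorData a
browser returns from navigator.credentials.get(). RP ID, origins and the
challenge are constructed. Signature verification over
authenticatorData || SHA-256(clientDataJSON) is left out; in a real RP it is
what makes the fields below tamper-evident.
"""
import base64
import hashlib
import json
import os

RP_ID = "sso.example.com"                      # assumed relying-party ID
ALLOWED_ORIGINS = {"https://sso.example.com"}  # the only origin that may complete a ceremony


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_assertion(page_origin: str, challenge: bytes) -> dict:
    """Model the client side. The browser, not the page, writes the origin into
    clientDataJSON, and the authenticator hashes the RP ID the browser derived
    from that origin. A phishing page on another origin cannot change either."""
    rp_id = page_origin.removeprefix("https://").split("/")[0]
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": page_origin,
        "crossOrigin": False,
    }).encode()
    flags = b"\x05"                        # bit 0 user present, bit 2 user verified
    sign_count = (1).to_bytes(4, "big")
    authenticator_data = hashlib.sha256(rp_id.encode()).digest() + flags + sign_count
    return {"clientDataJSON": b64url(client_data), "authenticatorData": b64url(authenticator_data)}


def verify_assertion(assertion: dict, expected_challenge: bytes) -> tuple:
    """Relying-party checks from the WebAuthn spec, in order; returns (ok, reason)."""
    client_data = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch: replayed or stale response"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin} is not the RP origin: proxied login page"
    auth_data = b64url_decode(assertion["authenticatorData"])
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the RP ID"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    challenge = os.urandom(32)              # issued by the RP for this one login
    legit = browser_assertion("https://sso.example.com", challenge)
    proxied = browser_assertion("https://sso.exarnple-login.com", challenge)  # AiTM lookalike host
    print("legitimate:", verify_assertion(legit, challenge))
    print("through proxy:", verify_assertion(proxied, challenge))
    print("replayed later:", verify_assertion(legit, os.urandom(32)))
```

Against the lookalike host the response fails on origin (and would fail on rpIdHash next), and a response captured once cannot be replayed because the challenge is single-use. In practice the browser refuses even earlier, since the credential is scoped to sso.example.com and is not offered to a page on another RP ID; the RP-side checks are the defense in depth behind that. Contrast a TOTP code or a push approval, which carry no origin at all and so work wherever the proxy forwards them.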

What does AI-generated phishing look like?

It looks correct. Large language models removed the broken-English, awkward-phrasing, and template-cloning signals that defenders trained users to spot. AI-drafted lures match the target language fluently, mirror the tone of a colleague the attacker has read on LinkedIn, and customize references to real projects, calendar events, or reporting lines. Voice cloning extends the attack to live calls; a 30-second sample is enough.

The 2024 Arup case ran the full chain: an email pretext, a vishing follow-up, and a deepfake video call with cloned executives that authorized a $25 million wire. Detection now relies on verification reflex and policy controls, not on spotting linguistic tells.

How do I train my team to recognize phishing?

Replace annual compliance videos with monthly role-based scenario exercises that mirror current attacker tradecraft. Finance and AP need BEC and deepfake-wire scenarios; IT help-desk staff need vishing and MFA-reset pretexts; engineering needs OAuth consent and AI assistant prompt-injection patterns; executives need whaling and deepfake video. Track reporting rate and time-to-report as primary KPIs, not just click rate.

Pair the exercises with a one-click Report Phish button, no-blame coaching for repeat clickers, and an out-of-band verification policy for any payment or access change. SANS research shows monthly cadence cuts click rates from above 30% to under 5% inside 12 months.

What should an employee do after they click a phishing link?

Stop typing immediately, even if the page looks like a real login. Do not enter credentials, do not approve any MFA prompt, and do not download or open any file the page offers. Disconnect the device from corporate networks (turn off WiFi, unplug the cable) and report the incident to the security team or help desk through the published reporting channel right away.

If credentials were entered, the security team will rotate the password, revoke active sessions, audit OAuth consents, and check for new mail-forwarding rules in the mailbox. Speed matters: the gap between click and report is the window an adversary-in-the-middle attacker uses to land the session cookie. There is no penalty for fast reporting; the penalty lives in the silence.
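The post-click audit listed here (and the forwarding-rule and OAuth consent persistence described under lateral movement above), as an added example that is not the page's own code: it scores inbox-rule and application-consent audit records for the tells of a BEC monitoring rule or a token that outlives a password reset. The records are constructed and use a simplified shape (Operation, UserId, Parameters as Name/Value pairs, Scopes) modelled on Exchange Online and Entra ID audit entries; map a real export onto these fields before calling hunt().

```python
"""Hunt mailbox audit records for the persistence this page describes: inbox
rules that forward or hide mail, and OAuth consents that outlive a password reset.

Added example, not the page's own code. The records are constructed and use a
simplified shape (Operation, UserId, Parameters as Name/Value pairs, Scopes)
modelled on Exchange Online and Entra ID audit entries; map a real export
onto these fields before calling hunt().
"""
INTERNAL_DOMAINS = {"example.com"}             # assumed
ALLOWLISTED_APPS = {"Approved Backup Tool"}    # assumed: apps already reviewed by security
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
CONSENT_OPERATION = "Consent to application."
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "archive", "junk email", "deleted items"}
FINANCE_WORDS = {"invoice", "wire", "payment", "bank", "remittance", "ach", "swift"}
MAIL_SCOPES = {"mail.read", "mail.readwrite", "mail.send", "mailboxsettings.readwrite", "offline_access"}


def rule_params(record: dict) -> dict:
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def external_recipients(value: str) -> list:
    """Addresses in a ForwardTo/RedirectTo value whose domain is not ours."""
    out = []
    for item in value.replace(";", ",").split(","):
        item = item.strip().strip("<>").lower()
        if "@" in item and item.rsplit("@", 1)[1] not in INTERNAL_DOMAINS:
            out.append(item)
    return out


def score_rule(record: dict) -> tuple:
    """Weight the tells of a BEC monitoring rule; returns (score, reasons)."""
    p = rule_params(record)
    score, reasons = 0, []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        ext = external_recipients(p.get(key, ""))
        if ext:
            score += 3
            reasons.append(f"{key} to external {', '.join(ext)}")
    if p.get("DeleteMessage", "").lower() == "true":
        score += 2
        reasons.append("DeleteMessage: victim never sees the mail")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        score += 2
        reasons.append(f"MoveToFolder hides mail in '{p['MoveToFolder']}'")
    if p.get("MarkAsRead", "").lower() == "true":
        score += 1
        reasons.append("MarkAsRead: no unread badge")
    words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").replace(";", ",").split(",")}
    hits = sorted(words & FINANCE_WORDS)
    if hits:
        score += 2
        reasons.append(f"finance keywords {hits}")
    if len(p.get("Name", "").strip()) <= 2:   # attackers often name rules '.' or 'a'
        score += 1
        reasons.append("near-empty rule name")
    return score, reasons


def score_consent(record: dict) -> tuple:
    """Flag mailbox-scope consents to apps nobody reviewed; offline_access adds a refresh token."""
    app = record.get("AppDisplayName", "")
    scopes = {s.lower() for s in record.get("Scopes", "").split()}
    risky = sorted(scopes & MAIL_SCOPES)
    if app in ALLOWLISTED_APPS or not risky:
        return 0, []
    return 3 + (2 if "offline_access" in risky else 0), [f"unreviewed app '{app}' granted {risky}"]


def hunt(records: list, threshold: int = 3) -> list:
    alerts = []
    for r in records:
        op = r.get("Operation")
        if op in RULE_OPERATIONS:
            score, reasons = score_rule(r)
        elif op == CONSENT_OPERATION:
            score, reasons = score_consent(r)
        else:
            continue
        if score >= threshold:
            alerts.append({"user": r.get("UserId"), "operation": op, "score": score, "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["score"])


SAMPLE_RECORDS = [   # constructed
    {"Operation": "New-InboxRule", "UserId": "ap.clerk@example.com", "Parameters": [
        {"Name": "Name", "Value": "."},
        {"Name": "SubjectContainsWords", "Value": "invoice;wire;bank"},
        {"Name": "ForwardTo", "Value": "ap.clerk.backup@outlook.com"},
        {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "Parameters": [
        {"Name": "Name", "Value": "Newsletters"},
        {"Name": "SubjectContainsWords", "Value": "digest"},
        {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "cfo@example.com", "Parameters": [
        {"Name": "Name", "Value": "a"},
        {"Name": "SubjectContainsWords", "Value": "payment, remittance"},
        {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
        {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "Consent to application.", "UserId": "dev@example.com",
     "AppDisplayName": "Mail Sync Helper", "Scopes": "User.Read Mail.ReadWrite offline_access"},
    {"Operation": "Consent to application.", "UserId": "ops@example.com",
     "AppDisplayName": "Approved Backup Tool", "Scopes": "Mail.Read offline_access"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_RECORDS):
        print(alert["score"], alert["user"], alert["operation"], alert["reasons"])
```

The AP clerk's rule (external forward, delete, finance keywords, one-character name) scores highest, the CFO's hide-in-RSS rule follows, and the unreviewed Mail.ReadWrite plus offline_access consent is the one a password rotation alone would not close: the refresh token keeps working until the consent is revoked.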


Train Your Team Against This Threat

Book a 30-minute walkthrough. We will scope the exercise sequence and rollout timeline.