Phishing in 2025: Old Tricks, New Tactics


It's a beautiful summer morning in May 2024. Jane sits at her desk, sunlight flickering across her workspace. She takes a sip of her coffee and looks across her very busy office. Her phone suddenly chimes.

She opens a text message, apparently from Okta Security, warning her that someone has logged into her account from an unknown device. It tells her she needs to log in through the attached link to secure her account. She clicks, and it opens a login page. The logo, the colour scheme, the grammar and the font: everything looks legit.

The site asks for her email and password to verify it's actually her. She enters her details, and the page tells her she has stopped the attack. Jane turns off her phone, glad she has secured her account. Or so she thinks.

Across the world, Jane was unknowingly one of thousands of people who took part in a massive phishing campaign orchestrated by a threat group known as 0ktapus. The campaign spanned more than a year, leaving a sea of casualties behind it. The result? Over 130 companies fell victim, including Microsoft, Epic Games, Twitter, Coinbase, AT&T, and Cloudflare.

But what is phishing? And why was this attack so successful?

Phishing 101

Fishes | Credit: Annie Spratt

Phishing is a cyberattack in which an attacker uses a contact medium such as email, text messages, or phone calls to trick you into handing over sensitive information in some form. It's worth noting that phishing takes many forms and shapes, including:

  • Spear phishing (targeted emails)
  • Bulk phishing (mass mailing)
  • Whaling (targeting executives)
  • Smishing (text messages)
  • Vishing (voice calls)
  • Quishing (QR code phishing)

And while you may think it's pretty easy to spot a fake email or call, or to simply stop scanning QR codes, it's not that simple. According to Verizon's 2025 Data Breach Investigations Report, phishing accounts for 17% of all data breaches and 44% of all ransomware incidents worldwide. And so the million-dollar question:

Why is it so effective?

Old Tricks Still Work

An Optical Illusion | Credit: Shubham Dhage

The fundamentals of phishing haven't changed; only the packaging has. At its heart, phishing exploits not technology but human nature. It plays on our tendencies as a species towards fear, urgency, curiosity, and even greed.

For example, how would you feel seeing an email from your bank claiming "suspicious activity on your account"? The fear of losing your money may drive you to quick and sometimes irrational actions. Threat actors understand this better than anyone.

They pretend to be your trusted contacts, embed malicious links, or attach infected documents to messages. Smishing in particular has grown explosively as people have shifted from desktops to smartphones, with a 2025 Proofpoint survey finding that 75% of organizations reported at least one smishing attempt in the last year alone.

Defenders have largely caught up. Modern spam filters now intercept most phishing attempts before they ever reach our inboxes. Organisations have fortified their lines with multi-factor authentication, Zero Trust frameworks, and strict domain authentication records. Yet the story doesn't end there, because as defenders improve, so do the attackers.

New Tricks in 2025

Emails | Credit: Le Vu

Phishing isn't what it used to be. The days of badly written "Nigerian prince" emails are long gone. Today's scams are polished, data-driven, and in some cases frighteningly personal. Attackers have evolved, and their favourite new ally is generative AI. Some of the new techniques in their playbook include:

  1. AI-Generated Phishing
  2. Phishing Through Collaboration Tools
  3. Multi-Channel Attacks

AI-Generated Phishing

With large language models now freely accessible, attackers can generate perfectly written, context-aware British (or American) English emails in seconds. These messages can be adapted to regional slang, mimic corporate tone, and even adjust vocabulary to the target's profession. An employee in finance might get a convincingly worded 'invoice discrepancy' email, while a software engineer might receive one about a 'critical GitHub update'. Deepfakes have also become quite convincing, adding an extra layer of authenticity.

For example, in 2024 a major UK engineering firm lost over £20 million ($25 million) after an AI-generated deepfake of the company's CFO approved a fraudulent wire transfer during a video meeting. The scary part was that the meeting had multiple participants, and only the victim was a real person. Every other 'person' was a deepfake of another employee, showing just how sophisticated the attack was. It was like something pulled from the script of Money Heist.

Phishing Through Collaboration Tools

Phishing no longer confines itself to email. Attackers now target workplace chat platforms like Slack, Microsoft Teams, and Discord, blending into the casual chatter. A simple "Can you check this link before the meeting?" can open the door to disaster.

One example is a campaign by Curly Spider and STAC5143, two APTs (Advanced Persistent Threat groups), in late 2024. Sophos found that both groups were using Microsoft Office tools, particularly Teams and the Office 365 platform, to send mail, deploy malware, and carry out their activities within their target organisations.

Multi-Channel Attacks

The latest phishing campaigns are like hydras: cut off one head, and another appears elsewhere. A victim might first receive a phone call (vishing) from a "bank representative", followed by an email confirming the conversation, and finally a text message with a "secure link". By layering channels, attackers create a narrative that feels authentic. Even if one method doesn't work, the others can be quite convincing. It's social engineering with an Ocean's Eleven ring to it.

Take Pepco's phishing incident, for instance. In February 2024, Pepco disclosed a sophisticated fraudulent phishing attack that cost its Hungarian business roughly £12.2 million ($16.3 million). Pepco's public statement didn't list the exact sequence of steps used by the fraudsters, but incidents of that scale generally follow a multi-channel choreography: a carefully timed email or invoice request to create context, a corroborating phone call from someone posing as a vendor or bank official, and then a final message (email or text) containing payment instructions.

Practical Defence Strategies

If all this sounds terrifying, it's because it is. But the good news is that you have ways to defend yourself too. While technology helps, the human element remains central. After all, phishing is a mind game rather than a software game. Here are a few tactics:

Recognize the Signs

In 2025, phishing messages look legitimate, but subtle clues remain. Unexpected requests for login credentials, slightly mismatched URLs, or urgency in tone are all red flags. Some messages even appear to come from verified domains, but hovering over a link can reveal a destination that looks very different from the text displayed.

Tip: Always pause before you click. Scepticism is the best antivirus.
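The "hover and compare" check above can be automated for incoming HTML mail. The following is an added example, not code from the article or from any vendor: it extracts every link, flags anchors whose visible text names one host while the href points to another, and flags punycode (xn--) hosts, which can hide look-alike domains. The sample message, the example.net/example.org hosts and the Okta-themed lure are constructed for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an "Okta Security" lure whose visible link text claims
# login.okta.com while the href actually points at a different host.
SAMPLE_HTML = """
<p>We noticed a login from an unknown device.</p>
<p>Secure your account here:
   <a href="https://okta-security-verify.example.net/login">https://login.okta.com</a></p>
<p>Questions? See <a href="https://help.okta.com/">help.okta.com</a>.</p>
<p>Or contact <a href="https://xn--pple-43d.example.org/">Apple Support</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lowercase host of a URL, or of a bare 'host/path' string; '' if none."""
    if "://" not in text:
        text = "https://" + text
    return (urlparse(text).hostname or "").lower()


def registrable(host):
    """Crude registrable domain: the last two labels (fine for .com-style names)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_links(html):
    """Return (href, reason) pairs for links that deserve a second look."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real = host_of(href)
        # Treat the anchor text as a "claimed host" only when it looks like one.
        shown = host_of(text) if ("." in text and " " not in text) else ""
        if any(label.startswith("xn--") for label in real.split(".")):
            findings.append((href, "punycode host (possible look-alike domain)"))
        if shown and registrable(shown) != registrable(real):
            findings.append((href, f"shows {shown} but really goes to {real}"))
    return findings
```

Running `check_links(SAMPLE_HTML)` flags the Okta-themed link and the punycode link and leaves the genuine help.okta.com link alone; the two-label registrable-domain heuristic is deliberately simple and would need a public-suffix list for names like example.co.uk.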

Train Continuously

Security awareness training isn't just for IT anymore. It's for marketing, accounting, and anyone else on the payroll. Modern phishing simulations test employees in real-world scenarios. KnowBe4's 2025 Phishing Report found that consistent phishing awareness programs lowered organisations' Phish-Prone Percentage (PPP) by as much as 86% over a year, with lasting improvement across all industries.

Strengthen Technical Barriers

Multi-Factor Authentication (MFA) still matters, though it's not invincible. Attackers can exploit "MFA fatigue", bombarding users with repeated push-approval prompts until they relent and tap approve. To counter this, implement number-matching MFA (the user must enter a number shown on the login screen, so a blind approval is not enough), context-based authentication, and device recognition.

AI-based email filters are also improving, analysing not just content, but behavioural patterns and detecting anomalies based on sender timing, tone, or context.

Build a Culture of Vigilance

The best defence isn't software but the humans operating it. Encourage employees (and executives) to verify requests through an alternate channel. A quick phone call to a known number or an in-person check can prevent million-dollar losses. Celebrate users who report suspicious messages, and make cybersecurity awareness part of the company DNA.

Conclusion

The prevalence of phishing isn't just a testament to the ingenuity of attackers. It's a reminder that the weakest link in cybersecurity is still human trust. As technology grows smarter, so do attackers, adapting old tricks to new tools.

But if there's one thing it has taught us, it's that awareness evolves too. The same AI used to create phishing messages is now being trained to detect them. Security teams are becoming storytellers, educators, and behavioural analysts all at once.

Phishing will never truly disappear. It will simply change form. The challenge, then, is not to eliminate it but to evolve beyond it. In the end, cybersecurity isn't just about firewalls and filters, but about cultivating what every good fisherman fears most: a world that no longer takes the bait.


And with that, cyber ladies and gentlemen, we have come to the end of this article. If you liked it, share it, give us a shoutout on social media, or discover more about the world of cybersecurity here at Sycom Academy.

Cover Image: Anne Nygård
