Phishing Explained: How to Spot and Stop Online Scams

November 21, 2025

Modern phishing scams have become harder to spot, often using language, branding, and sender details that closely mimic legitimate communications. And as cybercriminals adopt AI-driven tactics, scams are becoming faster, smarter, and more convincing.

This guide breaks down how phishing works, what it looks like in 2025, and how both individuals and businesses can spot and stop it. We'll explore the latest phishing stats, common techniques, and the tools available to protect your data. 

We’ll discuss: 

  • Phishing in the modern age
  • What are the latest statistics on phishing attacks?
  • How do phishing scams impact businesses and individuals?
  • What are the most common phishing techniques?
  • How can you recognise phishing attempts?
  • What tools are available to prevent phishing?

Let’s start from the top.

Phishing in the modern age

Phishing attacks have come a long way from the mass email spam tactics of the early 2000s. Today, attackers use highly targeted techniques, sometimes powered by artificial intelligence, to create messages that closely resemble legitimate communications. These scams aren’t just more convincing: they’re often tailored to specific people or organisations using details gathered from public sources, breached data, or social media.

Instead of quantity, today’s phishing scams rely on quality: well-researched, well-written emails that can be hard to distinguish from the real thing. Some impersonate colleagues or suppliers; others mimic well-known services like Microsoft, Google, or Amazon.

The line between a real message and a fake one has never been blurrier - and that’s exactly the point. In this environment, protecting yourself requires more than just spam filters. It demands a combination of awareness, vigilance, and up-to-date security tools that can detect threats in real time.

What are the latest statistics on phishing attacks?

Phishing is still one of the most widespread and destructive cyber‑threats businesses and individuals face. Recent data shows the problem is not only persisting, but also evolving in scale and sophistication.

  • In Q2 2025 the Anti‑Phishing Working Group (APWG) logged over 1.13 million unique phishing attacks, up from about 1.00 million in Q1 2025.

  • Phishing remains the top reported breach vector in 2025, accounting for 31% of all reported security breaches to date.

  • A UK government survey found that 37% of businesses reported receiving a phishing attack in the past 12 months in 2025, down slightly from 2024, but still representing hundreds of thousands of organisations.

  • Breach costs remain high: IBM’s 2025 Cost of a Data Breach report puts the global average cost of a breach at roughly US $4.4 million, and breaches that begin with phishing are consistently among the most expensive.

These figures show that, while individual metrics move up and down from year to year, phishing remains a large-scale and evolving threat.

How do phishing scams impact businesses and individuals?

The damage caused by phishing extends far beyond a single compromised inbox. For businesses, phishing can trigger data breaches, operational downtime, financial loss, and long-term damage to brand trust. A successful attack may result in the loss of customer data, intellectual property, or credentials that open the door to wider system access.

According to IBM’s 2025 Cost of a Data Breach report, the global average cost of a data breach is $4.4 million, with phishing among the most common and most expensive initial attack vectors, and the reputational damage can be just as severe. Clients, partners, and stakeholders are less likely to continue working with a company that fails to safeguard sensitive information.

For individuals, the risks are equally serious. Phishing can lead to identity theft, unauthorised bank transactions, credit fraud, or even full account takeovers. In many cases, recovering from these scams can take months, especially when personal data ends up on the dark web.

But beyond the immediate damage, phishing often acts as the gateway to broader cyberattacks, such as ransomware infections or business email compromise (BEC). Once an attacker gains access through a phishing email, they may move laterally across systems, collecting more data or planting malware undetected.

What are the most common phishing techniques?

Phishing scams come in many forms, some obvious, others deceptively subtle. Here are the most common techniques currently used by cybercriminals:

Email phishing

This is the most well-known form. Attackers send mass emails that look like they’re from trusted organisations, such as banks, online retailers, or even government agencies. The emails typically contain urgent requests to update account information or click on suspicious links.

Spear phishing

Unlike generic email phishing, spear phishing is highly targeted. Attackers research their victims, crafting personalised messages using names, job roles, or even recent business activity to appear legitimate. These attacks are often used to breach business networks.

Whaling

Whaling is spear phishing aimed at high-ranking executives or senior decision-makers. The goal is often to extract sensitive company data, authorise fraudulent payments, or compromise strategic accounts.

Smishing (SMS phishing)

Smishing uses text messages instead of email. The messages often mimic service alerts from banks or delivery services, urging recipients to click malicious links or enter credentials on fake websites.

Vishing (Voice phishing)

Vishing scams happen over the phone. Callers may impersonate IT support or government agencies, attempting to trick victims into revealing passwords or granting remote access to devices.

Clone phishing

In clone phishing, a legitimate email is replicated and slightly altered, typically by swapping out a safe link or attachment with a malicious one. The altered email appears as a follow-up or resend, making it more believable.

Spoofed websites

Cybercriminals create fake websites that closely mirror real ones, hosted on domains that are nearly identical to the legitimate versions. Victims who enter login credentials or payment details are handing them directly to the attacker. A padlock icon is no reassurance here: attackers obtain valid TLS certificates for their lookalike domains as easily as anyone else, so HTTPS only tells you the connection is encrypted, not who is on the other end.

How to recognise phishing attempts

Phishing scams can be surprisingly convincing. The messages often look like they’re from a service you trust, like your bank, a colleague, or even a delivery company, but something’s off. Knowing how to spot the signs early is one of the most effective ways to protect yourself or your business from falling into the trap.

Here’s what to look for:

Generic or unfamiliar greetings

Phishing emails often start with vague salutations like “Dear customer” or “Dear user,” rather than addressing you by name. While not always a red flag on its own, it’s worth paying closer attention if the rest of the message feels off.

Urgency or pressure tactics

Many phishing attempts use language designed to panic you, like “Your account has been suspended,” “Urgent action required,” or “Confirm your details within 24 hours.” This is a tactic to get you to act before thinking clearly.

Unexpected requests for personal information

Legitimate organisations do not ask you to send or confirm passwords, full bank details, or login credentials by email or text, and a genuine security alert will direct you to log in through the service’s own app or website rather than through a link in the message. If a message asks you to reply with or enter these details, treat it as a scam.

Suspicious attachments or links

Phishing emails often include links or attachments designed to install malware or harvest credentials. The visible link text can say one thing while the underlying address points somewhere else, so hover your cursor over a link before clicking (on a phone, press and hold to preview it); if the destination doesn’t match the sender or looks unfamiliar (a slightly misspelt domain, a brand name buried inside a longer domain, or a URL shortener that hides the real target), don’t click. When in doubt, open the service by typing its address yourself.

Poor grammar and spelling

Professional organisations typically maintain a high standard in their communications, so typos, awkward phrasing, or inconsistent formatting can be a sign that an email isn’t genuine. The reverse doesn’t hold: with AI-written lures, flawless English is no longer evidence that a message is legitimate, so don’t rely on this check alone.

Inconsistent sender address

Check the sender’s actual email address, not just the display name, which the sender can set to anything. A message claiming to be from Microsoft but sent from a Gmail account, or from a domain with subtle misspellings (like “micr0soft-support.com”), should raise a red flag. Bear in mind that if the impersonated organisation hasn’t enforced email authentication, the From address can be forged outright, so a correct-looking address is necessary but not sufficient.

Requests to download software or enable macros

Be especially wary of emails asking you to download a file or enable macros in a document; this is a common method used to install malware on your device.
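Putting the checks above into code: the following script is an added example, not part of the original article or any Lyon Tech product. It parses a constructed sample message (the sender, Reply-To, link and wording are all made up for this example) and reports the same red flags discussed here: a lookalike sender domain, a Reply-To that doesn’t match the sender, pressure language, a generic greeting, and link text that disagrees with where the link actually points. The TRUSTED_DOMAINS allowlist and the phrase lists are assumptions you would tune for your own organisation.

```python
"""Heuristic red-flag scan of a raw email. Added example; the sample message,
the TRUSTED_DOMAINS allowlist and the phrase lists are assumptions."""
from __future__ import annotations
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure (not a real message): lookalike sender domain,
# mismatched Reply-To, pressure language, generic greeting, disguised link.
SAMPLE_EMAIL = """\
From: "Microsoft Account Team" <security@micr0soft-support.com>
Reply-To: helpdesk@mail-relay.example.net
To: jane.doe@example.co.uk
Subject: Urgent action required: your account has been suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer,</p>
<p>Confirm your details within 24 hours or your account will be closed.</p>
<p><a href="http://login.micr0soft-support.com/verify">https://login.microsoft.com</a></p>
</body></html>
"""

# Assumed allowlist of brands your organisation actually deals with.
TRUSTED_DOMAINS = {"microsoft.com", "google.com", "amazon.com"}
URGENCY = re.compile(r"\b(urgent|suspended|immediately|within \d+ hours|verify now)\b", re.I)
GENERIC_GREETING = re.compile(r"\bdear (customer|user|client|member|account holder)\b", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def lookalike_of(host: str) -> str | None:
    """Return the trusted domain `host` imitates, or None if it is genuine or
    unrelated. Folds the common substitutions 0->o, 1->l, rn->m, then looks for
    a trusted brand name inside any label of a host that is NOT that brand's
    own domain (catches micr0soft-support.com and microsoft.com.evil.net)."""
    host = host.lower().rstrip(".")
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return None  # the real domain or one of its subdomains
    folded = host.replace("0", "o").replace("1", "l").replace("rn", "m")
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if any(brand in label for label in folded.split(".")):
            return trusted
    return None


def scan_email(raw: str) -> list[str]:
    """Apply the red-flag checks and return one finding per string."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    sender = msg["From"].addresses[0]  # real address, not the display name
    if (target := lookalike_of(sender.domain)):
        flags.append(f"sender domain {sender.domain} imitates {target}")

    if msg["Reply-To"]:
        reply_domain = msg["Reply-To"].addresses[0].domain
        if reply_domain.lower() != sender.domain.lower():
            flags.append(f"Reply-To domain {reply_domain} differs from sender domain {sender.domain}")

    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = re.sub(r"<[^>]+>", " ", body)  # crude tag strip for phrase checks
    pressure = sorted({m.group(0).lower() for m in URGENCY.finditer(msg["Subject"] + " " + text)})
    if pressure:
        flags.append("pressure language: " + ", ".join(pressure))
    if GENERIC_GREETING.search(text):
        flags.append("generic greeting instead of your name")

    parser = LinkExtractor()
    parser.feed(body)
    for href, shown in parser.links:
        real_host = urlparse(href).hostname or ""
        if re.match(r"https?://", shown):  # visible text is itself a URL
            shown_host = urlparse(shown).hostname or ""
            if shown_host.lower() != real_host.lower():
                flags.append(f"link text says {shown_host} but points to {real_host}")
        if (target := lookalike_of(real_host)):
            flags.append(f"link host {real_host} imitates {target}")
    return flags


if __name__ == "__main__":
    for finding in scan_email(SAMPLE_EMAIL):
        print("FLAG:", finding)
```

Run it as-is to see the six findings for the sample, or pass scan_email() a raw message saved from your mail client. It is deliberately heuristic: the lookalike check folds a handful of common character swaps and flags a brand name appearing in a domain that isn’t the brand’s own, which catches micr0soft-support.com and microsoft.com.evil.net but not every homoglyph, and it trusts the From header as written, which is exactly what DMARC enforcement (covered later) is there to back up.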

What tools are available to prevent phishing?

Preventing phishing is no longer just about being cautious: it’s about building layers of security across your people, processes, and tech. The good news? There are a number of tools that can significantly reduce your risk.

Email filtering and threat detection

Modern email security tools, like Microsoft Defender for Office 365, Mimecast, or Proofpoint, scan inbound emails for malicious links, attachments, or spoofed sender addresses. They use real-time threat intelligence to flag suspicious content before it reaches your inbox.

AI-powered phishing protection

Many cybersecurity platforms now use machine learning to detect suspicious patterns in emails. These tools analyse behaviour, intent, and historical data to identify threats that traditional filters might miss. Some platforms also provide real-time link analysis, flagging sites that may have been safe yesterday but are compromised today.

Multi-factor authentication (MFA)

Even if credentials are compromised, MFA acts as a safety net. Requiring a second form of verification (like a code from your phone or a biometric scan) can stop attackers from gaining access with a stolen password alone. Not all MFA is equal, though: one-time codes sent by SMS or generated by an app can still be captured and replayed by a phishing page that relays your login to the real site in real time. Phishing-resistant methods such as FIDO2 security keys and passkeys are bound to the genuine website’s address and simply won’t work on a lookalike, so prefer them for email, administrator, and finance accounts.

Browser and URL protection

Some endpoint protection tools provide safe browsing features, warning users before they land on a known phishing site. Google Safe Browsing is built into Chrome, Firefox, and Safari and flags known malicious URLs, while DNS-layer services such as Cisco Umbrella can block requests to phishing domains before the page ever loads. These lists lag behind newly registered lookalike domains, so treat them as one layer rather than a guarantee.

User training and simulated phishing tests

One of the most effective ways to reduce phishing risk is education. Several platforms offer ongoing security awareness training and phishing simulations, helping staff learn how to recognise real-world threats in a controlled environment.

DMARC, SPF, and DKIM authentication

These email authentication protocols let receiving mail servers verify that a message really came from your domain: SPF publishes the servers allowed to send for it, DKIM signs outgoing messages so forgery and tampering can be detected, and DMARC tells receivers how to treat mail that fails those checks (and which domain the checks must match) and where to send reports. They protect only against attackers forging your exact domain, and only once your DMARC policy is set to quarantine or reject (p=none merely monitors); a lookalike domain such as “micr0soft-support.com” passes its own SPF and DKIM checks perfectly well. Configuring them correctly still matters: it stops your brand being used to phish your own customers and lets receivers drop forged mail before it reaches an inbox.
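To make the alignment rule concrete, here is an added example (not part of the original article or any vendor’s code) that evaluates DMARC the way a receiving mail server does, using constructed TXT records for the assumed domains example.com, weak-example.org and strict-example.net and constructed Authentication-Results headers. It shows why an SPF “pass” on its own proves nothing: the spoofed message passes SPF for the attacker’s own sending domain, but that domain doesn’t align with the From header, so DMARC fails and a p=reject policy tells the receiver to drop it, while the identical message against a p=none domain is delivered.

```python
"""DMARC evaluation against Authentication-Results: an added example.
Every record, domain and header here is constructed for illustration."""
from __future__ import annotations
import re

# Constructed TXT records for the assumed domains (not real DNS data).
# The DKIM key record is shown for completeness only: signature verification
# happens in the inbound MTA, which records the outcome in Authentication-Results.
DNS_TXT = {
    "example.com": "v=spf1 include:_spf.example-mailer.net -all",
    "mail._domainkey.example.com": "v=DKIM1; k=rsa; p=<base64 public key omitted>",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=r; adkim=r; rua=mailto:dmarc-reports@example.com",
    "_dmarc.weak-example.org": "v=DMARC1; p=none; rua=mailto:dmarc-reports@weak-example.org",
    "_dmarc.strict-example.net": "v=DMARC1; p=quarantine; aspf=s; adkim=s",
}

# Constructed headers as an inbound MTA (mx.example.co.uk) would add them.
LEGIT_AR = ("mx.example.co.uk; spf=pass smtp.mailfrom=bounce@bounce.example.com; "
            "dkim=pass header.d=example.com header.s=mail")
# The attacker forges From: @example.com but sends from infrastructure they
# control, so SPF passes for THEIR domain and there is no example.com signature.
SPOOF_AR = "mx.example.co.uk; spf=pass smtp.mailfrom=bounce@attacker-mail.example.net; dkim=none"


def parse_tags(record: str) -> dict[str, str]:
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, approximated as the last two labels.
    A production implementation consults the Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organisational domain."""
    if mode.lower() == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(header: str) -> dict[str, tuple[str, str]]:
    """Pull spf/dkim results and their authenticated domains out of an
    Authentication-Results header (RFC 8601 layout)."""
    results: dict[str, tuple[str, str]] = {}
    for clause in header.split(";")[1:]:  # the first clause is the authserv-id
        m = re.match(r"\s*(spf|dkim)=(\w+)(.*)", clause, re.I)
        if not m:
            continue
        method, result, rest = m.group(1).lower(), m.group(2).lower(), m.group(3)
        d = re.search(r"(?:smtp\.mailfrom|header\.d)=([\w.@-]+)", rest, re.I)
        domain = d.group(1).split("@")[-1] if d else ""
        results[method] = (result, domain)
    return results


def dmarc_evaluate(from_domain: str, auth_header: str, dns: dict[str, str]) -> tuple[bool, str]:
    """Return (dmarc_pass, disposition). Disposition is what the receiver should do
    if the message fails: 'none', 'quarantine' or 'reject'; 'no-policy' means the
    From domain publishes no DMARC record, so nothing is enforced."""
    record = dns.get(f"_dmarc.{from_domain}") or dns.get(f"_dmarc.{org_domain(from_domain)}")
    tags = parse_tags(record) if record else {}
    if tags.get("v", "").upper() != "DMARC1":
        return False, "no-policy"
    results = parse_auth_results(auth_header)

    def passes(method: str, mode: str) -> bool:
        # A method counts only if it passed AND its domain aligns with the From domain.
        result, domain = results.get(method, ("none", ""))
        return result == "pass" and bool(domain) and aligned(domain, from_domain, mode)

    if passes("spf", tags.get("aspf", "r")) or passes("dkim", tags.get("adkim", "r")):
        return True, "none"
    return False, tags.get("p", "none").lower()


if __name__ == "__main__":
    for label, dom, ar in [("legitimate", "example.com", LEGIT_AR),
                           ("spoofed, p=reject", "example.com", SPOOF_AR),
                           ("spoofed, p=none", "weak-example.org", SPOOF_AR)]:
        ok, action = dmarc_evaluate(dom, ar, DNS_TXT)
        print(f"{label:18} DMARC {'pass' if ok else 'fail'} -> {action}")
```

The strict-example.net record illustrates the aspf=s/adkim=s trade-off: a bounce subdomain that passes SPF no longer aligns, so the domain depends entirely on an exact-match DKIM signature. Real deployments usually start at p=none to collect rua reports, fix every legitimate sender that shows up misaligned, and only then move to quarantine and reject.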

Conclusion: Staying ahead of phishing threats

Phishing may be one of the oldest tricks in the cybercriminal playbook, but it’s far from outdated. In fact, it’s evolving faster than ever, fuelled by AI, social engineering, and increasingly convincing tactics. Whether you’re running a business or just managing your own inbox, understanding how phishing works is the first step in staying secure.

But knowledge alone isn’t enough. To effectively protect your data, systems, and team, you need the right mix of education, technology, and vigilance. From recognising red flags in suspicious emails to deploying advanced threat detection tools, it’s all about creating layers of defence.

At Lyon Tech, we help businesses build those layers, whether it’s training teams to spot phishing attempts or setting up secure systems to stop threats before they land - because when it comes to phishing, the best outcome is prevention.

Looking to strengthen your cybersecurity and reduce phishing? Get in touch - we’re here to help.
