What Is Phishing? Definition, Types, Warning Signs, and How to Prevent Cyberattacks That Target the Human Layer
In 2024, internet crime drove $16.6 billion in reported losses, and that figure climbed sharply the following year. Behind almost every ransomware incident, wire fraud case, and data breach sits a single deceptive email, voice call, or text message engineered to exploit human trust rather than a technical flaw.

Phishing is the mechanism that turns one careless click into an organizational compromise, and it now arrives across email, SMS, voice, and AI-generated deepfake video simultaneously. This guide covers the following:
- What is phishing, how it is defined, and how it differs from spam, spoofing, and pretexting.
- How phishing cyberattacks work across reconnaissance, engagement, and extraction.
- Every major phishing variant, from bulk campaigns to business email compromise (BEC).
- How AI has reshaped phishing and why cybersecurity awareness training is the decisive defense.
- How to recognize warning signs and respond after a phishing cyberattack.
Most organizations still train for inbox threats while cyberattackers move to voice, SMS, and deepfake video. Adaptive Security builds multi-channel readiness that mirrors how phishing actually lands.
What Is Phishing? A Clear Definition
Phishing is a form of social engineering in which cyberattackers use deceptive digital communications to impersonate trusted entities and manipulate recipients into revealing credentials, clicking malicious links, or authorizing fraudulent transactions. The term derives from a fishing analogy: cyberattackers cast bait across a wide pool of targets, expecting a fraction to bite. Unlike brute-force methods that target technical infrastructure, phishing targets human psychology, exploiting urgency, fear, curiosity, and trust to bypass even well-configured security controls.
Phishing consistently ranks as the dominant social engineering tactic in confirmed data breaches, and the data keeps reinforcing that pattern. According to Verizon's 2026 Data Breach Investigations Report, 62% of confirmed incidents involve a human element, with social engineering and phishing accounting for a large share of initial access events. Vulnerability exploitation has overtaken credential abuse as the top initial access vector overall, yet the human layer remains the most reliably exploited surface in the enterprise.
Stolen credentials remain a primary prize for phishing operators because they unlock systems without triggering malware alarms. According to Verizon's 2026 Data Breach Investigations Report, stolen credentials were involved in 13% of all breaches, a figure that understates their downstream impact once a single account becomes a foothold for lateral movement.
Phishing vs. Spam: What Is the Difference?
Spam and phishing are often conflated, but the distinction matters for risk. Spam refers to bulk, unsolicited commercial messages: promotions for dubious products, newsletters no one signed up for, and advertisements sent indiscriminately to massive recipient lists. Spam is irritating but generally not malicious in intent, and its primary goal is a sale rather than a security breach.
Phishing, by contrast, is engineered deception with a specific criminal objective. Every element of a phishing message is built to trick the recipient into an action that compromises security: entering credentials on a fraudulent login portal, downloading malware, approving a fraudulent wire transfer, or forwarding sensitive data. Where spam blasts millions of inboxes with identical content, phishing campaigns, particularly spear phishing, are increasingly personalized using open-source intelligence (OSINT) gathered from LinkedIn, corporate websites, and social media.
A spam filter can catch bulk solicitations, but a targeted phishing email built around an employee's actual job role and reporting structure will sail through technical controls and land in the inbox. That is where trained human judgment becomes the last line of defense, and where a cybersecurity awareness training program earns its keep.
Phishing vs. Spoofing vs. Pretexting
These three terms describe overlapping but distinct concepts, and using them interchangeably obscures how cyberattacks actually work. Spoofing is a technique: the act of falsifying sender information, caller ID, or website appearance to make a communication look like it originates from a trusted source. A cyberattacker spoofing a CEO's email address has not yet committed phishing; they have simply forged the header. Spoofing is a building block that also supports malware distribution and denial-of-service cyberattacks.
Phishing is the broader cyberattack method that puts spoofing to work. When a spoofed CEO email arrives with an urgent request to wire funds or share a document, and the message carries a malicious link or fraudulent instruction, the combination of spoofed identity plus deceptive call-to-action constitutes phishing. Not all phishing uses spoofing; some cyberattackers compromise real accounts and send messages from legitimate infrastructure. Spoofing amplifies effectiveness by removing the most obvious red flag, an unfamiliar sender address.
Pretexting is the narrative layer, the fabricated scenario that makes the deception believable. A caller claiming to be from IT, reporting a device compromise, and requesting a verification code is using a pretext. Pretexting can unfold over the phone (vishing), through SMS (smishing), or across multiple channels at once, and unlike spoofing it requires no technical forgery. A single phishing cyberattack often combines all three: a spoofed identity, a convincing pretext, and a deceptive request that triggers the breach. Organizations that run realistic phishing simulations give employees repeated practice spotting exactly these layered deceptions before a real cyberattack lands.
A targeted phishing message built around an employee's real role bypasses filters that catch bulk spam. Adaptive Security trains the human judgment that technical controls cannot replace.
Is Phishing Considered a Cybercrime?
Phishing is prosecuted as a criminal offense under multiple legal frameworks across jurisdictions, and penalties have escalated as cyberattacks grow more sophisticated and damaging. Understanding the legal exposure clarifies why phishing is treated as serious fraud rather than a nuisance, and why law enforcement now coordinates internationally to dismantle the infrastructure behind it.
In the United States, phishing falls under the Computer Fraud and Abuse Act (CFAA), codified at 18 U.S.C. § 1030. The CFAA prohibits accessing a protected computer without authorization or in excess of authorization. Phishing campaigns, which typically trick victims into surrendering credentials that grant unauthorized access, are regularly charged under this statute. Prosecutors frequently layer CFAA charges with wire fraud statutes, where each phishing email can constitute a separate count, and identity theft statutes under 18 U.S.C. § 1028, creating substantial sentencing exposure.
Under the European Union's General Data Protection Regulation (GDPR), phishing that leads to a personal data breach can trigger administrative fines of up to €20 million or 4% of annual global turnover, whichever is higher. The GDPR Enforcement Tracker recorded 2,685 fines with complete enforcement details as of March 2026, with penalized organizations frequently citing phishing-related data breaches as the root cause of the underlying exposure. In the United Kingdom, the Computer Misuse Act 1990 and the Serious Crime Act 2015 together carry penalties of up to life imprisonment for the most serious unauthorized access offenses that cause significant damage or endanger human welfare. Australia's Criminal Code Act 1995 imposes comparable criminal consequences, and in Canada criminal phishing is prosecuted under the Criminal Code of Canada rather than its privacy statutes.
What makes phishing prosecutions challenging is attribution. Sophisticated campaigns route through multiple jurisdictions, use compromised infrastructure, and employ cryptocurrency to obscure financial trails. High-profile convictions nonetheless demonstrate that law enforcement is closing the gap, with extraditions and coordinated takedowns now carrying real legal exposure. Interpol's Operation Synergia II, which ran from April to August 2024 across 95 member countries, dismantled phishing, ransomware, and infostealer infrastructure and took down roughly 76% of approximately 30,000 suspicious IP addresses identified, according to Interpol's official reporting. The era of consequence-free phishing is closing, even as the cyberattacks themselves grow more personalized and harder to detect.
Phishing prosecutions are rising, but a single successful lure still costs organizations millions before any case reaches court. Adaptive Security reduces that exposure by hardening the human layer cyberattackers target first.
How Phishing Cyberattacks Work

Every phishing cyberattack follows a structured lifecycle refined into a repeatable, scalable operation. The process moves from reconnaissance and message crafting through victim engagement to the final extraction of value. Knowing each phase in detail is what separates organizations that detect cyberattacks at the bait stage from those that discover the breach weeks after the catch.
1. The Three Stages of a Phishing Cyberattack: Bait, Hook, and Catch
The cyberattack begins long before the victim sees an email. Cyberattackers harvest personal and organizational details through OSINT, scraping LinkedIn profiles, corporate leadership pages, press releases, conference recordings, and social media to build a targeting dossier. This reconnaissance shapes every element of the lure, so a finance team member sees an urgent invoice from a known vendor timed to a real project close, and an HR director receives a benefits enrollment link aligned with the company's actual open enrollment window. The sender name, subject line, tone, and signature block are all engineered to bypass skepticism by mirroring legitimate internal communications.
The hook activates the moment the target clicks a link, downloads an attachment, scans a QR code, or replies with the requested information. Nothing visibly alarming happens. The landing page may be a pixel-perfect replica of a Microsoft 365 login portal, complete with the organization's own branding lifted from its public website. In advanced campaigns the victim is redirected through a chain of benign-looking URLs, a compromised WordPress site, then an open redirect on a trusted SaaS platform, before arriving at the credential harvesting page. According to Verizon's 2024 Data Breach Investigations Report, the median time for a user to click a phishing link is 21 seconds, with credential entry following in roughly 28 seconds. At that speed, no employee has time to pause and verify.
Once credentials are harvested, cyberattackers move immediately. They log into the compromised account, establish persistence by creating inbox forwarding rules or registering new MFA devices, and begin lateral movement toward higher-value targets. If the phishing cyberattack delivered a trojan, keylogger, or infostealer, the catch phase extends silently for days or weeks as the payload exfiltrates data and opens backdoors. A single harvested credential set becomes a foothold, and lateral movement from that foothold is what turns it into a ransomware incident, a data exfiltration event, or a business email compromise (BEC) that drains six figures from a corporate account.
2. Phishing Kits and the Cyberattack Supply Chain
Phishing no longer requires technical skill. Commoditized phishing kits sold on illicit marketplaces have turned what was once a specialized trade into a turnkey operation anyone can purchase. These kits bundle pre-built email templates, professionally designed landing pages replicating login screens for Microsoft 365, Google Workspace, DocuSign, and major financial institutions, and credential harvesting scripts with built-in evasion features designed to bypass email security gateways.
Captured credentials then flow into a structured underground economy. A single set of stolen corporate credentials sells for $200 to $1,000 in underground forums and illicit marketplaces, while domain admin or cloud admin access can fetch $10,000 or more, according to dark web data pricing tracked by DeepStrike in 2025. This pricing structure makes phishing a volume business: more campaigns yield more credentials, and more credentials yield more profit. The economics of scale drive continuous reinvestment in more convincing templates and AI-generated content that defeats traditional detection.
Stolen credentials rarely stop at the initial buyer. Initial Access Brokers (IABs) act as middlemen, purchasing harvested credentials in bulk, validating them, and reselling verified access to ransomware operators at a premium. A credential captured in one phishing campaign can be sold, repackaged, and weaponized multiple times across different cyberattack groups. This supply chain transforms phishing from a one-off scam into a professionalized, multi-stage criminal industry that feeds every category of cyberattack from BEC to ransomware deployment to nation-state espionage.
Phishing kits let unskilled criminals launch enterprise-grade campaigns for the price of a subscription. Adaptive Security prepares employees for the polished lures these kits produce, before credentials reach an underground marketplace.
3. Common Technical Techniques in Phishing
Cyberattackers deploy an array of technical methods to make phishing messages and landing pages indistinguishable from legitimate communications, exploiting gaps in both email authentication protocols and human perception. The techniques below recur across nearly every campaign, and recognizing them is foundational to any cybersecurity awareness training.
Domain and email spoofing manipulate sender identity at the protocol level. Domain spoofing alters the visible "From" address so the message appears to originate from a trusted domain, while email spoofing forges SMTP envelope and header fields, allowing messages to pass basic authentication checks when an organization's SPF, DKIM, and DMARC records are missing or misconfigured. A spoofed email arriving with a familiar executive's display name is among the most effective phishing lures in existence.
Typosquatting and homograph attacks exploit the gap between what users see and what the browser resolves. Typosquatting registers domains with common misspellings, such as micorsoft.com instead of microsoft.com, on the assumption that hurried users miss the difference. Homograph attacks replace Latin letters with visually identical Unicode characters, so a Cyrillic character substituted for a Latin one produces a domain that looks identical yet resolves to a server the cyberattacker controls.
URL shortening and malicious redirects add layers of obfuscation. Cyberattackers use shortening services to hide malicious destinations behind innocuous strings, and malicious redirects chain multiple legitimate domains so that each hop erodes the ability of URL scanners and secure email gateways to trace the full path. Session hijacking, keyloggers, and trojans extend phishing far beyond credential theft: session hijacking captures active session tokens after a victim logs in, bypassing multi-factor authentication entirely; keyloggers record every keystroke; and remote access trojans (RATs) provide persistent, interactive control over compromised devices for weeks or months. Testing defenses against the full chain requires phishing simulations that replicate multi-stage cyberattacks across email, voice, SMS, and video channels.
Types of Phishing Cyberattacks
The types of phishing cyberattacks organizations face today span a wide spectrum, from mass-distributed generic lures sent to millions of inboxes to surgical campaigns targeting a single executive after weeks of reconnaissance. The primary distinction between phishing types lies in targeting specificity. Bulk phishing casts the widest possible net hoping for a fractional response rate, while spear phishing and whaling zero in on individual high-value targets using OSINT gathered from LinkedIn, corporate websites, and social media.
Channel-based variants like vishing, smishing, and quishing bypass email filters entirely by moving the cyberattack surface to phone calls, SMS, or QR codes where traditional security controls are thinner and employee skepticism is lower. While each type exploits a different vector, every variant shares the same psychological foundation: manipulating trust, urgency, and authority to override rational skepticism and trigger immediate compliance.
Bulk Email Phishing, Spear Phishing, and Whaling
Bulk email phishing is the volume play. Cyberattackers distribute generic messages, such as fake password resets, package delivery notifications, and tax refund lures, to massive recipient lists, counting on a tiny response rate to generate returns. These campaigns are often riddled with spelling errors and generic salutations because personalization is absent by design, yet even a fraction of a percent click-through across 100,000 messages yields hundreds of compromised targets. According to the FBI Internet Crime Complaint Center's 2025 Internet Crime Report, phishing and spoofing generated 191,561 complaints, the highest number of reports of any crime type.
Spear phishing represents the precision-strike evolution of the same tactic. Rather than blanketing inboxes, cyberattackers research a specific individual, including their role, direct reports, current projects, travel schedule, and vendor relationships, and build a message that references real-world context the target recognizes as legitimate. Generative AI models can now scrape a target's digital footprint and produce flawless, context-aware phishing emails in seconds, compressing what once took days of manual OSINT work into automated workflows.
Whaling takes spear phishing to the organizational apex. These cyberattacks target C-suite executives, board members, and senior finance personnel, individuals with wire transfer authority, access to sensitive strategic data, and the standing to override standard verification procedures. A whaling email might appear to come from a board member requesting confidential merger documents, or from a CEO instructing the finance team to expedite a payment. When a whaling cyberattack succeeds, the financial damage is rarely measured in thousands of dollars.
Spear phishing and whaling succeed because they reference details an employee recognizes as real. Adaptive Security trains high-risk roles against the personalized lures cyberattackers reserve for them.
Business Email Compromise (BEC) and Its Variants
Business email compromise (BEC) is a specialized form of phishing in which cyberattackers impersonate trusted business figures, such as executives, vendors, legal counsel, or HR personnel, to trick employees into transferring funds, sharing sensitive data, or altering payment instructions. Unlike credential-harvesting phishing, BEC often contains no malware or malicious links, making it invisible to traditional email security tools. BEC sits at the costly center of internet crime year after year because it weaponizes routine financial workflows rather than technical exploits.
According to the FBI's Internet Crime Report 2025 (released April 2026), BEC losses reached $3.046 billion across 24,768 incidents, averaging roughly $123,000 per case, with virtually all funds routed through manager-level approvers. The figure underscores why verification discipline at the point of payment matters as much as any email filter.
BEC manifests in four main subtypes. Account takeover occurs when a cyberattacker gains access to a legitimate employee email account, often through credential phishing, and uses that trusted identity to send fraudulent instructions to colleagues and external partners. VIP impersonation involves spoofing or closely mimicking a senior executive's email address to issue urgent wire transfer requests, the variant behind the $25.6 million Arup fraud in Hong Kong, where a finance employee was deceived into transferring funds after a video call in which every participant was a deepfake. Payroll diversion targets HR departments with fake employee requests to change direct deposit details, and extortion-based BEC threatens to release sensitive company data unless a payment is made, often masquerading as a ransom demand without the actual encryption component.
Vishing, Smishing, and Quishing: Phishing Beyond Email
Vishing, or voice phishing, weaponizes the phone channel. Cyberattackers call employees while impersonating IT support, bank fraud departments, or government agencies, using urgent scripts designed to extract credentials, remote access, or payment card details. Hybrid vishing campaigns are increasingly common: an email arrives first to establish the pretext, followed by a phone call that references the email, creating a multi-channel consistency that overwhelms verification instincts. AI voice cloning has escalated the threat, allowing a cyberattacker to clone an executive's voice from publicly available audio and instruct a subordinate to authorize a payment in real time. According to the CrowdStrike 2026 Global Threat Report, the average adversary breakout time, the window between initial access and lateral movement, dropped to 29 minutes, with the fastest measured at just 27 seconds.
Smishing exploits SMS and messaging apps, where shortened URLs mask malicious destinations and mobile interfaces strip away the visual cues users rely on to evaluate email legitimacy. Most employees trust text messages more instinctively than email, a cognitive bias that cyberattackers exploit deliberately, so a smishing message purporting to come from a CEO asking for a quick favor feels more personal and urgent than its email equivalent.
Quishing, or QR code phishing, has surged as QR codes became embedded in everyday workflows. Cyberattackers place malicious QR codes in physical locations, embed them in PDF attachments, or slip them into email bodies where they bypass URL scanners, and the employee scans the code expecting a menu, meeting link, or document and lands on a credential-harvesting page instead. QR code destinations cannot be previewed before scanning, so employees should review the URL that appears on the device screen after scanning but before proceeding, and should never scan codes received in unsolicited messages or placed in unexpected physical locations.
Clone Phishing, Pharming, Angler Phishing, and Other Variants
Clone phishing replicates a legitimate email the target has already received, such as an actual invoice, meeting invite, or shipment notification, and replaces links or attachments with malicious duplicates. Because the email mirrors real correspondence the recipient recognizes, suspicion drops to near zero. Pharming operates at the infrastructure layer: cyberattackers poison DNS servers or compromise host files so that typing a legitimate URL redirects the user to a fraudulent website that silently harvests credentials at scale.
Angler phishing targets social media channels, where cyberattackers create fake customer service accounts that monitor brand mentions and intercept frustrated customers seeking support. When someone posts at their bank about a locked account, the angler phisher responds within minutes with a link to a fake resolution portal. Snowshoeing phishing distributes campaigns across numerous IP addresses and domains at low volume so that no single IP accumulates a poor reputation, evading reputation-based spam filters. Barrel phishing sends two messages, the first innocuous to build trust, followed by the malicious payload, while evil twin WiFi cyberattacks create rogue access points mimicking legitimate networks in public spaces, and watering hole cyberattacks compromise websites that specific employee groups visit regularly.
The financial sector bears disproportionate risk across all these vectors. According to the APWG Phishing Activity Trends Report Q2 2025, financial institutions were the most-attacked sector, absorbing 18.3% of all phishing cyberattacks. According to Check Point Research's Q4 2025 Brand Phishing Report, Microsoft was the most impersonated brand at 22%, followed by Google at 13%, Amazon at 9%, and Apple at 8%, a lineup reflecting the enterprise and consumer tools employees interact with most. Mapping each phishing type against the channels an organization uses is what turns a taxonomy into a phishing simulation strategy that covers the full cyberattack surface, not just the inbox.
Phishing has outgrown the inbox, spreading to voice, SMS, QR codes, and social media. Adaptive Security maps phishing simulation coverage to every channel an organization actually uses.
How to Prevent Phishing Cyberattacks

Preventing phishing demands a layered defense that stacks technical controls, continuous workforce training, and verification discipline. The strongest posture deploys phishing-resistant multi-factor authentication (MFA), configures email authentication protocols to block domain spoofing, and runs ongoing phishing simulations that build real-world detection instincts. No single control stops every cyberattack, so the most resilient organizations layer all three and adapt as cyberattacker tactics shift.
1. Technical Defenses: MFA, DMARC, SPF, DKIM, and Email Filters
Experience the Adaptive platform
Take a free tourMulti-factor authentication remains the highest-impact control against credential-based phishing. According to Microsoft telemetry, MFA blocks more than 99% of password-based account compromise attempts. Standard MFA is no longer enough on its own, because adversary-in-the-middle (AiTM) cyberattacks now proxy authentication sessions in real time: the user sees a legitimate-looking login page, enters credentials and an MFA code, and the cyberattacker captures both the password and the session token. MFA fatigue cyberattacks, which flood targets with push notifications until one is accepted, compound the exposure.
Phishing-resistant MFA eliminates these paths. FIDO2 and WebAuthn standards bind authentication to the specific domain that requested it, using public-key cryptography stored on a physical security key or device-bound passkey, so a user who lands on a fake login page finds the authenticator refusing to complete the handshake. CISA explicitly recommends phishing-resistant MFA for all organizations, and the U.S. federal government has mandated it for federal agencies. Organizations that have not yet migrated should prioritize privileged accounts, finance teams, and executive users first.
Email authentication protocols close the domain spoofing vector that fuels business email compromise (BEC). According to DMARCguard research, as of February 2026 only 30.4% of domains have adopted DMARC and just 12.8% enforce it with quarantine or reject policies, while SPF adoption sits at 56.0%. Without DMARC enforcement, SPF alone provides limited protection because it validates only the envelope sender rather than the visible "From" address, so organizations should configure all three protocols and move DMARC policy to a reject posture as quickly as sender configuration allows. Password managers add a further defense by refusing to autofill credentials on mismatched domains, and email filters, web filters, and browser-based Safe Browsing protections complete the technical layer by blocking known malicious URLs and attachments before employees ever see them.
2. Organizational Prevention: Cybersecurity Awareness Training and Phishing Simulations
Technical controls reduce the volume of cyber threats that reach employees, and cybersecurity awareness training equips employees to recognize what gets through. The two layers are complementary, and neither substitutes for the other. A mature cybersecurity awareness training program turns the human layer from the most exploited surface into a functioning line of defense.
Phishing simulation tests measure real-world susceptibility by sending employees realistic but safe phishing emails, voice calls, or SMS messages and tracking who interacts with them. According to the IBM Cost of a Data Breach Report 2025, employee security training was identified among the leading factors in reducing breach costs, and AI-powered prevention tools cut average breach costs by $2.2 million compared to organizations not using them. As NIST computer scientist Julie Haney and University of Maryland Associate Professor Wayne Lutters concluded in their peer-reviewed analysis published in Computer (October 2020), compliance metrics do not tell the whole story and fail to measure whether a program produces sustained change in employee attitudes and behaviors.
The mechanism that makes phishing simulations effective is behavioral rehearsal. Each phishing simulation gives employees a low-stakes opportunity to practice threat recognition in their actual work environment, so when the same employee encounters a real cyberattack weeks later, pattern recognition triggers before the click. Short, role-specific modules delivered in under ten minutes and triggered automatically when an employee fails a simulation produce far higher retention than annual slide decks completed once per compliance cycle.
Regulatory pressure reinforces the operational case. GDPR requires appropriate technical and organizational measures to protect personal data, which EU supervisory authorities interpret to include workforce cybersecurity awareness training. HIPAA's Security Rule mandates security awareness training for all workforce members with access to protected health information, PCI DSS Requirement 12.6 requires a formal security awareness program, and SOC 2 criteria expect organizations to train personnel on their security responsibilities. CAT content mapped to these frameworks satisfies auditor scrutiny while building genuine behavioral resilience through Adaptive Security's phishing simulations.
Annual slide decks fade from memory long before the next real lure arrives. Adaptive Security delivers role-specific cybersecurity awareness training triggered the moment an employee fails a simulation.
3. Consumer and Small Business Protection: Free Tools and Safe Practices
Individuals and small businesses operate with fewer resources than enterprises but face the same phishing-related cyber threats. The defense principles remain identical, and only the tools and scale differ. According to Verizon's 2026 Data Breach Investigations Report, 96% of ransomware victims were small and medium-sized businesses (SMBs), which present unpatched devices, compromised credentials, and limited recovery capabilities, so the smallest organizations often carry the heaviest relative risk.
Free anti-phishing tools provide meaningful protection without cost. Google Password Manager and Apple iCloud Keychain both refuse to autofill on mismatched domains, while Google Safe Browsing and Microsoft SmartScreen, built into Chrome and Edge respectively, block known phishing sites automatically. For email authentication, free DMARC monitoring services let domain owners analyze their email traffic without upfront investment, and every major email provider includes spam and phishing filters that users should verify are enabled at the highest sensitivity setting.
Safe browsing habits constitute the human layer of protection for consumers. Hovering over links to preview the actual URL before clicking, typing URLs directly into the browser rather than following email links, and never providing credentials or payment information in response to an unsolicited message are foundational practices. Software and operating system updates must be installed promptly, since many phishing cyberattacks exploit known vulnerabilities that patches have already closed.
Data backups stored offline or in immutable cloud storage provide the last line of defense against ransomware, transforming a ransom demand from an existential crisis into an inconvenience. The same foundation protects organizations of every size: MFA on every account, DMARC on the domain, a password manager on every device, and the discipline to verify unusual requests through a second channel.
What to Do After Falling Victim to Phishing

When a phishing cyberattack succeeds, the affected device should be disconnected from the network immediately to contain any malware deploying in the background. Every password that may have been exposed should be changed from a clean, uncompromised device, starting with the account where credentials were entered, and the incident should be reported through internal channels and to the appropriate external authorities. The window between compromise and containment is measured in minutes, and acting quickly on containment, reporting, and recovery is what separates a close call from a breach that costs real money.
Not every phishing cyberattack announces itself, since malware can operate silently for weeks, logging keystrokes, exfiltrating files, or waiting for a privileged session before activating. According to the FBI Internet Crime Complaint Center's 2025 Internet Crime Report, internet crime drove $20.877 billion in reported losses, a 26% jump over the prior year, and many victims discovered the breach long after the initial click. Every phishing interaction should be treated as a potential compromise, with the steps below followed regardless of what is or is not visible on screen.
1. Immediate Steps After Clicking a Phishing Link
The device should be disconnected from the network before anything else. Unplugging the Ethernet cable, disabling Wi-Fi, and turning off Bluetooth and cellular hotspot tethering can prevent malware from reaching a command-and-control server, exfiltrating data, or moving laterally to other systems. The device should not be powered off, because a shut-down machine cannot be forensically analyzed and the action may destroy volatile evidence an incident response team needs.
A full anti-malware scan should run using up-to-date definitions. Where an organization provides endpoint protection software, that tool should be used; on a personal device, a reputable scanner with the latest signature updates downloaded from a clean network connection is appropriate. Most modern tools detect and quarantine credential stealers, remote access trojans (RATs), and keyloggers, the three most common payloads delivered through phishing links, and any malicious files identified should be preserved until the IT or security team has captured forensic artifacts.
Every potentially compromised password should be changed from a separate, clean device, beginning with the account directly targeted and extending to any account that shares that credential or a close variant. Passwords should never be reused across services, because a single phished credential becomes a skeleton key when cyberattackers try it against email, banking, and social media accounts. Multi-factor authentication should be enabled or reset on every account that supports it, prioritizing email and financial accounts; if the cyberattacker captured a valid session token rather than a password alone, resetting MFA and terminating all active sessions through each service's account security settings is the only way to break their access. Where the incident occurred on a work device or involved corporate credentials, the organization's IT or security team should be notified immediately, since CISA guidance emphasizes that early reporting enables teams to check for lateral movement, block malicious domains, and alert other employees who received the same phishing email.
2. How to Report a Phishing Cyberattack
Reporting serves two purposes: it protects the organization from follow-on cyberattacks, and it feeds the intelligence pipeline that law enforcement and industry groups use to dismantle phishing infrastructure. Prompt, well-documented reporting is a force multiplier for everyone targeted by the same campaign.
Within an organization, the phish alert button integrated into the email client should be used where one is available. Modern tools like Adaptive Security's Phish Triage classify reported emails as Safe, Spam, or Malicious within seconds and can trigger organization-wide inbox remediation when a threat is confirmed. Where no phish alert button exists, a ticket should be opened with the IT or security team and the phishing email forwarded as an attachment, which preserves the original headers containing the routing and authentication data investigators need.
External reporting channels matter equally. A complaint can be filed with the Federal Trade Commission at ReportFraud.ftc.gov, which shares reports with thousands of law enforcement partners. For BEC incidents involving wire transfers or financial fraud, a report should be filed immediately with the FBI Internet Crime Complaint Center at ic3.gov. Phishing emails can also be forwarded to the Anti-Phishing Working Group at apwg.org, a coalition that aggregates threat data to accelerate takedowns, and to the abuse contact at the impersonated organization, most of which maintain a dedicated address their security team monitors. Each report filed makes the phishing ecosystem incrementally harder to operate.
A single unreported phishing email can sit in dozens of inboxes while one compromised account spreads laterally. Adaptive Security's Phish Triage classifies and remediates reported messages across the organization in seconds.
3. Recovering Compromised Accounts and Preventing Repeat Phishing
Recovery begins with financial surveillance. Bank accounts, credit card statements, and investment accounts should be monitored daily for at least 90 days after a phishing incident, because cyberattackers often test stolen credentials with small, innocuous transactions before executing larger transfers. Placing a fraud alert with one of the three major credit bureaus is free, lasts one year, and requires creditors to verify identity before opening new accounts, while a credit freeze offers stronger protection by blocking all access to the credit report until it is lifted.
Data should be restored from clean backups created before the phishing incident rather than from the compromised device's current state, since cyberattackers may have modified or encrypted files that appear normal. Where clean backups are unavailable and the device holds critical data, a forensic specialist should be engaged before any recovery attempt, because amateur efforts can overwrite the very data being saved. Account recovery settings and forwarding rules should be reviewed on every compromised account, as cyberattackers routinely add hidden forwarding rules that silently copy every message to an external address even after the password has changed; unfamiliar recovery phone numbers, secondary email addresses, and app-specific passwords are all common persistence mechanisms.
Evidence should be preserved even as recovery proceeds. Saving the phishing email in its original format with full headers intact, screenshotting any messages or unusual behavior, and maintaining logs of every action taken supports law enforcement investigations, documents the response for regulatory compliance, and strengthens any insurance claim. A post-incident review should then close the vulnerability that let the cyberattack succeed: identifying exactly what made the phishing attempt convincing, whether a spoofed executive name, a vendor impersonation, or manufactured urgency, and sharing the finding with the security team turns one click into a measurable improvement across every layer of the organization's security posture.
How AI Is Changing Phishing Cyberattacks

AI has transformed phishing from a high-volume, low-quality spam operation into precision-targeted cyberattacks. Today's campaigns exploit OSINT to personalize every message, clone trusted voices and faces in real time, and coordinate simultaneously across email, voice, SMS, and video. Organizations relying solely on email-based defenses and annual awareness training are now exposed to multi-channel cyberattacks that legacy tools were never designed to detect.
According to Sumsub's Identity Fraud Report 2024, deepfake fraud incidents grew fourfold year-over-year, and the trend has accelerated since. According to Sumsub's 2025–2026 Identity Fraud Report, deepfake attacks increased 2,100% globally, up from 1,740% in North America during 2022 to 2023, with sophisticated fraud surging 180% year-over-year across deepfakes, synthetics, and telemetry tampering. The cost of underestimating this shift is measured in millions, and the $25.6 million stolen from engineering firm Arup via a deepfake video conference stands as the landmark warning.
AI-Generated Phishing Emails and Hyper-Personalization at Scale
For years, the most reliable red flag in a phishing email was bad writing. Awkward phrasing, grammatical errors, and stilted language tipped off even untrained employees that something was wrong. Large language models have erased that signal entirely.
Generative AI produces flawless, context-aware prose in any language and any tone, formal for a CFO, casual for a team chat message, urgent for a vendor payment request. Cyberattackers no longer need fluency in the target's language; they need a prompt. The result is phishing copy indistinguishable from legitimate corporate communication, eliminating the single most accessible detection cue employees historically relied on.
More dangerous than polished grammar is the personalization these models enable at scale. Cyberattackers feed LLMs with OSINT data scraped from LinkedIn profiles, company blogs, earnings call transcripts, social media posts, and press releases, and within seconds the AI generates spear phishing messages referencing specific internal projects, real vendors, actual upcoming events, and named colleagues. A 2024 study published via Harvard Business Review found that AI-generated spear phishing emails achieved a 54% click-through rate compared to 12% for human-written phishing emails, while reducing campaign costs by over 95%. Conversational phishing escalates this further: rather than delivering a single payload, AI chatbots engage victims in multi-turn dialogues, building rapport over several exchanges before requesting credentials, mirroring the rhythm of legitimate business communication.
Deepfake-Enabled Vishing and Multi-Channel Phishing
The same AI advances reshaping email phishing have made voice and video cyberattacks trivially accessible. AI voice cloning services can generate convincing synthetic voices from short audio samples, with some tools producing usable results from as little as one to two minutes of clean audio, precisely the type of material available in earnings recordings, conference talks, and video posts. Cyberattackers combine cloned voices with caller ID spoofing to impersonate executives, IT staff, or business partners in phone-based vishing.
The $25.6 million Arup deepfake fraud in Hong Kong is the case that forced boards to pay attention. In early 2024, a finance employee received what he initially flagged as a suspicious email from the company's UK-based CFO requesting a secret transaction, and his skepticism dissolved after joining a multi-person video conference where every participant he recognized was an AI-generated deepfake. According to CNN's reporting on the case, Hong Kong police confirmed that everyone the employee saw on the call was fabricated, and he authorized 15 wire transfers totaling $25.6 million before discovering the deception.
Deepfake video adds visual authority to what voice cloning alone achieves, because when an employee sees a CEO's face moving and speaking on a video call, the psychological weight of that visual proof overrides the skepticism an email alone might trigger. The defining characteristic of AI-enabled phishing is multi-channel coordination: a cyberattack might start with a spear phishing email from a spoofed executive account, followed minutes later by a vishing call using that executive's cloned voice, then a deepfake video reinforcing urgency. Each channel validates the others, dismantling the doubt that any single message might raise, and this cross-channel layering is the Arup pattern now replicated across organizations as deepfake tools become cheaper and require no technical expertise.
AI-Powered Phishing Detection and Defense
The same AI technology that arms cyberattackers also equips defenders. Machine learning classifiers now analyze email content, metadata, sender behavior, and URL characteristics in real time, identifying phishing attempts that rule-based filters miss by detecting subtle linguistic patterns, anomalies in writing style, and inconsistencies between displayed sender names and actual headers. These systems flag the AI-generated cues that distinguish synthetic phishing from legitimate executive communication.
Automated phish triage addresses one of security operations' most persistent pain points: alert fatigue. When employees report suspected phishing via a one-click button, AI classifiers assign confidence scores of Safe, Spam, or Malicious and auto-resolve cases above configurable thresholds without analyst intervention, shrinking the queue from hundreds of daily reports to the genuinely ambiguous few and cutting mean time to response from hours to minutes. Behavioral analytics provide a second defensive layer by monitoring for anomalous activity after a potential compromise, so if an account begins forwarding email externally, accessing unusual file shares, or logging in from an unfamiliar location at an odd hour, the system flags the behavior even if the initial phishing email slipped through.
On the training front, AI-powered cybersecurity awareness training platforms now personalize education based on each employee's actual risk profile. Rather than assigning every employee the same generic module, these systems analyze individual OSINT exposure, simulation failure history, and role-based risk factors to deliver targeted microlearning, so a finance team member who failed a vendor impersonation simulation receives training on that exact scenario while an executive whose voice and video appear extensively online gets deepfake awareness content. This moves security awareness from compliance theater to behavioral conditioning, and modern phishing simulation platforms now recreate the full spectrum of AI-powered cyberattacks across email, voice, SMS, and deepfake video, so employees experience these threats in a controlled environment before encountering a real one.
How Adaptive Security Stops Phishing at the Human Layer

Security teams that close the human layer stop the cyberattacks that bypass every technical control, and that outcome is exactly what Adaptive Security is built to produce. By running multi-channel phishing simulations across email, voice, SMS, and AI-generated deepfake video, Adaptive Security exposes employees to the same coordinated lures cyberattackers now deploy, turning the most exploited surface in the enterprise into a measurable line of defense.
Managers gain visibility they cannot get from annual compliance modules, because Adaptive Security translates simulation results into role-specific risk profiles and triggers targeted cybersecurity awareness training the moment an employee interacts with a simulated threat. A finance approver who clicks a vendor impersonation lure receives training on that precise scenario, and an executive whose likeness appears across public video receives deepfake awareness content, so remediation lands where exposure is highest rather than spreading thin across a generic curriculum.
Compliance leaders meet GDPR, HIPAA, PCI DSS, and SOC 2 expectations through a single cybersecurity awareness training program that maps content to each framework while building genuine behavioral resilience. Adaptive Security closes the gap between satisfying an auditor and actually changing how employees respond under pressure, which is where real phishing risk reduction begins.
Phishing now arrives across voice, SMS, and deepfake video, while once-a-year email training was never built for that reality. Adaptive Security turns multi-channel phishing simulation data into measurable risk reduction.
Frequently Asked Questions About Phishing
What Percentage of Data Breaches Involve Phishing and the Human Element?
The human layer remains the dominant factor in confirmed breaches. According to Verizon's 2026 Data Breach Investigations Report, 62% of confirmed incidents involve a human element, with phishing and social engineering accounting for a large share of initial access events. Phishing is consistently among the most common entry points because it sidesteps technical controls and targets human judgment directly, which is why a cybersecurity awareness training program is treated as a core control rather than an optional add-on. These figures underscore why phishing remains both a common and a costly entry point for cybercriminals targeting organizations of every size.
How Many Phishing Emails Are Sent Each Day Globally?
An estimated 3.4 billion phishing emails are sent globally every day, making phishing the highest-volume cyberattack vector in cybersecurity. This figure is widely cited across industry reports, including data from the Anti-Phishing Working Group, and translates to roughly 39,000 phishing emails per second. Even with advanced email security gateways and spam filters in place, a percentage of these messages inevitably reach employee inboxes, which is why human awareness is an essential layer of defense rather than a fallback.
Is Phishing Considered a Cybercrime and What Are the Legal Consequences?
Phishing is a cybercrime in virtually every jurisdiction. In the United States it is prosecuted under the Computer Fraud and Abuse Act (CFAA), with identity fraud statutes adding further imprisonment exposure when stolen personal information is involved. Under the EU's GDPR, organizations that fail to protect against phishing-related data breaches face fines of up to €20 million or 4% of annual global turnover, and the FBI investigates phishing through its Internet Crime Complaint Center while international coordination through Interpol has produced high-profile takedowns. Victims can also pursue civil remedies, including compensation for financial losses and identity theft damages.
What Is the Difference Between Phishing and Spam?
Phishing is social engineering fraud designed to steal credentials or install malware, while spam is unsolicited commercial messaging with no criminal intent. The critical distinction is purpose: spam aims to sell something, while phishing aims to steal something. The two also differ in sophistication, since spam relies on volume by blasting generic messages to millions of recipients, while phishing, particularly spear phishing, uses OSINT research to craft personalized lures that reference the target's name, employer, colleagues, and recent activity to appear legitimate.
Can Someone Get Hacked Just by Opening a Phishing Email?
In the vast majority of cases, simply opening a phishing email will not infect a device, because modern email clients sandbox message content and block automatic script execution. The real danger comes from what happens next: clicking a malicious link, downloading an attachment, enabling macros, or providing credentials to a fraudulent login portal. Opening the message can still expose the recipient, since tracking pixels embedded in it confirm to cyberattackers that the address is active and engaged, often marking it for follow-up. Building genuine resilience against today's phishing cyberattacks requires more than awareness alone; it demands continuous, realistic practice that mirrors the threats employees actually face.
Key Takeaways
- Understanding what is phishing starts with one fact: it targets human psychology rather than technical infrastructure, which is why no firewall alone can stop it.
- Phishing now spans email, voice, SMS, QR codes, and AI-generated deepfake video, so single-channel defenses leave the largest gaps unguarded.
- Spear phishing, whaling, and business email compromise succeed by referencing real context, making a cybersecurity awareness training program the decisive countermeasure.
- AI has erased the grammatical red flags that once exposed phishing, shifting the burden of detection from filters to trained human judgment.
- Layered prevention works best: phishing-resistant MFA, enforced DMARC, and ongoing phishing simulations together harden both the technical and human layers.
- A mature cybersecurity awareness training platform converts the most exploited surface in the enterprise into a measurable, reportable line of defense.
Knowing what is phishing changes nothing until employees can recognize it under pressure across every channel. Adaptive Security turns that knowledge into rehearsed, measurable defense.
As experts in cybersecurity insights and AI threat analysis, the Adaptive Security Team is sharing its expertise with organizations.
Get started with Adaptive Security
Related articles

Phishing Scams: The Complete Guide to Types, Warning Signs, Recognition, and Organizational Defense

Spear Phishing Scams: How Targeted Attacks Work, the Eight Types, and a Defense Strategy That Reduces Organizational Risk

Spear Phishing Emails: A Complete Guide to Detection, Prevention, and Defense Across People, Process, and Technology
Get started