
Emerging phishing threats and mitigations in 2025

Written by CSA Cyber | Aug 25, 2025 11:45:00 AM

If you’ve been defending organisations for more than a few years, you will remember when phishing was straightforward: spray-and-pray emails (the fancier ones sent from a domain visually similar to the victim's), some poor grammar, a malicious attachment, and the occasional success.

In 2025 phishing looks nothing like that cliché. Attackers have stitched together powerful automation, freely available generative AI, telephony deepfakes, and legitimate cloud services into multi-stage scams that bypass conventional detection and exploit human trust in new ways.

Below, I break down the major phishing types we're seeing in the field this year, what’s new, and some practical mitigations to allow you to begin defending yourself against these emerging threats.

The familiar and still effective

1. Bulk email phishing

Bulk campaigns remain a staple because they still yield results when combined with better lures (delivery notices, payment requests, fake invoices). Reports from industry vendors show phishing volumes rising again from late 2024 through 2025, often using legitimate services and compromised mailboxes to send or host content.

2. Spearphishing (targeted email attacks)

These are highly tailored emails aimed at individuals or executives – researched via LinkedIn, breach data, or scraped social profiles. Attackers invest time crafting contextually relevant narratives (project updates, HR requests, vendor invoices) that make a click or reply likely. Vendor trend reports continue to flag these as high-impact.

3. Business Email Compromise (BEC)

Classic financial fraud (compromised or spoofed executive mailboxes, fraudulent wire instructions, changed invoice details and the like) remains a top loss driver for organisations. The FBI/IC3 and private IR teams still rank BEC among the costliest scams.


Evolved and rising threats in 2025

1. OAuth / consent phishing (app-consent abuse)

Rather than stealing passwords, attackers often trick users into granting permissions to a malicious OAuth app, so the attacker obtains tokens that can read and send mail, access files, and so on. This bypasses traditional MFA and is increasingly common: security teams are seeing campaigns that route entirely through legitimate cloud identity flows.

2. MFA fatigue

Attackers bombard users with repeated MFA push notifications until someone accepts out of annoyance or confusion. It’s cheap, automated, and (surprisingly!) effective against poorly trained users. Defenders are treating this as a standard attack vector now.

3. Deepfake-enabled vishing and real-time impersonation.

AI voice cloning and real-time deepfake video are no longer sci-fi. Fraudsters can synthesise a CEO’s voice for an urgent funds transfer or create a live-looking face/voice impersonation in a videoconference to build trust. Several recent analyses and incident reports document this spike and its real-world cost.

4. QR-code phishing (“quishing”) and physical delivery lures.

QR codes have become an easy way to hide malicious redirects. Recent incidents include unsolicited packages and delivered receipts containing QR codes that lead to credential harvesters or malware installs. Law-enforcement advisories and threat researchers have highlighted this as a growing consumer and enterprise risk.

5. AI-assisted hyper-personalised phishing.

Generative models let attackers produce bespoke lures at scale – polished language, correct corporate styling, and customised context for each recipient. This reduces the time/cost to create convincing spear-phish campaigns and improves click-through rates. Recorded threat telemetry shows a significant increase in AI-linked phishing activity.

6. Multi-channel & multi-stage attacks.

Today’s successful scams often combine email, SMS, voice, and social engineering: an initial email plants the seed, a follow-up SMS (“did you get my message?”) pushes urgency, and a voice call closes the deal. Defenders must therefore map cross-channel indicators.


What’s changed technically (and why it matters)

1. Legitimate platforms as attack infrastructure.

Attackers use SendGrid, cloud storage, OAuth providers, and even marketing platforms to host lures and stand up redirect chains that look “normal” to security filters. This increases dwell time and reduces immediate blocking.

2. Token theft and consent abuse beat passwords and MFA.

If attackers get tokens via OAuth or session theft, they can access mail and files without ever needing a password – this is a major shift from purely credential-based fraud.

3. Automation + personalisation = scale.

Generative AI makes convincingly personalised text, voice, and video cheap – so attackers combine volume with quality.


Practical mitigations (our current recommendations)

1. Adopt phishing-resistant authentication (FIDO2 / passkeys).

These eliminate the human-accept-MFA vector and stop many token-based thefts.

2. Tighten OAuth governance.

Block or review third-party app consent, implement app whitelisting and conditional access policies, and monitor for unusual token scopes or long-lived tokens.
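One way to put the "monitor for unusual token scopes" advice into practice, as an added example that is not part of the original post: a small review of app-consent audit events that flags grants to unapproved or unverified apps and grants carrying mail, file or refresh-token scopes. The scope names follow Microsoft Graph conventions; the event fields and sample data are constructed assumptions, not any vendor's real schema.

```python
# Added example (not from the original post): flag risky OAuth consent grants
# in a constructed audit log. Scope names follow Microsoft Graph conventions;
# the event field names and sample events are assumptions for illustration.

# Scopes that let an app act on mail/files or keep access after sign-out.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "Files.ReadWrite.All", "offline_access"}

def consent_risk(event, approved_apps):
    """Return the list of reasons an app-consent event deserves review."""
    reasons = []
    risky = set(event["scopes"]) & HIGH_RISK_SCOPES
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(sorted(risky)))
    if event["app_id"] not in approved_apps:
        reasons.append("app not on the approved list")
    if not event.get("publisher_verified", False):
        reasons.append("unverified publisher")
    if event.get("consent_type") == "user" and risky:
        reasons.append("user-level consent to risky scopes (should require admin consent)")
    return reasons

def review_consent_log(events, approved_apps):
    """Map each flagged event id to its reasons; clean events are omitted."""
    findings = {}
    for ev in events:
        reasons = consent_risk(ev, approved_apps)
        if reasons:
            findings[ev["id"]] = reasons
    return findings

# Constructed sample: one benign approved app, one consent-phishing style grant.
SAMPLE_EVENTS = [
    {"id": "evt-1", "user": "alice@example.com", "app_id": "app-calendar-sync",
     "scopes": ["Calendars.Read"], "publisher_verified": True, "consent_type": "admin"},
    {"id": "evt-2", "user": "bob@example.com", "app_id": "app-unknown-9f2",
     "scopes": ["Mail.ReadWrite", "Mail.Send", "offline_access"],
     "publisher_verified": False, "consent_type": "user"},
]
APPROVED_APPS = {"app-calendar-sync"}

if __name__ == "__main__":
    for evt_id, reasons in review_consent_log(SAMPLE_EVENTS, APPROVED_APPS).items():
        print(evt_id, "->", "; ".join(reasons))
```

In a real tenant the events would come from the identity provider's audit log export, and the approved-app list from the same allow-list that drives the consent policy.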

3. Defend MFA from fatigue.

Configure push rate-limiting, require biometric confirmation for high-risk actions, and educate users on unsolicited push notifications.
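The push bombardment described above leaves a recognisable trace in authentication logs. As an added example (not part of the original post), this detector replays a constructed list of push events per user and raises an alert for a burst of prompts within a short window, and for an approval that follows a run of denials or timeouts; the event tuple layout and thresholds are assumptions.

```python
# Added example (not from the original post): detect MFA-fatigue patterns in a
# constructed list of push-notification events. Field layout and thresholds
# are assumptions; tune them to your own identity provider's logs.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
PROMPT_THRESHOLD = 5       # this many pushes inside WINDOW counts as a bombardment
DENIALS_BEFORE_ACCEPT = 2  # an approval after this many denials is suspicious

def group_by_user(events):
    """Group (iso_time, user, result) tuples by user, sorted by time."""
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((datetime.fromisoformat(ts), result))
    for user in by_user:
        by_user[user].sort()
    return by_user

def detect_push_fatigue(events):
    """Return {user: [alerts]} for users whose push history looks like fatigue abuse."""
    alerts = defaultdict(list)
    for user, rows in group_by_user(events).items():
        window = []   # timestamps of prompts still inside the sliding window
        denials = 0   # consecutive denials/timeouts seen before an approval
        for ts, result in rows:
            window = [t for t in window if ts - t <= WINDOW] + [ts]
            if len(window) == PROMPT_THRESHOLD:
                alerts[user].append(f"{PROMPT_THRESHOLD} pushes within {WINDOW}")
            if result == "approved":
                if denials >= DENIALS_BEFORE_ACCEPT:
                    alerts[user].append(f"approved after {denials} denials")
                denials = 0
            else:
                denials += 1
    return dict(alerts)

# Constructed sample: carol denies/ignores four pushes then approves the fifth;
# dave performs a single normal sign-in.
SAMPLE_PUSHES = [
    ("2025-08-25T09:00:00", "carol@example.com", "denied"),
    ("2025-08-25T09:01:10", "carol@example.com", "denied"),
    ("2025-08-25T09:02:05", "carol@example.com", "timeout"),
    ("2025-08-25T09:03:40", "carol@example.com", "denied"),
    ("2025-08-25T09:05:00", "carol@example.com", "approved"),
    ("2025-08-25T09:00:30", "dave@example.com", "approved"),
]

if __name__ == "__main__":
    for user, found in detect_push_fatigue(SAMPLE_PUSHES).items():
        print(user, "->", "; ".join(found))
```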

4. Improve email and endpoint controls.

Deploy DMARC, DKIM and SPF, sandbox attachments, and add runtime detection for credential harvesters hosted on legitimate services.

5. Train with realistic, multi-channel simulations.

Include SMS, voice, and QR-code scenarios; simulate MFA fatigue; teach people to validate unusual payment requests with an out-of-band process.

6. Prepare IR runbooks for deepfake incidents.

Verify identity via pre-agreed channels before any high-value transfer; log and report suspicious calls immediately.


Final thoughts: defending the human layer

Technology will continue to swing back and forth: attackers weaponise whatever makes life easier – today, that’s AI, legitimate cloud services, and telephony deepfakes – but the constant is human trust. In 2025, the difference between a stopped scam and a costly compromise is often a simple verification habit and a tiny change to access controls.


Want to know more?

If you’re unsure of what this means for you or how best to support your organisation, get in touch with us today. Our experienced team is here to help you be proactive and stay ahead of emerging phishing threats as they evolve.