What is Phishing? Definition, types of attacks & more
Phishing is one of the oldest and most persistent forms of cyber attack, and in 2025 it’s more convincing and dangerous than ever.
At its core, phishing is about deception: attackers impersonate trusted people or organisations to trick you into sharing passwords, approving payments, or clicking malicious links. The tactics have evolved rapidly thanks to AI, deepfake technology, and vast pools of breached data now used to target victims.
In 2025, phishing scams accounted for $13.7 million in financial losses in Australia alone - and that figure is only growing.
Why phishing still works
Despite decades of awareness campaigns and security investment, phishing remains one of the most effective tactics in a cybercriminal’s playbook. That's because it preys on three powerful factors: human psychology, technological advancement, and the sheer volume of leaked personal data now available online.
- Emotional manipulation works
  Phishing attacks rely on urgency, fear, curiosity, or authority to trick users into taking action: clicking a link, opening an attachment, or handing over credentials. When that urgency is framed as a missed payment, a legal threat, or an internal HR issue, people often act before they think.
- Technology is helping attackers, too
  With the rise of AI, attackers can now generate near-perfect emails that mimic tone, branding, and even writing style. Deepfake voice and video make impersonation far more convincing than in years past, meaning traditional cues like spelling errors or awkward grammar are no longer reliable red flags.
- Breached data is fuelling precision
  Thanks to years of global data breaches, attackers now have access to billions of real email addresses, passwords, and personal details. This allows them to craft highly targeted spear phishing campaigns that feel credible because they often include accurate information about the recipient.
Types of phishing attacks
While the basic concept has stayed the same, the tactics employed by cyber criminals have evolved with time. With advancements in technology, these attacks are quickly becoming more realistic.
According to the Australian Cyber Security Centre (ACSC), 91% of cyber attacks in 2024 started with a phishing email. That means protecting your inbox isn’t just important, it’s critical.
Here are six of the most dangerous types of phishing scams we’re seeing today, plus how to spot them and stay protected.
1. Deepfake Phishing Attacks
What it is: Attackers use AI-generated audio or video to impersonate executives and request sensitive actions like payments or file access.
Who it targets: Finance teams, legal departments, executive assistants.
How to recognise it: Unusual requests delivered via voice message or video, often with urgency or emotional appeal.
Prevention tips:
- Always verify sensitive requests through a secondary channel
- Use voice verification or biometrics for high-risk approvals
- Don’t rely on caller ID or voice alone
2. AI-Powered Spear Phishing
What it is: AI-driven attacks that craft highly personalised messages using scraped data.
Who it targets: Executives, employees with public-facing profiles, IT admins.
How to recognise it: Emails that seem unusually relevant or written in your tone/style, but sent from unfamiliar addresses.
Prevention tips:
- Conduct ongoing phishing simulations and training
- Use email filtering with AI threat detection
- Enforce MFA to reduce account takeover risks
3. Extortion Emails
What it is: Scammers claim to have compromising information or footage and demand a ransom to prevent its release.
Who it targets: Anyone, but often individuals with exposed credentials from previous breaches.
How to recognise it: The email is sent from a spoofed version of your address and includes personal data (like old passwords).
Prevention tips:
- Don’t engage or respond
- Change passwords immediately
- Report to IT/security team and delete the message
4. Business Email Compromise (BEC)
What it is: Attackers impersonate a trusted internal party (like the CEO or CFO) to initiate fraudulent transactions or steal sensitive data.
Who it targets: CFOs, finance teams, HR, executive support.
How to recognise it: Last-minute payment requests, banking detail changes, or urgent messages that bypass standard processes.
Prevention tips:
- Use approval workflows and dual verification for payments
- Educate execs and finance staff on BEC tactics
- Monitor for domain spoofing or lookalike domains
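One way to act on the lookalike-domain tip above, as an added example that is not code from the original article: it compares a sender's domain with an allow-list after folding common character substitutions. The allow-list, the substitution map and the one-edit threshold are assumptions chosen for illustration.

```python
import unicodedata

# Assumption: placeholder allow-list; replace with your own and your suppliers' domains.
TRUSTED = {"example.com", "example-bank.com"}

# Constructed, non-exhaustive map of common visual substitutions.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})

def skeleton(domain):
    """Fold a domain to a comparison form: lowercase, no accents, look-alikes merged."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    return d.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(sender_domain, max_distance=1):
    """Return (verdict, imitated_domain) for the domain part of a sender address."""
    d = sender_domain.lower().rstrip(".")
    if d in TRUSTED:
        return ("trusted", d)
    for t in sorted(TRUSTED):
        # Distance 0 means the folded forms are identical (e.g. "1" used for "l").
        if edit_distance(skeleton(d), skeleton(t)) <= max_distance:
            return ("lookalike", t)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sender domains for illustration.
    for dom in ["example.com", "examp1e.com", "exarnple.com", "example-bamk.com", "contoso.org"]:
        print(dom, classify(dom))
```

A "lookalike" verdict is a reason to route the message for review or verify the request by a second channel, not proof of fraud.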
5. Smishing & Vishing
What it is: Phishing via SMS (smishing) or voice calls (vishing). Messages often impersonate banks, logistics firms, or internal IT teams.
Who it targets: Mobile users, especially in hybrid/remote work environments.
How to recognise it: Short messages with suspicious links, caller impersonations, or requests for sensitive information.
Prevention tips:
- Don’t click links in unsolicited SMS messages
- Verify all voice requests, especially those involving credentials or access
- Use mobile threat detection software if available
6. Clone Phishing
What it is: A legitimate email is copied, and the content is modified with malicious links or attachments — then resent to the original recipient list.
Who it targets: Anyone receiving repeat emails, especially in finance, logistics, or support roles.
How to recognise it: Duplicate emails with slight changes in links, formatting, or sender details.
Prevention tips:
- Check links before clicking; hover to verify destinations
- Be wary of repeat emails with modified attachments
- Use email authenticity tools (like DMARC, SPF, DKIM)
How to protect your business from phishing in 2025
Phishing threats are increasing in sophistication and volume, but with the right tools, training, and policies, you can significantly reduce your exposure.
Build the Right Tech Stack
- Deploy advanced email filtering and threat detection solutions
- Implement DMARC, SPF, and DKIM to verify legitimate senders
- Use MFA across all critical systems to block unauthorised access
- Monitor for credential leaks and suspicious login activity with SIEM tools
Invest in Ongoing Training
- Run regular phishing simulations to build user awareness
- Train staff to spot social engineering red flags
- Tailor sessions for high-risk teams like finance, HR, and exec support
Create Strong Policies and Response Plans
- Define clear protocols for reporting phishing attempts
- Document your incident response plan and test it regularly
- Establish approval workflows for financial transactions and sensitive data access
A strong phishing defence isn’t built overnight, but consistent, layered protection will make a measurable difference.
If you suspect you've been targeted or compromised, don’t wait. Report it immediately and isolate the affected systems.
The cost of inaction
Failing to prepare for phishing attacks can have wide-reaching consequences, not just financially, but operationally and reputationally.
Financial Losses
Successful phishing scams can lead to direct financial theft, costly ransom payments, legal fees, and regulatory fines. In some cases, breaches cost organisations millions and trigger long-term compliance investigations.
Reputational Damage
A breach undermines customer trust and brand credibility. Whether it’s leaked data or disrupted service, the reputational fallout from a phishing attack can lead to lost clients, stalled deals, and bad press.
Operational Disruption
From email downtime to compromised systems, phishing attacks can grind operations to a halt. The time and cost of recovery, especially without a tested response plan, can be significant.
Prevention is far less costly than recovery. Investing in layered defences today protects your bottom line tomorrow.
Staying one step ahead
Phishing attacks are evolving and so should your defences. At The Missing Link, we don’t just react to threats, we help you stay ahead of them with a strategic, layered approach to cyber security. From proactive threat detection to tailored user training and policy development, we work with you to build resilience across your organisation.
Get in touch to strengthen your defences and ensure your business is protected against the phishing threats of today and tomorrow.
Author
As a Content Marketing Specialist, I focus on translating complex concepts into clear and engaging content. My background in brand management and PR has shaped my approach, reinforcing my belief in the power of storytelling as a strategic tool. I've seen firsthand how the right words can shape perception, build trust, and drive meaningful impact. Outside of the world of content, you'll find me travelling, reading, or diving into a new creative hobby.