The Hook Is Already in the Water. Have You Seen It?
An estimated 3.4 billion phishing emails are sent every day. That is not a typo: it works out to roughly 39,000 a second, going to inboxes, to phones and to social media accounts, each one designed to look legitimate enough that you do not notice the hook until it is too late.
Phishing is the most common form of cybercrime in the world. It accounts for over 22 percent of all reported internet crimes. It is responsible for losses of $25 billion annually. And despite being decades old, it is becoming more effective, not less — because the tools attackers use to craft it have become dramatically more sophisticated.
What Phishing Actually Is
The word comes from fishing — the idea of casting a lure and waiting for something to bite. In cybersecurity, phishing refers to any attempt to deceive someone into revealing sensitive information or taking an action that compromises their security, by pretending to be a trustworthy source.
The classic version is an email. It looks like it is from your bank, your employer, a government agency, or a service you use. It tells you something urgent — your account has been compromised, a payment has failed, a package could not be delivered, you are owed a refund. It asks you to click a link and enter your information. The link goes to a fake website that looks identical to the real one. You enter your credentials. They are captured. The attacker has what they came for.
That is the basic model. Modern phishing has evolved far beyond it.
The Many Forms of the Hook
Email phishing. The original and still most common form. Mass-produced emails impersonating trusted brands — banks, delivery companies, government agencies, streaming services, retailers. In 2024, Adobe was the most impersonated brand. DHL was the most impersonated delivery service. These campaigns are sent in volumes of millions, and even a tiny click rate translates to thousands of victims.
Spear phishing. Targeted phishing directed at a specific individual. Unlike mass campaigns, spear phishing is personalized — the attacker has researched you, knows your name, your employer, your role, possibly your recent activity. The message references details that make it feel authentic. New employees face spear phishing attacks impersonating senior colleagues within an average of three weeks of joining a company. Targeted phishing campaigns achieve click rates of over 53 percent.
Smishing. Phishing via SMS text message. Roughly 70 percent of all mobile phishing attacks now happen through text rather than email. Common forms include fake delivery notifications, bank alerts, and messages claiming to be from government agencies about tax refunds or unpaid fines. The links in these messages go to credential-harvesting sites.
Vishing. Voice phishing — phone calls from people pretending to be bank representatives, tech support agents, government officials, or utility companies. The caller creates urgency, establishes false authority, and extracts information verbally. AI-generated voice cloning has made vishing significantly more convincing, with some attacks now using synthetic voices of people the target actually knows.
Quishing. QR code phishing, a relatively new method in which attackers embed malicious URLs in QR codes. A QR code is not human-readable, so the visual checks most people apply to a suspicious link cannot be applied until the code has been scanned, and the scan usually happens on a personal phone rather than in the mail client. QR code phishing surged in 2024 because the URL sits inside an image rather than in the message text, so email security filters that inspect only the links in the HTML body never see it.
Business Email Compromise. A sophisticated form targeting organizations, where attackers impersonate executives, suppliers, or partners to authorize fraudulent payments or data transfers. Business Email Compromise caused $2.77 billion in reported losses in 2024 alone and its volume surged 54 percent in the first half of 2025 compared to 2023.
Why AI Has Changed Everything
The traditional advice for spotting phishing was straightforward: look for spelling mistakes, grammatical errors, generic greetings, suspicious sender addresses, and poorly designed layouts. These signals worked because phishing campaigns were mass-produced quickly with minimal attention to quality.
AI has eliminated most of these tells.
Large language models have reduced the time required to produce a convincing phishing email from sixteen hours to five minutes. The messages now read as fluently as correspondence from the real organizations they impersonate. They use correct grammar, appropriate terminology, and accurate formatting. They can be personalized at scale. Over 86 percent of organizations have already encountered at least one AI-generated phishing or social engineering incident.
The arms race between attackers and defenders is real — and right now the attackers have a meaningful advantage in speed and volume.
How to Identify a Phishing Attempt
The signals have changed but they have not disappeared. Here is what to look for in the current environment:
Urgency and pressure. Phishing messages almost always create a sense of emergency — your account will be suspended, your payment has failed, you must act within 24 hours. Legitimate organizations rarely demand immediate action under threat of consequence. When a message creates pressure, slow down rather than speed up.
The sender address does not match. The display name is free text chosen by the sender, so it proves nothing on its own: it may say PayPal or the name of your bank while the address behind it belongs to a different domain. Look at the full address, and in particular at the domain after the @. Attackers register look-alike domains such as paypa1.com or paypal-security.net, subtly misspelled versions of the real name, or the real name under a different top-level domain. A matching address is necessary but not sufficient: the From header itself can be forged unless the receiving mail system enforces SPF, DKIM and DMARC, which is one reason the other signals here still matter.
The link destination does not match the display text. Hover over a link before clicking it; on desktop the real destination appears in the status bar at the bottom of the browser or mail client, and on a phone a long press shows it. If the displayed text says paypal.com but the URL points at a different domain, do not click. Two caveats: read the whole domain, not just the start of the URL, because a host of the form paypal.com.example-login.net (an illustrative name) belongs to example-login.net, not to PayPal; and legitimate mailings often route links through a tracking domain, so a mismatch is a reason to stop and verify rather than proof by itself. The safe move is still to type the address yourself.
You were not expecting it. A package delivery notification for a package you did not order. A bank alert for an account you do not have. A refund for a purchase you did not make. Unsolicited contact claiming to relate to something you did not initiate is a significant red flag.
It asks for information a legitimate organization would not need via this channel. Banks do not ask for your full password via email. Government agencies do not request payment via gift card. Tech support does not call you unsolicited to ask for remote access to your computer. If the request feels unusual for the supposed sender, trust that instinct.
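The sender-address and link-mismatch checks above are mechanical enough to automate. The script below is an added example written for this article, not code from any product or from the page's author: it parses a raw email, compares the display name against the sending domain, compares each link's visible text against its real target, flags digit-for-letter look-alike domains, and lists urgency phrases. The brand allowlist, the two sample messages and the urgency word list are constructed for the example; the registrable-domain helper is a deliberate approximation; and none of this replaces SPF, DKIM and DMARC checks on the receiving server, since the From header itself can be forged.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: brands the recipient deals with and the domains they really use.
KNOWN_BRANDS = {"paypal": {"paypal.com"}, "dhl": {"dhl.com", "dhl.de"}}
LEGIT_DOMAINS = set().union(*KNOWN_BRANDS.values())
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "suspended", "verify now")
# Digit-for-letter swaps seen in look-alike domains (paypa1 -> paypal, g00gle -> google).
HOMOGLYPHS = str.maketrans("10", "lo")
# Anchor text that is itself a URL or bare domain; "Click here" does not match.
DOMAINISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I)

# Constructed sample messages; neither is a real email.
PHISH_EML = """\
From: "PayPal Security" <alerts@paypal-security.net>
Subject: Urgent: your account will be suspended in 24 hours
Content-Type: text/html; charset=utf-8

<html><body><p>We detected unusual activity. Verify now or lose access within 24 hours.</p>
<p><a href="http://paypa1.com/login">https://www.paypal.com/signin</a></p></body></html>
"""
LEGIT_EML = """\
From: "DHL Express" <noreply@dhl.com>
Subject: Your shipment is on its way
Content-Type: text/html; charset=utf-8

<html><body><p>Your parcel arrives tomorrow. <a href="https://www.dhl.com/track">Track it</a></p></body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Last two labels: fine for .com/.net; a real tool uses the public suffix list (co.uk).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_brand(host):
    """Name the brand a host imitates, or None if the host is allowlisted or unrelated."""
    if not host or registrable_domain(host) in LEGIT_DOMAINS:
        return None
    label = registrable_domain(host).split(".")[0].translate(HOMOGLYPHS)
    return next((b for b in KNOWN_BRANDS if b in label), None)


def analyze(raw_message):
    """Return human-readable findings for one raw message; an empty list means nothing fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    # Signal 1: the display name claims a brand the sending domain does not belong to.
    display_name, addr = parseaddr(str(msg.get("From", "")))
    sender_host = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand, domains in KNOWN_BRANDS.items():
        if brand in display_name.lower() and registrable_domain(sender_host) not in domains:
            findings.append(f"display name says {brand} but sender domain is {sender_host}")
    if lookalike_brand(sender_host):
        findings.append(f"sender domain {sender_host} imitates {lookalike_brand(sender_host)}")
    # Signal 2: visible link text names one site while the href points at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    extractor = LinkExtractor()
    extractor.feed(html)
    for href, text in extractor.links:
        target = (urlparse(href).hostname or "").lower()
        m = DOMAINISH.match(text)
        shown = m.group(1).lower() if m else ""
        if shown and target and registrable_domain(shown) != registrable_domain(target):
            findings.append(f"link text shows {shown} but target is {target}")
        if lookalike_brand(target):
            findings.append(f"link target {target} imitates {lookalike_brand(target)}")
    # Signal 3: pressure language in the subject or body text.
    blob = f"{msg.get('Subject', '')} {re.sub(r'<[^>]+>', ' ', html)}".lower()
    if hits := [p for p in URGENCY_PHRASES if p in blob]:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EML), ("legit", LEGIT_EML)):
        print(name, analyze(raw) or ["no findings"])
```

Run as a script it prints five findings for the constructed phishing message and none for the legitimate one. The homoglyph table and the two-label domain rule are intentionally simple; a production filter would use the public suffix list, a confusables table or edit distance for look-alikes, and would score the signals rather than treat any one of them as proof.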
What You Can Do
Recognition is the most important defense. Beyond that, these practical measures reduce your exposure significantly.
Never click links in unsolicited messages. If you receive an email or text claiming to be from your bank, go to the bank’s website directly by typing the address into your browser — not by clicking any link in the message. The same applies to any service you use.
Enable two-factor authentication on every account that supports it. Even if a phishing attack captures your password, the attacker still needs the second factor, and against the mass campaigns that only harvest passwords that is enough to stop them. Prefer phishing-resistant methods where they are offered: a passkey or a hardware security key is bound to the genuine site's domain and simply will not work on a look-alike, whereas a one-time code sent by SMS or shown in an authenticator app can be relayed by an attacker whose fake site proxies your session to the real one in real time. Any second factor is far better than none; a phishing-resistant one closes the remaining gap.
Verify unexpected requests through a separate channel. If you receive an email from your employer, your bank, or a supplier requesting something unusual, call them directly using a number you already have — not a number provided in the suspicious message — and confirm the request is legitimate.
Check the URL before opening a QR code. The code itself is not readable, but most phone camera apps show the decoded URL after scanning and before opening it. Read that preview, apply the same domain check you would to a link in an email, and do not open it if the domain is unfamiliar. Treat QR codes on unsolicited letters, on stickers in public places and in unexpected emails with particular suspicion, since anyone can print a new code and paste it over an old one.
Report phishing attempts. In the UK, forward suspicious emails to report@phishing.gov.uk. In the US, report to the Anti-Phishing Working Group at reportphishing@apwg.org or to the FTC at reportfraud.ftc.gov. Reporting helps authorities track campaigns and warn others.
Phishing works because it exploits trust and urgency — two things humans are wired to respond to. The defense is not to become suspicious of everything. It is to slow down, look carefully, and verify independently before acting. Three seconds of scrutiny is all it takes to avoid most attacks.
The hook is in every inbox, every text thread, every phone call from an unknown number. Now that you know what it looks like, you have a significant advantage over the millions of people who do not.