Threats & attacks

What is Phishing

The complete guide to phishing, spear phishing, vishing and every other form the scam takes, with real cases, the compliance angle and the controls that actually stop it.

Key takeaways
  • Phishing is still the most reported cybercrime, and 2025’s reported losses to the FBI’s IC3 nearly tripled to $215.8 million even as complaint volume held flat.
  • Business email compromise, not headline ransomware, moved the biggest total: $3.05 billion in reported 2025 losses.
  • AI-written phishing emails get a 54 percent click-through rate against 12 percent for manually written ones, so spelling mistakes are no longer a safe tell.
  • Spear phishing, vishing, smishing, quishing and clone phishing are all phishing, just with a different channel or target.
  • A single ten-minute helpdesk phone call cost Marks & Spencer roughly £300 million in 2025, using the same trick that hit MGM Resorts in 2023.
  • Sweden’s BankID makes vishing a uniquely local risk, with police reporting daily calls targeting bank customers.
  • Security awareness training is now a legal duty under NIS2 Article 21.2g and Sweden’s Cybersäkerhetslagen, not just good practice.
  • Detection by eye is unreliable on its own. Verification through a second, known channel is the control that actually holds.
  • Phishing-resistant, device-bound MFA such as passkeys defeats the adversary-in-the-middle kits that steal ordinary one-time codes.
  • A documented rule that helpdesks never reset privileged access from a phone call alone would have stopped several of the largest breaches of the past three years.

What is Phishing?

Phishing is a cyber attack that uses a fake email, text message, phone call or website to trick someone into handing over credentials, money or sensitive data by impersonating a trusted person or organisation. It works by exploiting trust and urgency rather than a technical flaw, which is why it remains the most reported cybercrime in the world.

For a business this rarely stays a personal problem for long. The same email that tricks one employee into typing a password can hand an attacker the login that unlocks a finance system, a customer database or an entire network. The scale keeps growing too. The FBI’s Internet Crime Complaint Center logged 191,561 phishing complaints in 2025, its single most reported crime type, and reported phishing losses nearly tripled in a year, climbing from 70 million dollars in 2024 to 215.8 million dollars in 2025, even though the number of complaints barely moved. Fewer, better aimed attacks are doing far more damage.

How Phishing Is Made

Every phishing attack follows the same basic shape. An attacker picks a pretext, a request that feels routine or urgent enough to act on without stopping to check it. They borrow a trusted identity, often a lookalike domain, a spoofed display name or a genuinely compromised account. They deliver that pretext through email, text message, a phone call or a QR code. The final step is the ask, whether that means typing a password into a fake login page, opening an attachment, approving a login prompt or moving money to a new account. None of this needs a software vulnerability. It needs one person to believe the story for a few seconds.

Running that trick used to take skill and time. Not any more. Phishing-as-a-service kits are rented on criminal forums complete with hosting, fake login pages and built-in support. A newer generation of kits, sometimes called adversary-in-the-middle or AiTM kits, sit between the victim and the real website and capture the session after multi-factor authentication has already been approved. That is why MFA alone no longer guarantees safety.

Generative AI has cut the cost of the con further. Microsoft’s 2025 Digital Defense Report found that people are four and a half times more likely to click an AI-written phishing message, a 54 percent click-through rate against 12 percent for a manually written one. IBM’s Cost of a Data Breach Report 2025 puts a number on the speed of that shift. A convincing, personalised phishing email that took a skilled attacker around 16 hours to write by hand now takes about 5 minutes with generative AI. A joint analysis by Verizon and Anthropic in the 2026 Data Breach Investigations Report found phishing behind 44 percent of AI-assisted break-ins, the single most common use of AI in an attack, though mostly to automate and scale tricks that already worked rather than to invent new ones.

Types of Phishing Attacks

Phishing is a family of attacks, not one email format. Each type below relies on the same trick, borrowed trust, applied through a different channel or aimed at a different target.

  • Email phishing: a generic, mass-mailed message aimed at as many inboxes as possible, built to harvest credentials or deliver malware.
  • Spear phishing: a targeted message built around research on one person, using a name, employer or live project to make the pretext believable.
  • Whaling: spear phishing aimed at senior executives or board members, where a single approval can move a large sum of money.
  • Business email compromise (BEC): an attacker impersonates an executive, supplier or vendor to redirect a real payment or invoice to an account they control.
  • Vishing: voice phishing carried out by phone, often used to talk an IT helpdesk into resetting a password or multi-factor authentication.
  • Smishing: phishing by text message, exploiting the trust people place in SMS and a small screen that hides the true web address.
  • Quishing: phishing delivered through a QR code, in an email, a poster or even a parking meter, which slips past filters built to scan links in text.
  • Clone phishing: a near-identical copy of a real, previously delivered message, with the genuine link or attachment swapped for a malicious one.
  • Adversary-in-the-middle (AiTM): a kit that sits between the victim and the real website in real time, stealing the session after multi-factor authentication has already succeeded.

In practice these blend together. The cases below show a single vishing phone call opening the door to a ransomware payload, and a well-written invoice doing the same job as a technical exploit.

Business Impact

Phishing rarely stays cheap once it succeeds.

Globally, the FBI’s Internet Crime Complaint Center recorded almost 21 billion dollars in reported losses across 1,008,597 complaints in 2025, up 26 percent on 2024. Phishing and spoofing remained the most reported crime type at 191,561 complaints, and business email compromise alone accounted for 3.05 billion dollars of that total. IBM’s Cost of a Data Breach Report 2025 found phishing to be the single most common way attackers first got in, present in 16 percent of breaches, at an average cost of 4.8 million dollars per breach against a global average of 4.44 million dollars. Verizon’s 2026 Data Breach Investigations Report puts the human element behind 62 percent of all breaches, with phishing holding steady as a leading way in even as attackers increasingly exploit software vulnerabilities too.

Sweden carries its own version of this cost. Brå, the National Council for Crime Prevention, recorded 232,862 reported fraud offences in Sweden in 2025, and the police’s National Fraud Centre estimates the criminal proceeds from completed fraud at around 5.7 billion kronor for the year. A large share of that runs through phishing and its voice-based cousin, vishing, a pattern the cases below make concrete.

Real-World Cases

Three cases, three channels, the same underlying trick.

Marks & Spencer: The Phone Call That Cost £300 Million

In April 2025 a threat actor tracked as Scattered Spider phoned the outsourced IT helpdesk that supported Marks & Spencer, a major British retailer, and impersonated an employee closely enough to talk an agent into resetting a privileged account’s multi-factor authentication. From there the group reached deep into the retailer’s systems, stole customer data and deployed DragonForce ransomware. M&S’s own trading update put the damage at around £300 million in lost operating profit, and the independent Cyber Monitoring Centre assessed the combined hit on M&S and the Co-op, breached by the same group within days, at £270 million to £440 million. Harrods was struck around the same time. The same collective had already run an almost identical helpdesk call against MGM Resorts and Caesars Entertainment in September 2023, costing MGM around 100 million dollars, which shows this is a proven playbook rather than a one-off. The control that would have stopped it is simple. A helpdesk should never reset a privileged account’s password or multi-factor authentication on a phone call alone, without an independent, out-of-band check.

The $120 Million Invoice: Google and Facebook

Between 2013 and 2015 a Lithuanian man named Evaldas Rimasauskas ran a business email compromise scheme against two US technology companies, later confirmed as Google and Facebook. He registered a company under a name almost identical to Quanta Computer, a hardware supplier both companies genuinely used, then sent phishing emails and forged invoices that convinced staff to wire payments to his own accounts instead. The scheme moved more than 120 million dollars before it was caught, according to the US Department of Justice, which sentenced Rimasauskas to five years in prison in 2019. No malware and no hacking were involved. The fraud worked because nobody at either company picked up the phone to confirm a change in payment details with a contact they already knew. That one phone call, made to a number already on file rather than one supplied in the suspect email, is the control that stops almost every invoice fraud of this kind.

Sweden’s BankID Vishing Wave

Sweden’s own version of phishing rarely arrives as an email. It arrives as a phone call. A caller poses as a bank, the police or a government agency, creates urgency about a supposedly compromised account and asks the victim to open BankID, the digital identity app used by most of the adult population, then approve a login or a signature. The victim is really authenticating the caller’s own attempt to access or move money out of the account. Finansinspektionen recorded close to 143,000 payment-service frauds in the first half of 2025 alone, worth around 575 million kronor, and a large share ran through exactly this pattern. In one case reported by police in July 2025, a man in Norrtälje lost more than 200,000 kronor after several days of calls from people posing as the police and his bank. The single rule that stops this form of vishing is the one BankID and the police repeat constantly. Never open BankID or approve a login at the request of someone who called you.

Phishing and Compliance

Sweden’s cybersecurity law now treats phishing readiness as a board-level duty, not a helpdesk problem. Cybersäkerhetslagen (SFS 2025:1506), which transposes the EU’s NIS2 Directive into Swedish law, came into force on 15 January 2026. Article 21.2g of NIS2 names security awareness training among the required baseline security measures, which puts phishing simulation and staff training inside the law rather than outside it. Article 20 goes further and makes the management body, the board, responsible for approving and overseeing those measures, with supervisory authorities able to hold board members personally accountable. An organisation that suffers a successful phishing attack also has a reporting clock running: a 24-hour early warning to MCF (formerly MSB) and the relevant sector authority, a full notification within 72 hours and a final report within a month. Fines for essential entities reach up to 10 million euros or 2 percent of global turnover, and up to 7 million euros or 1.4 percent for important entities.

Two other duties usually follow close behind a successful phish. If personal data is exposed, GDPR Article 33 starts its own 72-hour clock, this time to IMY, Sweden’s data protection authority. Financial entities carry an additional layer under DORA Article 17, which sets out ICT incident management obligations supervised by Finansinspektionen, and financial services remains one of the most heavily phished sectors anywhere. Read more on the NIS2 Sweden hub, and see how phishing-specific training fits the Article 21.2g duty on the security awareness training page.

How to Spot Phishing

The old tells are fading fast. Bad spelling, generic greetings and clumsy logos used to be reliable warning signs. AI-written lures have largely erased them. Microsoft’s 2025 Digital Defense Report found AI-generated phishing getting a 54 percent click-through rate against 12 percent for a manually written message, precisely because it reads as fluent and personal rather than foreign and generic. Detection by eye alone is no longer a safe strategy, though a few signals still hold up.

On email, check whether the sender’s actual address matches the display name and the organisation it claims to be from, look twice at any request to act urgently or in secret and hover over a link before clicking it to see where it truly leads rather than trusting the visible text.

On the phone or by text, be suspicious of any unsolicited call or message that asks you to open an authentication app, read back a one-time code or approve a login you did not start. A genuine bank, employer or government agency will never need you to do any of these things at their request over the phone.

At the helpdesk, treat any request to reset a password or multi-factor authentication for a privileged account as suspicious by default until the requester’s identity is confirmed through a second, independent channel, exactly the step that was missing at Marks & Spencer, Co-op and MGM Resorts.

None of this makes detection foolproof, which is the honest caveat. The organisations in the cases above were not careless. They were outmatched by a caller or an email that looked and sounded exactly right. That is why the next section treats verification habits and technical controls as the real defence, not a sharper eye.

How to Defend

Phishing is beaten with layers, not a single tool, and each layer targets a different point where the trick can fail.

People: run recurring, realistic security awareness training that covers phone and text messages as well as email. Verizon’s 2026 DBIR found voice and SMS phishing simulations getting meaningfully higher engagement than email simulations, so a training programme built only around email is already training for yesterday’s attack. Give staff one blame-free way to report a suspicious message, and act on those reports quickly.

Process: require a second, independent check for anything that matters. Verify any change to payment details or bank account numbers by phone, using a number you already hold rather than one supplied in the message. Require two people to approve any payment above a set threshold. Write a helpdesk rule that a privileged account’s password or multi-factor authentication is never reset from a phone call alone, and test that rule with an unannounced drill.

Technology: enforce DMARC, SPF and DKIM at full strength so spoofed messages from your own domain get rejected rather than delivered. Move away from one-time codes and toward phishing-resistant, device-bound authentication such as passkeys. Adversary-in-the-middle kits are built specifically to intercept a one-time code after it has already been typed in. Filter attachments and QR codes at the gateway, not just links.

None of these controls is exotic or expensive to start. The organisations in the cases above were not missing a clever piece of technology. They were missing the ordinary, unglamorous habit of checking twice before acting once.

Myths & Facts

Myth

You can always tell phishing from bad spelling and clumsy grammar.

Phishing is only an email problem.

Multi-factor authentication makes an account phishing-proof.

Only careless or junior staff fall for phishing.

Spam filters and antivirus software stop most phishing.

This is an IT problem, not something finance or HR need to worry about.

Fact

AI-written phishing now gets a 54 percent click-through rate against 12 percent for manually written lures, according to Microsoft's 2025 Digital Defense Report, because it reads as fluent and personal rather than foreign.

Marks & Spencer and MGM Resorts were both breached through a single vishing phone call to an IT helpdesk, not an email, and Verizon's 2026 DBIR shows voice and text phishing simulations now outperforming email ones.

Adversary-in-the-middle kits and helpdesk vishing routinely bypass or reset MFA in real time, which is why phishing-resistant, device-bound methods such as passkeys are now recommended over one-time codes.

Finance teams at Google and Facebook wired more than 120 million dollars combined to a fabricated supplier over two years, proof that the sophistication of the con matters more than the carelessness of the victim.

IBM's Cost of a Data Breach Report 2025 still found phishing the single most common way attackers first got into a network, present in 16 percent of breaches despite widespread filtering.

Business email compromise targets finance and HR directly through invoice and payroll fraud, and the FBI recorded 3.05 billion dollars in BEC losses in 2025 alone.

Test Yourself

Four real-world scenarios, then six knowledge questions. See how prepared you would be under pressure.

Scenario simulation

  1. Someone calls your company's IT helpdesk claiming to be a senior manager who is locked out and urgently needs a password reset before an important meeting.

    What should the helpdesk agent do?

    • Reset the password straight away since the caller sounds convincing and time is short
    • Ask the caller to confirm their identity through a second, independent channel before resetting anything
    • Reset it but note the caller's name in the ticket for later review
  2. Your regular supplier emails to say their bank account has changed and asks you to send the next payment to a new account straight away.

    What is the safest next step?

    • Update the payment details and send the payment as requested since it came from their usual email address
    • Call the supplier on a phone number you already have on file to confirm the change before paying
    • Ask a colleague to double check the email for spelling mistakes before paying
  3. You get a call from someone saying they are from your bank, warning that your account has been compromised and asking you to open BankID to confirm your identity.

    What should you do?

    • Open BankID and approve the request since the caller already knew some of your details
    • Hang up and contact your bank directly using the number on your card or their official app
    • Ask the caller detailed questions to test whether they really work for the bank
  4. You receive a perfectly written, well-formatted email from what looks like your CEO, asking you to buy gift cards for a client event and send the codes over immediately.

    What is the best response?

    • Send the codes quickly since the email reads professionally and mentions a real client event
    • Reply to the email asking for more details before doing anything
    • Contact the CEO directly through a known number or in person before buying anything

Knowledge test

  1. Which of these is the best definition of phishing?

    • A virus that spreads automatically between computers
    • A fake message or call that impersonates a trusted source to steal money or data
    • A tool that scans a network for open ports
    • A type of firewall configuration error

    Phishing is a social engineering attack built on impersonation and trust, not a piece of malware or a technical misconfiguration.

  2. What is spear phishing?

    • A mass email sent to as many addresses as possible
    • A phishing attack targeted at one specific person using research about them
    • A firewall rule that blocks suspicious IP addresses
    • An antivirus scanning technique

    Spear phishing is targeted and personalised, which is what makes it more convincing than a generic, mass-mailed phishing attempt.

  3. According to the FBI's 2025 Internet Crime Report, how did reported phishing losses change between 2024 and 2025?

    • They fell by half
    • They stayed exactly the same
    • They nearly tripled, from 70 million to 215.8 million dollars
    • They were not tracked separately

    Complaint numbers barely moved, but reported losses climbed from 70 million to 215.8 million dollars, showing more damaging, better targeted attacks.

  4. What made the 2025 Marks & Spencer breach possible?

    • A software vulnerability in the company's website
    • A phone call to an IT helpdesk that led to a privileged password reset
    • A physical break-in at a company data centre
    • An unpatched firewall

    The attackers social engineered a third-party IT helpdesk by phone, the same technique used against MGM Resorts and Caesars Entertainment in 2023.

  5. Why is multi-factor authentication no longer a guarantee against phishing on its own?

    • MFA has been made illegal in the EU
    • Adversary-in-the-middle kits and helpdesk vishing can intercept or reset it
    • MFA only works on mobile phones
    • Most companies have stopped using it

    Kits that sit between a victim and the real website, and social engineered helpdesk resets, both let attackers get past MFA in real time.

  6. What does NIS2 Article 21.2g specifically require?

    • Encrypting all customer data
    • Security awareness training as a baseline security measure
    • Hiring a named CISO within 30 days
    • Annual penetration testing only

    Article 21.2g names security awareness training among the required baseline measures, which Sweden's Cybersäkerhetslagen now enforces domestically.

Why Training Matters

Most of the incidents in this guide did not fail because of missing technology. They failed because one person, under pressure, did something reasonable, resetting a password or approving a request, without an easy way to pause and check it first. Regular, realistic training changes that moment. It gives people a rehearsed habit to fall back on, a phrase to use, a number to call and permission to say no to an urgent request until it is verified. Under NIS2 Article 21.2g and Sweden’s Cybersäkerhetslagen, that training is also now a baseline legal requirement rather than a nice-to-have, with the organisation’s board carrying responsibility for making sure it happens.

Frequently Asked Questions

What is phishing?

Phishing is a cyber attack that uses a fake email, text message, phone call or website to impersonate a trusted person or organisation and trick someone into handing over credentials, money or sensitive data. It relies on manipulating trust and urgency rather than exploiting a technical flaw, which is why training and verification habits matter as much as software.

What does phishing mean, and where does the term come from?

Phishing means using a fake message or call to fish for something valuable, a password, a payment or personal data, by posing as someone the target trusts. The name is a deliberate play on fishing, with ph borrowed from 1970s phone phreaking, the earlier hacker slang for manipulating telephone systems.

What is a phishing attack, and how does one actually unfold?

A phishing attack is the delivery of a fake, trusted-looking message designed to make someone act without checking it first, whether that means clicking a link, opening a file or approving a payment. Most follow the same three steps: pick a believable pretext, borrow a trusted identity and ask for something specific once trust is established.

What is spear phishing, and how is it different from ordinary phishing?

Spear phishing is a targeted phishing attack built around research on one specific person, using details like their name, employer or a live project to make the message believable. Ordinary phishing is sent broadly and hopes someone bites, while spear phishing is aimed and often far more convincing because it fits the target's real life.

What does a phishing email look like?

A phishing email usually mimics a real sender closely, using a lookalike domain or a spoofed display name, and pushes urgency around a locked account, an overdue invoice or a security alert. It typically carries a link to a fake login page, and it is now often written by AI, so spelling mistakes are no longer a reliable warning sign.

What is a phishing scam, and how much do they actually cost?

A phishing scam is any phishing attack built around a financial hook, a fake invoice, a wire-transfer request or a too-good investment, aimed at moving money rather than harvesting a password. The FBI's Internet Crime Complaint Center recorded 215.8 million dollars in direct phishing losses in 2025, on top of 3.05 billion dollars lost to business email compromise scams.

What should I do if I think I have clicked a phishing link?

Disconnect the device from the network, change the password for any account that shares that password and report it to your IT or security team rather than staying quiet. If the click also approved a login or a payment, call your bank or IT helpdesk straight away on a number you already know, not one from the message itself.

Is phishing illegal, and do businesses have to report it?

Phishing is a crime in essentially every jurisdiction, typically prosecuted as fraud, wire fraud or unauthorised computer access depending on what was taken. In Sweden a business with a successful phishing-driven incident also carries a legal duty to report it under NIS2 and Cybersäkerhetslagen, and separately to notify IMY within 72 hours if personal data was exposed.

Get a 30-Minute Security Briefing. No Pitch Deck.

Talk to a Sweden-based analyst. We'll review your posture, map your NIS2 gaps, and give you a clear picture of where you stand, in plain language.

Book a Free Briefing
No commitment Sweden-based analyst

How eBuilder Security Can Help

Awareness is the first layer. These are the services that turn it into measurable protection.