What is Phishing?
Phishing is a cyber attack that uses a fake email, text message, phone call or website to trick someone into handing over credentials, money or sensitive data by impersonating a trusted person or organisation. It works by exploiting trust and urgency rather than a technical flaw, which is why it remains the most reported cybercrime in the world.
For a business this rarely stays a personal problem for long. The same email that tricks one employee into typing a password can hand an attacker the login that unlocks a finance system, a customer database or an entire network. The scale keeps growing too. The FBI’s Internet Crime Complaint Center logged 191,561 phishing complaints in 2025, its single most reported crime type, and reported phishing losses nearly tripled in a year, climbing from 70 million dollars in 2024 to 215.8 million dollars in 2025, even though the number of complaints barely moved. Fewer, better aimed attacks are doing far more damage.
How Phishing Is Made
Every phishing attack follows the same basic shape. An attacker picks a pretext, a request that feels routine or urgent enough to act on without stopping to check it. They borrow a trusted identity, often a lookalike domain, a spoofed display name or a genuinely compromised account. They deliver that pretext through email, text message, a phone call or a QR code. The final step is the ask, whether that means typing a password into a fake login page, opening an attachment, approving a login prompt or moving money to a new account. None of this needs a software vulnerability. It needs one person to believe the story for a few seconds.
Running that trick used to take skill and time. Not any more. Phishing-as-a-service kits are rented on criminal forums complete with hosting, fake login pages and built-in support. A newer generation of kits, sometimes called adversary-in-the-middle or AiTM kits, sit between the victim and the real website and capture the session after multi-factor authentication has already been approved. That is why MFA alone no longer guarantees safety.
Generative AI has cut the cost of the con further. Microsoft’s 2025 Digital Defense Report found that people are four and a half times more likely to click an AI-written phishing message, a 54 percent click-through rate against 12 percent for a manually written one. IBM’s Cost of a Data Breach Report 2025 puts a number on the speed of that shift. A convincing, personalised phishing email that took a skilled attacker around 16 hours to write by hand now takes about 5 minutes with generative AI. A joint analysis by Verizon and Anthropic in the 2026 Data Breach Investigations Report found phishing behind 44 percent of AI-assisted break-ins, the single most common use of AI in an attack, though mostly to automate and scale tricks that already worked rather than to invent new ones.
Types of Phishing Attacks
Phishing is a family of attacks, not one email format. Each type below relies on the same trick, borrowed trust, applied through a different channel or aimed at a different target.
- Email phishing: a generic, mass-mailed message aimed at as many inboxes as possible, built to harvest credentials or deliver malware.
- Spear phishing: a targeted message built around research on one person, using a name, employer or live project to make the pretext believable.
- Whaling: spear phishing aimed at senior executives or board members, where a single approval can move a large sum of money.
- Business email compromise (BEC): an attacker impersonates an executive, supplier or vendor to redirect a real payment or invoice to an account they control.
- Vishing: voice phishing carried out by phone, often used to talk an IT helpdesk into resetting a password or multi-factor authentication.
- Smishing: phishing by text message, exploiting the trust people place in SMS and a small screen that hides the true web address.
- Quishing: phishing delivered through a QR code, in an email, a poster or even a parking meter, which slips past filters built to scan links in text.
- Clone phishing: a near-identical copy of a real, previously delivered message, with the genuine link or attachment swapped for a malicious one.
- Adversary-in-the-middle (AiTM): a kit that sits between the victim and the real website in real time, stealing the session after multi-factor authentication has already succeeded.
In practice these blend together. The cases below show a single vishing phone call opening the door to a ransomware payload, and a well-written invoice doing the same job as a technical exploit.
Business Impact
Phishing rarely stays cheap once it succeeds.
Globally, the FBI’s Internet Crime Complaint Center recorded almost 21 billion dollars in reported losses across 1,008,597 complaints in 2025, up 26 percent on 2024. Phishing and spoofing remained the most reported crime type at 191,561 complaints, and business email compromise alone accounted for 3.05 billion dollars of that total. IBM’s Cost of a Data Breach Report 2025 found phishing to be the single most common way attackers first got in, present in 16 percent of breaches, at an average cost of 4.8 million dollars per breach against a global average of 4.44 million dollars. Verizon’s 2026 Data Breach Investigations Report puts the human element behind 62 percent of all breaches, with phishing holding steady as a leading way in even as attackers increasingly exploit software vulnerabilities too.
Sweden carries its own version of this cost. Brå, the National Council for Crime Prevention, recorded 232,862 reported fraud offences in Sweden in 2025, and the police’s National Fraud Centre estimates the criminal proceeds from completed fraud at around 5.7 billion kronor for the year. A large share of that runs through phishing and its voice-based cousin, vishing, a pattern the cases below make concrete.
Real-World Cases
Three cases, three channels, the same underlying trick.
Marks & Spencer: The Phone Call That Cost £300 Million
In April 2025 a threat actor tracked as Scattered Spider phoned the outsourced IT helpdesk that supported Marks & Spencer, a major British retailer, and impersonated an employee closely enough to talk an agent into resetting a privileged account’s multi-factor authentication. From there the group reached deep into the retailer’s systems, stole customer data and deployed DragonForce ransomware. M&S’s own trading update put the damage at around £300 million in lost operating profit, and the independent Cyber Monitoring Centre assessed the combined hit on M&S and the Co-op, breached by the same group within days, at £270 million to £440 million. Harrods was struck around the same time. The same collective had already run an almost identical helpdesk call against MGM Resorts and Caesars Entertainment in September 2023, costing MGM around 100 million dollars, which shows this is a proven playbook rather than a one-off. The control that would have stopped it is simple. A helpdesk should never reset a privileged account’s password or multi-factor authentication on a phone call alone, without an independent, out-of-band check.
The $120 Million Invoice: Google and Facebook
Between 2013 and 2015 a Lithuanian man named Evaldas Rimasauskas ran a business email compromise scheme against two US technology companies, later confirmed as Google and Facebook. He registered a company under a name almost identical to Quanta Computer, a hardware supplier both companies genuinely used, then sent phishing emails and forged invoices that convinced staff to wire payments to his own accounts instead. The scheme moved more than 120 million dollars before it was caught, according to the US Department of Justice, which sentenced Rimasauskas to five years in prison in 2019. No malware and no hacking were involved. The fraud worked because nobody at either company picked up the phone to confirm a change in payment details with a contact they already knew. That one phone call, made to a number already on file rather than one supplied in the suspect email, is the control that stops almost every invoice fraud of this kind.
Sweden’s BankID Vishing Wave
Sweden’s own version of phishing rarely arrives as an email. It arrives as a phone call. A caller poses as a bank, the police or a government agency, creates urgency about a supposedly compromised account and asks the victim to open BankID, the digital identity app used by most of the adult population, then approve a login or a signature. The victim is really authenticating the caller’s own attempt to access or move money out of the account. Finansinspektionen recorded close to 143,000 payment-service frauds in the first half of 2025 alone, worth around 575 million kronor, and a large share ran through exactly this pattern. In one case reported by police in July 2025, a man in Norrtälje lost more than 200,000 kronor after several days of calls from people posing as the police and his bank. The single rule that stops this form of vishing is the one BankID and the police repeat constantly. Never open BankID or approve a login at the request of someone who called you.
Phishing and Compliance
Sweden’s cybersecurity law now treats phishing readiness as a board-level duty, not a helpdesk problem. Cybersäkerhetslagen (SFS 2025:1506), which transposes the EU’s NIS2 Directive into Swedish law, came into force on 15 January 2026. Article 21.2g of NIS2 names security awareness training among the required baseline security measures, which puts phishing simulation and staff training inside the law rather than outside it. Article 20 goes further and makes the management body, the board, responsible for approving and overseeing those measures, with supervisory authorities able to hold board members personally accountable. An organisation that suffers a successful phishing attack also has a reporting clock running: a 24-hour early warning to MCF (formerly MSB) and the relevant sector authority, a full notification within 72 hours and a final report within a month. Fines for essential entities reach up to 10 million euros or 2 percent of global turnover, and up to 7 million euros or 1.4 percent for important entities.
Two other duties usually follow close behind a successful phish. If personal data is exposed, GDPR Article 33 starts its own 72-hour clock, this time to IMY, Sweden’s data protection authority. Financial entities carry an additional layer under DORA Article 17, which sets out ICT incident management obligations supervised by Finansinspektionen, and financial services remains one of the most heavily phished sectors anywhere. Read more on the NIS2 Sweden hub, and see how phishing-specific training fits the Article 21.2g duty on the security awareness training page.
How to Spot Phishing
The old tells are fading fast. Bad spelling, generic greetings and clumsy logos used to be reliable warning signs. AI-written lures have largely erased them. Microsoft’s 2025 Digital Defense Report found AI-generated phishing getting a 54 percent click-through rate against 12 percent for a manually written message, precisely because it reads as fluent and personal rather than foreign and generic. Detection by eye alone is no longer a safe strategy, though a few signals still hold up.
On email, check whether the sender’s actual address matches the display name and the organisation it claims to be from, look twice at any request to act urgently or in secret and hover over a link before clicking it to see where it truly leads rather than trusting the visible text.
On the phone or by text, be suspicious of any unsolicited call or message that asks you to open an authentication app, read back a one-time code or approve a login you did not start. A genuine bank, employer or government agency will never need you to do any of these things at their request over the phone.
At the helpdesk, treat any request to reset a password or multi-factor authentication for a privileged account as suspicious by default until the requester’s identity is confirmed through a second, independent channel, exactly the step that was missing at Marks & Spencer, Co-op and MGM Resorts.
None of this makes detection foolproof, which is the honest caveat. The organisations in the cases above were not careless. They were outmatched by a caller or an email that looked and sounded exactly right. That is why the next section treats verification habits and technical controls as the real defence, not a sharper eye.
How to Defend
Phishing is beaten with layers, not a single tool, and each layer targets a different point where the trick can fail.
People: run recurring, realistic security awareness training that covers phone and text messages as well as email. Verizon’s 2026 DBIR found voice and SMS phishing simulations getting meaningfully higher engagement than email simulations, so a training programme built only around email is already training for yesterday’s attack. Give staff one blame-free way to report a suspicious message, and act on those reports quickly.
Process: require a second, independent check for anything that matters. Verify any change to payment details or bank account numbers by phone, using a number you already hold rather than one supplied in the message. Require two people to approve any payment above a set threshold. Write a helpdesk rule that a privileged account’s password or multi-factor authentication is never reset from a phone call alone, and test that rule with an unannounced drill.
Technology: enforce DMARC, SPF and DKIM at full strength so spoofed messages from your own domain get rejected rather than delivered. Move away from one-time codes and toward phishing-resistant, device-bound authentication such as passkeys. Adversary-in-the-middle kits are built specifically to intercept a one-time code after it has already been typed in. Filter attachments and QR codes at the gateway, not just links.
None of these controls is exotic or expensive to start. The organisations in the cases above were not missing a clever piece of technology. They were missing the ordinary, unglamorous habit of checking twice before acting once.
