Cybersecurity Glossary

Phishing


What is Phishing?

One of the most common and tried-and-true social engineering attacks utilised by threat actors, phishing is a message-based ruse, most often delivered by email, that attempts to trick users into taking a specific action, typically clicking a link or opening a file, but it may also aim at getting the user to hand over data, access, or funds to a threat actor.

During a phishing attack, a threat actor will often pose as an entity known to or trusted by the user, such as a work colleague, a member of the IT department, or an employee of a familiar financial institution. This digital disguise creates an illusion of trust that raises the odds of success. Through this disguise, the threat actor sends the target a message, primarily via email, that typically seeks to convince the recipient to click a malicious link or open a malicious file.

Phishing attacks often prey on the target’s emotions, for example by creating a sense of urgency to get the user to act quickly. A threat actor might claim there has been a problem with the target’s bank account or an immediate IT issue, or pose as a colleague who needs fast access to certain assets for a work project.

While there are many types of phishing attacks, they historically occurred, and still can occur, on a one-to-one basis, where a threat actor targets a single individual to obtain funds; email scams that target elderly individuals and request money are a common version. But phishing is increasingly used against organisations, with the targeted individuals merely serving as middlemen who may unknowingly provide access to an attacker. The threat actor asks the target for credentials or to approve an access request. If granted, that access allows threat actors to launch subsequent, more sophisticated attacks or to steal valuable data and/or funds from the target organisation.

Phishing is nearly as old as mass-market email itself: early phishing scams targeted AOL users in the 1990s through email and Instant Messenger, frequently posing as AOL employees. Phishing has evolved greatly since then, with threat actors learning new techniques and developing new tools to mimic known email addresses, conducting extensive research on their victims, and now even using artificial intelligence (AI) to eliminate once-common giveaways such as poor grammar, misspellings and incorrect details, and instead craft personalised messages that can be automated and sent at scale.

Phishing remains a popular tactic for threat actors looking for a quick payday or easy access to an environment. According to Arctic Wolf’s 2025 Threat Report, 72.9% of business email compromise (BEC) cases began with phishing, and 18.8% began with previously compromised credentials.

The reason threat actors continue to turn to this low-tech method of attack is a simple one – phishing works.  

How A Phishing Attack Works 

Like other social engineering attacks, phishing attacks follow a standard template of: 

  1. Reaching out to one or multiple individuals through a known means of communication (email, phone, instant messaging, social media, etc.) 
  2. Using that communication to pass along a fraudulent message to the individual that prompts action on their part.  
  3. Successfully gaining access, data, or funds from the victim, or even getting them to download malware 

To put these steps in more phishing-specific terms, a threat actor will, for example: 

  1. Reach out to an individual at a large tech company via email, sending the message from an address disguised to look like one that is known internally (spoofing the sender address is one way the threat actor builds this trust). 
  2. Craft a message, posing as a work colleague, that asks for access to a valuable server, stating that they urgently need it to complete a task, perhaps for a customer or a supervisor known to the victim, and asking the victim to help by providing credentials. 
  3. Trick the user into handing over those credentials, then use them to access the server and exfiltrate data, launch a ransomware attack, or carry out another malicious task. 

Phishing message examples may include: 

  • A message that looks like it’s from HR with a company-wide announcement 
  • A message seemingly from the IT department asking the victim to click on a link or provide access to an application 
  • A message with a purported link to an internal document attached 
  • A message that asks for personal information, such as a date of birth or a Social Security number 
  • A message that asks for credentials or asks the victim to authorise a multi-factor authentication (MFA) request 

A recent example is the Change Healthcare breach of early 2024. The incident, a major ransomware attack that disrupted healthcare operations and exposed the personally identifiable information (PII) of millions, traced back to phishing: ALPHV/BlackCat, the ransomware group responsible, purchased the credentials that gave them access on the dark web, credentials that had been harvested by threat actors in earlier phishing campaigns.

This example highlights how a simple phishing email can set off a series of events that leads to a devastating cyber incident. 

Common Types of Phishing Attacks 

While phishing has traditionally been email-based, it has evolved over time both to evade security tools such as email filtering and to increase the chances of success. Threat actors now use a variety of techniques, over email and over other channels, that all fall under the umbrella of phishing.

Common types and techniques of phishing include: 

1. Mass-email phishing 

The most traditional, and still one of the most common, forms of phishing is mass email phishing, in which email is the medium through which a threat actor contacts and tricks one or many victims at once. These are typically mass-mailed campaigns that cast a wide net, sending the same phishing “lure” to many recipients, often with a malicious link or attachment for the user to click on. Such emails are characterised by content that conveys a sense of urgency, incites fear or curiosity, or uses some other enticing hook to prompt action.

2. Vishing 

Vishing is voice phishing: the same playbook as email phishing, delivered over a phone call instead. Threat actors have also been known to combine the two media by following up an email with a call, or by prompting the victim within the email to call a number the attacker controls.

3. Smishing 

Smishing is a form of phishing that uses text messages (SMS) as the medium for attack. It is also frequently used to get victims to approve multi-factor authentication (MFA) requests they did not initiate and, like vishing, may be used in tandem with another kind of phishing attack to further prompt or persuade the victim.

4. Spear phishing  

Whereas more traditional phishing does not care much who the victim is, as long as they can provide funds, access, or assets, spear phishing targets a known individual and involves researching them before the attack. Whether through email or another medium, a spear phishing message will include valid information about the recipient and their life or work to convince them of the sender’s legitimacy.

5. Baiting 

Baiting is a phishing technique that uses an enticing offer or reward, such as a free download or giveaway prize. It can also involve physical media, such as a USB drive delivered by post. Instead of using urgency or fear as the motivator, baiting relies on the psychology of reward to trick the victim into action.

6. Whaling 

If spear phishing targets a single individual, whaling raises the stakes by targeting a high-profile individual known to have extensive access to data or funds within an organisation. Those targets are usually in the C-suite, and the emails are highly personalised.

7. Angler phishing 

Angler phishing moves the attack from email to social media. The threat actor typically creates a fake profile impersonating a known contact or a legitimate organisation and uses the built-in trust to trick the target into handing over funds or valuable information. This kind of attack can also use baiting, offering gift cards or other rewards for following the threat actor’s instructions.

8. Pop-up phishing 

Pop-up phishing can occur on a website, on a mobile device, or even on an endpoint or across a network that a threat actor has already compromised. The medium, a digital pop-up, prompts the target to click on it and then surrender data or credentials.

How to Respond to Signs of Phishing 

If, as a user, you suspect you’ve received a phishing message, there are a number of steps you can take to verify whether the message is legitimate. Because phishing often preys on emotions by creating a sense of urgency, it’s important to both remain calm and take your time before responding. If the message is real, the sender won’t mind that you took an extra step to verify both its contents and the subsequent request in the name of security. 

If you detect a possible phishing scam, you can: 

  • Check for obvious misspellings or grammar issues, particularly in the subject line or in the name of the organisation the sender claims to represent. For example, a subject line that refers to “Artic Woof” instead of “Arctic Wolf”. 
  • Hover over any links in the message to see where they actually lead. If the sender says the link goes to your bank but the destination URL is not your bank’s domain, or is subtly different from it, treat it as a fraudulent link. 
  • If the message contains a request, verify it with the supposed sender over a second medium such as a phone call, using contact details you already have rather than any provided in the message. 
  • Double-check the sender’s address against your own knowledge or research, as threat actors often use email addresses that appear similar to legitimate ones but are not identical. 
  • Report any suspicious messages to your IT department and/or use a “report phishing” button in your email inbox if you have one. 
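The sender, Reply-To and link checks in the list above can be automated for first-pass triage. The following Python script is an added example, not Arctic Wolf’s code or anything from this page: it parses a raw e-mail with the standard library and reports a look-alike sender domain (within an edit distance of two of a trusted domain), a Reply-To on a different domain from the From address, links whose visible text names a different site than the href, and urgency phrases. The trusted-domain list, the urgency word list and both sample messages are constructed for the example, and the two-label “registrable domain” helper is a simplification that ignores the public-suffix list.

```python
# Added example (not Arctic Wolf's code): flag the indicators from the checklist above.
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"arcticwolf.com", "examplebank.com"}  # assumed for this example
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "account suspended", "verify now")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Last two labels of a hostname (simplification: no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def domain_of(header) -> str:
    """Registrable domain of the first address in a parsed address header, or ''."""
    if not header or not header.addresses:
        return ""
    return registrable(header.addresses[0].addr_spec.rsplit("@", 1)[-1])

class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyse(raw: bytes) -> list[str]:
    """Return 'indicator:detail' strings; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["from"])
    # 1. Sender domain that is almost, but not exactly, a trusted one.
    for trusted in sorted(TRUSTED_DOMAINS):
        if from_dom != trusted and 0 < edit_distance(from_dom, trusted) <= 2:
            findings.append(f"lookalike-sender:{from_dom}~{trusted}")
    # 2. Reply-To that diverts replies to a different domain than From.
    reply_dom = domain_of(msg["reply-to"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch:{reply_dom}")
    # 3. Links whose visible text names one site while the href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    extractor = LinkExtractor()
    extractor.feed(html)
    for href, text in extractor.links:
        target = registrable(urlparse(href).hostname or "")
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
        if shown and registrable(shown.group(1)) != target:
            findings.append(f"link-mismatch:{registrable(shown.group(1))}->{target}")
    # 4. Urgency language in the subject or body text (tags stripped first).
    blob = f"{msg['subject'] or ''} {re.sub(r'<[^>]+>', ' ', html)}".lower()
    hits = [w for w in URGENCY_WORDS if w in blob]
    if hits:
        findings.append("urgency:" + ",".join(hits))
    return findings

# Constructed sample: a spoofed "IT helpdesk" credential-harvesting lure.
PHISH = b"""From: "IT Helpdesk" <helpdesk@artic-wolf.com>
Reply-To: helpdesk@mail-verify.example
To: alice@arcticwolf.com
Subject: URGENT: password reset required within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be suspended. Reset now:
<a href="http://login.arcticwolf-verify.example/reset">https://sso.arcticwolf.com/reset</a></p></body></html>
"""
# Constructed sample: a benign notice from the genuine domain, for comparison.
CLEAN = b"""From: "IT Helpdesk" <helpdesk@arcticwolf.com>
To: alice@arcticwolf.com
Subject: Password expiry notice
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires next week. <a href="https://sso.arcticwolf.com/reset">Reset here</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("CLEAN", CLEAN)):
        print(name, analyse(sample) or ["no indicators"])
```

Run it directly to see the lure flagged on all four counts while the genuine notice passes clean. A script like this only surfaces indicators for a human to weigh: it does not replace the out-of-band verification step, and a sender domain that is entirely unrelated to anything trusted, rather than a look-alike, will not trip the first check.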

How To Prevent Phishing Attacks  

There are many steps an organisation can take to protect against phishing attacks and prevent them from escalating from a threat into the start of a serious cyber incident.

Phishing protection includes: 

  1. Employ MFA for all users. MFA makes credentials captured in a phishing scam far less useful on their own, and an unexpected MFA prompt can alert both the user and the security team that someone is attempting to use that user’s credentials. It is not a complete defence, though: as noted under smishing above, threat actors also try to talk victims into approving MFA requests they did not initiate, so users should be trained to deny and report unexpected prompts.
  2. Deploy security awareness training. Human risk is a major factor in phishing, as threat actors rely on users for their attacks to succeed. By maintaining a security awareness programme that uses microlearning, sends out phishing simulations, and provides actionable instructions and feedback, your organisation can reduce the risk of successful phishing attacks.
  3. Install email security measures. Email security can filter out spam and flag suspicious emails, and can also give employees a way to flag and report potential phishing emails, giving security teams insight into the prevalence of this threat within their organisation.
  4. Provide 24×7 monitoring of endpoint, network, cloud, and identity sources. Around-the-clock monitoring ensures that if a phishing attack is initially successful, it can be detected and responded to swiftly, preventing a follow-on attack or data breach.

Understand the role phishing and social engineering play in cyber attacks with the 2025 Arctic Wolf Threat Report.  

 

Arctic Wolf
