
Deciphering the phishing attack, so you don't take the bait!

By Ainhoa Carpio-Talleux

Published: 30 April 2025

Red alert in our inboxes: phishing attacks have soared. According to APWG data, the number of phishing attacks rose from 877,536 in the second quarter of 2024 to 989,123 in the fourth quarter.

This is not a mere increase but a veritable tide of phishing sweeping through our organisations. Gone are the crude messages riddled with spelling mistakes from a Nigerian stranger wanting to share his fortune. Today, cybercriminals deploy sophisticated strategies that fool even seasoned professionals.

To deal with it, let's look at what phishing is, the forms it takes and how to avoid taking the bait.

What is a "phishing attack"?

Phishing attack: definition

Phishing is a social-engineering technique designed to steal sensitive information by impersonating a trusted person or organisation. It is one of the most common cyber-attack techniques, affecting individuals and large companies alike. And of course, the bigger the fish, the better for the attacker.

What are phishing attacks aimed at?

These attackers, or more precisely "scammers" in the jargon, have several objectives:

  • Steal your personal or professional data.
  • Assume the target's identity in order to commit fraud.
  • Break into a computer system and install a Trojan horse or other malware.
  • Embezzle money via fraudulent bank transfers.
  • Take over personal and professional accounts: e-mail, social networks, web services, etc.

Example of a phishing attack

In 2024, according to Arctic Wolf's report, 70% of businesses reported business email compromise (BEC) attacks, and nearly 29% of them suffered at least one successful attack.

Case study of a phishing attack

In February 2023, a French company lost around €38 million after its accounts department, acting in good faith, responded to an e-mail appearing to come from the company's lawyers and managing director and made the 45 transfers it requested (source: Radio France).

The email was perfectly worded, used the correct logos, signatures and internal references, and even mentioned a real confidential project underway within the organisation.

This sophisticated attack shows just how professional phishing techniques have become, representing a major threat to your company's cyber security.

The ABCs of a phishing attack: how it works

A phishing attack can take several forms (see below). But whatever the form, there are several stages to a typical process.

1. Preparation

The attacker gathers information about the target (company, staff, habits) via social networks or the web: this is the reconnaissance phase. The fisherman identifies the fish so as to choose the best bait for the hook. In other words, the attack is personalised, which does not guarantee success but drastically increases the odds.

2. Creating the lure (bait)

Drafting a credible message imitating a legitimate organisation: a bank, the internal IT department, an Internet provider, etc.

The attacker will faithfully reproduce the features of the organisation:

  • The visual identity (logos, graphic charter).
  • The usual tone and style of communication.
  • Official signatures and contact details.
  • Look-alike web domains (e.g. amazon-security.com instead of amazon.com).

3. Distribution (casting the hook)

Mass or targeted sending of a message containing a malicious link or infected attachment. Every day, no fewer than 3.4 billion phishing e-mails are sent around the world, representing 1.2% of all e-mail, according to AAG.

By those statistics, almost everyone has received a phishing message at least once. The lucky ones never saw it, because it went to spam. The unlucky ones became victims, and realised it far too late.

4. Manipulation

Encouraging the victim to click on the link or open the attachment using social engineering techniques:

  • Creating a sense of urgency ("Your account will be blocked in 24 hours").
  • Use of curiosity ("See who has consulted your profile").
  • Exploitation of fear ("Suspicious connection attempt detected").
  • Appeal to greed ("You have won an iPhone 15").

5. Compromise

Collection of the credentials entered on the fake site, or installation of malicious code on the victim's device. This stage is generally invisible to the user, who believes they are interacting with a legitimate service.

6. Exploitation

Here, depending on the form of phishing, the data is exploited in different ways:

  • Using stolen credentials to access accounts.
  • Making fraudulent transfers.
  • Launching further attacks inside the organisation's network.

💡 Did you know? Artificial intelligence has become a formidable ally of cybercriminals. The latest techniques include voice cloning (replicating a CEO's voice over the phone) and deepfakes (fake videos of a trusted person). These technologies make attacks far more convincing and harder for a security team to detect.

The most common types of phishing attack

Over the years, hackers have perfected their techniques to become increasingly specific and effective.

But the principle is always the same. The attacker is a fisherman, phishing is both bait and hook, and the target is the fish. To avoid these traps, you need to understand how they work.

Here are the most commonly used phishing attack techniques or methods.

1. Phishing by e-mail - The timeless classic

E-mail phishing remains the attackers' preferred modus operandi: it is the easiest to set up and the most widespread. Individuals are the easiest prey, but organisations are far from immune; an IT department and a mail filter cut the volume that reaches staff, they do not bring it to zero.

How do you recognise it?

Given the number of business e-mails a company receives every day or every week, it's easy to get lost. But there are a few warning signs.

Before clicking on a link or downloading a file, check the following:

  • Suspicious sender address (look beyond the name displayed: the display name is free text that the sender chooses).
  • Subtle spelling mistakes, often in the sender's domain (a 1 for an l, rn for m, an extra word such as -security).
  • Generic greetings ("Dear customer" instead of your name).
  • Links whose real destination, shown when you hover over them, differs from the link text or from the domain you expect.
  • Attachments with dubious extensions (.zip, .exe, .bat, .iso, .lnk, macro-enabled Office files) or double extensions (invoice.pdf.exe).

Typical example: an e-mail imitating your bank asks you to "confirm your bank details following a security update".
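As an added example (not code from the original article), the Python script below applies the checks above to a raw e-mail: it parses the From header, compares the display name with the real sending domain, flags look-alike domains against an assumed allow-list of trusted domains, reads the receiving server's Authentication-Results header (SPF, DKIM, DMARC), compares each link's visible text with its actual href, and flags risky attachment extensions. The sample message is constructed for the demo; the domain examplebank.com, the allow-list, the digit-for-letter table, the regex used to pull links out of the HTML and the two-label "registrable domain" shortcut (a real tool would use the public suffix list and an HTML parser) are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list: domains this organisation legitimately receives mail from.
TRUSTED_DOMAINS = {"examplebank.com", "amazon.com"}
# Attachment types that should never arrive unannounced.
RISKY_EXTENSIONS = (".exe", ".bat", ".zip", ".iso", ".lnk", ".js", ".hta", ".docm", ".xlsm")
# Digit-for-letter swaps common in look-alike domains (examp1ebank, g00gle, micro5oft).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

# Constructed sample: spoofed display name, look-alike sender domain, failed SPF/DMARC,
# a link whose text and destination differ, and a double-extension attachment.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1ebank.com>
Subject: Confirm your bank details following a security update
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=examp1ebank.com; dkim=none; dmarc=fail
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/html

<p>Dear customer, your account will be blocked in 24 hours.</p>
<a href="http://examplebank.com.login-verify.net/confirm">https://www.examplebank.com/login</a>
--XX
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"

--XX--
"""


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (simplification; real tools use the public suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance, to catch one-character typosquats.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str):
    """Return the trusted domain that `host` imitates, or None if it is trusted or unrelated."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        # Brand used as a leading label: examplebank.com.login-verify.net
        if host.startswith(trusted + ".") or "." + trusted + "." in host:
            return trusted
        # Digit swaps, rn->m and one-character typos: examp1ebank.com, arnazon.com
        if edit_distance(reg.translate(CONFUSABLES).replace("rn", "m"), trusted) <= 1:
            return trusted
    return None


def analyse(raw: str) -> list:
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    if (imitated := lookalike_of(sender_domain)):
        findings.append(f"sender domain {sender_domain} imitates {imitated}")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in name.lower().replace(" ", "") and registrable_domain(sender_domain) != trusted:
            findings.append(f"display name '{name}' claims {brand} but mail comes from {sender_domain}")
    # Authentication-Results is stamped by the receiving server; anything but pass is a warning sign.
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")):
        if result != "pass":
            findings.append(f"{mech}={result}")
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {filename}")
        elif part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(errors="replace")
            # A regex is enough for this demo; use an HTML parser on real mail.
            for href, text in re.findall(r'<a[^>]*href="([^"]*)"[^>]*>(.*?)</a>', html, re.S):
                target = urlparse(href).hostname or ""
                shown = urlparse(text.strip()).hostname if text.strip().startswith("http") else None
                if shown and shown != target:
                    findings.append(f"link text shows {shown} but points to {target}")
                if (imitated := lookalike_of(target)):
                    findings.append(f"link host {target} imitates {imitated}")
    return findings
```

Calling `analyse(SAMPLE_EMAIL)` returns one finding per warning sign in the list above; on real mail, pass it the raw text of a saved .eml file. The Authentication-Results check only means something when the header was added by your own mail server, since a sender can forge one in the message it sends.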

2. Spear phishing - The tailored attack

Unlike mass phishing, spear phishing targets specific individuals with personalised messages. The attacker uses public or internal information (LinkedIn, company publications, organisation charts) to craft a message tailored to the target. This is yet another reminder of the importance of choosing carefully what you disclose on social networks.

The success rate of these targeted attacks is reportedly 10 times higher than that of generic phishing, because they are carefully crafted and extremely credible. Spear phishing is now one of the main threats to sensitive corporate data.

In practice, this can take the form of:

  • Extensive personalisation (mention of colleagues, current projects).
  • Reference to real events in the company.
  • Precise targeting of people with access to sensitive data or to payments.
  • Perfect imitation of the organisation's communication style.

So if a message opens with "Luke, I am your father", treat that familiarity as a warning sign rather than a reassurance.

3. Whaling - The hunt for big fish

Why go for the little fish when you can go for the big white whale (Moby Dick)? Whaling specifically targets an organisation's top executives.

These phishing attacks are meticulously prepared and extremely credible, often after weeks of studying the behaviour and communication style of the target. The bigger the fish, the better the preparation.

This just goes to show how advanced hacking has become.

The key points for understanding and identifying whaling are:

  • Personalised messages evoking the executive's specific responsibilities.
  • Exploitation of power relationships within the company.
  • Significant but plausible financial demands.
  • Use of urgency to short-circuit verification processes.

Example: a fake e-mail from the CFO to the CEO requesting urgent validation of a transfer to "finalise the confidential acquisition" they recently discussed.

4. Vishing - Voice phishing

Vishing (voice phishing) uses telephone calls to manipulate victims. The attacker poses as a colleague, technical support or a banking partner and uses the urgency of the situation to get you to reveal sensitive information or approve a payment. With the recent arrival of voice AI, this technique is exploding among the new hacking trends.

Common techniques

  • Caller-ID spoofing to display a legitimate number.
  • Creation of an emergency scenario requiring immediate action.
  • Exploitation of authority (a fake call from the IT department or a superior).
  • Call-centre background noise to reinforce credibility.

A word of technological warning:

AI-based voice cloning tools caused these attacks to explode in 2024. A few seconds of an executive's voice (available in interviews or webinars) are now all it takes to generate complete conversations imitating their tone and intonation.

What's most worrying? At the moment there is no ready-made technical solution for detecting a cloned voice. The defence is therefore procedural: hang up and call back on a number you already hold (never one given during the call), and require a second approver for any payment or credential request that arrives by phone, however familiar the voice sounds. And keep abreast of advances in AI, which produce new tricks every month (or even every week).

5. Smishing - The SMS trap

Who said text messaging was going out of fashion? Hackers certainly haven't! Smishing (SMS phishing) uses text messages to trick you into clicking on malicious links. The technique takes advantage of the fact that SMS messages are read almost immediately, and the short format makes it easier to hide suspicious clues.

Revealing signs

  • Unknown or alphanumeric sender numbers.
  • Short messages creating a sense of urgency ("Delivery pending", "Payment refused").
  • Shortened links masking the real destination URL.
  • Subtle spelling or grammatical errors.

In 2024, the "Smishing Triad" group ran campaigns in more than 121 countries, using around 200,000 domains for their operations, according to WIRED. These attacks are particularly effective because of their brevity and the sense of urgency they create.

Security tip of the day

Never click directly on a link received by SMS. If the message appears to come from a legitimate company (bank, post office), there are two options: open the official application yourself, or type the company's web address into a browser manually.


6. Clone phishing - Copy to better deceive

In clone phishing, the attacker takes a legitimate e-mail the victim has already received (an invoice, a document share, a meeting notice), makes a near-identical copy, and replaces the original links or attachments with malicious ones. The copy is sent from a spoofed or look-alike address so that it appears to come from the original sender, often with a pretext such as "resending with the updated attachment".

In general, the aim of clone phishing is to trick recipients into handing over banking or personal details, or into opening a malicious file.

This technique relies mainly on the victim's inattention. There are plenty of ways to protect yourself; the simplest is to hover over links before opening them and, when a message you have already dealt with turns up a second time, to compare it with the original and check with the sender through another channel.

7. Pharming - Invisible hacking

This type of fraud redirects victims to spoofed websites without their clicking on anything. The attacker's aim is to steal the victim's credentials and confidential data.

Pharming occurs when cybercriminals manipulate the Domain Name System (DNS), or compromise the user's own device, so that a legitimate domain name leads to a fraudulent website.

For your information, DNS is the system that translates domain names (www.example.com) into IP addresses so that browsers can load the correct website.

In a pharming attack, the attackers corrupt this process to send users to malicious websites that mimic legitimate ones.

In practice, pharming takes one of two routes. On the client side, malware on the victim's device rewrites the hosts file or the device's DNS settings so that, say, the bank's domain name points at the attacker's server. On the network side, the attacker poisons a DNS resolver's cache, changes the DNS settings of a home router, or hijacks the domain at its registrar. Either way, the victim types the correct address and still lands on a spoofed site, where they are likely to hand over their login details.

To limit pharming: use a DNS resolver that validates DNSSEC and supports encrypted DNS (DNS over HTTPS or TLS), such as Cloudflare's 1.1.1.1 or Google's 8.8.8.8; never click through a browser certificate warning, since a spoofed site will rarely hold a valid certificate for the real domain; and, if you operate a site, sign your zone with DNSSEC, serve it over HTTPS with HSTS, and lock the domain at your registrar. On a machine you suspect, check the hosts file and the configured DNS servers first.
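As an added example (not part of the original article), the following Python script performs the two first-response checks just described for the client-side and network-side routes: it parses a hosts file for entries that pin an internet site to an address, and it compares the answers of the machine's own resolver with those of a reference, DNSSEC-validating resolver. The hosts-file contents, the watched domain names and both sets of resolver answers are constructed for the demo; on a real machine you would read /etc/hosts (or C:\Windows\System32\drivers\etc\hosts) and obtain the reference answers with something like `dig +dnssec @1.1.1.1 examplebank.com`.

```python
# Assumed: the internet sites whose credentials we care about. Such names have no business
# being in a hosts file at all; that file is for local machines, not for banks.
WATCHED = {"examplebank.com", "www.examplebank.com", "login.corp.example"}

# Constructed sample of a tampered hosts file.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.10    fileserver.local
# added by update.exe
203.0.113.45    www.examplebank.com examplebank.com   # fake login page
"""


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blank lines."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def hosts_overrides(text: str, watched=WATCHED) -> dict:
    """Watched names that the hosts file pins to an address: DNS is never consulted for them,
    so every browser and app on the machine lands on that address, HTTPS or not."""
    return {name: ip for ip, name in parse_hosts(text) if name in watched}


def resolver_disagreement(local: dict, reference: dict) -> dict:
    """Names whose answer from the local resolver shares no address with the reference
    resolver's answer. CDNs legitimately vary answers by location, so treat a hit as a
    lead to investigate (is the router's DNS setting still yours?), not as proof of poisoning."""
    return {name: (sorted(addrs), sorted(reference.get(name, set())))
            for name, addrs in local.items()
            if not addrs & reference.get(name, set())}


if __name__ == "__main__":
    print("hosts overrides:", hosts_overrides(SAMPLE_HOSTS))
    # Constructed answers: what the machine's resolver said vs. what a validating resolver says.
    local = {"examplebank.com": {"203.0.113.45"}, "login.corp.example": {"10.0.0.5"}}
    reference = {"examplebank.com": {"198.51.100.20", "198.51.100.21"},
                 "login.corp.example": {"10.0.0.5", "10.0.0.6"}}
    print("resolver disagreements:", resolver_disagreement(local, reference))
```

A hosts-file hit for a bank or a mail provider is close to conclusive; a resolver disagreement needs a second look at who the machine is actually asking (its DNS server settings, and the router's) before drawing conclusions.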

8. Phishing via social networks - Disguised attacks

If you think scrolling through TikTok and Instagram is safe, you've missed the point. Attacks on these platforms are multiplying, all aimed at getting you to divulge personal information.

First you receive a notification or e-mail saying that you must "verify" or re-activate your account because it is about to be deleted (the famous messages supposedly from Mark Zuckerberg himself). If you take the bait, your private data is stolen.

☝️ Also beware of friend requests! Some fake accounts don't want your friendship; they want your data or your money.

9. QR code phishing - When a simple scan becomes a threat

QR codes are everywhere, from supermarkets to websites. Attackers find it ever easier to exploit them: the most common case is a malicious code that redirects you to a fraudulent site, and since a QR code is opaque to the human eye, there is no address to inspect before scanning.

A QR code stuck on a "free WiFi" sign? It's like a poisoned sweet: don't scan it!

In practice, QR code phishing aims to trick users into providing confidential information such as login details, bank details or identity information.

🗣️ Tip: opt for scanners that preview the link before opening it (such as Google Lens), check that the domain shown is the one you expect, and never scan a QR code stuck on a public object.

10. Phishing via mobile applications - a scam in your smartphone

Phishing via mobile applications consists of getting you to install a fraudulent app that looks exactly like the legitimate one. Once installed, it will:

  • display login screens identical to those of the real app;
  • collect all the data entered;
  • operate in the background to monitor user activity.

Certain factors make this attack easier on a phone: small screens (making it hard to read a malicious URL in full), notifications acted on in a hurry and automatic logins.

How can you avoid these traps? Install apps only from the official stores, check the publisher's name and the permissions the app asks for, and never install an app from a link received by message or seen in a social-media feed.

How can you recognise and prevent a phishing attack?

While phishing is an omnipresent threat in the digital world, the signs are also telling. Sometimes we simply choose not to see them: spelling and grammatical errors, sender addresses whose domain does not match the organisation they claim to represent, "emergencies" that are nothing of the kind, and so on.

Suppose you receive an e-mail claiming to be from your bank, asking you to verify your personal details because of "suspicious activity". On the spur of the moment, you would be tempted to reply. Result: you're trapped!

Now you understand, but your employees are still clicking on and replying to any e-mail. Once again, you're trapped!

What can you do about it? Staff training and awareness-raising, backed by one simple rule: no payment instruction or credential request received by e-mail is acted on without confirmation through a channel you already trust. Then no one opens infected attachments, and no one is hurried onto a fraudulent website.

The introduction of two-factor authentication (2FA) also adds a barrier against unauthorised access: even if a password is compromised, 2FA requires a second verification, making it much harder for cybercriminals to get into accounts. One caveat: codes sent by SMS or generated by an authenticator app can still be relayed in real time by a phishing site that proxies the genuine login page, so for the accounts that matter most prefer phishing-resistant methods (FIDO2/WebAuthn security keys or passkeys), which are bound to the real site's origin and cannot be replayed from a look-alike one.
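To make the caveat concrete, here is an added example (not from the original article) that simulates the two kinds of second factor against an adversary-in-the-middle phishing proxy. The TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step) and is exercised with that RFC's published test seed; the origin-bound assertion is modelled on how WebAuthn binds a signature to the origin the browser actually shows, with an HMAC standing in for the authenticator's asymmetric signature purely for brevity. The origins examplebank.com and examp1ebank.com, the seeds and the keys are assumptions.

```python
import hashlib
import hmac
import os
import struct


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: a code derived only from the shared seed and the clock,
    so anyone who sees it within the step window can replay it."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def authenticator_sign(credential_key: bytes, challenge: bytes, origin: str) -> bytes:
    """What an origin-bound authenticator produces: a signature covering the challenge AND the
    origin the browser is actually talking to. HMAC stands in for the real asymmetric
    signature (assumption, for brevity); the binding to `origin` is the point."""
    return hmac.new(credential_key, challenge + origin.encode(), hashlib.sha256).digest()


class RelyingParty:
    """The genuine site (assumed origin), holding the user's TOTP seed and credential key."""
    ORIGIN = "https://examplebank.com"

    def __init__(self, totp_seed: bytes, credential_key: bytes):
        self.totp_seed, self.credential_key = totp_seed, credential_key

    def login_with_totp(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp(self.totp_seed, now))

    def login_with_assertion(self, challenge: bytes, claimed_origin: str, signature: bytes) -> bool:
        # Reject if the browser reported a foreign origin, or if the signature does not verify
        # over our own origin (so the origin field cannot simply be rewritten in transit).
        expected = authenticator_sign(self.credential_key, challenge, self.ORIGIN)
        return claimed_origin == self.ORIGIN and hmac.compare_digest(signature, expected)


def aitm_relay(site: RelyingParty, victim_seed: bytes, victim_key: bytes, now: int) -> dict:
    """Simulates an adversary-in-the-middle phishing proxy on a look-alike origin.
    The victim believes they are on examplebank.com and completes every step honestly."""
    phishing_origin = "https://examp1ebank.com"
    # Step 1: the victim types the current TOTP into the phishing page; the proxy relays it at once.
    relayed_code = totp(victim_seed, now)
    # Step 2: the proxy relays the site's challenge; the victim's authenticator signs it, but over
    # the phishing origin, because that is what the browser's address bar shows.
    challenge = os.urandom(32)
    signature = authenticator_sign(victim_key, challenge, phishing_origin)
    return {
        "totp_relayed": site.login_with_totp(relayed_code, now),
        # Forwarding the assertion untouched: the origin check fails.
        "assertion_forwarded": site.login_with_assertion(challenge, phishing_origin, signature),
        # Rewriting the origin field to look legitimate: the signature check fails.
        "assertion_origin_rewritten": site.login_with_assertion(challenge, site.ORIGIN, signature),
    }


def honest_login(site: RelyingParty, key: bytes) -> bool:
    """Control case: the same authenticator on the genuine origin is accepted."""
    challenge = os.urandom(32)
    return site.login_with_assertion(challenge, site.ORIGIN, authenticator_sign(key, challenge, site.ORIGIN))


def demo(now: int = 1_700_000_000) -> dict:
    seed, key = b"12345678901234567890", os.urandom(32)  # RFC 6238 test seed; key is throwaway
    site = RelyingParty(seed, key)
    result = aitm_relay(site, seed, key, now)
    result["honest_assertion"] = honest_login(site, key)
    return result


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check}: {'ACCEPTED' if accepted else 'rejected'}")
```

The relayed TOTP is accepted because nothing in the code ties it to where the user typed it; the origin-bound assertion is rejected both when forwarded as-is and when the proxy tries to rewrite the origin, which is the property that makes FIDO2 keys and passkeys phishing-resistant.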

You should also consider advanced security solutions, such as e-mail filtering software, and publish SPF, DKIM and DMARC records for your own domains so that receiving servers can reject messages that spoof them. Here, you are the one using the net to catch the criminals. Let's reverse the roles, shall we?

Phishing attack: in a nutshell!

In short, phishing remains one of the most formidable cyber threats . As Netskope's data shows, the rate of phishing attacks rose sharply in 2024.

In terms of how it works, phishing involves sending messages that appear to come from a legitimate company or website. These messages generally contain a link redirecting the user to a fake website that looks like the real thing. The user will then be asked to enter personal information such as login details or credit card number. This attack can take several forms, from the most classic (phishing by e-mail) to the most sophisticated (whaling).

To protect yourself against cyberthreats, it is advisable to be more vigilant and, above all, to receive regular training. Adopting the right tools (2FA, anti-phishing filters) is also an effective shield. That said, cybersecurity must remain a collective priority (companies and employees) if we are to stand up to the ingenuity of cybercriminals.

Phishing is evolving, but so is your vigilance. So, are you ready to become a fish too smart for hackers?

Article translated from French