The Evolving Face of Phishing: Types, Recent Breaches, and How to Spot Them

Phishing attacks are continuously evolving, becoming more targeted, sophisticated, and damaging than ever. From email scams to AI-powered deepfakes, attackers are exploiting new vectors and methods every day.  

Here’s a breakdown of key phishing types, real-world breaches, and practical advice to help keep your organization safe.

1. Email Phishing: Classic and Ongoing Threat 

Definition:  

Traditional phishing involves deceptive emails that ask recipients to click on a malicious link, provide credentials, or download harmful attachments.    

Real-World Examples:  

In February 2024, Change Healthcare suffered a phishing-based breach that affected over 190 million users. Hackers used compromised login credentials to infiltrate systems, causing widespread disruption in healthcare operations and resulting in a $22 million ransom payment. 

In 2023, a sequence of phishing-related attacks exploited vulnerabilities in third-party tools like MOVEit, enabling attackers to extract personal data from organizations, including the BBC and U.S. government agencies. This highlights how phishing can facilitate broader supply chain threats. 

Spotting Tips:

  • Hover over links before clicking.  
  • Verify the sender’s domain, even in seemingly legitimate contexts.  
  • Don’t rush; urgent or alarming language often signals danger.
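One way to automate the first two tips, as an added example that is not part of the original post: it parses a constructed sample message (placeholder domains), compares the From and Reply-To domains with the domain the organisation expects, and compares each link's visible text with the host its href actually points to, which is what hovering over the link would reveal.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: display name claims the bank; address, Reply-To and link target point elsewhere.
SAMPLE_EMAIL = """\
From: "Example Bank Support" <support@examp1e-bank.net>
Reply-To: verify@mail-attacker.example
Content-Type: text/html; charset=utf-8

<p>Please sign in at <a href="http://login.mail-attacker.example/x">https://www.example-bank.com/login</a></p>
"""

class LinkCollector(HTMLParser):
    # Collects (href, visible text) for each <a>: what hovering over the link would reveal.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def check_message(raw, expected_domain):
    # Returns a list of findings; an empty list means every check passed.
    msg = email.message_from_string(raw, policy=policy.default)
    findings, sender_domain = [], domain_of(msg["From"].addresses[0].addr_spec)
    if sender_domain != expected_domain:
        findings.append(f"sender domain {sender_domain} is not {expected_domain}")
    if msg["Reply-To"] and domain_of(msg["Reply-To"].addresses[0].addr_spec) != sender_domain:
        findings.append("Reply-To domain differs from the From domain")
    collector = LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())
    for href, text in collector.links:
        # Visible text may be a bare domain or a full URL; compare its host with the real target.
        shown = (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
        real = (urlparse(href).hostname or "").lower()
        if shown and shown != real:
            findings.append(f"link text shows {shown} but points to {real}")
        if urlparse(href).scheme != "https":
            findings.append(f"non-HTTPS link to {real}")
    return findings
```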

2. Spear Phishing: Customized Deceptions

Definition:  

Spear phishing is highly targeted phishing that uses personal or corporate details to deceive specific individuals.  

Real-World Examples:  

The targeted breach at Change Healthcare in 2024 relied on employee login details to initiate a significant attack. 

In 2025, a case in the financial sector involved a spoofed invoice accompanied by a deepfake video of the CFO, which duped a senior officer into transferring $9.2 million to a fraudulent account, blending spear phishing with deepfake technology. 

Spotting Tips:

  • Confirm unexpected financial or sensitive requests via separate communication channels. 
  • Watch for unusual phrasing or overly realistic personalization that could be spoofed. 
  • Implement multi-person approval for payments. 

3. Whaling: Going After the “Big Fish”

Definition:  

Whaling is a form of spear phishing aimed at high-level executives, using messages that appear to be legal notices or board-level communications.  

Real-World Example:  

In mid-2025, the UK’s Milford Entities, a luxury property management firm, lost $19 million due to a phishing email impersonating the Battery Park City Authority, tricking staff into wiring funds to a fraudulent account. 

Spotting Tips:  

  • Critical financial operations should require dual authorization. 
  • Any unusual or high-value requests should be verified personally or via a trusted executive assistant. 

4. Clone Phishing: Hijacked Threads

Definition: 

Clone phishing attacks replicate a previously sent legitimate email thread but swap in malicious links or attachments. 

Real-World Examples: 

While there is no specific public incident tied to this, clone phishing remains popular for delivering credential-stealing malware, especially in government and enterprise environments.   

Spotting Tips: 

  • Be cautious with familiar email threads; confirm attachments haven’t changed. 
  • If uncertain, directly contact the original sender outside the email chain. 

5. Vishing & Smishing: Phone and Text-Based Attacks

Definition:  

Vishing: Voice phishing involving deceptive calls impersonating trusted entities (e.g., IT, HR, banks).  

Smishing: SMS phishing that sends fraudulent messages prompting victims to click on malicious links.  

Real-World Examples:  

In August 2025, Cisco fell victim to vishing, where an attacker tricked a representative into granting access, resulting in the export of user profile data. 

Following a Salesforce database compromise in August 2025, a wave of scams targeted Google users: attackers used vishing tactics, calling users from the 650 area code while claiming to be Google support and attempting to steal Gmail passwords. 

Spotting Tips:  

  • Never provide credentials over the phone or via SMS if unsolicited. 
  • Legitimate companies (e.g., Google) don’t call about breaches or ask for passwords. 
  • Use two-step verification and official support channels for reporting. 

6. Quishing (QR Code Phishing): Weaponizing Convenience

Definition:  

QR phishing, also known as quishing, takes advantage of the trust users have in QR codes. Attackers trick users into scanning a code that directs them to a malicious website or installs malware. Since the destination URL is often hidden, the convenience of scanning QR codes makes it easy for attackers to exploit users.  

Real-World Examples:  

In the UK, a concerning parking scam involved fake QR codes placed on parking machines. Drivers scanned these codes, believing they were paying for parking, but were redirected to fraudulent payment sites. One victim lost £13,000 as a result. In 2024, the UK’s Action Fraud reported 1,386 cases of such scams, with an additional 502 reported in the first quarter of 2025, indicating a sharp increase in these incidents. 

In South Australia, scammers manipulated QR codes in retail and dining locations, leading customers to download malware or reveal personal information. The Australian government’s cyber agency recorded 30 incidents of quishing during the fiscal year 2023–2024. 

Spotting Tips: 

  • Always verify QR codes before scanning, especially those sent via email or SMS. 
  • Be cautious with QR codes on physical flyers, posters, or public signs. 
  • If scanning for authentication or payment, check that the resulting URL is correct and begins with HTTPS. 

7. Deepfake Whaling: AI Meets Phishing

Definition:  

Deepfake whaling attacks use AI-generated audio or video to impersonate executives.  

Real-World Example:  

In 2024, there were 105,000 reported deepfake attacks in the U.S., resulting in over $200 million in losses. High-profile organizations such as Ferrari, WPP, Wiz, and Arup were targeted in AI-powered executive impersonation schemes. 

Spotting Tips:  

  • Confirm any urgent requests via video call or in-person. 
  • Keep staff alert to unusual communications, even if they sound entirely authentic. 

8. Phishing-as-a-Service (PhaaS): A Scalable Threat

Definition:  

Sophisticated phishing kits are available on the dark web, allowing even low-skilled attackers to launch phishing campaigns.  

Real-World Example:  

In 2025, phishing-as-a-service (PhaaS) platforms have emerged as a significant threat, allowing cybercriminals to execute highly convincing attacks with minimal technical skills. One of the most notable examples is Tycoon 2FA, which is responsible for nearly 90% of documented PhaaS activity. Other platforms include EvilProxy and a newer competitor called Sneaky 2FA. 

These platforms are specifically designed to bypass two-factor authentication (2FA), a security measure widely used by organizations. For example, Sneaky 2FA utilizes Telegram bots to automate phishing campaigns, primarily targeting Microsoft 365 accounts through adversary-in-the-middle (AiTM) techniques. 

A typical attack begins with a phishing email that directs the victim to a fake Microsoft login page. These fraudulent pages often auto-fill the victim’s email address using Microsoft’s “autograb” feature, which enhances the legitimacy of the scam and increases the likelihood of success. 

Spotting Tips: 

  • Implement layered email filtering and anti-phishing tools. 
  • Conduct regular training sessions to improve user awareness, as even low-quality phishing attempts can be surprisingly effective at scale. 

9. OAuth Phishing: A Consent Scam You Didn’t See Coming

Definition:  

OAuth phishing, also known as “consent phishing,” is a tactic that tricks users into granting a malicious third-party application access to their accounts through OAuth 2.0. Unlike standard credential theft, this method allows attackers to gain long-term access by exploiting trusted login systems such as Google, Microsoft, or Adobe.  

Real-World Example:  

In 2025, researchers uncovered a widespread campaign in which attackers impersonated major companies like Adobe, SharePoint, and DocuSign. Phishing emails, sent through legitimate platforms like SendGrid, redirected users to fake Microsoft OAuth screens. Victims were prompted to grant seemingly harmless permissions (e.g., “view your basic profile”), but by doing so, they inadvertently gave attackers access to their Microsoft 365 accounts. This campaign affected over 3,000 user accounts across more than 900 organizations. 

Spotting Tips:  

  • Carefully review the permission screen before approving any application, even if it looks legitimate. 
  • Never authorize access for unknown or unexpected apps, especially those that suddenly request OAuth consent. 
  • Remember: even OAuth-based logins (like “Sign in with Google/Microsoft”) can be exploited if the application itself is malicious. 
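The permission-screen review above, expressed as a check a security team could run on the OAuth 2.0 authorization URL before consent is granted (an added example, not from the original post or from any vendor). Client ids, hosts and the approved-app list are constructed placeholders, and the high-risk scope set is an illustrative policy that uses Microsoft Graph permission names.

```python
from urllib.parse import urlparse, parse_qs

# Constructed policy data: apps the organisation has vetted, the redirect domains
# they are allowed to use, and the Graph permission names treated as high risk.
APPROVED_CLIENTS = {"11111111-2222-3333-4444-555555555555": "Vetted HR portal"}
APPROVED_REDIRECT_DOMAINS = {"hr.example.com"}
HIGH_RISK_SCOPES = {"offline_access", "Mail.Read", "Mail.ReadWrite", "Mail.Send",
                    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read"}

def review_authorize_request(url, idp_host):
    # Returns findings for an OAuth 2.0 /authorize URL; an empty list means nothing was flagged.
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    findings = []
    if parsed.scheme != "https" or parsed.hostname != idp_host:
        findings.append(f"authorization endpoint is {parsed.hostname}, not {idp_host}")
    client_id = params.get("client_id", "")
    if client_id not in APPROVED_CLIENTS:
        findings.append(f"unvetted application {client_id or '<missing>'}")
    scopes = set(params.get("scope", "").split())  # parse_qs already turned '+' into spaces
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        findings.append("requests high-risk permissions: " + ", ".join(risky))
    if "offline_access" in scopes:
        findings.append("offline_access yields a refresh token, so access persists without a new sign-in")
    redirect_host = urlparse(params.get("redirect_uri", "")).hostname or ""
    if not any(redirect_host == d or redirect_host.endswith("." + d) for d in APPROVED_REDIRECT_DOMAINS):
        findings.append(f"redirect_uri host {redirect_host or '<missing>'} is not approved")
    return findings

# Constructed request in the shape described above: an unknown app asking for
# "basic"-looking scopes plus mailbox access and a refresh token.
SUSPICIOUS = ("https://login.idp.example/common/oauth2/v2.0/authorize"
              "?client_id=deadbeef-0000-0000-0000-000000000001&response_type=code"
              "&redirect_uri=https%3A%2F%2Fdocs-review.attacker.example%2Fcb"
              "&scope=openid+profile+offline_access+Mail.Read&state=abc")

# Constructed request from the vetted app, asking only for sign-in scopes.
VETTED = ("https://login.idp.example/common/oauth2/v2.0/authorize"
          "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
          "&redirect_uri=https%3A%2F%2Fhr.example.com%2Fcb&scope=openid+profile+User.Read")

if __name__ == "__main__":
    for finding in review_authorize_request(SUSPICIOUS, "login.idp.example"):
        print("-", finding)
```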

Phishing Types Quick Reference

| Phishing Type | Definition | Recent Example(s) | Tip to Detect or Prevent |
|---|---|---|---|
| Email Phishing | Generic deceptive emails | Change Healthcare, MOVEit | Hover links, verify sender domain |
| Spear Phishing | Targeted, customized attacks | Change Healthcare, deepfake invoice | Multi-person approval, verify out-of-band |
| Whaling | High-level executive targeting | Milford Entities (NYC) | Dual approvals, personal confirmations |
| Clone Phishing | Hijacked thread with bad links | – | Confirm attachments, verify sender |
| Vishing / Smishing | Phone/SMS social engineering | Cisco, Google scam calls | Never share creds, use official channels |
| Quishing (QR Phishing) | Malicious QR codes leading to fake sites | FBI PSA (2023), enterprise MFA scams (2024) | Verify URLs after scanning, avoid untrusted QR codes |
| Deepfake Whaling | AI-based voice/video impersonation | Ferrari, WPP, etc. (2024) | In-person verification, staff awareness |
| PhaaS Campaigns | Phishing-as-a-service kits | 1M+ attacks in early 2025 | Email filtering, awareness training |
| OAuth Phishing | Fake app permission requests | Microsoft OAuth impersonation (2025) | Review permissions, deny unknown apps |

Stay One Step Ahead 

Phishing is no longer just about spam emails; it has become increasingly sophisticated, AI-driven, and delivered through trusted services like Microsoft OAuth. From executive-level deepfake scams to wide-reaching phishing-as-a-service campaigns, attackers are innovating at a rapid pace. 

The best defense? A well-trained workforce. 

Get in touch today to schedule a Security Awareness Training program tailored to your team. We will equip your staff to recognize phishing threats early, respond with confidence, and protect your business from costly breaches. 

Sugandha Sood

Executive Vice President, Finance

As a professional accountant, Sugandha, CPA, CGA, has over 15 years of progressive finance and accounting experience across multiple industries, including healthcare, medical, nuclear waste, and transportation.

Prior to joining CyberClan she worked at Energy Solutions Canada and was responsible for various aspects of accounting, financial reporting, internal controls, process improvements and taxation. Sugandha is eager to leverage her professional skills and play a vital role in the growth of the company by providing information to make informed decisions.