Estimated read time: 12 minutes | Category: Scam Alerts | Last updated: June 2025

The Email That Costs Everything
It looks exactly like an email from your bank. The logo is correct. The formatting matches. The sender address looks right at a glance. The message says your account has been compromised and you need to verify your details immediately — or your account will be suspended.
You click the link. The website looks exactly like your bank’s website. You enter your username, password, and — because the page asks for it — your one-time passcode. You submit. Nothing seems to happen. You try again. Still nothing. You close the tab, mildly frustrated, and make a mental note to call the bank tomorrow.
By the time you make that call, your account has been emptied.
This is phishing — the most common cybercrime in the world, responsible for over $18 billion in losses globally in 2023, and the entry point for the majority of the world’s most damaging data breaches. It has been around since the 1990s. It keeps working because it exploits something that does not change — the human tendency to respond quickly to urgent messages from trusted sources.
And in 2025, it is getting significantly harder to spot.
What We Know For Certain
- [FACT] Phishing was responsible for over $18 billion in global losses in 2023, according to the FBI’s Internet Crime Complaint Center annual report.
- [FACT] Phishing is the most common initial attack vector in corporate data breaches — accounting for approximately 36% of all breaches according to the Verizon Data Breach Investigations Report.
- [FACT] Approximately 3.4 billion phishing emails are sent every day globally — making phishing one of the highest-volume crimes in human history.
- [FACT] AI-generated phishing content — using large language models to produce grammatically perfect, personalised phishing emails — has significantly increased the quality and effectiveness of phishing attacks since 2023.
- [FACT] Smishing (SMS phishing) and vishing (voice phishing) have grown significantly as email security has improved — attackers have diversified to channels with less established protection.
- [FACT] Multi-factor authentication — when properly implemented — prevents the majority of credential-based phishing attacks, but real-time phishing kits have been developed specifically to intercept MFA codes.
- [FACT] The most targeted organisations for phishing impersonation consistently include major banks, technology companies (Microsoft, Google, Apple), delivery services (FedEx, DHL, Royal Mail), and government agencies (HMRC, IRS, DVLA).
How Phishing Works — The Core Mechanics
Phishing works by impersonating a trusted entity to trick the target into taking an action — clicking a link, providing credentials, downloading a file, or transferring money. The sophistication varies enormously but the psychological mechanism is consistent: create urgency, impersonate trust, and exploit the tendency to act before thinking.
The Fake Email
[FACT] A standard phishing email has several components designed to bypass both technical filters and human scepticism. The sender display name is set to match a legitimate organisation — “PayPal Security Team” or “Apple Support.” The email content uses official logos, correct formatting, and urgent language. A link is provided that appears legitimate in the display text but leads to a fraudulent website.
[FACT] The fraudulent website — a spoofed page — is typically an almost pixel-perfect copy of the legitimate site, often hosted on a domain that resembles the real one: paypa1.com, apple-support-verify.com, hmrc-refund-gov.co.uk. The goal is to capture the user’s credentials before they notice anything is wrong.
The Urgency Trap
[ANALYSIS] The most consistent feature of phishing emails is artificial urgency. “Your account will be suspended in 24 hours.” “Unusual activity detected — verify immediately.” “Your payment has failed — update now.” Urgency bypasses deliberate thinking — it triggers an automatic response mode in which people act quickly rather than carefully. Phishing emails are specifically designed to prevent the target from pausing to think critically about what they are reading.

The Major Types of Phishing Attack
Standard Email Phishing
[FACT] Mass-volume email phishing sends identical or near-identical messages to millions of addresses simultaneously, impersonating a widely used service — a bank, PayPal, Microsoft, Amazon, or a delivery company. The success rate per email is low — perhaps 1 in 1,000 — but the volume means thousands of victims per campaign. This is the oldest and still most common form of phishing.
Spear Phishing
[FACT] Spear phishing targets specific individuals using personalised information gathered from social media, corporate websites, or previous data breaches. An email might reference the target’s name, their employer, their manager, a recent transaction, or a project they are known to be working on. The personalisation significantly increases the success rate — research suggests spear phishing emails are approximately 3x more likely to be clicked than mass phishing emails.
[FACT] Business Email Compromise — a high-value variant of spear phishing in which criminals impersonate a company executive to instruct finance staff to make fraudulent wire transfers — cost businesses $2.9 billion in the United States in 2023 alone.
Smishing — SMS Phishing
[FACT] Smishing uses text messages rather than email to deliver phishing content. Common smishing templates include fake parcel delivery notifications (“Your package cannot be delivered — click here to reschedule”), fake bank fraud alerts, and fake HMRC/IRS tax refund notifications. SMS messages are opened at significantly higher rates than emails — approximately 98% of texts are read — making smishing highly effective despite lower volume.
[FACT] Fake parcel delivery smishing has been particularly prevalent in the UK and Australia, with messages impersonating Royal Mail, Australia Post, FedEx, and DHL directing recipients to fraudulent websites that capture payment card details under the pretence of paying a small redelivery fee.
Vishing — Voice Phishing
[FACT] Vishing uses phone calls rather than text or email. Callers impersonate bank fraud departments, HMRC/IRS tax authorities, police, or technical support teams. Common scenarios include: “We’ve detected fraud on your account and need you to move your money to a safe account” (the safe account belongs to the criminal); “You owe unpaid taxes and will be arrested unless you pay immediately”; “Your computer has a virus and we need remote access to fix it.”
[FACT] AI voice cloning technology has introduced a new vishing variant — calls that use cloned voices of family members or colleagues to make fraudulent requests. In 2023 multiple documented cases emerged of business executives receiving calls from what appeared to be their CEO’s voice, instructing urgent wire transfers.
Whaling
[FACT] Whaling targets high-value individuals specifically — C-suite executives, board members, high-net-worth individuals. The investment in research and personalisation is higher, but so is the potential payout. Whaling attacks frequently involve impersonation of legal firms, regulatory bodies, or other executives, and typically seek either financial transfers or access to sensitive corporate systems.
Clone Phishing
[FACT] Clone phishing takes a legitimate email that the target has previously received — a newsletter, a delivery confirmation, a password reset — and creates an identical copy with the links replaced by malicious ones. The “From” address is spoofed to match the original sender. The target receives what looks like a resend of a familiar email, making them significantly less likely to be suspicious.
AI Phishing — The New Threat
[FACT] Until recently, phishing emails could often be identified by poor grammar, spelling errors, and awkward phrasing — telltale signs of non-native English speakers generating content at volume. This is no longer a reliable indicator.
[FACT] Large language models including ChatGPT and its competitors can generate grammatically perfect, naturally phrased phishing emails in any language at negligible cost. Security researchers have demonstrated that AI-generated phishing emails are significantly harder for both humans and automated filters to identify as fraudulent.
[FACT] AI is also being used to personalise phishing attacks at scale — scraping publicly available information from LinkedIn, company websites, and social media to generate personalised spear phishing content automatically for thousands of targets simultaneously.
[ANALYSIS] The practical implication is that grammatical quality is no longer a reliable indicator of email legitimacy. An email can be perfectly written, well-formatted, and correctly branded — and still be a phishing attempt. The checks that matter are technical and procedural, not linguistic.

How to Spot a Phishing Attempt — Every Time
Check the Actual Sender Address
The display name of an email can say anything — “Apple Support,” “HMRC,” “Your Bank.” The actual sending address cannot be faked in the same way. Click or hover on the sender name to reveal the actual email address. A genuine Apple email comes from @apple.com. A genuine HMRC email comes from @hmrc.gov.uk. If the actual address is @apple-security-verify.net, @hmrc-refunds.co, or any variation that is not the official domain — it is phishing. Be aware that sophisticated attackers sometimes register domains that look very similar to legitimate ones — paypa1.com, micosoft.com, appIe.com (with a capital i instead of lowercase L).
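The sender check described above can be automated for triage. The following is an added example written for this article, not code from any mail provider or security vendor: it pulls the real address out of a From header, ignores the display name, and classifies the domain as official, a lookalike of an official domain, or unknown. The list of official domains, the table of look-alike characters, and the sample headers are all constructed for the example; a real deployment would take the domain list from policy.

```python
"""Added example, not part of the article: classify the real sending domain of a
From header as official, lookalike, or unknown. The official-domain list, the
confusable-character table and the sample headers are constructed for the
example; in practice the list would come from policy and the check would run
in a mail filter or help-desk triage tool."""
from __future__ import annotations
from email.utils import parseaddr

# Constructed for the example: official domains and the brand each belongs to.
OFFICIAL_DOMAINS = {
    "paypal.com": "PayPal",
    "apple.com": "Apple",
    "hmrc.gov.uk": "HMRC",
    "microsoft.com": "Microsoft",
}

# Character substitutions that look alike in common fonts (after lower-casing,
# the capital I of appIe.com becomes i, so i -> l covers that case too).
CONFUSABLES = {"1": "l", "i": "l", "0": "o", "rn": "m", "vv": "w"}


def sender_domain(from_header: str) -> str:
    """Domain of the real address, ignoring the display name:
    "PayPal Security Team <alerts@paypa1.com>" -> "paypa1.com"."""
    _display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower()


def skeleton(domain: str) -> str:
    """Collapse confusable characters so lookalikes land on the same string."""
    out = domain.lower()
    for fake, real in CONFUSABLES.items():
        out = out.replace(fake, real)
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domains are short, so the simple version is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> tuple[str, str]:
    """Return ("official", brand), ("lookalike", brand) or ("unknown", "")."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown", ""
    # 1. Exactly the official domain, or a subdomain of it (mail.paypal.com).
    for official, brand in OFFICIAL_DOMAINS.items():
        if domain == official or domain.endswith("." + official):
            return "official", brand
    for official, brand in OFFICIAL_DOMAINS.items():
        # 2. One confusable swap or typo away: paypa1.com, appIe.com, micosoft.com.
        if edit_distance(skeleton(domain), skeleton(official)) <= 1:
            return "lookalike", brand
        # 3. Brand name used as a label inside an unrelated domain:
        #    apple-support-verify.com, hmrc-refund-gov.co.uk.
        labels = domain.replace("-", ".").split(".")
        if official.split(".")[0] in labels:
            return "lookalike", brand
    return "unknown", ""


if __name__ == "__main__":
    # Constructed sample headers.
    for header in [
        "PayPal Security Team <alerts@paypa1.com>",
        "Apple Support <noreply@appIe.com>",
        "HMRC <refunds@hmrc-refund-gov.co.uk>",
        "PayPal <service@mail.paypal.com>",
        "Newsletter <news@example.org>",
    ]:
        verdict, brand = classify_sender(header)
        print(f"{verdict:9} {brand:10} {header}")
```

The lookalike test is a triage heuristic, not a blocklist: a legitimately registered domain one letter away from a brand name will also be flagged, which is the right outcome for a filter that routes mail to human review rather than one that silently drops it.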
Go Direct Rather Than Clicking the Link
If an email tells you there is a problem with your bank account, your PayPal, your Amazon order, or any other service — do not click the link in the email. Open a new browser tab and navigate directly to the organisation’s website by typing the address yourself, or use your saved bookmark. Log in there. If there is a genuine problem, it will be visible in your account. If there is nothing there, the email was phishing. This single habit prevents the majority of successful phishing attacks.
Hover Before You Click
Before clicking any link in any email, hover your mouse over it without clicking. The actual URL the link goes to will appear in the bottom of your browser window or as a tooltip. If the displayed link text says “www.paypal.com” but the actual URL shown is “paypal-verify-account.ru/login” — do not click it. The display text of a link and its actual destination are entirely independent. Phishers always show you a legitimate-looking display text while pointing the link somewhere else.
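The same mismatch can be found mechanically in the message body. The example below is added for this article and is not code from any mail client: it parses the HTML of an email, collects every link's visible text and its real href, and reports the links whose text names one site while the destination is another. The sample message is constructed for the example; the two deceptive links in it are the pattern the paragraph above describes.

```python
"""Added example, not part of the article: list the links in an HTML email whose
visible text names one site while the href actually points to another, the
mismatch the article tells you to look for by hovering before you click.
The sample email body is constructed for the example."""
from __future__ import annotations
import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# A hostname written in visible text, e.g. "www.paypal.com" or "paypal.com/security".
HOST_IN_TEXT = re.compile(r"(?:https?://)?(?:www\.)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def host_in_text(text: str) -> Optional[str]:
    """The site the link text claims to be, minus any leading www., or None."""
    m = HOST_IN_TEXT.search(text)
    return m.group(1).lower() if m else None


def href_host(href: str) -> str:
    """The host the link really goes to, minus any leading www."""
    parsed = urlparse(href if "://" in href else "http://" + href)
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


class LinkCollector(HTMLParser):
    """Gather (visible text, href) for every <a> element in the message."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def deceptive_links(html: str) -> list[tuple[str, str, str]]:
    """(visible text, site the text names, site the link really goes to) for each
    link whose text names a site other than its real destination."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        shown, real = host_in_text(text), href_host(href)
        # A real host that is the named site, or a subdomain of it, is honest.
        if shown and real and shown != real and not real.endswith("." + shown):
            findings.append((text, shown, real))
    return findings


# Constructed sample: two honest links, two deceptive ones.
SAMPLE_EMAIL = """
<p>Unusual activity has been detected on your account.</p>
<p><a href="http://paypal-verify-account.ru/login">www.paypal.com</a></p>
<p><a href="https://www.paypal.com/help">Help Centre</a></p>
<p><a href="https://www.paypal.com/">https://www.paypal.com/</a></p>
<p><a href="http://paypa1.com/"><b>paypal.com/security</b></a></p>
"""

if __name__ == "__main__":
    for text, shown, real in deceptive_links(SAMPLE_EMAIL):
        print(f"text says {shown!r} but link goes to {real!r}: {text!r}")
```

Links whose visible text is a plain phrase such as “Help Centre” are not reported, because the text makes no claim about where the link goes; those still need the go-direct habit from the previous paragraph.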
Verify Through an Independent Channel
If you receive an unexpected email, text, or call requesting urgent action — particularly involving money, credentials, or access — verify it through an independent channel before acting. Call the organisation using a phone number from their official website or the back of your bank card — not a number provided in the suspicious communication. Email them using an address you find independently. A genuine urgent situation will still be genuine five minutes later after you have made a verification call.
Enable Multi-Factor Authentication
Multi-factor authentication (MFA) — where logging in requires both a password and a second factor such as an authentication app code or hardware key — prevents the majority of credential phishing attacks. Even if a phisher captures your username and password, they cannot log in without the second factor. Use an authenticator app (Google Authenticator, Authy, Microsoft Authenticator) rather than SMS codes where possible — SMS-based MFA can be bypassed by SIM swapping attacks. Hardware security keys (YubiKey) provide the strongest protection available.
Use a Password Manager
Password managers prevent a specific type of phishing attack — credential entry on fake websites. A password manager stores your credentials for specific URLs and will not auto-fill on a fake site because the URL does not match. If you navigate to paypa1.com and your password manager does not offer to fill your credentials — the site is not the one your credentials are stored for, which is a clear warning signal. Password managers also encourage unique passwords for every site, limiting the damage if one set of credentials is captured.
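To show why the password manager stays silent on paypa1.com, here is an added example, written for this article and not taken from any password manager product, of the URL-matching rule in simplified form. The vault contents and page URLs are constructed; the rule it applies (fill only over https, only on the saved site or one of its subdomains, comparing hosts in their ASCII form so that a Cyrillic letter cannot stand in for a Latin one) is an illustration of the principle, not a description of how any particular product implements it.

```python
"""Added example, not part of the article: a simplified model of the URL
matching a password manager does before offering to fill a saved login. The
vault contents and page URLs are constructed for the example, and the rule
used here (fill only over https, only on the saved site or one of its
subdomains, comparing hosts in their ASCII/punycode form) is an illustration,
not any particular product's code."""
from __future__ import annotations
from typing import Optional
from urllib.parse import urlparse

# Constructed vault: each login is stored against the site it was saved on.
VAULT = {
    "paypal.com": ("alice@example.org", "correct-horse-battery-staple"),
    "apple.com": ("alice@example.org", "a-different-unique-password"),
}


def normalise_host(page_url: str) -> str:
    """Lower-case the host and convert any Unicode label to its xn-- form, so a
    Cyrillic 'a' (U+0430) in p\u0430ypal.com cannot pass as the Latin letter."""
    host = urlparse(page_url).hostname or ""
    return host.encode("idna").decode("ascii").lower()


def matching_entry(page_url: str) -> Optional[tuple[str, str]]:
    """Credentials to offer for this page, or None when nothing saved matches."""
    if urlparse(page_url).scheme != "https":
        return None  # never offer a saved login to an unencrypted page
    host = normalise_host(page_url)
    for site, creds in VAULT.items():
        # Exact site or a subdomain of it; paypa1.com and paypal.com.evil.example fail.
        if host == site or host.endswith("." + site):
            return creds
    return None


if __name__ == "__main__":
    for url in [
        "https://www.paypal.com/signin",
        "https://paypa1.com/signin",
        "https://p\u0430ypal.com/signin",          # Cyrillic a, constructed lookalike
        "https://paypal.com.evil.example/signin",
    ]:
        print(f"{url:45} -> {'fill' if matching_entry(url) else 'no match'}")
```

The point of the model is that the manager never tries to judge whether a site looks like PayPal; it only checks whether the host is the one the login was saved on, so a lookalike gets nothing and the absence of the auto-fill prompt is the warning.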
Real Examples — What Phishing Looks Like in 2025
The Fake Parcel Notification
[FACT] “Your Royal Mail parcel could not be delivered. A small redelivery fee of £1.99 is required. Click here to pay.” The link goes to a near-perfect copy of the Royal Mail website. After entering payment card details for the £1.99 fee, the full card details are captured and used for much larger fraudulent transactions.
The Fake Bank Fraud Alert
[FACT] “Unusual activity has been detected on your account. To protect you we have temporarily limited your access. Verify your identity to restore full access.” The link goes to a fake bank login page. Credentials entered are captured in real time and used to access the actual account within minutes — before the victim has noticed anything is wrong.
The CEO Email
[FACT] An email appearing to come from the company CEO is sent to the finance director: “I’m in a meeting and need you to urgently process a wire transfer to our new supplier. I’ll explain later — please treat this as confidential for now.” The urgency, the authority, and the confidentiality request combine to pressure rapid action before verification occurs.
The Apple ID Suspension
[FACT] “Your Apple ID has been locked due to suspicious activity. Click below to unlock your account.” The link goes to a perfect copy of the Apple sign-in page. Credentials entered give the attacker full access to the victim’s Apple ID — and everything connected to it, including iCloud backups, Find My iPhone location data, and any apps or subscriptions.
If You Have Already Clicked
If you believe you have responded to a phishing attack:
- If you entered banking credentials: Call your bank immediately using the number on the back of your card. Report suspected fraud. Ask them to freeze your account and check for unauthorised transactions.
- If you entered a password: Change the password immediately on the legitimate site, and on any other site where you use the same password. Enable MFA if you have not already.
- If you downloaded a file: Disconnect from the internet. Run a full antivirus scan. Contact your IT department if this occurred on a work device.
- If you made a bank transfer: Call your bank immediately — some transfers can be recalled within a short window under the Contingent Reimbursement Model (UK) or equivalent schemes.
- Report the phishing attempt:
  - UK: report@phishing.gov.uk (NCSC)
  - USA: reportphishing@apwg.org and phishing-report@us-cert.gov
  - Australia: ReportCyber at cyber.gov.au
Conclusion
Phishing works because it is simple, scalable, and exploits something fundamental about how humans respond to urgency and authority. No amount of technical sophistication on the defender’s side fully compensates for a user who clicks a link in an urgent email without pausing to verify it.
The protection is not technical literacy in a general sense — it is specific habits applied consistently. Go direct rather than clicking links. Verify unexpected requests through independent channels. Enable MFA. Use a password manager. Check the actual sender address, not just the display name.
These habits take seconds. The attacks they prevent can cost thousands.
The email is almost always the first step. Protecting yourself at that first step — before a link is clicked, before credentials are entered — is where the defence matters most.
Written and reviewed by the MysteryVerse editorial team. Statistics sourced from the FBI Internet Crime Complaint Center 2023 Annual Report, the Verizon 2023 Data Breach Investigations Report, the Anti-Phishing Working Group (APWG) Phishing Activity Trends Report Q4 2023, and the UK National Cyber Security Centre annual review.
This article is updated regularly as phishing techniques evolve. Last updated June 2025.