Deciphering the phishing attack, so you don't take the bait!

Red alert on our e-mail inboxes: phishing attacks have soared. According to APWG data, phishing attacks rose from 877,536 in Q2 2024 to 989,123 in Q4.
This isn't just an increase, it's a veritable tide of phishing attacks sweeping through our organizations. Gone are the crude, misspelled messages from a Nigerian hacker wanting to share his fortune. Today, cybercriminals deploy sophisticated strategies that fool even the most seasoned professionals.
Let's look at what "phishing" is, the forms it takes and how to avoid taking the bait.
What is a "phishing attack"?
Phishing attack: definition
Phishing is a hacking technique designed to steal sensitive information by pretending to be a trusted person or entity. It's a very common cyber-attack technique, affecting both individuals and large corporations. But of course, the bigger the fish, the better for the hackers.
What are phishing attacks aimed at?
These hackers, or more precisely "scammers" in the jargon, have several objectives:
- Steal your personal or business data.
- Impersonate the target to commit fraud.
- Break into a computer system and install Trojan horses or other malware.
- Embezzle money through fraudulent bank transfers.
- Access personal and business accounts: e-mail, social networks, web services, etc.
Example of a phishing attack
In 2024, according to Arctic Wolf's report, 70% of companies reported business email compromise (BEC) attacks. The result? Nearly 29% suffered at least one successful attack.
Case study of a phishing attack in 2025
In February 2023, a French company lost around 38 million euros after its accounting department, acting in good faith, responded to an e-mail appearing to come from its lawyers and CEO by making the 45 transfers it requested. (source: Radio France)
The e-mail was perfectly worded, used the correct logos, signatures and internal references, and even mentioned an actual confidential project underway within the organization.
This sophisticated attack shows just how professionalized phishing techniques have become, representing a major threat to your company's cybersecurity.
Phishing attack basics: how it works
A phishing attack can take many forms (see below). But whatever the form, a typical multi-step process can be observed.
1. Preparation
The hacker gathers information about his target (company, staff, habits) via social networks or the web. This is the reconnaissance phase. The fisherman identifies the fish to arm himself with the best bait to put on his hook. In other words, he'll personalize the attack, which doesn't guarantee success, but will drastically increase its success rate.
2. Creating the lure (bait)
Creation of a credible message imitating a legitimate organization. This may come from a bank, an internal IT department, an Internet provider...
The hacker will faithfully reproduce the organization's features:
- Visual identity (logos, graphic guidelines).
- The usual tone and style of communication.
- Official signatures and contact details.
- Similar web domains (e.g. amazon-security.com instead of amazon.com).
3. Distribution (casting the hook)
Mass or targeted sending of a message containing a malicious link or infected attachment. Every day, no fewer than 3.4 billion phishing e-mails are sent worldwide, representing 1.2% of all e-mails, according to AAG.
According to AAG statistics, virtually everyone has received a phishing message at least once in their life. The lucky ones never saw it (it went to spam). The unlucky ones fall victim and realize it far too late.
4. Manipulation
Encourage the victim to click on the link or open the attachment using social engineering techniques:
- Creating a sense of urgency ("Your account will be blocked in 24 hours").
- Use of curiosity ("See who viewed your profile").
- Exploitation of fear ("Suspicious connection attempt detected").
- Appeal to greed ("You've won an iPhone 15").
5. Compromise
Collection of credentials entered on the fake site, or installation of malicious code on the victim's device. This stage is generally invisible to the user, who thinks he or she is interacting with a legitimate service.
6. Exploitation
Here, depending on the form of phishing, data exploitation differs.
- Using stolen data to access accounts.
- Making fraudulent transfers.
- Launching other attacks on the organization's network.
💡 Did you know? Artificial intelligence has become the formidable ally of cybercriminals. The latest techniques include voice cloning (replicating a CEO's voice over the phone) and deepfakes (creating fake videos of a trusted person). These technologies make attacks infinitely more convincing and difficult for security services to detect.
The most common types of phishing attack
Over the years, hackers have perfected their techniques to become ever more specific and effective.
But the principle remains the same. The hacker is a fisherman. Phishing is both bait and hook. And the target/victim is the fish. To avoid these traps, you need to understand how they work.
Here are the most commonly used phishing attack techniques and methods.
1. Phishing by e-mail - The timeless classic
E-mail phishing remains the preferred modus operandi of hackers. It's the easiest of the list to set up, and also the most widespread. Individuals are the easiest prey to phish. Basically, an organization with an IT manager will be able to avoid it without any problem.
How to recognize it?
Given the number of business emails a company can receive daily or weekly, it can be confusing. But there are a few warning signs.
Before clicking on an e-mail link or downloading a file, check for the following:
- Suspicious sender address (look beyond the name displayed).
- Subtle spelling mistakes (often in the sender's domain).
- Generic greetings ("Dear customer" instead of your name).
- Links whose URL reveals a different destination when hovered over.
- Attachments with dubious extensions (.zip, .exe, .bat).
Typical example: an e-mail imitating your bank asks you to "confirm your banking information following a security update".
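The checklist above (and the lookalike-domain trick mentioned under "Creating the lure") can be automated. The following is an added example, not code from the original article: a small Python checker that flags a lookalike sender domain, a generic greeting, risky attachment extensions, and links whose visible text shows a different host than the real destination. The trusted-domain list and the sample message are constructed for the example.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed list of domains the organization trusts (constructed for this example).
TRUSTED = {"amazon.com", "mybank.example"}
RISKY_EXT = (".zip", ".exe", ".bat", ".scr")
GENERIC = ("dear customer", "dear user", "dear client")

def is_lookalike(domain):
    """True for an untrusted domain that resembles a trusted one (amazon-security.com, amaz0n.com)."""
    if not domain or domain in TRUSTED:
        return False
    label = domain.split(".")[0]
    return any(t.split(".")[0] in label
               or SequenceMatcher(None, label, t.split(".")[0]).ratio() >= 0.8
               for t in TRUSTED)

def phishing_indicators(raw):
    """Return the warning signs from the checklist above that are found in a raw RFC 822 message."""
    signs, body = [], ""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if is_lookalike(domain):
        signs.append(f"lookalike sender domain: {domain}")
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(RISKY_EXT):
            signs.append(f"risky attachment: {fname}")
        if part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode(errors="replace")
    if body.strip().lower().startswith(GENERIC):
        signs.append("generic greeting")
    # The "hover over the link" check: the host shown in the text differs from the real href host.
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        real = re.sub(r"^https?://([^/]+).*$", r"\1", href).lower()
        shown = re.search(r"[\w-]+(?:\.[\w-]+)+", text)
        if shown and shown.group(0).lower() != real:
            signs.append(f"link shows {shown.group(0)} but goes to {real}")
    return signs

# Constructed sample message imitating a bank (not a real e-mail).
SAMPLE = """From: "MyBank Security" <alerts@mybank-security.example>
Subject: Confirm your banking information
Content-Type: text/html; charset=utf-8

Dear customer, following a security update please
<a href="http://login.mybank-security.example/verify">https://www.mybank.example/login</a>
"""
```

Running `phishing_indicators(SAMPLE)` reports the lookalike domain, the generic greeting and the mismatched link; a real deployment would feed it messages pulled from the mail gateway.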
2. Spear phishing - the tailor-made attack
Unlike mass phishing, spear phishing targets specific individuals with personalized messages. The hacker uses public or internal information (LinkedIn, company publications, organization charts) to create a message totally tailored to the target. This is yet another reminder of the importance of choosing the right information to disclose on a social network.
The success rate of these targeted attacks is 10 times higher than traditional phishing, because they are carefully crafted and extremely credible. Today, spear phishing is one of the main threats to sensitive corporate data.
In practice, this can take the form of:
- Extensive personalization (mention of colleagues, current projects).
- Reference to actual company events (perhaps adulteries).
- Precise targeting of those with access to sensitive data.
- Perfect imitation of the organization's communication style.
So, if someone sends: "Luke, I'm your father", it's a sign.
3. Whaling - The hunt for big fish
Why go for the little fish when you can go for the big white whale (Moby Dick)? Whaling specifically targets an organization's top executives.
These phishing attacks are meticulously prepared and extremely credible, often after weeks of studying the target's behavior and communication style. The bigger the fish, the better the preparation.
This just goes to show how advanced hacking has become.
Points to remember in understanding and identifying whaling are:
- Personalized messages evoking specific executive responsibilities.
- Exploitation of power relationships within the company.
- Significant but plausible financial demands.
- Use of urgency to short-circuit verification processes.
Example: a false e-mail from the CFO to the CEO requesting urgent validation of a transfer to "finalize the confidential acquisition" they had recently discussed.
4. Vishing - Voice phishing
Vishing (voice phishing) exploits telephone calls to manipulate victims. The attacker poses as a colleague, technical support or banking partner and uses urgency to get you to reveal sensitive information. With the recent arrival of AI (voice AI), this phishing technique is exploding among the new hacking trends.
Common techniques
- Spoofing to display a legitimate number.
- Creation of an emergency scenario requiring immediate action.
- Exploitation of authority (fake call from IT department or superior).
- Use of call center background noise to reinforce credibility.
Technology alert:
AI-based voice cloning tools made these attacks explode in 2024. A few seconds' recording of an executive's voice (available in interviews or webinars) is now enough to generate complete conversations perfectly imitating his tone and intonations.
What's most worrying about all this? At present, there is no ready-made, tailor-made solution for detecting this type of hacking. So it's important to remain vigilant and keep abreast of the latest advances in AI technology, which is constantly coming up with new trends every month (or even week).
5. Smishing - the SMS trap
Who says SMS is out of fashion? Not hackers, anyway! Smishing (SMS phishing) exploits text messages to trick you into clicking on malicious links. This technique takes advantage of the fact that SMS messages can be consulted almost immediately by their recipients, and their short format makes it easier to hide suspicious clues.
Telltale signs
- Unknown or alphanumeric sender numbers.
- Short messages creating a sense of urgency ("Delivery pending", "Payment refused").
- Shortened links masking the true destination URL.
- Subtle spelling or grammatical errors.
In 2024, the "Smishing Triad" group ran campaigns in over 121 countries, using around 200,000 domains for their operations, according to WIRED. These attacks are particularly effective because of their brevity and the sense of urgency they create.
Security tip of the day
Never click directly on a link received by SMS. If the message appears to come from a legitimate company (bank, postal service), there are two options. Open the official application yourself, or manually type their web address into a browser.
Example of SMS messages you may receive:
6. Clone phishing - Copy to deceive
For attackers, clone phishing involves duplicating legitimate e-mails from users. They modify the original messages by including malicious links or attachments. The e-mails are then sent from spoofed accounts to make them appear authentic. Here, attackers spoof the sender's e-mail address to send the cloned message.
The aim of clone phishing is generally to trick recipients into providing personal or banking information.
This technique relies mainly on the victim's inattention. There is really only one way to guard against it: hover over every link before opening it.
7. Pharming - Invisible hacking
This type of fraud uses malicious code to redirect victims to spoofed websites. The hacker's aim is to steal the victim's credentials and confidential data.
Pharming attacks occur when cybercriminals manipulate the Domain Name System (DNS) or compromise a user's device to redirect them to a fraudulent website.
For your information, DNS is a system that translates domain names (www.example.com) into IP addresses so that browsers can load the correct website.
In a pharming attack, attackers corrupt this process to redirect users to malicious websites, imitating legitimate ones.
In principle, pharming begins with the installation of malicious code on the victim's system. Once that code has run, the victim is redirected to a spoofed website, where he or she is likely to share sensitive data or login credentials.
To avoid pharming, we recommend the use of secure DNS (such as Cloudflare or Google DNS). You should also use SSL/TLS certificates (a spoofed site cannot present a valid certificate for your domain, so browsers will warn) and activate the DNSSEC protocol.
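One common device-side pharming mechanism is an entry added to the local hosts file (/etc/hosts on Linux and macOS, C:\Windows\System32\drivers\etc\hosts on Windows) that pins a bank or login domain to an attacker's address, bypassing DNS entirely. The following is an added example, not code from the original article: a Python check that scans hosts-file content for any entry covering a watched domain. The watch list and the sample hosts file are constructed for the example.

```python
import ipaddress

# Assumed watch list: domains that must never be resolved from the local hosts file
# (constructed for this example; a real list would hold the organization's own services).
WATCHED = {"mybank.example", "mail.example.com", "login.microsoftonline.com"}

def suspicious_hosts_entries(hosts_text):
    """Return (line_no, ip, hostname) for every hosts-file line that pins a watched
    domain or one of its subdomains, whatever the address: a bank or identity
    provider has no business in the hosts file, and pointing it at an address the
    attacker controls is exactly how local pharming works."""
    findings = []
    for no, line in enumerate(hosts_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()        # strip comments, tokenize
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                                   # malformed line, skip it
        for name in names:
            name = name.lower().rstrip(".")
            if any(name == w or name.endswith("." + w) for w in WATCHED):
                findings.append((no, ip, name))
    return findings

# Constructed sample hosts file: a legitimate line, an ad-blocking line, and a poisoned line.
SAMPLE_HOSTS = """127.0.0.1   localhost
0.0.0.0     ads.tracker.example      # blocked on purpose
203.0.113.7 mybank.example www.mybank.example   # added by malware
"""
```

In practice the file is read from the path above and the function is run on each endpoint, with any finding treated as a compromise indicator rather than a configuration quirk.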
8. Phishing via social networks - disguised attacks
If you think scrolling through TikTok and Instagram is safe, you've missed the point. Attacks on these platforms are multiplying, prompting you to divulge personal information.
First, you receive an e-mail notification telling you that you need to activate a new account, because the one you already have will disappear (the famous Zuckerberg messages, you know?). If you take the bait, you end up with your private data violated.
☝️ Beware of friend requests! Some fake accounts don't want your friendship, they want your data or your money.
9. QR code phishing - When a simple scan becomes a threat
QR codes are everywhere, from supermarkets to websites selling training courses. Hackers are finding it increasingly easy to attack you via these codes. The most common case? They create malicious codes that redirect you to a fraudulent site.
A QR code stuck on a 'free WiFi' sign? It's like a poisoned candy... don't scan it!
In practice, QR code phishing aims to trick users into providing confidential information such as login credentials, bank details or even identity information.
🗣️ Tip: opt for scanners with built-in link preview (such as Google Lens), and never scan a QR code stuck on a public object.
10. Phishing via mobile applications - scams in your smartphone
Phishing via mobile applications involves tricking you into installing a fraudulent app that looks exactly like the legitimate application. Once installed, it will:
- display the login screens the victim is used to;
- collect all the data entered;
- run in the background to monitor user activity.
Certain factors favor this phishing attack: small screens (making it difficult to identify malicious URLs), notifications that are glanced at quickly, automatic logins.
How can you avoid these pitfalls? Stop following any link that appears on your Facebook news feed!
How to recognize and prevent a phishing attack?
While phishing is an omnipresent threat in the digital world, the signs are also revealing. Sometimes we choose to be blind to them: spelling and grammatical errors, e-mail addresses without the expected domain name, urgent requests that aren't really urgent, and so on.
Suppose you receive an e-mail claiming to be from your bank, asking you to verify your personal details because of "suspicious activity". On the spot, you'd be tempted to reply! Result: you're trapped!
Now you've figured it out, but your employees keep clicking and replying to every e-mail! Once again, you're trapped!
What can you do? Staff training and awareness-raising! No more opening infected attachments! No one gets stupidly redirected to a fraudulent website!
The implementation of two-factor authentication (2FA) also provides an additional barrier against unauthorized access. Even if a password is compromised, 2FA requires a second verification, making it much more difficult for cybercriminals to access accounts.
Also consider advanced security solutions, such as e-mail filtering software. Here, you're the one using the net to catch the criminals. Let's reverse the role, shall we?
Phishing attack: in a nutshell!
In short, phishing remains one of the most formidable cyberthreats. As Netskope's data shows, the rate of phishing attacks rose considerably in 2024.
In terms of how it works, phishing involves sending messages that appear to come from a legitimate company or website. These messages generally contain a link redirecting the user to a fake website that looks like the real thing. The user will then be prompted to enter personal information such as login details or credit card number. This attack can take many forms, from the most classic (e-mail phishing) to the most sophisticated (whaling).
To protect yourself against cyberthreats, we recommend increased vigilance and, above all, regular training. Adopting the right tools (2FA, anti-phishing filters) is also an effective shield. That said, cybersecurity must remain a collective priority (companies and employees) in order to face up to the ingenuity of cybercriminals.
Phishing is evolving, but so is your vigilance. So, are you ready to become a fish too smart for hackers?
Article translated from French