Despite decades of cybersecurity investment, phishing remains one of the most effective and persistent vectors of cyberattacks. As attackers evolve their tactics — increasingly leveraging AI, personalised social engineering, multi-channel delivery, and deepfake techniques — organisations continue to face meaningful risk across industries. This article examines why phishing endures, how it has developed over time, key trends in 2025, and the role that well-designed phishing simulation programs play in strengthening organisational resilience.
What Phishing Is and Why It Still Works
At its core, phishing is a form of social engineering in which attackers deceive individuals into disclosing sensitive information, credentials, or performing unsafe actions. Phishing remains effective because it exploits human psychology — trust, urgency, authority, and convenience — rather than technical vulnerabilities alone.
Evolution of Phishing: From Generic Emails to Multi-Channel Attacks
Phishing has evolved far beyond the poorly crafted mass emails of the past. Today's attacks are targeted, AI-enhanced, and delivered across multiple channels simultaneously.
Classic Email Phishing
Mass emails with obvious errors and generic subjects. Awareness of basic cues improved — so attackers adapted by making lures contextual and targeted.
Spear Phishing & Business Email Compromise
Highly targeted attacks leveraging social media and corporate data to build legitimacy. BEC now represents one of the most financially damaging attack classes.
AI-Enhanced & Multi-Channel Phishing
Generative AI enables rapid production of personalised, convincing messages. Modern phishing spans email, SMS, voice calls, collaboration tools, and deepfake media.
Modern phishing now extends to:
- SMS (smishing) and voice calls (vishing)
- Collaboration tools — phishing within chat platforms
- Fake web pages and deepfake media
- Multi-channel campaigns combining email, voice, and social networks
Phishing Trends in 2025
Organisations worldwide continue to face significant phishing volumes, with some analyses reporting tens of millions of attempts targeting Australia alone in 2024 and 2025.
Internal-themed phishing messages — HR or IT-related lures — dominated simulation failures in mid-2025, reflecting attackers' deliberate emphasis on familiarity and trust triggers.
The use of AI has enabled attackers to scale and personalise attacks faster than many traditional defences can adapt. Phishing campaigns also increasingly use QR codes and redirection platforms to obfuscate malicious URLs and bypass MFA controls.
The Human Factor and Risk Exposure
Phishing remains widely successful because targeted individuals still struggle to distinguish malicious from legitimate communication. Even experienced digital users frequently cannot identify advanced phishing emails — particularly when attackers leverage AI-generated text and contextually accurate details.
Behavioural factors contributing to phishing success include:
- Convenience and complacency — employees prioritise speed over caution
- Trust in familiar brands or known sender names
- Lack of training, reinforcement, or threat visibility
Real-World Impact of Phishing Attacks
Phishing is not just a theoretical risk — it directly contributes to data breaches, credential theft, ransomware, and BEC losses. Credential theft, often initiated via phishing, surged dramatically in 2025, accounting for a significant portion of breaches.
Economically, attacks initiated through phishing can result in:
- Loss of sensitive data and intellectual property
- Financial fraud or transfer theft
- Disruption of business operations
- Regulatory penalties and reputational damage
In some recent large-scale incidents, phishing served as the gateway to data compromise affecting millions of customer records — highlighting the pervasive reach of this threat vector.
Phishing Simulations and Organisational Resilience
A growing body of evidence shows that well-executed phishing simulation programs improve organisational resilience. Longitudinal research demonstrates that repeated simulated phishing exposures, combined with tailored training and behavioural reinforcement, can halve susceptibility rates within six months. Effective programs share several elements:
- Realistic scenarios that mimic current threat patterns
- Immediate feedback explaining why the lure was malicious
- Targeted training following simulation results
- Continuous measurement and refinement
Organisations that adopt an iterative approach — rather than one-off training — see measurable improvements in both detection and reporting behaviours, shifting cybersecurity culture from compliance-driven to behaviour-driven.
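The "continuous measurement and refinement" element above is easiest to see with numbers. The following is an added example (not PeopleShield or APEX code, and not from the original article) showing how a program owner might compute the metrics that matter across successive simulation campaigns: the susceptibility (click) rate, the credential-submission rate, the reporting rate, and a per-theme breakdown that shows which lures employees fall for most. All records, campaign dates, lure themes and channel names are constructed for illustration; the "halved within six months" check implements the benchmark the article cites.

```python
"""Phishing-simulation programme metrics (added example; constructed data).

Each SimResult is one simulated lure delivered to one employee and the
outcome observed. A defender tracks these across campaigns to see whether
susceptibility is falling and reporting is rising over time.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SimResult:
    campaign_date: date
    theme: str        # lure theme, e.g. "IT password reset" (constructed)
    channel: str      # delivery channel: email / sms / chat (constructed)
    clicked: bool     # followed the link or scanned the QR code
    submitted: bool   # entered credentials on the landing page
    reported: bool    # used the organisation's report-phishing button


def _batch(d, theme, channel, n, clicked, submitted, reported):
    """Build n constructed records: the first `clicked` employees click,
    the first `submitted` of those also submit, the last `reported` report."""
    assert submitted <= clicked and clicked + reported <= n
    return [
        SimResult(d, theme, channel, i < clicked, i < submitted, i >= n - reported)
        for i in range(n)
    ]


# Constructed sample: three campaigns spanning roughly six months.
RESULTS = (
    _batch(date(2025, 1, 15), "IT password reset", "email", 5, 3, 2, 1)
    + _batch(date(2025, 1, 15), "Courier delivery notice", "sms", 5, 2, 1, 1)
    + _batch(date(2025, 4, 10), "HR policy acknowledgement", "email", 5, 2, 1, 2)
    + _batch(date(2025, 4, 10), "Courier delivery notice", "sms", 5, 1, 0, 3)
    + _batch(date(2025, 7, 8), "IT password reset", "email", 5, 2, 0, 3)
    + _batch(date(2025, 7, 8), "Teams file share", "chat", 5, 0, 0, 4)
)


def campaign_metrics(results):
    """Per-campaign rates, keyed by campaign date, in chronological order."""
    groups = defaultdict(list)
    for r in results:
        groups[r.campaign_date].append(r)
    metrics = {}
    for d in sorted(groups):
        rows = groups[d]
        n = len(rows)
        metrics[d] = {
            "sent": n,
            "click_rate": sum(r.clicked for r in rows) / n,
            "submit_rate": sum(r.submitted for r in rows) / n,
            "report_rate": sum(r.reported for r in rows) / n,
        }
    return metrics


def susceptibility_halved(metrics):
    """True when the latest campaign's click rate is at most half the baseline."""
    dates = sorted(metrics)
    baseline, latest = metrics[dates[0]], metrics[dates[-1]]
    return latest["click_rate"] <= baseline["click_rate"] / 2


def theme_failure_rates(results):
    """Click rate per lure theme across all campaigns; drives targeted training."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for r in results:
        sent[r.theme] += 1
        clicked[r.theme] += int(r.clicked)
    return {t: clicked[t] / sent[t] for t in sent}


if __name__ == "__main__":
    for d, m in campaign_metrics(RESULTS).items():
        print(f"{d}: sent={m['sent']} click={m['click_rate']:.0%} "
              f"submit={m['submit_rate']:.0%} report={m['report_rate']:.0%}")
    print("susceptibility halved:", susceptibility_halved(campaign_metrics(RESULTS)))
    for theme, rate in sorted(theme_failure_rates(RESULTS).items(), key=lambda kv: -kv[1]):
        print(f"  {theme}: {rate:.0%} clicked")
```

With the constructed data the click rate falls from 50% to 20% while the reporting rate rises from 20% to 70%, and the theme breakdown shows the internal-themed IT and HR lures failing more often than the courier or chat lures, which is the pattern the trends section describes. In a real programme the records would come from the simulation platform's export, and the same two trends (susceptibility down, reporting up) are the ones worth putting in front of leadership.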
Outlook and Strategic Imperatives for 2026
As phishing tactics evolve, organisations must adopt layered, dynamic strategies:
- Integrating training beyond email to cover voice, SMS, and collaboration tools
- Using behavioural analytics to detect anomalies
- Ensuring phishing simulations reflect contemporary threat intelligence
- Supporting employees with constructive coaching rather than punitive approaches
In the coming years, the proliferation of AI-augmented phishing and multi-vector campaigns will likely accelerate — making human awareness and adaptive training even more critical to organisational defence.
What this means for your organisation
See how PeopleShield addresses the phishing challenge directly.
APEX is built on intelligence-driven simulations, human-led support for high-risk employees, and behaviour change that lasts beyond the training session. If this article resonated, the APEX program page is the right next step.