Phishing is no longer a clumsy email from a Nigerian prince. Modern phishing attacks are AI-crafted, highly personalized, and delivered across multiple channels — email, SMS, voice calls, and even browser-based exploits. For businesses relying on managed IT services, understanding the current threat landscape is the first step toward building meaningful defenses.
This guide covers how phishing has evolved, how to recognize the latest attack patterns, and what organizational defenses actually move the needle.
How Phishing Has Evolved
The core phishing premise hasn’t changed: trick a human into revealing credentials, clicking a malicious link, or transferring funds. What has changed is the sophistication, personalization, and scale of attacks.
Smishing and Vishing
Email-based phishing now competes with SMS phishing (smishing) and voice call phishing (vishing). The FBI has documented widespread smishing campaigns using fake toll payment notifications, package delivery alerts, and IRS notices — all directing victims to credential-harvesting sites. Vishing campaigns impersonate IT support, bank fraud departments, and even internal executives.
AI-Generated Content
Generative AI has eliminated two of the most reliable phishing indicators: grammatical errors and generic tone. Attackers now use large language models to craft fluent, contextually accurate, and personalized phishing content at scale. A spear-phishing email targeting a CFO might reference the company’s recent acquisition, the CFO’s correct name and title, and a plausible internal process — all synthesized from public LinkedIn and news sources.
Deepfake Audio and Video
AI-generated deepfakes are increasingly used in social engineering. Attackers have successfully impersonated executives in voice calls, directing finance employees to wire funds or reveal credentials. One well-documented case: a company lost $25 million after employees joined a video call with what appeared to be senior colleagues — all deepfakes.
Browser-Based Phishing
A 140% increase in browser-based phishing attacks has been documented, including zero-day exploit delivery through malicious ad networks and browser extension hijacking. Attackers exploit browser vulnerabilities to inject credential-stealing scripts into legitimate-looking pages.
Recognizing Phishing in 2025
The traditional phishing tells — typos, mismatched sender addresses, generic greetings — are less reliable than ever. Modern red flags to train employees on:
Unexpected urgency. Phishing messages consistently manufacture urgency: “Your account will be suspended in 24 hours,” “Immediate action required,” “This is time-sensitive.” Legitimate organizations almost never demand immediate action via email.
Out-of-band credential requests. No legitimate IT department, bank, or software vendor will ask you to confirm your password via email, SMS, or a phone call you didn’t initiate. Full stop.
Mismatched URLs. Hover over links before clicking. Look for lookalike domains: facetmsp.com vs. facetmsp.co, facet-msp.com, or facetmsp.com.phishingsite.com. Pay attention to the full URL, not just the visible text.
Impersonation of internal systems. Modern attacks spoof Microsoft 365 login pages, DocuSign signature requests, and internal IT ticketing systems. If you receive an unexpected login request from an internal tool, navigate directly to it rather than clicking the link.
Requests that bypass normal process. “Can you handle this wire transfer directly? The CFO is traveling and needs this done today.” Any request that bypasses a normal approval process — especially involving money or credentials — should be verified through a separate, known communication channel.
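As an added illustration of the mismatched-URL red flag above (example code written for this guide, not part of the original post), the checker below compares the domain a user expects with the host an href actually points to, and shows why facetmsp.com.phishingsite.com belongs to phishingsite.com, not facetmsp.com. The sample links are constructed, and the registrable-domain logic assumes simple two-label suffixes such as .com rather than consulting the Public Suffix List.

```python
from urllib.parse import urlparse

# Constructed sample set: the domain the user expects vs. the href behind the link.
SAMPLE_LINKS = [
    ("facetmsp.com", "https://facetmsp.com/login"),                   # genuine
    ("facetmsp.com", "https://portal.facetmsp.com/login"),            # genuine subdomain
    ("facetmsp.com", "https://facetmsp.co/login"),                    # wrong TLD
    ("facetmsp.com", "https://facet-msp.com/login"),                  # hyphen lookalike
    ("facetmsp.com", "https://facetmsp.com.phishingsite.com/login"),  # brand as a subdomain
]


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    Assumption for this example: every suffix is a single label (.com, .co).
    A production check would use the Public Suffix List so that e.g. .co.uk
    is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(expected_domain: str, href: str) -> str:
    """Classify an href relative to the domain the user believes they are visiting.

    'ok'        - host is exactly the expected domain
    'subdomain' - host is a subdomain of the expected domain (e.g. portal.)
    'lookalike' - the registrable domain differs, however familiar the prefix looks
    """
    host = (urlparse(href).hostname or "").lower()
    expected = registrable_domain(expected_domain)
    if host == expected:
        return "ok"
    if registrable_domain(host) == expected:
        return "subdomain"
    return "lookalike"


def scan_links(links=SAMPLE_LINKS) -> list[tuple[str, str]]:
    """Return (href, verdict) pairs; anything marked 'lookalike' deserves a second look."""
    return [(href, classify_link(expected, href)) for expected, href in links]


if __name__ == "__main__":
    for href, verdict in scan_links():
        print(f"{verdict:10} {href}")
```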
Building Organizational Defenses That Work
Technical controls and policy alone aren’t enough. The most effective phishing defense combines technology, process, and continuous education.
Security Awareness Training with Simulations
Annual security training is insufficient. The most effective programs run phishing simulations monthly — sending test phishing emails to employees and measuring click rates, credential submission rates, and reporting rates over time. Employees who fail simulations get targeted micro-training immediately, in context. Over 12–18 months, organizations that run consistent simulations see phishing failure rates drop from 30–40% to under 5%.
Ask your MSP whether security awareness training with active phishing simulations is included in your service tier. At Facet MSP, it’s a core component of our cybersecurity program.
Email Filtering and Anti-Spoofing Controls
Layer your email defenses:
- SPF, DKIM, and DMARC: These DNS-level controls prevent spoofing of your domain. If your domain doesn’t have DMARC configured with a reject or quarantine policy, attackers can send email that appears to come from your domain.
- Advanced email filtering: Tools like Microsoft Defender for Office 365 or third-party solutions analyze link reputation, attachment behavior, and sender patterns in real time — blocking threats before they reach inboxes.
- External email banners: Tag all external email with a visible warning banner so employees are reminded that messages from outside the organization deserve extra scrutiny.
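An added example (written for this guide, not code from the original post or from Facet MSP) of checking whether a DMARC record actually enforces anything: a record with p=none only generates reports, and pct below 100 or an sp=none subdomain policy leaves gaps even when p=reject is set. The TXT records below are constructed for illustration; in practice the record is published as the TXT record at _dmarc.<your-domain>.

```python
# Constructed sample DMARC TXT records (not real domains' published records).
SAMPLE_TXT = {
    "_dmarc.example-weak.test":    "v=DMARC1; p=none; rua=mailto:dmarc@example-weak.test",
    "_dmarc.example-partial.test": "v=DMARC1; p=quarantine; pct=25",
    "_dmarc.example-strong.test":  "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example-strong.test",
}


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a tag -> value dict (RFC 7489 tag=value; syntax)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    if "p" not in tags:
        raise ValueError("DMARC record missing the required p= tag")
    return tags


def assess_dmarc(record: str) -> tuple[bool, list[str]]:
    """Return (enforcing, findings).

    'enforcing' is True only when failing mail is actually quarantined or rejected
    for 100% of messages and for subdomains too; p=none is monitor-only.
    """
    tags = parse_dmarc(record)
    findings = []
    policy = tags["p"].lower()
    pct = int(tags.get("pct", "100"))
    sp = tags.get("sp", policy).lower()  # sp defaults to the p= policy
    if policy == "none":
        findings.append("p=none: spoofed mail is still delivered; only reports are generated")
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    if policy != "none" and sp == "none":
        findings.append("sp=none: subdomains can be spoofed even though the apex domain is protected")
    if "rua" not in tags:
        findings.append("no rua=: aggregate reports are not collected, so spoofing attempts go unseen")
    enforcing = policy in ("quarantine", "reject") and pct == 100 and sp != "none"
    return enforcing, findings
```

Run assess_dmarc over each record in SAMPLE_TXT: only the "strong" record comes back enforcing with no findings.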
Multi-Factor Authentication (MFA)
Even if an employee submits credentials to a phishing site, MFA prevents the attacker from using those credentials. Enable MFA on every account — Microsoft 365, Google Workspace, VPN, cloud apps, and any system accessible from the internet. Use authenticator apps (TOTP) rather than SMS-based codes, which are vulnerable to SIM swapping.
Incident Reporting Culture
The fastest way to contain a phishing attack is early detection. Build a culture where employees report suspected phishing immediately — without fear of embarrassment or punishment. Provide a simple one-click reporting mechanism (Microsoft Defender’s “Report Message” button, or a dedicated Outlook add-in). When employees report phishing, acknowledge it, investigate it, and follow up.
Advanced Threat Detection
AI-powered security tools can detect phishing at the network level — identifying anomalous login patterns, unusual data transfers, and command-and-control traffic that indicates a compromised endpoint. Tools in this category include Microsoft Sentinel, CrowdStrike Falcon, and similar EDR/SIEM platforms. Your MSP should be monitoring alerts from these systems around the clock.
What to Do If You Think You’ve Been Phished
Speed matters. If an employee suspects they’ve clicked a phishing link or submitted credentials:
- Don’t panic, but act fast. Immediate response limits damage.
- Disconnect the device from the network if possible.
- Notify IT or your MSP immediately — not the next day, right now.
- Change the affected password immediately from a different, clean device.
- Report the phishing email to your email security platform.
Your MSP should have a documented phishing incident response playbook. If they don’t, that’s a gap worth addressing.
The Bottom Line
Phishing is the entry point for the majority of significant cyber incidents — ransomware, business email compromise, data breaches. No technical control eliminates the risk entirely, because phishing exploits human psychology, not just technical vulnerabilities. The organizations that defend best combine layered technical controls with a genuine security culture — where every employee knows what to look for and what to do.
If your team isn’t running regular phishing simulations or doesn’t have DMARC configured, those are two high-impact starting points. Book a free IT security assessment and we’ll identify your highest-priority exposure areas.