Phishing has been around for years, but in late 2025 it’s becoming something far more dangerous. Back in the day, most scams were easy to detect.
Bad spelling, clunky logos or an email address that clearly wasn’t legitimate were easy red flags to spot.
That’s no longer the case.
Commercial Director of Topsec Cloud Solutions.
Today, criminals have AI on their side. They can send flawless, personalized emails, clone a manager’s voice, spin up deepfake video calls, and build fake websites that look identical to the real thing. And all of this takes mere minutes.
Malicious actors have also woken up to the easy pickings SMEs represent. They’re no longer going after global corporations. Small and mid-sized businesses are often their preferred targets, precisely because they tend to have fewer defenses in place.
For business leaders, the risk is higher than it’s ever been. One wrong click can drain accounts, damage reputations and even attract regulators’ attention. In short: staying “fit for business” in 2025 and beyond means staying a step ahead of phishing tactics that are evolving faster than ever.
Beyond email: today’s phishing arsenal
The number one way scams land in your organization is via email. In fact, Deloitte says 91% of attacks start there. That said, criminals aren’t stopping at email anymore. They’ve developed new strategies and tactics, and the new tricks are catching businesses off guard.
SIM-swap fraud: The thought of losing control of your phone is enough to send shivers down your spine. Yet this nightmare is exactly what happens when attackers convince a mobile provider to move your number onto their SIM card.
Now, all of your calls and text codes are going to them. Yes, even the security codes to keep your bank accounts and emails secure. SIM-swap fraud is a fast-growing problem. According to CIFAS, hacks of this kind increased by more than 1,000% last year.
Voice and video deepfakes: Dodgy emails now read like the first chapter of the cyber-attack playbook. Fake phone calls and fake video meetings are the newer chapters. Criminals are using AI to clone voices and even generate entire “teams” of colleagues.
One finance worker at engineering giant Arup was tricked into wiring $25 million after joining what looked like a routine video call. Every participant was an AI fake.
Smishing (SMS phishing): Those short, urgent texts claiming to be from your bank, a courier or even IT support are still on the rise. Because texts feel quick and familiar, people are more likely to click before thinking.
Quishing (QR phishing): QR codes have been everywhere since the pandemic: on posters, invoices and even business cards. Attackers exploit this by hiding malicious links behind codes that take you to fake login pages. Many security filters don’t catch them. Furthermore, some scams now use CAPTCHAs or redirect chains to make detection even harder.
Business Email Compromise (BEC): These scams have moved way beyond fake invoices. Attackers now break into collaboration tools like Teams or Slack, posing as colleagues to request payroll changes, sensitive data, or even gift cards. When the request comes from a “trusted” internal account, it’s much harder to spot.
MFA fatigue: Multi-factor authentication should keep you safe, but attackers are gaming the system. They spam you with approval prompts until, out of annoyance or distraction, you hit “approve.”
Phishing-as-a-Service (PhaaS): You no longer need to be a coding genius to run a scam. On the dark web, ready-made phishing kits and AI tools are sold like subscription software, giving even low-level criminals access to sophisticated attacks.
What ties all of these tactics together? In a nutshell, human psychology. Every one of them preys on the same weakness: human trust. Tech is the enabler, but psychology is what makes the scam work.
Why SMEs are especially vulnerable
Large organizations invest heavily in cyber defenses. Even then, they are not immune. But SMEs face a double disadvantage: limited budgets and overstretched IT staff. Attackers know this, and they actively seek out easier targets.
Remote and hybrid work has widened the attack surface further. Staff log in from personal devices and unsecured home networks, often while juggling competing demands. Add the pressure of rapid decision-making, and the conditions are ripe for mistakes.
The financial and operational consequences are severe:
- Direct theft of money or data.
- Prolonged downtime and lost productivity.
- Regulatory fines for data breaches.
- Long-term damage to brand trust and customer loyalty.
For smaller firms, even a single successful attack could prove existential.
Building resilience: how leaders can respond
Generic annual awareness training or “hover over the link before clicking” advice is no longer enough. Organizations need layered defenses across people, processes and technology.
1. Technical fortifications
– Move beyond SMS-based MFA: Authenticator apps, hardware tokens, or biometrics are more secure than one-time passcodes sent by text.
– Advanced email filtering: Use machine learning-powered filters that detect suspicious sender behavior, not just keywords.
– Endpoint detection and response (EDR): Spot and contain unusual activity on devices before attackers spread.
– DNS and URL filtering: Block access to known malicious sites even if a link is clicked.
– SIM-swap protections: Monitor for recent SIM changes, alert users when phone numbers are updated, and mask account numbers to reduce reconnaissance.
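Two of the technical controls above, the MFA hardening and the SIM-swap monitoring, can be backed by simple detections on identity-provider logs. The script below is an added example written for this article, not code from the author or from Topsec Cloud Solutions. It assumes a constructed event feed with placeholder event names (mfa_push_sent, mfa_push_approved, mfa_push_denied, phone_number_changed, sms_otp_sent, password_reset); real identity providers use their own field names. It flags a burst of push prompts to a single user (the MFA-fatigue pattern) and any sensitive action taken shortly after a phone-number change (the window in which a SIM swap or number hijack does its damage).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, event). These are made-up
# log lines in a hypothetical identity-provider format, not real data.
SAMPLE_EVENTS = [
    ("2025-10-01T08:00:02", "alice", "mfa_push_sent"),
    ("2025-10-01T08:00:20", "alice", "mfa_push_denied"),
    ("2025-10-01T08:00:41", "alice", "mfa_push_sent"),
    ("2025-10-01T08:01:05", "alice", "mfa_push_sent"),
    ("2025-10-01T08:01:30", "alice", "mfa_push_sent"),
    ("2025-10-01T08:01:50", "alice", "mfa_push_sent"),
    ("2025-10-01T08:02:10", "alice", "mfa_push_approved"),  # gave in after the burst
    ("2025-10-01T09:15:00", "bob", "mfa_push_sent"),
    ("2025-10-01T09:15:08", "bob", "mfa_push_approved"),    # normal single login
    ("2025-10-01T11:30:00", "carol", "phone_number_changed"),
    ("2025-10-01T11:42:00", "carol", "sms_otp_sent"),       # OTP now goes to the new number
    ("2025-10-01T11:43:10", "carol", "password_reset"),
    ("2025-10-02T10:00:00", "dave", "phone_number_changed"),
    ("2025-10-05T10:00:00", "dave", "password_reset"),      # well outside the hold window
]


def parse_event(row):
    """Turn one (timestamp, user, event) tuple into a dict with a datetime."""
    ts, user, event = row
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event}


def detect_push_fatigue(events, threshold=4, window=timedelta(minutes=5)):
    """Flag users who received >= threshold push prompts inside a sliding window.

    A burst of prompts is the MFA-fatigue signature; an approval right after the
    burst is the outcome defenders most want to catch.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["event"] in ("mfa_push_sent", "mfa_push_approved"):
            by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        sent = [e["ts"] for e in evs if e["event"] == "mfa_push_sent"]
        approved = [e["ts"] for e in evs if e["event"] == "mfa_push_approved"]
        best = None
        start = 0
        for end in range(len(sent)):
            # Slide the window start forward until the span fits inside `window`.
            while sent[end] - sent[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {"user": user, "count": count,
                        "window_start": sent[start], "window_end": sent[end]}
        if best:
            burst_end = best["window_end"]
            best["approved_after_burst"] = any(
                burst_end <= a <= burst_end + window for a in approved)
            alerts.append(best)
    return alerts


def detect_post_sim_change_actions(events, hold=timedelta(hours=48),
                                   sensitive=frozenset({"password_reset", "sms_otp_sent"})):
    """Flag sensitive actions within `hold` of a phone-number change.

    Treating a freshly changed number as untrusted for a hold period is the
    control the 'monitor for recent SIM changes' advice describes.
    """
    changes = defaultdict(list)
    for e in events:
        if e["event"] == "phone_number_changed":
            changes[e["user"]].append(e["ts"])

    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] not in sensitive:
            continue
        for changed_at in changes.get(e["user"], []):
            if changed_at <= e["ts"] <= changed_at + hold:
                minutes = round((e["ts"] - changed_at).total_seconds() / 60, 1)
                alerts.append({"user": e["user"], "action": e["event"],
                               "minutes_since_change": minutes})
    return alerts


def run_detections(rows=SAMPLE_EVENTS):
    """Parse the rows and return both alert lists."""
    events = [parse_event(r) for r in rows]
    return detect_push_fatigue(events), detect_post_sim_change_actions(events)


if __name__ == "__main__":
    fatigue, sim_swap = run_detections()
    for a in fatigue:
        print(f"MFA fatigue: {a['user']} got {a['count']} prompts, "
              f"approved afterwards: {a['approved_after_burst']}")
    for a in sim_swap:
        print(f"Post number-change: {a['user']} did {a['action']} "
              f"{a['minutes_since_change']} min after the change")
```

Run on the constructed sample, the first detector reports alice (five prompts in under two minutes, then an approval) and ignores bob's single legitimate prompt; the second reports carol's SMS OTP and password reset twelve minutes after her number changed, and ignores dave's reset three days later. The threshold, window and hold period are deliberately parameters: tune them to your own provider's prompt volume, and route the alerts to the same place your EDR and email-filter events already land so the response team sees one queue.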
2. Human firewall
– Targeted, realistic training: Teach staff to spot the latest scams, from AI deepfakes to quishing. Use phishing simulations to reinforce habits.
– Recognize SIM-swap warning signs: Sudden loss of mobile signal, inability to send texts or make calls, and unexpected account lockouts.
– Safe reporting culture: Make it easy to report suspicious messages without blame.
3. Process discipline
– Dual approval for payments: No single employee should authorize large transfers.
– Verify via trusted channels: Call suppliers back on published numbers before acting on unusual requests.
– Tested incident response plans: Be prepared to act quickly if a SIM-swap, account takeover or phishing breach is suspected.
Fit for business in 2025
The truth is phishing has never been “just” an IT issue. It’s very much a boardroom issue. AI-driven fraud, deepfake video calls, SIM-swap fraud and phishing-as-a-service mean that the old “common sense” advice is no longer sufficient.
Resilience depends on combining smart technology, disciplined processes and well-prepared people. Cybercriminals are evolving fast. The only response is for you and your business to evolve even faster.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro