When an Email Costs $4 Million
Remember those funny emails from Nigerian princes? Times have changed. In 2025, phishing has evolved from primitive fraud into a full-fledged industry whose level of organization rivals that of legitimate businesses.
The Cost of Phishing
According to IBM’s Cost of a Data Breach report, the global average cost of a single breach reached $4.88 million in 2024 (the figure for US companies is higher still), and phishing is among the most common ways such a breach begins. Meanwhile, mounting the attack costs criminals only about $500.
Where Do These Numbers Come From?
It all starts with identifying the problem.
Companies spend an average of $1.47 million just to understand what happened. This includes digital forensics, security audits, hiring external experts, and crisis management.
Then come business losses totaling $1.38 million. These include system downtime, customers moving to competitors, and reputational damage.
Finally, another $1.2 million is spent dealing with the aftermath and recovery. Note that these three components add up to roughly $4.05 million; the remainder of the headline figure falls into cost categories not broken out here, such as notifying affected customers and regulators.
Phishing as an Entry Point for Ransomware
Phishing has also become the main gateway for ransomware. 54% of all ransomware infections start with a phishing email.
An employee opens an attachment or clicks a link, the attackers get a foothold, and from there they escalate. Soon the company’s data is encrypted and a ransom demand follows.
In 2025, ransomware is present in 44% of all breaches, up from 32% the previous year. 94% of all malware is delivered via email, whether as an attachment or a link, making it the most popular delivery vector.
---
How Phishing Works in 2025
Not Just Emails
Fraudsters no longer rely solely on emails. About 40% of phishing campaigns now use multiple platforms simultaneously. An attack may start via email, continue on Slack or Microsoft Teams, and end with a phone call.
Vishing (voice phishing) has become a serious problem. 30% of organizations reported vishing attempts in the past year, a 15% increase. Deepfake technology allows attackers to clone anyone’s voice from just a few seconds of recording. Imagine receiving a call from your CEO (or at least their voice) asking you to urgently resolve an issue. According to Cisco Talos’s Q1 2025 incident response data, vishing was the most common form of phishing, accounting for over 60% of the phishing-related engagements.
Quishing (phishing via QR codes) grew 331% year-over-year according to Cofense. People tend to trust QR codes and scan them without thinking. Attackers exploit this by redirecting victims to fake login pages, installing malware on smartphones, or initiating fraudulent payments.
Smishing (phishing via SMS) remains popular. People generally trust text messages more than emails. When an SMS supposedly from a bank or delivery service arrives, many click the link without verifying the sender.
---
Who Gets Attacked Most Often
Data from multiple sources shows that some industries are targeted much more frequently than others.
Finance and Insurance are at the top, with the highest number of attacks and the greatest employee vulnerability.
Manufacturing ranks second, largely due to traditionally lower cybersecurity awareness among staff.
Oil, gas, and mining attract attackers because of the value of data and the critical nature of infrastructure. A successful attack can not only leak sensitive information but also disrupt production processes.
Healthcare remains a constant target. Medical data is highly valuable on the black market, and hospitals often cannot afford prolonged downtime, making them more likely to pay a ransom.
Retail is targeted due to large volumes of payment data. One successful attack on a major retail chain can compromise millions of credit cards.
Within companies, there are differences as well. Lawyers, finance professionals, and IT staff are better protected against phishing. They undergo regular training and are generally more cautious.
On the other hand, communications, sales, and business development teams fail phishing tests 40% more often. These employees constantly interact with external contacts, receive many emails from unknown senders, and are more likely to miss warning signs.
How Phishing Is Disguised
Have you ever experienced something like this: on Steam, a very friendly stranger — often appearing to be from China — adds you as a friend. A few days later, they send you a link to a “gift” that was supposedly left there by accident.
Something very similar happened to me recently. Let’s look at how a typical phishing attack can be disguised for an ordinary user.
Domain Spoofing
Many phishing domains are internationalized domain names (IDNs): they contain characters from other alphabets (Cyrillic, for example) that look almost identical to Latin letters. DNS stores such a name in its ASCII “punycode” form, a label beginning with xn--, and the browser decodes it for display, so the link can look legitimate while pointing at a completely different registration.
For example:
telegram.org → telegrаm.org
In this case, the Latin “a” is replaced with the Cyrillic “а”, which looks identical but is a different character; on the wire the second name is an xn-- label, not telegram.org at all. Modern browsers show the raw xn-- form when a single label mixes scripts, as this one does, which is why attackers prefer whole-script homographs in which every letter comes from one non-Latin alphabet.
Another common trick is replacing characters with visually similar ones in the link text itself. For example, a lowercase “l” can be replaced with an uppercase “I”:
telegram.org → teIegram.org
Here, l → I. Domain names are case-insensitive, so the registered name is really teiegram.org; the substitution fools the eye in the message text, and the address bar will show it lowercased as teiegram.org, which still passes a quick glance.
Such lookalikes are usually registered under cheap, less popular top-level domains, where registration costs little and the obvious variants of a brand name have not already been bought up defensively.
Browser-in-the-Browser
In the scenario described above, the link leads to a page that looks like a legitimate site. When you click its login button, what appears to be an OAuth-style pop-up window opens and asks for your credentials.
The trick is that this is not a real browser window at all. It is an HTML element drawn inside the attacker’s page, styled to look like a separate window complete with a title bar and an address bar showing the real provider’s URL. Because it lives inside the page, the attacker controls everything in it and captures whatever the user types.
Two checks expose it. A real pop-up is a separate operating-system window: you can drag it outside the boundary of the parent browser window and it appears in the taskbar or window switcher; the fake one is clipped at the page edge. And a password manager will not offer to autofill the real site’s credentials, because the page’s actual origin is the attacker’s domain, not the one painted in the fake address bar.
Other Domain Disguising Techniques
Domains are also often disguised as names of other products belonging to the same company. For example, instead of vk.com/calls, attackers might send a link such as vkcalls.me, and similar variations.
At first glance, such links may appear legitimate, especially if the user is not paying close attention to the exact domain name. This is exactly what attackers rely on — a quick glance instead of careful verification.
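The homograph, l/I and vkcalls.me tricks above can be checked mechanically. The following Python is an added example written for this article, not code from the original page or from any company mentioned here: it converts a link’s host to its punycode form, flags labels that mix scripts, compares a “skeleton” of the name against a small allow-list of brands, and flags a brand token buried inside an unrelated registration. PROTECTED_BRANDS, CONFUSABLES, the registrable-domain rule (last two labels) and the sample URLs are assumptions made for the example; a production version would use the Unicode TR39 confusables table and a public-suffix list.

```python
"""Lookalike-domain triage for links in suspicious messages (added example).

Checks three things: IDN homographs (Cyrillic letters standing in for Latin
ones), ASCII look-alikes such as teiegram.org, and brand names buried in an
unrelated registration such as vkcalls.me. PROTECTED_BRANDS, CONFUSABLES and
the sample URLs are constructed for illustration.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list (assumption): brand token -> domains the brand owns.
PROTECTED_BRANDS = {
    "telegram": {"telegram.org"},
    "vk": {"vk.com"},
    "cisco": {"cisco.com"},
}

# Tiny confusables table (assumption; the real one is Unicode TR39's).
CONFUSABLES = {
    "rn": "m", "vv": "w",                                  # multi-char first
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x",
    "у": "y", "і": "i", "ѕ": "s", "ј": "j",               # Cyrillic
    "1": "l", "0": "o",
}


def skeleton(label: str) -> str:
    """Map a label onto its visually 'plain' lowercase Latin form."""
    s = unicodedata.normalize("NFKC", label).lower()
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s


def script_of(ch: str) -> str:
    """'LATIN', 'CYRILLIC', 'GREEK', ... taken from the character's Unicode name."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; enough to spot one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(url: str) -> dict:
    """Return the host, its wire (punycode) form, a verdict and a list of findings."""
    findings = []
    host = (urlsplit(url if "://" in url else "//" + url).hostname or "").rstrip(".")
    try:
        if "xn--" in host:                       # caller passed the wire form: decode it
            host = host.encode("ascii").decode("idna")
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = None
        findings.append("idna_conversion_failed")
    host = host.lower()
    if ascii_host and ascii_host != host:
        findings.append("idn:" + ascii_host)
    labels = host.split(".")
    registrable = ".".join(labels[-2:])          # assumption: no public-suffix list

    for label in labels:
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:                     # browsers show xn-- for mixed-script labels
            findings.append("mixed_script:" + label)

    if any(registrable in owned for owned in PROTECTED_BRANDS.values()):
        return {"host": host, "ascii": ascii_host, "verdict": "allowlisted", "findings": findings}

    first = skeleton(labels[-2] if len(labels) >= 2 else labels[0])
    for brand, owned in PROTECTED_BRANDS.items():
        owned_first = {skeleton(d.split(".")[0]) for d in owned}
        if first in owned_first:
            findings.append("homograph_of:" + brand)
        elif any(edit_distance(first, o) == 1 for o in owned_first):
            findings.append("typosquat_of:" + brand)
        elif brand in first:
            findings.append("brand_lure:" + brand)
    return {"host": host, "ascii": ascii_host,
            "verdict": "suspicious" if findings else "no_match", "findings": findings}


if __name__ == "__main__":
    # Constructed sample links: the three tricks from the text plus a clean one.
    for link in ("https://telegram.org/login", "https://telegrаm.org/gift",
                 "teIegram.org", "https://vkcalls.me/call/1", "https://сіѕсо.com/"):
        print(analyse(link))
```

Feed it the host from the actual link target, not the display text of the link. Note that a whole-script Cyrillic name such as сіѕсо.com produces no mixed-script finding at all; the browser will happily render it in Unicode, and only the skeleton comparison catches it.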
---
AI in Phishing
The biggest change of the past two years came when attackers started using ChatGPT and other large language models. Now the model can write the email, build the story, and format it neatly, all on its own.
Five Minutes to Generate a Phishing Email
IBM recently conducted a study showing an impressive difference in efficiency. A team of security experts spent 16 hours creating a single phishing campaign. AI accomplished the same task in just 5 minutes, using only 5 text prompts.
Fraudsters can easily use AI to generate a phishing website, create a convincing story, and even disguise their writing style in the email.
Interesting fact: according to KnowBe4, 82.6% of all phishing emails now contain text generated by AI.
But there’s a nuance. This statistic shows how many malicious emails are created. Most of this spam is still filtered out by corporate defenses. An analysis of 386,000 emails that successfully bypassed protections and reached users’ inboxes found that only 0.7% to 4.7% were definitively written by AI.
¯\_(ツ)_/¯
---
When AI Surpassed Humans
The company Hoxhunt conducted an experiment where an AI agent competed against a professional team of hackers in creating phishing emails. In 2023, AI was 31% less effective than humans. By March 2025, the situation had completely reversed. AI became 24% more effective at deceiving users than experienced experts.
Defenses are trained on yesterday’s attacks, while tomorrow’s threats will be far more sophisticated. The most dangerous part: the barrier to entry for cybercriminals has dropped almost to zero. Previously, technical skills and language knowledge were required. Now, all that’s needed is the ability to craft effective prompts for ChatGPT.
---
Supply-Chain Attacks via Phishing
A separate concern is phishing that targets not the company directly but its suppliers and service providers, and through them its own users.
From an Email to Access in Dozens of Companies
Imagine this scenario: an IT employee receives a convincing email supposedly from a cloud provider. They click the link and enter their credentials on a fake page. Now, hackers have access to the administrative panel, where they can create new accounts, modify access rights, and install backdoors.
These attacks are especially dangerous for service providers and software developers. Once a company that provides services to other organizations is compromised, the effect spreads down the chain.
The XZ Utils backdoor of 2024 shows where that chain can lead, although it was not a phishing email: over several years a pseudonymous contributor used social-engineering pressure on the project’s lone maintainer to obtain commit and release rights, then shipped a backdoor in liblzma that activated inside sshd on Linux distributions where OpenSSH is linked against liblzma via libsystemd. It was caught before reaching most stable releases.
How to Protect Yourself
The best defense against these attacks is to limit potential damage. The principle of least privilege ensures that even if an account is compromised, the attacker only gains access to the minimum necessary for that employee’s work.
Yes, it’s obvious: don’t give everyone administrator rights. A single account should never have access to all critical systems simultaneously.
Network segmentation, separate accounts for different access levels, and mandatory verification of critical actions through a separate channel all make life harder for hackers and provide time to detect an attack before it escalates into a full-scale infrastructure compromise.
---
Technical Perimeter
On the technical side, SPF, DKIM, and DMARC with an enforcing policy (p=quarantine or p=reject, applied to subdomains as well) are mandatory. Widely cited vendor statistics claim that 99% of organizations that properly configure DMARC block 90% of spoofing attempts. Be clear about what that covers: DMARC stops mail that forges your exact domain in the From header; it does nothing against lookalike domains, compromised legitimate mailboxes, or a message sent from the attacker’s own domain, so it is a floor rather than a complete defense. Modern AI-powered email filters add anomaly detection and can catch novel attacks that are not yet in signature databases.
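What “strict policies” means in practice can be read straight off the published TXT records. The following Python is an added example, not code from the original article or from any vendor it cites: it parses an SPF record and a DMARC record and lists the settings that leave exact-domain spoofing unenforced. The two zones in SAMPLE_RECORDS, the function names and the wording of the findings are my own constructions; in practice you would fetch the records with dig TXT example.com and dig TXT _dmarc.example.com.

```python
"""SPF and DMARC policy review from published TXT records (added example).

Flags the settings that leave exact-domain spoofing unenforced. The records
in SAMPLE_RECORDS are constructed for illustration, not real zones.
"""

# Constructed sample zones (assumption): one monitor-only, one enforced.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailer.example ?all",
        "dmarc": "v=DMARC1; p=none; pct=50",
    },
    "strict.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
        "dmarc": ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                  "rua=mailto:dmarc@strict.example"),
    },
}

# Mechanisms that cost a DNS lookup; RFC 7208 caps the total at 10.
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def assess_spf(txt: str) -> list:
    """Return a list of weaknesses found in one SPF record."""
    findings = []
    if not txt or not txt.lower().startswith("v=spf1"):
        return ["SPF: no v=spf1 record, so receivers cannot check sending hosts"]
    all_term, lookups = None, 0
    for term in txt.split()[1:]:
        t = term.lower()
        qualifier = t[0] if t[0] in "+-~?" else "+"          # default qualifier is +
        name = t.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]
        if name == "all":
            all_term = qualifier + "all"
        elif name in LOOKUP_MECHS:
            lookups += 1
            if name == "ptr":
                findings.append("SPF: ptr mechanism is deprecated and unreliable")
    if all_term is None:
        findings.append("SPF: no all mechanism, unlisted hosts get a neutral result")
    elif all_term == "+all":
        findings.append("SPF: +all authorises every host on the internet")
    elif all_term == "?all":
        findings.append("SPF: ?all (neutral) never fails forged mail")
    elif all_term == "~all":
        findings.append("SPF: ~all softfail only flags mail; DMARC must act on it")
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a lowercase-keyed tag dict."""
    tags = {}
    for part in (txt or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: str) -> tuple:
    """Return (findings, enforced). Enforced means p=quarantine/reject at pct=100."""
    findings = []
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: no v=DMARC1 record, SPF/DKIM results carry no policy"], False
    p = tags.get("p", "").lower()
    if p == "none":
        findings.append("DMARC: p=none is monitor-only, forged mail is still delivered")
    elif p not in ("quarantine", "reject"):
        findings.append(f"DMARC: missing or invalid p= tag ({p!r})")
    if p in ("quarantine", "reject") and tags.get("sp", p).lower() == "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    try:
        pct = int(tags.get("pct", "100"))                     # default is 100
    except ValueError:
        pct = 0
        findings.append("DMARC: pct= is not a number")
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports on who spoofs you")
    return findings, p in ("quarantine", "reject") and pct == 100


def assess_domain(spf: str, dmarc: str) -> dict:
    """Combine both checks for one domain."""
    dmarc_findings, enforced = assess_dmarc(dmarc)
    return {"enforced": enforced, "findings": assess_spf(spf) + dmarc_findings}


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        result = assess_domain(**records)
        print(domain, "enforced" if result["enforced"] else "NOT enforced")
        for finding in result["findings"]:
            print("  -", finding)
```

The weak zone gets four findings and is not enforced; the strict one gets none. The check is deliberately syntactic: it does not follow include chains or confirm DKIM selectors, so a clean result here means the policy is right, not that the mail pipeline signs everything it sends.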
All attachments and links should be checked in a sandbox environment before reaching the user. This creates an isolated space where a suspicious file can be safely opened and analyzed.
Endpoints also require EDR systems with AI analysis. These monitor application behavior in real time and can stop an attack even after malware has entered the system.
---
Training
Now let’s talk about the main source of problems: humans.
Without training, the statistics are alarming:
Only 7% of employees report suspicious emails.
20% click on malicious links.
11% open all attachments in emails.
With monthly training, the situation changes dramatically.
According to Hoxhunt, after adaptive training, employees successfully recognize threats 60–74% of the time.
In the financial sector, this figure is the highest. The frequency of clicks on malicious links drops to 2–3%, a 5.5× decrease. Most importantly, 64% of employees begin reporting real phishing attacks, not just training simulations.
---
For a modelled organization of 1,000 employees, the number of harmful employee actions drops from 466 to 74.6 per year, a reduction of about 84% on those figures.
Combining technical defenses with regular employee training is therefore the most effective way to mitigate phishing risk in 2025 and beyond.
---
Key Points in Training
Training must be adaptive: the difficulty of simulations should rise as the user’s skills grow, so that people who pass the easy lures keep being tested with harder ones.
It must be personalized, by department, region, and role. A finance professional and a sales manager receive different simulated emails, because real attacks targeting them would also differ.
It must be realistic. Simulations should be based on attacks actually circulating right now; one good approach is to have an external Red Team of pentesters build the scenarios from the lures they see in engagements.
And it must be frequent. Annual training does not create lasting skills; regular, unannounced exercises are what keep employees alert.
Employees should also be trained to verify domains: read the full host name in the address bar rather than the link text, and for anything doubtful check the WHOIS record, in particular when the domain was registered. A domain created days ago that claims to be a bank or a long-standing vendor is a red flag.
---
Why Protections Don’t Always Work
Fraudsters evolve every day. Attacks now involve not only spoofed phone numbers or emails but also voice impersonation.
And of course, deepfake technology makes this even more dangerous. You could receive a link to a virtual meeting where you end up talking one-on-one with what sounds like a real colleague — but it’s actually a sophisticated fake.
---
Key Takeaways
The data from 2025 is clear: phishing is no longer just an IT problem for tech teams to handle — it is a business risk that directly affects a company’s financial stability and reputation.
Organizations that implement multi-layered defenses, combining technological barriers with behavioral training for personnel, cut successful attacks by about 84% on the figures above. The rest remain at risk.