Cybercriminals Cast Wide Nets—Don’t Be the Catch

You might enjoy fishing on a quiet lake, but phishing in your inbox is a different catch. One uses bait to reel in trout—the other baits you into handing over your login credentials. While fishing might cost you a weekend, phishing could cost you your identity, your money and your peace of mind.
Phishing is a cyberattack that uses fraudulent emails, text messages, phone calls or websites to trick people into sharing sensitive information, downloading malware or exposing themselves to cybercriminals. It’s the digital version of bait-and-switch, and unfortunately, the bait keeps getting better.
Below are a few phishing trends for 2025:
- Email remains the most common and effective method for phishing. It’s responsible for an estimated $6.7 billion in global losses to business email compromise in 2025.
- AI has stepped into the phishing game, and it’s not playing fair.
  - Generative AI can mimic the visuals and formats of popular brands while crafting text with flawless grammar and a polished tone.
  - It’s also speeding up malware development for malicious attachments and being engineered to slip past the usual email filters.
- Microsoft continues to be the most impersonated brand, followed by Google and Apple.
- Malicious .html attachments have overtaken .pdf files as the top file type in phishing emails.
  - These .html files redirect users to websites that automatically download and execute malicious code. They’re harder for filters to catch thanks to tricks like encoding and excessive redirects.
So, what should you do when a suspicious email lands in your inbox? Start with a quick check:
- Do you recognize the sender?
- Does the subject line pressure you to act fast or tug at your emotions?
- Is the greeting oddly generic?
- Skim the body of the message. Are there spelling or grammar mistakes?
- Hover over links to preview the destination—never click if it looks suspicious.
- Think twice before opening attachments and never open one from an unknown source.
If you’re confident it’s a phishing attempt, hit the “Report Phishing” button in Outlook and delete the email.
Now, I know you didn’t think bad actors would stop at email. Smishing and vishing are two more ways they try to reel you in.
Smishing is phishing via text message. It’s a social engineering attack that uses fake mobile texts to trick you. If you get a suspicious message, review it and verify the sender. If you still can’t confirm it’s legit, block and report it. Need help? Check out instructions for Apple and Android users.
Vishing stands for voice phishing. It involves fraudulent phone calls or voice messages designed to con you into handing over personal information. Attackers often pose as reps from banks, government agencies or delivery services. Here’s how to stay sharp:
- Never give personal information over the phone unless you can verify the caller.
- Contact the organization directly to confirm credentials.
- Be wary of unsolicited calls asking for sensitive details.
Remember, fishing gets you dinner. Phishing gets you trouble.
Thank you!