Phishing in 2025: 5 Simple Tips to Avoid Getting Hooked

By Chloé Maillet, Marketing Specialist at Indigita SA

Phishing attacks in 2025 are no longer clumsy scams filled with typos and broken logos. Fuelled by generative AI, modern phishing campaigns are harder to detect, more personalized, and disturbingly effective. With AI-generated phishing emails, deepfake videos, and voice spoofing on the rise, basic digital hygiene is not enough anymore.

Whether you are in IT, HR, Finance, or simply browsing your inbox, here are five advanced but practical ways to avoid phishing scams in today’s landscape:


1. Always Confirm Requests Through a Trusted, Separate Channel

Modern phishing attacks often rely on impersonation rather than on suspicious links alone. Attackers now use social engineering, that is, psychological manipulation designed to trick you into clicking, sharing credentials, or transferring money. Thanks to generative AI, these messages are highly convincing: written in flawless English, mimicking your coworkers’ tone, and even referencing real company details.

Example: You get a message from your CFO, urgently requesting a wire transfer. The message is polished and the profile photo checks out.

What You Should Do:

  • Never act on urgent financial or access requests within a single channel.
    If you receive such a request, verify through a separate, trusted method, such as a phone call, SMS, or secure email, using contact details you already hold rather than any given in the message itself.
  • Look beyond the interface. Just because a message or an email looks polished does not mean it is legitimate. Attackers now spoof internal accounts or hijack inactive ones to bypass your guard.
  • Double-check the sender’s email domain.
  • Phishing emails often use lookalike domains. For example:
    • ceo@yourcompany.co instead of ceo@yourcompany.com
    • invoices@secure-microsoft365.com instead of invoices@microsoft.com
  • Use domain verification tools (e.g., WHOIS lookup) if unsure.
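As an added example (not part of the original post), here is a small Python check of the kind a mail gateway or help-desk script could run on a sender address, covering the two lookalike patterns listed above: the same name under another TLD, and a brand name buried inside an unrelated domain. The allowlist, the brand tokens and the similarity threshold are assumptions chosen for the illustration, and the registrable-domain helper is deliberately simplified.

```python
import re
from difflib import SequenceMatcher

# Constructed allowlist for this example: domains the organisation treats as its own
# or as known partners. A real deployment would load this from configuration.
TRUSTED_DOMAINS = {"yourcompany.com", "microsoft.com", "docusign.com"}

# Brand words that should only ever appear inside the trusted domains above.
BRAND_TOKENS = {"yourcompany", "microsoft", "docusign"}

# Similarity above which two names are treated as visually confusable (assumed value).
SIMILARITY_THRESHOLD = 0.85


def registrable_domain(host: str) -> str:
    """Last two labels of a host name (mail.yourcompany.com -> yourcompany.com).
    Simplification: production code should use the Public Suffix List so that
    names like example.co.uk are handled correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(address: str) -> str:
    """Pull the domain out of 'Display Name <user@host>' or a bare 'user@host'."""
    match = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address.strip())
    if not match:
        raise ValueError(f"no domain found in sender address: {address!r}")
    return match.group(1).lower()


def classify_sender(address: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unknown'."""
    host = sender_domain(address)
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted", f"{reg} is on the allowlist"

    name, _, tld = reg.partition(".")
    for trusted in sorted(TRUSTED_DOMAINS):
        t_name, _, t_tld = trusted.partition(".")
        # Same name under another TLD: yourcompany.co instead of yourcompany.com
        if name == t_name and tld != t_tld:
            return "lookalike", f"{reg} is {trusted} under a different TLD"
        # Near-identical spelling, e.g. a zero in place of the letter o
        if SequenceMatcher(None, name, t_name).ratio() >= SIMILARITY_THRESHOLD:
            return "lookalike", f"{reg} is visually close to {trusted}"

    # Brand name buried in an unrelated domain: secure-microsoft365.com
    for token in BRAND_TOKENS:
        if token in host:
            return "lookalike", f"{reg} contains the brand '{token}' but is not that brand's domain"

    return "unknown", f"{reg} is not on the allowlist"


if __name__ == "__main__":
    for addr in ["CEO <ceo@yourcompany.com>", "ceo@yourcompany.co",
                 "invoices@secure-microsoft365.com", "ceo@yourc0mpany.com",
                 "alice@example.org"]:
        print(addr, "->", classify_sender(addr))
```

Two design points: the allowlist must contain every legitimate domain a brand really sends from, otherwise the brand-token rule will flag genuine mail; and a "lookalike" verdict is a signal for quarantine or a warning banner, not proof of fraud, so the out-of-band verification in the bullets above still applies.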


2. Examine Links and Attachments Before You Click

Phishing emails often include malicious links or booby-trapped attachments that look completely harmless.

Example: An email claims to be from DocuSign, urging you to “sign immediately.” The button links to docusign-docs.net, a fake site designed to steal your credentials.

What You Should Do:

  • Hover over links to preview the actual URL before clicking.
  • On mobile, long-press to inspect the destination.
  • Use tools like VirusTotal or browser plug-ins that scan links in real time.
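An added example, not from the original post: a Python routine that automates the hover check on an HTML email body. It extracts every link, compares the real destination with an expected brand domain, and flags links whose visible text names one domain while the href points to another, which is exactly what the DocuSign button above would reveal on hover. The sample email body and the expected-domain set are constructed for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML email body imitating the DocuSign lure described above.
SAMPLE_EMAIL = """
<p>A document requires your signature.</p>
<p><a href="https://docusign-docs.net/sign?id=123"><b>Sign immediately</b></a></p>
<p>Or copy this link: <a href="https://docusign-docs.net/sign?id=123">https://www.docusign.com/sign</a></p>
<p><a href="https://www.docusign.com/privacy">Privacy policy</a> | <a href="mailto:help@docusign.com">Support</a></p>
"""

# Something that looks like a host name inside visible link text, with or without a scheme.
_HOST_IN_TEXT = re.compile(
    r"(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})(?=[/\s]|$)")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML document."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: list[tuple[str, str]] = []
        self._href = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a host (simplified; use the Public Suffix List in production)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def audit_links(html: str, expected_domains: set[str]) -> list[dict]:
    """Return a finding for every http(s) link whose real destination lies outside
    expected_domains, or whose visible text names a different domain than its href."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            continue  # mailto:, tel: and relative links have no destination to hover-check
        destination = registrable_domain(parsed.hostname)
        shown = _HOST_IN_TEXT.search(text)
        shown_domain = registrable_domain(shown.group(1)) if shown else None
        if shown_domain and shown_domain != destination:
            findings.append({"href": href, "text": text,
                             "reason": f"text shows {shown_domain} but link goes to {destination}"})
        elif destination not in expected_domains:
            findings.append({"href": href, "text": text,
                             "reason": f"link goes to {destination}, not an expected domain"})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL, {"docusign.com"}):
        print(finding["reason"], "->", finding["href"])
```

The text-versus-href mismatch rule is the strongest signal here: a legitimate sender has no reason to display one address and link to another, whereas an unexpected destination alone may just be a mailing-list or tracking domain that belongs on the expected list.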

Phishing sites now use realistic domains, valid HTTPS certificates (so the padlock icon says nothing about whether a site is legitimate), and AI-generated branding to fool even careful users.


3. Focus on Context, Not Just Spelling or Grammar

Gone are the days when poor grammar gave phishing emails away. In 2025, many are written by AI models and sound exactly like your colleagues.

Example: You receive a resume from a “candidate” applying to a job supposedly posted by your department. It seems legitimate, but the job was never listed, and the file contains malware.

What You Should Do:

  • Ask yourself: Was I expecting this? Does it match the sender’s usual behaviour?
  • Be cautious with emotionally charged messages that invoke urgency, secrecy, or panic.
  • Verify unusual requests directly with the sender, especially if something feels “off.”


4. Use Multi-Factor Authentication to Block Stolen Credentials

Most phishing campaigns are designed to steal credentials. Multi-Factor Authentication (MFA) adds a critical layer of protection, even if your password is compromised.

Example: A junior employee enters their login details into a spoofed Microsoft 365 portal. MFA blocks access even though their credentials were stolen.

What You Should Do:

  • Use app-based MFA (e.g., Microsoft Authenticator, Authy) or physical security keys (e.g., YubiKey). Security keys are the phishing-resistant option, because they only authenticate to the genuine site, not to a lookalike.
  • Avoid SMS-based MFA when possible, as it is still vulnerable to SIM swapping.
  • Require MFA across all sensitive internal systems, not just email.

5. Invest in Ongoing Cybersecurity Awareness Training

Technology changes fast, and so do attack methods. Regular training helps build muscle memory and improves employee judgment.

Tip: Run phishing simulations every quarter. Offer incentives for staff members who report suspicious emails. Use training platforms that incorporate AI-generated phishing examples for realism.

Pro tip: Combine training with technical controls like anomaly detection, endpoint protection, and AI-driven email filtering.


To take your protection a step further, upgrade your organization’s awareness with Indigita’s “Cybersecurity and AI” SAQ certified course!
