Phishing has been around for decades, yet it remains one of the most persistent and successful forms of cybercrime. In fact, industry research estimates that more than 3.4 billion phishing emails are sent every single day, and some reports indicate the success rate of these attacks tripled in 2024 compared to 2023. Far from fading, phishing is evolving, becoming more sophisticated and harder to detect.

One of the biggest accelerants of this trend is generative AI (genAI). The rise of this innovative technology has dramatically changed the cyberthreat landscape, increasing the speed and believability of phishing campaigns while dramatically expanding the pool of attackers capable of launching them.

GenAI: A Phishing Accelerant 

GenAI has lowered the barrier to entry for cybercriminals. Attackers no longer need deep technical expertise or advanced language skills to launch convincing campaigns. With just a few prompts, even individuals with limited cybersecurity knowledge can spin up highly polished phishing attempts.

This technology is also making malicious emails more convincing than ever. Non-native English speakers, for example, can now produce messages with perfect spelling, grammar, and natural phrasing. Beyond language, genAI can replicate the tone, style, and vocabulary of legitimate organizations or even specific individuals, giving phishing attempts a level of authenticity that makes them nearly indistinguishable from genuine correspondence.

For recipients, this means the challenge of spotting a phishing email has become significantly more difficult. What once might have been dismissed due to obvious typos or awkward phrasing is now arriving in inboxes as seamlessly professional, trustworthy-looking messages.

Against this backdrop, it’s no surprise that “recognizing and reporting scams” has been spotlighted as one of the “Core 4” actions in Cybersecurity Awareness Month’s Stay Safe Online campaign.

10 Considerations to Defend Against Phishing Attacks

Cybersecurity Awareness Month encourages everyone to take an active role in protecting themselves and their organizations. When it comes to phishing, staying alert, practicing good cyber hygiene, and using the right tools are essential to reducing risk.

Here are 10 considerations that provide practical ways to put this guidance into practice — not just in October, but every day.

1. Scrutinize the sender address. If the email comes from an unfamiliar sender — or even from someone you know but the address looks slightly off — pause before engaging. A quick check of the sender’s details can prevent a costly mistake.
2. Verify the domain. Phishing emails often rely on subtle misspellings or lookalike domains. If the “@domain.com” part of the email doesn’t match the official corporate website exactly, treat the message as suspicious.
3. Beware of language meant to urge immediate action. Phrases like “Verify your account now” or “Your account has been compromised” are designed to trigger panic and impulsive clicks. Take a moment to assess before responding to any message that pressures immediate action.
4. Be cautious with attachments. Unsolicited attachments are a common phishing tactic. Never open files you weren’t expecting, especially from senders you don’t fully trust.
5. Inspect links carefully. Hover over hyperlinks before clicking. Make sure they begin with “https” and display a lock icon in the browser’s address bar. Be extra cautious with shortened URLs, which can conceal malicious destinations.
6. Keep your browser updated. Software updates often contain critical security patches. Enabling automatic updates ensures you’re protected against newly discovered vulnerabilities.
7. Do some recon. If a link looks suspicious, paste it into a trusted community anti-phishing or malware research database site such as PhishTank or Scumware to determine whether it’s a known phishing link. Additionally, use a URL expander to reveal the true destination of shortened links.
8. Commit to ongoing training. Cybersecurity awareness is not a one-time exercise. Regular training and phishing simulations help employees recognize evolving threats and respond safely.
9. Report potential phishing emails to IT. When in doubt, report — don’t click. Notify your IT or security team about questionable messages. If the email claims to be from someone you know, reach out to them directly through another channel to confirm.
10. Trust your instincts. If something feels “off” about an email — whether it’s the tone, timing, or request — err on the side of caution. Your intuition, combined with careful inspection, is a powerful first line of defense.

Bonus Tip: Cybersecurity Starts at Home

The information we post on social media (not just LinkedIn and company websites) is where threat actors get the best intelligence to develop strategic phishing emails. Personal details, vacation plans, job titles, and even casual updates can be leveraged to craft highly targeted and believable attacks. Staying vigilant about what you share online is a critical first step in defending against phishing, both at work and at home.

Staying Ahead of the Threat

Phishing thrives on distraction, urgency, and misplaced trust. But with awareness and proactive habits, these attacks can be stopped before they succeed. By combining individual vigilance with organizational training and reporting, we can create a layered defense that makes it harder for threat actors to succeed, even in the era of genAI.

Cybersecurity Awareness Month reminds organizations to make recognizing and reporting phishing a priority, but it’s not a once-a-year effort. Building resilience against phishing requires attention day in and day out, ensuring that security remains an ongoing priority rather than a seasonal campaign.