October 08, 2025

Why phishing is still dangerous in 2025

You might think you can spot a phishing email from a mile away, but today’s scammers are using AI and sophisticated tactics that would fool even cybersecurity experts. Learn why phishing remains one of the biggest threats to your digital security and how to protect yourself.

Remember when phishing emails were easy to spot? They had terrible grammar, came from obviously fake email addresses, and made claims about princes or lottery winnings. Those days are long gone, but the good news is that awareness and vigilance can still protect you.

What is phishing?

At its core, phishing is a social engineering attack designed to trick you into giving up sensitive information or taking actions that compromise your security. The name comes from “fishing” – scammers cast out bait (fake emails, texts, or calls) hoping someone will bite.

But modern phishing isn’t about casting a wide net anymore. Today’s attackers use highly targeted approaches, leveraging personal information gathered from social media, data breaches, and other sources to create convincing, personalized attacks.

The goal is usually to:

  • Steal login credentials for your email, banking, or other important accounts;
  • Install malware on your device to monitor your activities or steal information;
  • Trick you into making payments to fraudulent accounts;
  • Gather personal information that can be used for identity theft; and
  • Gain access to your workplace systems through your compromised personal accounts.

What makes phishing particularly dangerous is that it exploits human psychology rather than technical vulnerabilities. Even if you have the best security software in the world, a convincing phishing attack can still succeed if it tricks you into voluntarily handing over your information.

What are the different types of phishing?

Traditional email phishing

Email phishing is still the most common type, but it’s gotten way more sophisticated. Modern phishing emails often use AI to craft personalized, grammatically correct messages that are much harder to detect.

These emails might:

  • Perfectly mimic legitimate companies with exact logos, formatting, and language;
  • Reference real transactions or activities from your actual accounts;
  • Use your real name and personal details gathered from data breaches or social media;
  • Create believable urgency without seeming obviously fake; and
  • Include links to websites that look identical to the real thing.

The key difference from old-school phishing is that these emails often pass the “gut check” test that used to protect people (for example, “I don’t know anyone in a South American prison”). 

Spear phishing

Spear phishing takes personalization to the next level, targeting specific individuals or organizations with highly customized attacks. In 2024, spear phishing resulted in over $67 million in losses for Canadians.

These attacks might involve a criminal:

  • Researching targets extensively through social media, company websites, and public records;
  • Impersonating colleagues, vendors, or business partners with convincing detail;
  • Timing attacks strategically around real events like conferences, product launches, or busy periods; and
  • Using insider knowledge about company processes, relationships, or current projects.

Smishing (SMS phishing)

Text message phishing has seen a 22 per cent rise in prevalence, partly because people tend to trust text messages more than emails and often read them immediately.

Common smishing tactics include:

  • Fake package delivery notifications claiming you need to pay a fee or update your address;
  • Bank security alerts warning about suspicious activity and asking you to verify your account;
  • Government impersonation claiming you owe taxes or are eligible for refunds; and
  • Two-factor authentication bypass where scammers trick you into sharing verification codes.

The challenge with smishing is that text messages feel more immediate and personal, making people more likely to act quickly without thinking.

Vishing (Voice phishing)

Phone-based phishing attacks have become more sophisticated, with vishing being the most common type of phishing attack in some regions, accounting for over 60 per cent of all phishing engagements in Q1 2025.

Vishing attacks often involve:

  • Caller ID spoofing to make calls appear to come from legitimate organizations;
  • AI-generated voices that can mimic real people or create convincing synthetic voices;
  • Detailed scripts that address common questions and objections; and
  • Pressure tactics that create urgency and prevent victims from thinking clearly.

The Canada Revenue Agency impersonation scam is a classic example. Callers claim you owe taxes and threaten immediate arrest if you don’t pay via gift cards or wire transfer.

Social media impersonation scams

Social media platforms have become hunting grounds for phishing attacks, with scammers creating fake profiles or compromising real accounts to target victims.

These might involve:

  • Fake profiles that mimic real people or companies to build trust;
  • Compromised accounts of friends or colleagues sending malicious links;
  • Fake customer service accounts responding to complaints with “helpful” links;
  • Romance scams that build relationships over time before requesting money or information; and
  • LinkedIn recruiter scams offering fake job opportunities to steal personal information.

Quishing (QR Code phishing)

QR code phishing is rapidly growing, with 12 per cent of all phishing attacks containing a QR code in 2024. Microsoft reported blocking approximately 1.5 million daily quishing attempts in 2024.

Quishing works by:

  • Embedding malicious QR codes in emails, posters, or even restaurant menus;
  • Redirecting to fake websites that steal login credentials or install malware;
  • Bypassing email security filters that might catch malicious links but miss QR codes; and
  • Exploiting trust in QR codes, which many people assume are safe to scan.

MFA fatigue attacks

Multi-factor authentication (MFA) fatigue attacks exploit the security measures designed to protect you. Attackers flood victims with authentication requests until they approve one just to make the notifications stop.

This type of attack:

  • Overwhelms victims with dozens of authentication requests;
  • Creates frustration that leads to poor decision-making;
  • Exploits the assumption that MFA requests are always legitimate; and
  • Can bypass one of the strongest security measures available.
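
A defender-side view of this pattern, added here as an example and not part of the original article: a burst of denied or ignored push prompts followed by an approval is the signature worth alerting on. The event format, result names, window and threshold below are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed: unanswered prompts that make an approval suspect

# Constructed sample events: (ISO timestamp, user, result of the push prompt)
SAMPLE_EVENTS = [
    ("2025-10-08T02:14:05", "alice", "denied"),
    ("2025-10-08T02:14:40", "alice", "timeout"),
    ("2025-10-08T02:15:10", "alice", "denied"),
    ("2025-10-08T02:15:55", "alice", "timeout"),
    ("2025-10-08T02:16:30", "alice", "denied"),
    ("2025-10-08T02:17:02", "alice", "timeout"),
    ("2025-10-08T02:17:20", "alice", "approved"),  # approval after a flood
    ("2025-10-08T09:00:10", "bob", "timeout"),
    ("2025-10-08T09:00:45", "bob", "approved"),    # ordinary retry
]
# Five denied prompts spread an hour apart, then an approval: not a burst.
SAMPLE_EVENTS += [(f"2025-10-08T1{h}:00:00", "carol", "denied") for h in range(5)]
SAMPLE_EVENTS.append(("2025-10-08T14:05:00", "carol", "approved"))


def find_fatigue_approvals(events, window=WINDOW, threshold=THRESHOLD):
    """Return (user, approval_time, prior_prompts) for every approval that
    follows at least `threshold` denied or timed-out prompts within `window`."""
    recent = defaultdict(deque)  # user -> times of unanswered prompts
    alerts = []
    for ts, user, result in sorted(events):  # ISO timestamps sort chronologically
        now = datetime.fromisoformat(ts)
        prompts = recent[user]
        while prompts and now - prompts[0] > window:
            prompts.popleft()  # drop prompts that fell out of the window
        if result == "approved":
            if len(prompts) >= threshold:
                alerts.append((user, ts, len(prompts)))
            prompts.clear()  # a successful login resets the count
        else:
            prompts.append(now)
    return alerts


if __name__ == "__main__":
    for user, when, count in find_fatigue_approvals(SAMPLE_EVENTS):
        print(f"review login: {user} approved at {when} after {count} ignored prompts")
```

An alert from a rule like this is a reason to confirm with the user that the approval was theirs and to reset the password that triggered the prompts.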

Real-world examples of phishing attacks

Gmail & Google account phishing

Google accounts are prime targets because they often serve as the master key to other accounts. Attackers create fake Google login pages that look identical to the real thing, then use stolen credentials to access email, cloud storage, and other connected services.

Snapchat data breach (via spear phishing)

Social media platforms are frequently targeted through spear phishing attacks against employees. These attacks often start with research into company employees through LinkedIn and other platforms. Attackers then use personalized emails to trick staff into revealing credentials.

Banking and financial institution impersonation

Bank impersonation remains one of the most financially damaging types of phishing. Scammers create fake websites and send convincing emails or texts claiming there’s suspicious activity on your account, then steal your login credentials when you try to “verify” your identity.

PayPal fraud attempts

PayPal phishing often involves fake payment notifications or requests for account verification. These can be particularly convincing because they often reference real transaction amounts or include partial account information.

CRA and government scams

Government impersonation scams exploit people’s fear of legal consequences. These attacks often target newcomers to Canada who may be less familiar with how government agencies actually communicate.

The Canada Revenue Agency will never:

  • Threaten immediate arrest or deportation;
  • Demand payment via gift cards or cryptocurrency;
  • Ask for personal information via email or text; and
  • Use aggressive or threatening language in communications.

How to protect yourself

Verify independently. If you receive an unexpected communication asking for information or action, contact the organization directly using contact information you find independently, not what’s provided in the suspicious message.

Be skeptical of urgency. Legitimate organizations rarely require immediate action. Take time to think and verify before responding to urgent requests.

Use multi-factor authentication on all important accounts, but be aware of MFA fatigue attacks. Don’t approve authentication requests unless you’re actively trying to log in.

Keep software updated. Security updates often include protections against new phishing techniques and malware.

Educate yourself about current tactics. Phishing techniques evolve rapidly, so staying informed about new threats helps you recognize them.

Trust your instincts. If something feels off about a communication, it probably is. It’s better to be overly cautious than to become a victim.

What to do if you’re targeted or breached

Don’t panic, but act quickly. Change passwords for any potentially compromised accounts, starting with the most sensitive ones.

Contact your financial institutions immediately if you’ve shared banking information or suspect fraudulent transactions.

Report the incident to the Canadian Anti-Fraud Centre at 1-888-495-8501, even if you didn’t lose money. This helps authorities track scammer tactics.

Monitor your accounts closely for the next few months and consider placing fraud alerts on your credit reports.

Document everything with screenshots and detailed notes about the phishing attempt and any actions you took.

Contact us if you suspect a scam using Sun Life’s brand

Sun Life will never ask for passwords, Social Insurance Numbers, or sensitive details through unsolicited communications. If you receive suspicious messages claiming to be from us, contact us directly at 1-877-SUN-LIFE (1-877-786-5433) to verify authenticity.

This article is meant to provide general information only. Sun Life Assurance Company of Canada does not provide legal, accounting, taxation, or other professional advice. Please seek advice from a qualified professional, including a thorough examination of your specific legal, accounting and tax situation.