Your phone vibrates. A message from what looks like your bank says a transaction has been flagged and your account will be locked in 30 minutes unless you verify it. The logo is right. The sender name is familiar. You have 30 seconds before your next meeting starts.
That is all a phishing attack needs.
Cyberattacks are often discussed as a business problem: breached systems, leaked databases, ransomware demands made to IT departments. But the most common form of cyberattack does not target a system first. It targets a person.
Phishing is how the majority of cyberattacks begin. It is a message designed to earn a moment of trust, just long enough for you to click a link, enter a password, or transfer money. And in 2025, it cost people and organizations an estimated $442 billion globally, according to the Global Anti-Scam Alliance's annual scam landscape report.
In our previous blog, we covered how AI has compressed the cost and effort of running a cyberattack. Phishing is where that shift is most visible at the individual level. The attacks are more convincing, more personalized, and arrive through more channels than most people are prepared for. This piece breaks down how, and what you can do about it.
How Big the Problem Actually Is
The Global Anti-Scam Alliance surveyed 46,000 adults across 42 countries and found that 57% were scammed in 2025. Of those, 23% lost money. Phishing sits at the center of most of those incidents. It is consistently the most common initial method attackers use, regardless of region, industry, or target.
Since AI became widely accessible, phishing message volume has increased by more than 1,200%. That figure reflects how cheap and fast it has become to generate convincing, targeted messages at scale. Researchers tracked 3.8 million phishing attacks globally in 2025, and that only covers monitored, reported incidents.
The Philippines sits firmly within this global trend. The country recorded 3,824 phishing websites in 2025, up 423% from the year before. A TransUnion report from May 2026 found that 72% of Filipino consumers were targeted by digital fraud in just five months, marking the sixth consecutive year the country's fraud rate exceeded the global average. Among those targeted, phishing was the most commonly reported scheme at 45%, followed by smishing (phishing via text message) at 38%.
What Phishing Looks Like Today
The mental image most people have of a phishing attempt (a badly written email, a suspicious link, an implausible story) reflects attacks from a decade ago. The standard has shifted considerably.
SMS and messaging apps. Smishing, or phishing delivered by text, has become one of the most effective attack channels globally. The messages are short and look entirely routine. A typical one might read:
GCash: Your account has been temporarily limited due to suspicious activity. Verify your identity within the next hour to restore access: [link]
In the United States alone, consumers reported $470 million in losses to text scams in 2024, five times the 2020 figure. Globally, smishing incidents spiked 328% in a single year. Messages impersonate banks, delivery services, government agencies, and payment platforms. They create urgency: a flagged transaction, a held delivery, an account about to be locked. And they work because the urgency overrides the pause that skepticism requires. In the Philippines, campaigns impersonating GCash, BDO, and Landbank have become persistent enough that the BSP issued a specific public advisory: legitimate financial institutions will never ask for your OTP or password through a text message or link.
Fake login pages. Modern phishing pages replicate the branding, layout, and even the security indicators of real platforms closely enough that careful users are still deceived. You might notice the URL looks slightly off, but the padlock icon is there and the page loads instantly. The credentials entered on it go directly to the attacker. These pages are available as ready-made kits and can be deployed in minutes, which is part of why phishing site volumes have grown so sharply.
Social media impersonation. Fake brand and executive profiles use AI-powered chatbots to maintain conversations, promote fraudulent investment opportunities, and direct people to malicious pages. They are often close enough to the real account to pass a quick visual check. The Global Anti-Scam Alliance identifies online communities (social media, dating platforms, forums) as one of the highest-fraud categories globally. In the Philippines, fake brand and executive profiles rose 37% in 2025, from 940 to 1,291 documented cases.
Deepfakes. AI-generated video and audio have made it possible to fabricate a convincing likeness of almost anyone: a public figure endorsing an investment, a company executive authorizing a transfer, a familiar face asking for trust. In Q1 2025 alone, deepfake-enabled fraud caused over $200 million in losses globally, with these attacks rising 1,633% versus the prior quarter. In the Philippines, documented cases include fabricated videos of public figures used to promote fraudulent investment schemes, with production quality high enough to clear the threshold of doubt for careful viewers. To be clear, deepfakes are not yet the dominant phishing tactic. Traditional smishing and fake login pages still account for the majority of successful attacks because they are cheaper to run and just as effective. But deepfakes represent the fastest-growing segment, and the cases that involve them tend to involve significantly larger losses.
Romance and trust scams. Not all phishing is fast. Some of the most damaging attacks are built over weeks: a profile, a relationship, a manufactured sense of trust, before any request is made. AI has made this approach significantly more scalable, enabling automated conversations across thousands of targets simultaneously. In the Philippines, AI-powered love scams led to over P20 million in recovered losses in 2025. Global losses to romance scams run into the billions annually.
Why the Old Signals No Longer Work
The conventional checklist for spotting phishing (look for typos, distrust urgency, check the sender address) was built for a different threat environment. It assumed that phishing was low-effort and therefore obviously imperfect.
As we discussed in our previous blog, AI has removed most of those imperfections. Messages are now grammatically clean, contextually relevant, and personalized using publicly available information. A text that references your actual bank, your region, and a transaction type you regularly make does not register the same alarm as "URGENT: Your account has been COMPROMISED." The signals that used to give phishing away have been engineered out.
The more useful question is not: does this look suspicious?
It is: was I expecting this?
What Reduces Your Risk
None of these require technical knowledge. They reflect how attackers actually operate, and where the weak points are.
Treat urgency as a signal, not a reason to act. Phishing consistently relies on compressing the time between receiving a message and responding to it. A message that tells you your account will be locked, your funds held, or your delivery cancelled unless you act now is worth slowing down for. Legitimate platforms do not rely on that kind of pressure.
Go to the source, not the link. If a message claims there is an issue with your account, open the app or navigate to the platform directly. Do not use the link in the message. Any real issue will be visible when you get there.
Turn on multi-factor authentication. When a login requires a second step beyond your password, like a code from an app or a biometric check, a stolen password alone cannot get an attacker in. The BSP, the National Privacy Commission, and the US Federal Trade Commission all identify this as one of the most effective individual protections available.
Apply more scrutiny where the stakes are higher. A video of a public figure endorsing an investment. A message from someone you only know online asking you to move money. A prize notification for something you did not enter. The threshold for verification should be proportional to what is being asked. For anything involving money or credentials, check through a separate channel before acting.
Report what you encounter. Reporting suspicious messages and accounts through platform tools matters. It accelerates takedowns of active campaigns and feeds into the databases law enforcement uses to track organized fraud operations. In the Philippines, the Anti-Financial Account Scamming Act (AFASA) now criminalizes phishing, smishing, and vishing, giving reports direct legal weight.
The Individual and the Larger System
The safest habit in 2026 is not spotting every scam. It is slowing down before you act on one.
Phishing does not begin and end with one person. Every set of credentials captured through a phishing attack is a potential entry point into something larger: a business, a platform, a system that other people depend on. The organizations and apps that handle your data have a responsibility in this too.
In our next blog, we look at the business side: what phishing means for companies handling customer data online, where their exposure lies, and what they need to do about it.
For more on how Secuna helps organizations protect the people who trust them, visit secuna.io.
Sources: Global Scam Landscape 2025, ScamWatchHQ · Phishing Statistics 2026, Axis Intelligence · Phishing Trends 2025–2026, CaptainDNS · Phishing Attacks Up 1,200%, World Economic Forum · Check Point Research: 423% Phishing Surge PH · TransUnion PH Digital Fraud Report, May 2026 · Phishing & Smishing Surge, Check Point PH · Deepfake Statistics 2025, DeepStrike · GMA News: Doctor Loses P93M to Deepfake Scam · AI-Powered Love Scams, PIA · AFASA Philippines