Phishing is one of the simplest attack methods, but it is also among the most effective. Email addresses are easily stolen in cyber attacks, then used to target employees to persuade them to hand over data or download malware.
A recent attack on Greater Manchester councils is a prime example. It led to thousands of users being sent a phishing email asking them to “activate your tenancy options” and hand over personal data.
While phishing is often performed via email, threat actors are evolving their tactics to compromise victims more effectively. Adversaries have been observed using voice cloning technologies to fake voice messages and SMS messages in so-called TOAD (telephone-oriented attack delivery) attacks to further campaigns. Attackers combine these technological leaps with social engineering, tricking victims into divulging information so they can better target them with phishing attacks.
Matters are set to worsen as AI, and generative AI specifically, enables attackers to launch more personalized phishing attacks and lowers the barrier to entry for would-be attackers.
Taking this into account, what do you need to know about today’s phishing tactics and what can your business do to stay safe?
Cost-effective and efficient defense
One reason attackers use phishing is that it is so accessible. Phishing is cost-effective and efficient for attackers, as it simply requires the mass distribution of emails to compromise multiple accounts, says Muhammad Yahya Patel, lead security engineer at Check Point Software.
Phishing attacks are often successful because they can evade technical defenses such as firewalls and antivirus software – particularly when the communication appears authentic, he says.
The migration to cloud email presents another opportunity for attackers. “Adversaries know existing security tooling has reduced efficacy to protect cloud email users,” Yahya Patel warns.
Phishing is increasingly used in combination with other attacks to access a company’s entire network. For example, ransomware attackers often use phishing as a means to gain initial access, says Hannah Baumgaertner, head of research at Silobreaker. “Once there, they can pivot across the network, steal information and ultimately deploy their ransomware payload to encrypt data.”
The resulting data breaches can expose sensitive customer and employee information. These breaches often result in “significant financial loss” through fraudulent transactions or the costs associated with ransomware, Yahya Patel warns.
Legal consequences are also a risk, he says. “Companies that experience data breaches due to phishing may face fines and regulatory penalties, especially if privacy laws such as the EU update to General Data Protection Regulation (GDPR) or the US Health Insurance Portability and Accountability Act (HIPAA) are violated.”
New phishing tactics and techniques
Evolving tactics and techniques add to the list of demands for any CISO or security team.
Phishing techniques are now “very sophisticated and realistic”, and typical telltale signs have “fundamentally changed,” says Mark Raeburn, Accenture’s cyber resilience lead in the UK. Spelling errors or grammar mistakes are less prevalent with AI-powered content creation, he points out.
Indeed, deepfake technology and advanced AI used to impersonate individuals through voice and video have developed at “an astonishing rate,” he says. “We are also seeing the variety of platforms being used for phishing evolve beyond the standard email, to social media or collaborative work platforms, where people are likely to be more trusting and less alert.”
AI tools can scan social media profiles, email accounts, or publicly available information to craft highly targeted phishing emails that appear legitimate, says Yahya Patel. “We have also seen a rise in voice and deepfake phishing. Attackers use AI-generated voice or video deepfakes to impersonate executives or trusted individuals.”
For instance, attackers may send a deepfake audio message of a CEO requesting sensitive information or financial transfers, he says. This type of phishing attack, which sees a business tricked into paying a false transaction, is known as business email compromise.
Phishing as a Service (PhaaS) platforms and pre-made phishing kits have emerged, allowing even non-technical attackers to launch phishing campaigns, says Yahya Patel. “These kits often include templates for fake login pages, scripts to automate email distribution and tools for managing stolen credentials. This lowers the barrier to entry and enables widespread attacks.”
Attackers also use malicious QR codes to trick users into visiting fake websites or downloading malware, says Yahya Patel. “These QR codes are distributed in emails, physical posters, or even fake advertisements. Once scanned, they redirect users to phishing sites designed to capture login details or sensitive information.”
Adding to this, phishing websites are increasingly implementing HTTPS to appear credible, combined with SEO to boost search rankings, says Shobhit Gautam, staff solutions architect, EMEA at HackerOne.
In the future, phishing attacks will increasingly target non-traditional channels, such as messaging apps, online gaming platforms, augmented and virtual reality platforms, and even metaverse tech, says Gautam.
What to do to protect your business
It’s clear phishing is becoming more sophisticated, making it important to keep up to date with the latest threats. To secure themselves against phishing attacks, firms must prioritize a multi-layered approach that addresses technological defenses and human vulnerabilities, says Tom Vazdar, area chair for cyber security at the Open Institute of Technology.
One of the most effective steps is to implement regular employee training, says Vazdar. “Training programs should teach staff how to recognize common signs of phishing, such as suspicious links and unexpected requests for sensitive information. Firms should also conduct phishing simulations to keep employees on their toes.”
Alongside training, companies should adopt multi-factor authentication (MFA) to ensure that even if credentials are compromised, attackers cannot easily gain access to sensitive systems, says Vazdar.
Technology such as advanced email filtering tools can detect and block phishing attempts before they reach users’ inboxes, he adds.
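As an added illustration of the kind of structural checks such filters rely on once spelling mistakes are no longer a reliable tell (example code written for this page, not from the article or any vendor product; the sample message, its domains and the trusted-domain list are constructed placeholders):

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, modelled on the "activate your tenancy options" lure
# mentioned above. All domains are placeholders, not real indicators.
SAMPLE_PHISH = """\
From: "Housing Services" <noreply@council-portal-login.example>
Reply-To: support@mailer-relay.example
Subject: Action required: activate your tenancy options
Content-Type: text/html

<p>Please <a href="https://council-portal-login.example/verify">
https://council.example.gov/tenancy</a> within 24 hours.</p>
"""

# Wording typical of credential and payment lures (assumed list).
URGENCY = ("activate", "verify", "action required", "within 24 hours")
HREF_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain(addr_or_url):
    """Return the lower-cased domain of an email address or URL."""
    if "@" in addr_or_url:
        return addr_or_url.rsplit("@", 1)[1].lower()
    return (urlparse(addr_or_url).hostname or "").lower()

def score_email(raw, trusted_domains):
    """Return (score, reasons); each reason is one phishing signal found.
    HTTPS on the link is deliberately NOT treated as a sign of legitimacy."""
    msg = message_from_string(raw)
    reasons = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if domain(from_addr) not in trusted_domains:
        reasons.append("sender domain not in trusted list")
    if reply_addr and domain(reply_addr) != domain(from_addr):
        reasons.append("Reply-To domain differs from From domain")
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(phrase in text for phrase in URGENCY):
        reasons.append("urgency / credential-action wording")
    # Displayed link text naming one domain while the href points elsewhere.
    for href, anchor in HREF_RE.findall(body):
        shown = domain(anchor.strip())
        if shown and shown != domain(href):
            reasons.append(f"link text shows {shown} but points to {domain(href)}")
    return len(reasons), reasons
```

Running `score_email(SAMPLE_PHISH, {"council.example.gov"})` flags all four signals; a real gateway would feed such signals into a policy that quarantines or tags the message rather than blocking on any single one.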
Additionally, adopting a zero trust architecture ensures that every user, device, and application is continuously authenticated and authorized, says Vazdar.
Incident response planning is “crucial” for minimizing the impact of phishing attacks when they do occur, says Yahya Patel. “Businesses should develop and regularly update a comprehensive incident response plan that outlines the steps required if a phishing attack leads to a data breach or other security incident.”
This plan should include clear roles and responsibilities, communication protocols and procedures for containing the attack and recovering systems, he says. “Regular testing of the incident response plan through tabletop exercises or simulated attacks will help ensure your business is prepared to respond swiftly and effectively.”