Phishing remains one of the most common and evolving cyber threats, targeting both individuals and organisations.
According to a recent government cyber security breaches survey, 56% of businesses and 62% of charities that experienced breaches or attacks in the past 12 months identified phishing specifically.
The survey also revealed an increase in the prevalence of phishing attacks. In 2023, 79% of businesses reported phishing incidents, up from 72% in 2017.
It’s a reliable, effective, pervasive tactic that’s not going anywhere soon.
So, what kinds of new phishing tactics do businesses need to be aware of? And perhaps most importantly, how do they implement anti-phishing tactics to reduce their risks of falling victim?
The Rise of AI-Powered Phishing Campaigns
One of the largest and most worrying phishing trends is the rise of AI-powered phishing campaigns.
In 2023, phishing attacks surged by 58%, with experts believing the proliferation of generative AI tools has enabled a new wave of successful attacks.
AI tools like ChatGPT, as many of you probably know already, can generate highly realistic text capable of deceiving virtually anyone. These tools allow attackers to automate and personalise phishing messages, making them more convincing and harder to detect.
No more poorly-written phishing messages that give them away at the first misspelling! This has lowered the barrier to entry into the phishing game, with research showing how even novice attackers can now launch sophisticated phishing attacks.
The Emergence of ‘Quishing’
QR code phishing, or “quishing,” is one of the more inventive phishing trends. In early 2024, QR code phishing accounted for 10.8% of phishing emails, a massive increase from 0.8% in 2021.
Quishing leverages the convenience and novelty of QR codes, often used in marketing and customer engagement, to trick users into scanning codes that lead to malicious websites.
It’s effective because many people simply don’t expect QR codes to be used for nefarious purposes.
Multi-Channel Phishing Attacks
Phishing is no longer limited to emails. Attackers now use multiple communication channels to increase their chances of success. For example, Microsoft Teams was used for 30.8% of multi-channel phishing attacks in 2023, while Slack accounted for 19.2%.
By mixing and matching their attack vectors across platforms, phishers can bypass traditional email security measures and reach their targets through less monitored channels.
For example, an attacker might follow up an initial phishing email with a message on a collaboration tool like Slack.
Voice Phishing (Vishing) and Deepfake Attacks
AI has also led to an explosion in “vishing” and deepfake phishing attacks. These methods use AI-generated voices and deepfake videos to deceive victims into revealing sensitive information.
For example, a deepfake video might impersonate a company executive to authorise fraudulent transactions or gain access to confidential data.
This has already led to several high-profile incidents that cost businesses millions of dollars, including one in February 2024 that cost a Hong Kong company a reported $25 million.
Impersonation and Technical Evasion
Phishers frequently impersonate well-known brands and use technical measures to evade detection by security systems. Brands like Microsoft and DocuSign are commonly mimicked so that the fraudulent correspondence appears genuine.
For example, 77.2% of phishing emails impersonate well-known brands like DocuSign and Microsoft, and 20.2% use evasion techniques to bypass detection.
How to Stay Ahead of Modern Phishing Attacks
Given the evolving nature of phishing attacks, businesses must continually modernise and improve their defences. Here are some strategies to help stay ahead:
Implement Zero Trust Architecture
Adopting a Zero Trust approach ensures that no entity inside or outside the network is trusted by default.
This involves continuous verification of users, devices, and applications, regardless of their location within the network.
Key components of Zero Trust networks:
- Continuous Verification: Regularly verify user identities, even within the network.
- Least Privilege Access: Limit user access to only what is necessary for their role.
- Micro-Segmentation: Divide the network into smaller segments to contain breaches.
Enhance Employee Training and Awareness
A business’s first defence against phishing is its people. Thus, continuous education and training for employees about the latest phishing techniques are essential.
Regular simulated phishing exercises can help identify vulnerabilities and improve the overall security posture.
Employees should be encouraged to report suspicious emails and messages to help track and mitigate phishing threats.
Training tips:
- Regular Simulations: Conduct phishing simulations to test employee awareness.
- Interactive Training: Use interactive modules and quizzes to engage employees.
- Clear Reporting Channels: Ensure employees know how to report suspicious activities.
Utilise Advanced Security Solutions
Deploying AI-powered email filtering and security tools can help detect and block phishing attempts before they reach users.
These tools analyse patterns and behaviours associated with phishing and provide real-time protection.
Recommended tools:
- AI-Powered Filters: Implement email filters that use AI to detect phishing.
- Behavioural Analysis: Use tools that monitor and analyse user behaviour.
- Threat Intelligence: Integrate threat intelligence feeds to stay updated on new threats.
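To make the pattern-based checks such filters apply concrete, here is a small triage routine that covers two of the lures described earlier: a display name claiming Microsoft or DocuSign while the sending domain is not one that brand uses, and the QR-code ("quishing") shape of an image attachment plus a "scan this" instruction with no clickable link. This is an added example, not code from the article or from any vendor product; the brand allow-list, the lookalike domain micros0ft-login.net and the sample messages are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed allow-list for this example (not a vendor feed): the domains each
# brand genuinely sends from. A production filter would take this from threat intel.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "docusign": {"docusign.com", "docusign.net"},
}
URL_RE = re.compile(r"https?://\S+", re.I)
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif")

def registrable_domain(addr):
    # Crude: last two labels of the address's domain. Fine for these samples;
    # real code should consult the public suffix list.
    return ".".join(addr.rsplit("@", 1)[-1].lower().split(".")[-2:]) if "@" in addr else ""

def brand_impersonation(from_header):
    """Brand name when the display name claims a brand the sender domain is not allow-listed for."""
    name, addr = parseaddr(from_header)
    domain = registrable_domain(addr)
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and domain not in domains:
            return brand
    return None

def quishing_indicator(body, attachments):
    """Image attached, reader told to scan it, no clickable URL: the shape of a QR lure."""
    has_image = any(a.lower().endswith(IMAGE_EXT) for a in attachments)
    asks_scan = re.search(r"\bscan\b.*\b(code|qr)\b", body, re.I | re.S) is not None
    return has_image and asks_scan and not URL_RE.search(body)

def triage(msg):
    """Return the indicators raised for one message dict (from, body, attachments)."""
    flags = []
    brand = brand_impersonation(msg["from"])
    if brand:
        flags.append(f"display name claims {brand}, sender domain does not")
    if quishing_indicator(msg["body"], msg.get("attachments", [])):
        flags.append("possible QR code phishing (quishing)")
    return flags

# Constructed sample messages: a quishing lure wearing a Microsoft display name,
# and a genuine-looking DocuSign notification that should pass.
SAMPLES = [
    {"from": "Microsoft Security <alerts@micros0ft-login.net>", "attachments": ["verify.png"],
     "body": "Your account will be locked. Scan the QR code below to verify."},
    {"from": "DocuSign <dse@docusign.net>", "attachments": [],
     "body": "Please review and sign: https://app.docusign.com/sign/abc123"},
]
```

Running triage() over SAMPLES raises both indicators for the first message and none for the second; real filters layer many more signals (authentication results, attachment decoding, sender reputation) on top of heuristics like these.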
Implement Multi-Factor Authentication (MFA)
Adding MFA provides an extra layer of security, making it harder for attackers to access accounts even if they obtain login credentials through phishing.
MFA requires users to provide multiple verification forms, significantly reducing the risk of successful attacks.
MFA best practices:
- Use Multiple Factors: Combine something you know (password) with something you have (phone) and something you are (biometrics).
- Educate Users: Ensure users understand the importance of MFA and how to use it.
- Regularly Update: Keep MFA methods up-to-date with the latest security standards.
Encourage Reporting and Monitor Threats
Encourage employees to report suspicious emails and messages.
Utilise tools like the Suspicious Email Reporting Service (SERS) to help authorities track and mitigate phishing threats.
Regularly monitor and analyse threat intelligence to stay informed about new phishing tactics and trends.
Reporting strategies:
- Easy Reporting Mechanisms: Provide simple ways for employees to report phishing attempts.
- Regular Feedback: Inform employees about the outcomes of reported phishing attempts.
- Threat Monitoring: Continuously monitor and analyse threats to stay ahead of attackers.
Summing Up
Phishing attacks are becoming increasingly sophisticated – especially with the advent of AI, which has unleashed a new breed of hyper-personalised attacks.
Assess whether your business is ready to repel these new threats and address any weaknesses or blind spots.
That might include double-checking tools to see if MFA is enabled, implementing new security technology or educating employees.
If you’re looking to bolster your IT security, consider partnering with Mustard IT.
Our expert team provides tailored security solutions and training programs designed to keep your business safe from evolving cyber threats.
We can help you strengthen your technologies, policies, and training to level up your security and prepare for this new era.
Contact Mustard IT today to learn how we can help you build a more secure and resilient IT environment.