19 Nov
Phishing in 2024: Evolving Tactics and How to Stay One Step Ahead
Phishing, a form of cyberattack that uses disguised email as a weapon, is not a new threat. However, its evolution continues to outpace the defenses of many organizations. Phishing attacks are designed to trick individuals into giving out personal information such as passwords, credit card numbers, and other sensitive data. This malicious form of cyberattack has even spawned sub-variants like spear-phishing, whaling, and smishing, each tailored to deceive specific targets more effectively.
Whatever its form, phishing poses a real danger to modern organizations. A survey from email security platform Egress found that over half of its respondents had experienced some form of account takeover attack, with 79% of those attacks originating from a phishing email.
The Evolution of Phishing Tactics: AI and Deepfakes
The landscape of phishing is undergoing a significant transformation, driven by advancements in artificial intelligence (AI), automation, and machine learning. These technologies have lowered the barrier to entry for executing sophisticated phishing attacks, enabling even small teams with limited skills to pose a serious threat. AI’s role in phishing has a number of implications. For one, AI is making it harder to spot attacks. That’s because AI can reduce or eliminate one of the most glaring signifiers of a phishing attack: obvious spelling and grammatical errors.
AI can also enable more detailed, and thus more effective, attacks: “Leveraging large language models (LLMs) enables these perpetrators to analyze vast data from thousands of devices, gaining insights into personal communication styles and preferences. It results in highly personalized and realistic-sounding phishing messages,” writes Cybersecurity Magazine.
Another concerning development is the rise of deepfake phishing.
According to a survey from VMware, 66% of survey respondents have encountered deepfake attacks in the wild, with instances of such fraud skyrocketing by 3,000% in 2023. Deepfake technology, which creates hyper-realistic audio and video impersonations, has expanded the phishing threat beyond traditional emails and texts. Phone calls and even video can now convincingly tempt people into handing over money or valuable information to phishers.
Staying One Step Ahead
In response to these evolving threats, organizations must adopt a multifaceted approach to bolster their defenses and educate their employees. Here are some practical strategies:
Offer Continuous Education and Training:
Regularly update training programs to include the latest phishing tactics, emphasizing the sophistication of AI-driven and deepfake techniques. Simulated phishing exercises can help reinforce awareness and preparedness among employees. Training really helps in this area! Research from security awareness training vendor KnowBe4 has found that, even after training, 17.6% of employees are still vulnerable to phishing attacks (“phish-prone”), but ongoing training reduces that percentage to just 5%.
Employ Multi-Factor Authentication (MFA):
Enforce MFA wherever possible to add an additional layer of security. There is evidence that “MFA stops 96% of bulk phishing attempts and 76% of targeted attacks.”
That’s because, even if credentials are compromised, MFA can still prevent unauthorized access. In other words, even if a phisher successfully gleans account credentials or key information from a target, they may still not have enough to complete their attack. Just note that not all forms of MFA are equal; SMS-based MFA is the most vulnerable, app-based MFA is stronger, and hardware-based is the strongest of all.
Get Professional Help:
A knowledgeable and well-equipped cybersecurity vendor can deploy all of the defenses that have been proven to work against phishing attacks. With outside help, organizations can leverage the subject matter expertise of a team that does nothing but protect against cyberattacks like phishing.
About PSL
PSL is a global outsource provider whose mission is to provide solutions that facilitate the movement of business-critical information between and among government agencies, business enterprises, and their partners. For more information, please visit or email info@penielsolutions.com.