2024 saw a massive boost in phishing attacks. According to the 2024 Phishing Intelligence Report by SlashNext, credential phishing increased by 703% and overall email attack volumes rose by 202%. This surge in scams coincides with the growing use of AI in phishing strategies, and the phishing boom is going full force into 2025. We're only two months into 2025, and we've already seen some devastating phishing attacks. For example, the FoxWhoops phishing campaign sent out emails posing as Delta Airlines, offering discounts on tickets if the victims filled out a survey. Upon completing the 'survey,' victims were prompted to enter their credit card information to claim their reward, and the attackers then harvested that information. The success of this campaign can be attributed to the believability of the phishing email and site, as well as to scripts embedded in the URL that let the site evade detection by automated systems that identify themselves through their user-agent, such as search-engine crawlers (e.g., Googlebot). With an avalanche of phishing attacks descending on internet users all over the globe, it is necessary to understand what they are and how we can avoid falling victim to them.
Current Trends and Tactics
Phishing attacks today are far more sophisticated than the primitive campaigns of the past, which were carried out mainly through email. Those phishing emails contained poor grammar, generic messages such as “urgent bank alert”, and very limited personalization. Back then, though, the public’s security awareness was much lower, so people fell for these basic schemes. As our security awareness has evolved, the magnitude and complexity of phishing attacks have evolved alongside it, perhaps even surpassing it. In 2025, these cyber attacks are more powerful than ever, and this is largely thanks to AI.
Spear phishing differs from generic phishing in that it targets specific people, often using personal information in the email or electronic message to appear to come from a trusted source, so that the victim reveals sensitive information or gives the attacker access to their device. The attacker first performs reconnaissance on the victim, collecting information from social media or from the victim's company website. With the advent of AI, attackers can now perform spear phishing attacks with greater believability and efficiency. This was demonstrated in a 2021 report from a group of security researchers representing Singapore’s Government Technology Agency. The researchers sent mock spear phishing emails to internal users in their organization. Some of the emails were composed by humans, and others by ChatGPT-3. The results of the experiment were unsettling and confirm our worst fears about the dark side of AI: internal users clicked the links in the ChatGPT-3-generated emails significantly more often than those in the human-written ones.
Vishing, also known as voice phishing, is like phishing, but instead of emails or text messages it uses phone calls, voice messages, and voicemails to get victims to reveal sensitive information. Traditionally, the attacker would find out information about the victim and make a phone call impersonating someone the victim knows, then create a sense of urgency by referring to an emergency or issue that requires the victim to pay money or provide sensitive information. My own grandmother experienced vishing a few years ago. One evening she received a call from an unknown number. The caller claimed to be me and told my grandma that I was in jail and needed money to get bailed out. The attacker knew personal information, like my grandma’s name and my name, and used social engineering to create a believable scenario. Fortunately, my grandmother was suspicious and hung up the phone, then proceeded to call my personal number to see whether or not this was true. I luckily picked up and explained to her that this was a scam.
Now, it is becoming easier to integrate AI into a vishing operation. Deepfaking allows attackers to create a highly realistic AI-generated voice that replicates a person’s real voice. In 2025, vishing also includes video calls. One of last year’s most notable vishing attacks used a deepfake video call to impersonate the CFO of a multinational company and tricked an employee into giving the attackers $25.6 million. The employee had originally received a phishing email and was suspicious, but after the deepfake video call his suspicions went away and he believed it was a genuine request from his superior. This illustrates the power of vishing in 2025. Most of us have decent security awareness and can distinguish a genuine email from a fake one, but when it comes to deepfake audio and video we still lack good awareness.
How to Protect Yourself
With the heightened prevalence of AI in phishing attacks and their increase in number, internet users must improve their security awareness. The enhanced social engineering and deepfake technology that AI provides make phishing difficult to distinguish from reality. It is not all so doom and gloom, though. As phishing attacks have become more advanced, so has the security technology to defend against them.
MFA (Multi-Factor Authentication) is one of the easiest and best ways to minimize the damage to your personal data and information if a phishing attack successfully deceives you into clicking a malicious link or giving the attacker sensitive information. MFA acts as another layer of defense. I’m sure you already have MFA enabled on one of your accounts or devices, or at the very least you have heard of it. After you log into your account by entering your username and password, you are asked to verify your identity with a one-time code sent to your phone or generated by an authenticator app, or to submit biometric data (like a face or fingerprint scan). If an attacker does acquire your username and password, MFA makes it far more difficult for them to access your sensitive information or data. Be sure to enable MFA on all your accounts and devices, particularly for email, banking, and social media. It’s a simple step that adds a crucial layer of protection.
Look for indicators and verify requests for sensitive information. Whenever you receive an email, any other kind of electronic message, or a call, there is a chance it is an instance of phishing. There are many indicators to watch for. One indicator is the tone of the message. For example, perhaps it is an email from your bank and you notice the tone is too casual. Another indicator is emotional manipulation. If the offer in the email sounds too good to be true, it most likely is, and if the request sounds extremely urgent and produces anxiety in you, then you should begin to doubt the legitimacy of the message. The third indicator to be aware of is a message asking you to provide sensitive information. You should only share sensitive information with a trusted source and through secure channels. If someone is asking you to send it via email or over the phone, then it is most likely a phishing attack. Another indicator is suspicious attachments. If there is a file attached to an email that you are unfamiliar with, don’t download it; it could very likely be malware. Only download a file if it is from a trusted source, you are expecting the attachment, and none of the other indicators are present. The last indicator is inconsistencies in email addresses or links. Oftentimes attackers will disguise their email address or link as a legitimate one. You can verify the true address by hovering your cursor over it and checking whether the address that comes up matches the legitimate one. If you see any indicators of a phishing attack, then you should definitely report the message or email to the provider of the service you are using.
Anti-phishing software is one of the best modern innovations for detecting and preventing phishing attacks. It works by scanning emails and filtering them based on certain indicators such as suspicious links and attachments, urgent language, or fake email addresses. Pretty much all modern email services, like Gmail or Proton Mail, have anti-phishing capabilities. Also, most of the popular messaging apps, like WhatsApp, have spam detection features that alert users about suspicious links or senders. Antivirus software such as Avast or Bitdefender has this as well. You can even get anti-phishing browser extensions, like Kaspersky Safe Screen or Microsoft Defender SmartScreen. Though this software is widely available and can be effective at detecting and preventing phishing attacks, it is not perfect, and some phishing emails and messages will still go undetected. That is why it is important to keep yourself educated about phishing and remain cautious.
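The "inconsistencies in email addresses or links" indicator described above is exactly the kind of check anti-phishing filters automate. The following is an added example, not code from the original post or from any product named here: it runs two such checks over a constructed sample message, comparing the domain a link visibly shows against the domain its href really targets (what hovering would reveal), and the domain claimed in a From display name against the actual sender address. The domain-matching and anchor-tag patterns are deliberately simplified approximations.

```python
# Added example: flag the "inconsistent address or link" phishing indicator
# on a constructed sample message (not a real campaign).
import re
from email.utils import parseaddr

# Bare domain or URL anywhere in a string; group 1 is the host part.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)
# Simplified <a href="...">text</a> matcher, sufficient for the demo body below.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def _host(value):
    """Lower-cased host found in a URL or free text, or None if there is none."""
    m = DOMAIN_RE.search(value or "")
    return m.group(1).lower() if m else None


def _base_domain(host):
    """Naive registrable-domain approximation: keep the last two labels."""
    return ".".join(host.split(".")[-2:])


def mismatched_links(html_body):
    """(visible_text, href) pairs whose shown domain differs from the real target."""
    found = []
    for href, text in ANCHOR_RE.findall(html_body):
        shown, real = _host(text), _host(href)
        if shown and real and _base_domain(shown) != _base_domain(real):
            found.append((text.strip(), href))
    return found


def sender_mismatch(from_header):
    """True when the From display name claims a domain other than the sender's."""
    name, addr = parseaddr(from_header)
    shown = _host(name)
    real = addr.rpartition("@")[2].lower() if "@" in addr else None
    return bool(shown and real and _base_domain(shown) != _base_domain(real))


# Constructed sample data for the checks above.
SAMPLE_FROM = '"example-bank.com Security" <alerts@exampl3-bank-login.net>'
SAMPLE_HTML = ('<p>Your account is locked. Verify now at '
               '<a href="https://login.exampl3-bank-login.net/verify">'
               'https://www.example-bank.com/login</a> or read our '
               '<a href="https://www.example-bank.com/help">help page</a>.</p>')

if __name__ == "__main__":
    print(mismatched_links(SAMPLE_HTML))  # flags the first link only
    print(sender_mismatch(SAMPLE_FROM))   # True
```

A link whose visible text is plain words (like "help page") cannot be checked this way, which is why the hover-and-compare habit still matters for the reader.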
The Future of Phishing
Phishing attacks are not going to stop anytime soon. In fact, they will most likely continue to grow in frequency and sophistication. That is why it is crucial to have basic knowledge about phishing while also staying up to date on the latest phishing trends, so you are able to defend yourself against these attacks. Knowing about the different kinds of attacks, such as spear phishing or vishing, will heighten your awareness. In addition, using MFA, recognizing the phishing indicators, and having anti-phishing software will help harden your defenses. AI will play a major role in the future of phishing, making attacks harder to defend against. Fortunately, AI can also be used to combat these threats. So, if you know anyone who could be at risk of a phishing attack, you can send them this article. Be sure to stay aware and stay safe. See you next time!