One almost feels a little nostalgic for the days of old-school phishing attacks, those poorly worded, spray-and-pray emails that most people could spot a mile off. While they were still a danger, it was fairly simple to create countermeasures. But things have changed. Today’s phishing campaigns harness artificial intelligence (AI), deepfakes and adversarial techniques to bypass even state‐of‐the‐art defences.
Even adaptive AI-powered security isn’t necessarily equipped to deal with the sophistication of modern phishing, as hackers are utilising cutting-edge technology to exploit technical gaps and find new human vulnerabilities.
The first step in countering modern phishing is to understand the attackers’ tactics and how they can overcome your cyber security measures. Once you’re equipped with that knowledge, we’ll break down the strategies, technology and protocols you can use to stay ahead of the evolving phishing menace.
Phishing attacks have evolved
Phishing attacks have dramatically shifted from indiscriminate bulk email blasts to highly targeted, personalised schemes. The days when a mass email riddled with typos would be enough to lure a victim are over (fun fact: those typos were deliberate to help weed out people less susceptible to manipulation). Instead, attackers are now using hyper-personalised, tailored messages, enabled by AI and advanced analysis of their targets, that can fool even the most vigilant.
Phishing has also evolved beyond just email. Vishing (voice phishing), smishing (SMS phishing) and quishing (QR code phishing) broaden the attack surface significantly in insidious ways. Some attackers even hijack ongoing email threads, sometimes known as zombie phishing, to take advantage of an already established conversation, further lowering a target’s guard.
These new avenues allow phishing attackers to exploit the rapid expansion of the digital attack surface. The proliferation of apps, communication platforms and internet of things (IoT) devices provides more opportunities for attackers to find a weak link. As organisations embrace digital transformation, securing every endpoint becomes increasingly challenging.
The same AI technologies that are enabling advances in cyber security are also a core component of modern phishing attacks. While cyber security is the main focus for most AI investments in tech budgets, the increased accessibility of AI tools means cyber criminals can run advanced, sophisticated phishing campaigns at scale.
One key development is AI-powered social engineering. AI’s pattern recognition ability, which plays such a crucial role in threat analysis, can also be used to identify prospective targets and how to exploit them. Combined with advanced language models, attackers can craft messages that read like genuine, conversational correspondence. These messages are free of glaring errors and are tailored to the recipient, significantly increasing their believability.
This social engineering can also be combined with another AI-enabled technique: deepfake technology. Deepfake audio and video allow hackers to impersonate high-level executives or trusted figures. For example, an AI-generated voice clone might call an employee, issuing urgent instructions to transfer funds.
Adversarial AI techniques are being used to specifically target and bypass machine learning models deployed in cyber security defences. Attackers study how these models identify phishing content and then subtly alter their messages, often by tweaking text or URL features, so that they evade detection. This ongoing “arms race” between attackers and defenders means no single tool or approach remains effective for long.
The result of these advanced techniques? More than 50% of people can be regularly fooled by modern phishing. And when all it takes is one mistake to potentially give cyber criminals access to your entire network and database, that’s a serious problem that needs addressing.
Bypassing multifactor authentication
You might think multifactor authentication (MFA) is a viable solution to countering modern phishing, on the assumption that the more steps an attacker has to get through, the more chances you have to spot warning signs or to present a barrier they can’t overcome. But attackers are finding ways to circumvent traditional MFA methods, such as SMS-based one-time passwords (OTPs).
A common tactic is a brute force approach: bombarding a user with MFA push notifications – known as MFA fatigue – until they inadvertently approve a fraudulent login attempt. Slightly more sophisticated is the use of social engineering to trick users into disclosing their MFA codes, either by directing them to counterfeit websites or by phoning them with fraudulent requests.
But the most devious, sophisticated approaches are man-in-the-middle (MITM) or adversary-in-the-middle (AITM) attacks. These place a reverse proxy between the victim and the legitimate login page to capture credentials and session tokens in real time. Once a victim enters their MFA code, the proxy relays it to the legitimate service, which completes the login, while the proxy quietly keeps the resulting authentication tokens, effectively granting the attacker full access.
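As an added example (not part of the original article), here is the detection side of MFA fatigue: a small Go program that reads constructed push-notification log lines, groups prompts per user and flags anyone who received a burst of prompts within a short window, noting whether an approval landed inside the burst. The log format, field names, window and threshold are assumptions chosen for the example; a real identity provider's logs will differ, but the sliding-window logic carries over.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// SampleLog is constructed test data, not a real log: one line per MFA push prompt with the user's
// response (ignored, denied or approved). The event=login line shows that other events are skipped.
const SampleLog = `2025-03-04T08:00:01Z user=alice event=mfa_push outcome=ignored
2025-03-04T08:00:03Z user=alice event=login outcome=password_ok
2025-03-04T08:00:05Z user=alice event=mfa_push outcome=denied
2025-03-04T08:00:09Z user=alice event=mfa_push outcome=ignored
2025-03-04T08:00:14Z user=alice event=mfa_push outcome=ignored
2025-03-04T08:00:20Z user=alice event=mfa_push outcome=ignored
2025-03-04T08:00:31Z user=alice event=mfa_push outcome=ignored
2025-03-04T08:00:40Z user=alice event=mfa_push outcome=approved
2025-03-04T08:00:02Z user=bob event=mfa_push outcome=ignored
2025-03-04T08:00:07Z user=bob event=mfa_push outcome=approved`

// PushEvent is one parsed push prompt.
type PushEvent struct {
	At      time.Time
	User    string
	Outcome string
}

// FatigueAlert describes the densest burst of prompts seen for one user.
type FatigueAlert struct {
	User            string
	Prompts         int
	Start, End      time.Time
	ApprovedInBurst bool // worst case: the user may have given in and approved an attacker's login
}

// parseLine reads "RFC3339 key=value ..." lines and keeps only mfa_push events.
func parseLine(line string) (PushEvent, bool) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return PushEvent{}, false
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return PushEvent{}, false
	}
	kv := map[string]string{}
	for _, f := range fields[1:] {
		if k, v, ok := strings.Cut(f, "="); ok {
			kv[k] = v
		}
	}
	if kv["event"] != "mfa_push" || kv["user"] == "" {
		return PushEvent{}, false
	}
	return PushEvent{At: at, User: kv["user"], Outcome: kv["outcome"]}, true
}

// DetectFatigue groups prompts per user and slides a time window over them; a user whose densest
// window holds at least threshold prompts gets one alert. Alerts are sorted by user name.
func DetectFatigue(log string, window time.Duration, threshold int) []FatigueAlert {
	byUser := map[string][]PushEvent{}
	for _, line := range strings.Split(log, "\n") {
		if e, ok := parseLine(line); ok {
			byUser[e.User] = append(byUser[e.User], e)
		}
	}
	var alerts []FatigueAlert
	for u, evs := range byUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		best := FatigueAlert{User: u}
		j := 0
		for i := range evs {
			// Move the right edge while it is still inside the window that opens at evs[i].
			for j < len(evs) && evs[j].At.Sub(evs[i].At) <= window {
				j++
			}
			if n := j - i; n > best.Prompts {
				best.Prompts, best.Start, best.End, best.ApprovedInBurst = n, evs[i].At, evs[j-1].At, false
				for _, e := range evs[i:j] {
					best.ApprovedInBurst = best.ApprovedInBurst || e.Outcome == "approved"
				}
			}
		}
		if best.Prompts >= threshold {
			alerts = append(alerts, best)
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].User < alerts[j].User })
	return alerts
}

func main() {
	for _, a := range DetectFatigue(SampleLog, 2*time.Minute, 5) {
		fmt.Printf("%s: %d prompts from %s to %s, approved in burst: %v\n", a.User, a.Prompts, a.Start.Format("15:04:05"), a.End.Format("15:04:05"), a.ApprovedInBurst)
	}
}
```

Run as written, the program flags alice (seven prompts in 39 seconds, ending in an approval) and says nothing about bob, whose two prompts are normal. An alert with ApprovedInBurst set is the one to treat as a probable account compromise rather than mere annoyance: revoke the session and re-verify the user out of band. Number matching on the push prompt, or the phishing-resistant methods described later in the article, removes the fatigue vector altogether.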
Why traditional security policies often fall short
No matter how much you’ve invested in the most sophisticated, AI-driven cyber security and policies, there are weaknesses modern phishing can exploit. It’s only by understanding these weaknesses that you can develop countermeasures to mitigate those vulnerabilities.
Your security tools are outdated
Outdated security tools also contribute to the problem. Many organisations still rely on perimeter-based defences: firewalls, antivirus software and static spam filters. These reactive tools are ill-equipped for the dynamic nature of modern phishing. They are designed to detect known threats, so when attackers use AI to continuously change their tactics, the defences quickly fall behind.
Furthermore, by focusing your security efforts on perimeter defence, you might have little in place to counter threats once they’re already in your network.
Your people make mistakes
Even with strong policies in place, human error remains a critical vulnerability. New hires, for instance, may be unaware of the latest phishing tactics, and even experienced employees can be duped by a well-crafted, personalised scam.
Spotting AI-generated and deepfake content isn’t just a challenge for humans; it’s also an issue for computerised systems. Conventional security measures often rely on signature-based detection, which is not effective against synthetic media that mimics legitimate content with high accuracy. The visual and auditory realism of deepfakes makes them especially dangerous, as both humans and automated systems can struggle to differentiate between real and fabricated communications.
Staying ahead of the curve: Defence strategies
So the bar for countering modern phishing is high, but we can’t just throw in the towel. With the right multi-layered security approach, you can reduce your vulnerability to phishing and mitigate the impact when attacks do get through.
Phishing-resistant authentication
One of the most promising strategies is the adoption of phishing-resistant authentication methods. Modern protocols like FIDO2/WebAuthn offer passwordless authentication that binds credentials to specific websites and devices: the browser, not the web page, tells the authenticator which origin the user is really on, so a credential registered for the genuine site will not work on a lookalike. Because the credential is a public-key pair rather than a secret the user types in, there is nothing for a fake login page or a relaying proxy to capture, which eliminates the vulnerabilities associated with traditional passwords and SMS-based OTPs.
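To make concrete why this origin binding defeats the reverse-proxy (AITM) attack described under “Bypassing multifactor authentication”, here is an added Go example, written for this page and not taken from the article or from any WebAuthn library, that models the relying party's checks on a simplified assertion. It assumes a minimal authenticatorData layout (rpIdHash, flags, counter), a clientDataJSON carrying only type, challenge and origin, ECDSA P-256 (ES256) signatures, and placeholder domain names. A real authenticator would refuse to exercise an example.com credential on a lookalike domain in the first place; the example shows that even if an assertion were produced on the lookalike and relayed, the server's origin, rpIdHash and signature checks reject it.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// ClientData holds the clientDataJSON fields that matter here. The browser writes this structure
// itself, so a page's JavaScript cannot lie about the origin the user is really on.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the relying party (RP) receives after navigator.credentials.get().
type Assertion struct {
	AuthenticatorData []byte // SHA-256(rpId), then a flags byte and a 4-byte counter
	ClientDataJSON    []byte
	Signature         []byte // ASN.1 DER ECDSA (ES256) signature
}

// authenticatorData builds the minimal 37-byte authenticator data blob.
func authenticatorData(rpID string, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	out := append(h[:], 0x01) // UP flag: user present
	return append(out, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
}

// signedMessage is what ES256 signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// signAssertion plays the authenticator. The browser supplies the rpId and origin of the page the
// user is really on, whatever that page claims to be.
func signAssertion(key *ecdsa.PrivateKey, rpID, origin, challenge string) (Assertion, error) {
	cd, _ := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin}) // plain strings: cannot fail
	authData := authenticatorData(rpID, 1)
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedMessage(authData, cd))
	return Assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}, err
}

// verifyAssertion is the RP side. It returns "ok" or the first check that failed.
func verifyAssertion(pub *ecdsa.PublicKey, a Assertion, rpID, origin, challenge string) string {
	var cd ClientData
	if json.Unmarshal(a.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return "bad clientDataJSON, wrong ceremony or stale challenge (replay)"
	}
	if cd.Origin != origin {
		return "origin mismatch: " + cd.Origin
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	if len(a.AuthenticatorData) < 37 || !bytes.Equal(a.AuthenticatorData[:32], rpIDHash[:]) {
		return "rpIdHash mismatch"
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return "signature invalid"
	}
	return "ok"
}

// Demo returns the RP's verdict on a genuine login, a login relayed from a lookalike site, and a
// relayed login whose bound fields were rewritten to look genuine. Domain names are placeholders.
func Demo() (genuine, relayed, tampered string, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // made at registration; the RP keeps only the public key
	if err != nil {
		return "", "", "", err
	}
	const rpID, origin, challenge = "example.com", "https://login.example.com", "challenge-from-rp-001"
	honest, err := signAssertion(key, rpID, origin, challenge)
	if err != nil {
		return "", "", "", err
	}
	// The victim is on the lookalike page, so the browser binds the assertion to the lookalike rpId and
	// origin; the proxy forwards it to the real RP together with the RP's own challenge.
	proxied, err := signAssertion(key, "example-com.test", "https://login.example-com.test", challenge)
	if err != nil {
		return "", "", "", err
	}
	// Pasting genuine-looking authData and clientDataJSON over the proxied signature does not help either.
	forged := Assertion{honest.AuthenticatorData, honest.ClientDataJSON, proxied.Signature}
	pub := &key.PublicKey
	return verifyAssertion(pub, honest, rpID, origin, challenge),
		verifyAssertion(pub, proxied, rpID, origin, challenge),
		verifyAssertion(pub, forged, rpID, origin, challenge), nil
}

func main() {
	fmt.Println(Demo())
}
```

The genuine login verifies; the relayed one fails on the origin check (and would fail on rpIdHash and signature after that), and rewriting the signed fields breaks the signature. Contrast this with an SMS code or a TOTP, which is just a string that a proxy can forward unchanged. A production relying party does more than this sketch: it looks up the credential by ID, checks the user-present and user-verified flags, tracks the signature counter to spot cloned authenticators, and parses CBOR attestation data at registration.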
Counter AI with AI
While AI might be enabling modern phishing’s sophistication, AI also plays a crucial role in countering its threat. AI-powered threat intelligence systems can analyse network behaviour in real time and detect subtle anomalies that indicate a phishing attack in progress. Endpoint detection and response (EDR) solutions that incorporate machine learning can rapidly identify and isolate compromised devices before they cause widespread damage.
Adopt zero-trust security
Zero-trust architecture is another critical step in countering modern phishing. In a zero-trust model, no user or device is automatically trusted, even if it’s inside the corporate network. Every access request is verified, and lateral movement within the network is strictly controlled. This “never trust, always verify” approach minimises the damage that can be done if an attacker does manage to bypass initial defences.
Train your people
Continual security awareness training is also vital. As phishing tactics become more sophisticated, regular training sessions and phishing simulations can help employees recognise the latest scams. Tailored training that includes examples of deepfake impersonations and multi-channel phishing attempts will ensure your employees remain vigilant and know how to react appropriately.
Holistic approach required
As the battle against phishing continues, the key takeaway is clear: no single solution will suffice. Instead, a holistic approach that combines advanced technology with proactive training and robust policies is essential to outmanoeuvre cyber criminals in this new era of AI-enhanced attacks.