Phishing has been a top cyber threat for decades. Relying as it does on duping employees into clicking links, opening attachments and/or sharing important information, it remains an evergreen tactic for threat actors.

One report from January 2024 found that 94% of cyber decision-makers had to deal with a phishing attack in 2023. To circumvent phishing filters and trick more savvy users, malicious actors are designing new, more sophisticated campaigns.

Phishing is a prime example of the arms race between defenders and attackers that characterizes the threat landscape. One side innovates and the other responds in kind.

The good news is that there are ways to mitigate the threat, if organizations focus on the basics of people, process and technology.

How Phishing Is Evolving

At its heart, phishing is a con trick. Attackers use classic social engineering tactics – such as impersonating trusted entities and brands coupled with creating a sense of urgency – to persuade the victim into doing their bidding.

The end goal is usually to install malware via a malicious link or attachment, or to trick the victim into entering personal/financial information or logins.

As such, phishing is a common method of initial compromise. Research has revealed it is the second-most popular ransomware attack vector after remote access compromise.

Tried-and-tested phishing tactics include hijacking sender email/social media accounts, spoofing sender domains or phone numbers, using official logos and lookalike websites, and conducting reconnaissance for highly targeted spear-phishing attempts.

Threat actors are innovating, according to Sophos X-Ops principal researcher Andrew Brandt.

“The latest campaigns we’ve seen incorporate the design and styling of email from legitimate companies like Adobe or DocuSign – not just logos, but whole stylesheets mimicked. The phishing pages themselves are also increasingly difficult to identify as phishing sites,” he tells Infosecurity.

“For instance, the Tycoon phishing-as-a-service (PhaaS) framework puts a real login dialog box inside of an iframe on a page the phisher controls. The dialog box looks identical to a Microsoft 365 login screen because it is – but due to the way the phishing kit frames the dialog box, the attacker is able to immediately extract whatever text you enter into the login dialog box.”
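The framing technique Brandt describes only works if the genuine login page lets itself be embedded in a third-party iframe. The browser-side controls that stop this are the Content-Security-Policy `frame-ancestors` directive and the older `X-Frame-Options` header. The following Python is an added example (not from the article, Sophos or any vendor) that classifies a login endpoint's response headers by how well they resist framing; the sample header sets are constructed for illustration.

```python
"""Classify a login page's anti-framing posture from its response headers.

Added example: evaluates the CSP frame-ancestors directive and the legacy
X-Frame-Options header, the browser controls that prevent a real login
dialog from being embedded in an iframe on a page the phisher controls.
"""
from __future__ import annotations


def parse_frame_ancestors(csp: str) -> list[str] | None:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip().lower() for p in parts[1:]]
    return None


def framing_verdict(headers: dict[str, str]) -> str:
    """Return 'blocked', 'same-origin', 'allowlist' or 'unprotected'.

    Header names are matched case-insensitively. When both headers are
    present, CSP frame-ancestors wins, which matches browser behaviour.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = parse_frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        if ancestors == ["'none'"]:
            return "blocked"
        if ancestors == ["'self'"]:
            return "same-origin"
        return "allowlist"  # named hosts may embed the page; review that list
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "unprotected"  # any site, including a phishing page, can frame it


# Constructed sample responses for a hypothetical identity provider login page.
SAMPLE_RESPONSES = {
    "hardened": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "legacy-only": {"X-Frame-Options": "SAMEORIGIN"},
    "unprotected": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(f"{name}: {framing_verdict(hdrs)}")
```

An 'unprotected' or broad 'allowlist' verdict on a login endpoint is worth raising with the application owner, since it is exactly the condition an iframe-based phishing kit depends on.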