“Gone Phishing”—Every Cyberattacker’s Favorite Phrase

Phishing—how old hat is that as a topic? Isn’t it solved for most of us by now? Can’t we speak about AI instead? That may be your response when you hear a security analyst talk about phishing and phishing prevention, but those assumptions couldn’t be further from the truth. Phishing continues to be one of the primary threat vectors any organization needs to protect itself from.

How Phishing Has Evolved

Phishing, sadly, remains a persistent threat, continually evolving and attacking more users across a broader array of channels. It is no longer relegated to email messages with suspect spelling and grammar. Instead, phishing targets any channel where a user communicates: email, collaboration platforms, messaging apps, code repositories, and mobile devices. It is also increasingly accurate, making malicious communication more difficult than ever to identify. Its more sophisticated messaging is not always focused on stealing credentials or deploying malicious software; instead, it may seek to encourage users to carry out malicious activity unknowingly.

This is where AI plays its part. AI is at the forefront of modern attacks, having increased the efficacy of phishing campaigns by enabling criminals to study a target’s online habits and craft more convincing phishing attempts. Modern attacks can recognize the usual communication patterns of organizations and users, and the language used in those communications, and are using this ability to great effect across new channels such as messaging apps, SMS messages, and even audio and video.

Packing the Defense

Many organizations have, of course, invested in anti-phishing tools and have done so for a prolonged period. However, with an attack methodology that evolves so quickly, organizations must continue to evaluate their defenses. This does not mean they must rip out what they currently have, but it certainly means they should evaluate existing tools to ensure they remain effective and look at how to address gaps if discovered.

What should you consider when evaluating your current approaches?

  • Understand the attack surface: If your phishing protection is only focused on email, how are you protecting your users from other threats? Can you protect users from phishing attempts in Teams or Slack? When they access third-party sites and SaaS apps? When they are accessing code in code repositories? When they scan a QR code on their mobile? All of these are potential attack vectors. Are you covered?
  • AI defense: AI is rapidly accelerating the efficacy of phishing-based attacks. Its ability to build effective and hard-to-identify phishing attacks at scale presents a serious threat to traditional methods of spotting attacks. The most effective tool to reduce this threat is defensive AI. Understand how your tools are currently protecting your business from AI-based attacks and decide if the methods are effective.
  • Multilayered protection: Phishing attacks are broad, so defenses must be equally broad and layered. Modern tools should be able to stop basic attacks in a way that reduces the impact of false positives, which disrupt workflows and user efficiency. Solutions must ensure that phishing detection is accurate, but should also properly evaluate threats they do not recognize, using tools like link protection and sandboxing.
  • User education in phishing prevention: User education is a key component of phishing prevention. Organizations must determine the type of education that best serves their needs, whether it’s formal awareness training, phishing education exercises, or subtle “nudge” training to improve usage habits. Are your current tools as effective as you need them to be?
  • Catch you later: Increasingly, phishing threats are retrospectively activated. They are not triggered or malicious on delivery but are weaponized later in attempts to evade security tools. Ensure your solutions are capable of addressing this and can remove threats from communications channels when they become weaponized after delivery.

Don’t Let Them Phish in Your Lake

Phishing remains the most likely attack vector for cybercriminals. The impact of a successful phishing attempt can be significant, causing loss of business and reputation, financial impact, and potential legal action.

Phishing is not a static threat; it continues to evolve rapidly. Organizations must continue to evaluate their phishing protection stance to ensure it remains effective against new and evolving threats.

Fortunately, cybersecurity vendors continue to evolve too. So, ensure you continue to monitor your defenses and don’t let a cyberattacker catch you hook, line, and sinker.

Next Steps

To learn more, take a look at GigaOm’s anti-phishing Key Criteria and Radar reports. These reports provide a comprehensive overview of the market, outline the criteria you’ll want to consider in a purchase decision, and evaluate how a number of vendors perform against those decision criteria.
