What is phishing?
From banking scams to industrial espionage, we look at why phishing is so lucrative
With numerous emails flooding in from all sorts of sources every day, it’s a tiring job to scrutinise each one and treat it as guilty until proven innocent. Unfortunately, not doing so is why phishing remains such a lucrative hacking technique.
Phishing is an attack method most commonly delivered through emails that try to trick the victim into believing that a trusted source needs something from you, whether that’s money, identifiable data, or login credentials.
Opening a malicious email attachment is a simple method of attack, but it keeps proving to be one of the most efficient. This backs up the conclusion that many organisations are reaching - that the human element of cyber security is the weakest link.
Here's what you need to know about some of the types of phishing attacks you may come across and the motivations of the attackers.
The first phishing attacks
While a theoretical phishing technique was first described in 1987, this type of attack only really started to gain popularity in the 1990s, with the advent of the consumer internet.
One of the earliest examples of phishing was known as AOHell and was a customer service ruse. This hacking tool targeted AOL users and allowed the attacker to masquerade as a customer service representative. The target user would be encouraged to hand over their password; if they did, the attacker would then be able to use their account for nefarious purposes.
This element of using underhand tactics remains the defining feature of phishing, although the number of types and techniques has expanded significantly.
How to spot a phishing attack
Most users will encounter phishing attacks in the form of malicious emails. As is shown in the image above, many of these will be caught by the service provider's built-in filters, which will alert the user to suspicious content or recent attacks associated with the sender's address. However, some malicious emails will slip through the net, so it's important to always be suspicious of any unexpected email, especially from those purporting to be from companies that you have had no dealings with.
Unusual sender address
An email from a legitimate company will normally use a fairly standard address - something that is representative of the brand. Although sophisticated attacks will try to masquerade as the company they're imitating, such as using PayPal.net instead of PayPal.com, many will forgo this effort and use clearly suspicious email addresses with the hope the victim won't notice. As you can see in the image above, this particular email claims to be from DHL Express, but the message has been sent from an entirely unrecognisable address.
Spelling mistakes, grammatical errors, strange phrasing
Legitimate emails will normally have been put through many layers of proofing and checks prior to being sent, especially if they are automated. This means that spelling and grammatical errors, or sentences that just don't sound quite right, should be an instant red flag. Occasional spelling mistakes are understandable, especially if the email does not appear to be automated, but you should be suspicious of glaring errors nonetheless.
As you can see in the image above, the email comes with an official-sounding sign-off that just doesn't sound right.
Vague information or requests
Companies will typically try to personalise their customer correspondence, usually by addressing the email to a specific first name taken from account information, or by using very specific information from a recent order. Another red flag, then, is the lack of this personalised information, especially when the email is addressed to a 'Sir/Madam' or 'Recipient', or if the email mentions vague references to a recent order. Malicious emails will use this lack of specific information to encourage a secondary action, whether that's clicking on a link or opening an attachment.
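The sender-address and salutation checks described above, encoded as a small Python heuristic of the kind a mail filter might run. This is an added example, not code from the article or from any vendor named in it; the brand-to-domain table, the greeting list and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brands a sender might claim, mapped to the domains they really send from
# (constructed for illustration; a real deployment maintains its own list).
KNOWN_BRANDS = {"paypal": {"paypal.com"}, "dhl": {"dhl.com"}}

# The vague salutations the article lists as a red flag ("Sir/Madam", "Recipient").
GENERIC_GREETING = re.compile(
    r"^\s*(dear|hello|hi)\s+(sir/madam|sir or madam|recipient|customer|user)\b",
    re.IGNORECASE | re.MULTILINE)

def sender_parts(from_header):
    # Split "DHL Express <x@y.example>" into the display name and lower-cased domain.
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain

def body_text(msg):
    # First text/plain part, decoded; enough for a heuristic check.
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/plain":
            return part.get_payload(decode=True).decode("utf-8", "replace")
    return ""

def phishing_indicators(raw_email):
    """Return human-readable red flags found in a raw RFC 822 message."""
    msg = message_from_string(raw_email)
    flags = []
    name, domain = sender_parts(msg.get("From", ""))
    # A brand is "claimed" if it appears in the display name or the domain:
    # paypal.net claims PayPal just as "PayPal <x@random.example>" does.
    for brand in KNOWN_BRANDS:
        claimed = brand in name.lower() or brand in domain
        if claimed and domain not in KNOWN_BRANDS[brand]:
            flags.append(f"sender domain '{domain}' is not a known {brand} domain")
    if GENERIC_GREETING.search(body_text(msg)):
        flags.append("generic salutation instead of a personalised greeting")
    return flags

# Constructed sample messages, not real emails.
SUSPICIOUS = """From: DHL Express <parcel-update@mail-notify-7731.example>

Dear Sir/Madam, we could not deliver your parcel. Open the attached form.
"""
LEGITIMATE = """From: Acme Orders <orders@acme.example>

Hi Alice, your order 48213 (2x USB cable) has been dispatched.
"""
```

Running `phishing_indicators(SUSPICIOUS)` returns both flags, while the personalised Acme message returns none; spelling and grammar checks are deliberately left out because they need a dictionary rather than a regex.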
Mitigating against phishing
As cyber criminals continue to target businesses with sophisticated phishing campaigns, employers must educate staff on how to spot and report suspicious emails and messages. Employees need to be well-trained in both spotting the common signs of a phishing attempt and following the prescribed process for alerting their security teams.
Of course, even with training, there will be times when employees fail to identify phishing scams and fall victim to them. With this in mind, it's critical that robust cyber security controls are in place to stop potentially malicious emails from reaching staff, while also maintaining incident response plans in the event the worst does happen.
Shelby Flora, managing director for security at the UK and Ireland arm of professional services firm Accenture, says businesses must take a “multi-faceted approach” to tackling advanced phishing attacks. This should include cyber security awareness training and technical safeguards like multi-factor authentication, spam filtering solutions, and continuous monitoring programs.
"Additionally, encouraging a policy of verification before responding to unexpected requests for information or access can serve as a critical barrier against social engineering tactics," she adds.
The cost of phishing
Phishing remains the single biggest cyber security threat faced by businesses (84%) and charities (83%), according to the UK Government’s 2024 Cyber Security Breaches Survey.
Despite the serious risk posed by phishing emails, a recent Proofpoint survey found that 67% of British employees are aware that their actions are harming their organization’s cyber security posture.
Geographically, the US remains by far and away the most-targeted country for phishing, with 1.13 billion attacks recorded between 2023 and 2024, according to Zscaler research. This was followed by India (79.1 million), Canada (58.6 million), Germany (57 million), and the UK (12.9 million).
From an industry perspective, Zscaler found that attacks against finance and insurance companies make up around 28% of all phishing attempts — followed by manufacturing (21%), the services industry (15.8%), technology (11%), retail and wholesale (6.2%), government (5.2%), healthcare (4.6%) and education (4.4%).
There has also been a 109% growth in the number of phishing attacks using malicious links disguised as legitimate Salesforce URLs, according to the CRM giant.
Phishing subtypes
Under the umbrella of "phishing", security researchers have identified a number of sub-groups that are even more targeted in their approach, with the two most common being spear-phishing and whaling.
Spear phishing
Spear phishing is a phishing campaign that targets a specific individual or company. This technique requires a bit more effort on the part of the cyber criminal, as they need to do more background research in order to create a personalised phishing email. According to research, 88% of organisations worldwide reported spear-phishing attacks in 2019.
Whaling
Whaling is like spear-phishing, but it's even more targeted, focusing on the likes of CEOs and CFOs within a business. These emails are crafted to look like an urgent item a senior person within a business must look at, such as a customer complaint or a court subpoena. The scams often then demand the transfer of a large sum of money.
The Symantec report said that "these scams can be damaging as they require little technical expertise but can reap huge financial rewards for the criminals and significant losses for the companies involved. For example, early in 2016, an Austrian aerospace company fired its CEO after it lost almost (USD) $50 million to BEC scammers".
The use of AI in phishing campaigns
Artificial intelligence tools are making it even easier for cybercriminals to design and disseminate highly convincing phishing campaigns.
According to research from Zscaler, such attacks have increased by almost 60%. Meanwhile, Harvard University found that 60% of people have experienced AI-driven phishing attacks.
Hackers are turning to AI software like ChatGPT, Stable Diffusion and Midjourney to increase the volume of phishing attacks and make them more believable, according to Jess Burn, principal analyst at market research firm Forrester.
In particular, she says generative AI is aiding the creation of “compelling text and images” that “improve the quality of phishing emails and websites”. Hackers can then use this technology to “compose their attacks on a greater scale,” she warns.
Burn notes, however, that hackers still spread most of these attacks using “spoofed accounts or domains”. She adds: “We’re expecting cyber attacks to increase in number but the threats themselves are not novel. Security analysts and incident responders already know how to identify, resolve, and mitigate them.”
Martin Borrett, UK & Ireland technical director at IBM Security, explains that cyber criminals can leverage AI tools to “analyze user behavior, preferences, and patterns”. This information helps them design “highly personalized and targeted phishing emails and social engineering campaigns that are more likely to succeed”.
He adds: “Additionally, AI can help automate the process of crafting and sending these messages, enabling attackers to carry out large-scale and coordinated attacks more efficiently."
Jon France, chief information security officer at the non-profit cyber security certification body ISC2, suggests that cyber criminals are no longer focusing on email phishing scams due to the rise of AI. He says they can now use deep fakes, AI-generated fake videos of real people, to trick victims into handing over their passwords, payment information, and cash.
This technology is also resulting in “multi-stage campaigns” that see cyber criminals “increase their chances of success by narrowing their focus and refining their tactics based on the information gathered at each stage”. He adds: “The information obtained can be used to carry out more targeted and convincing attacks later down the line.”
Other key phishing trends: Spam, BEC, vishing
As well as a sharp rise in AI-based phishing campaigns, many other notable phishing trends have emerged in 2024 so far.
One key development is the growing sophistication of unwanted emails, according to Borrett. He says people are finding it harder to “distinguish legitimate business emails from phishing emails”.
To avoid this, he advises the following: “Verify the sender, decide if an email is valid before clicking links or attachments, and verify the email without forwarding it to others.”
Burn says cyber criminals are spending greater amounts of time trying to understand their victims, in the hope of designing and conducting more advanced phishing and business email compromise (BEC) attacks.
“Yes, there are some that still take a ‘spray and pray’ approach but many know that a well-crafted phishing message will allow them to get that desired foothold in their target organization,” she explains.
Jack Peters, customer solutions architect at cloud and connectivity provider M247, notes a growth in cross-channel and voice-based phishing attacks (also known as vishing). He explains that cyber criminals are using a range of voice calls, emails, and text messages as part of advanced phishing campaigns that “manipulate victims into revealing sensitive information”.
“It takes many forms, including prompting the recipient to take action on a fake receipt sent to them by email, or to reply to an IT support issue, or impersonating authorities or legal entities.”
Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.
Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.
As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.