
Phishing Scams Becoming More Common and More Difficult to Spot

24 April 2025 10:11 PM IST

Successful phishing scams targeting businesses are on the rise. This fact may be difficult to believe, as sensational messages generally can’t bypass email filters. Most 21st-century employees can consistently spot and report those that manage to land in their inboxes — therein lies the problem.

Real phishing attacks no longer rely on sensationalism. Cybercriminals constantly evolve and explore new approaches to steal from enterprises. Social engineers are slyer than ever, and the ball is in the court of small business owners to outsmart these tech-savvy thieves.

Phishers Are Leveraging Diverse Technologies

Email remains the bread and butter of social engineers. The vast majority of phishing campaigns center on credential theft.

Fraudsters build fake login pages to fool employees into sharing their usernames and passwords on cloud platforms, like Google Workspace or Microsoft 365. Many employees don’t give modern phishing sites a second look because most feature HTTPS to avoid triggering browsers to display security warnings.
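
An added example (not part of the original article): because HTTPS no longer distinguishes a fake login page, a link check has to compare the exact hostname with the sign-in hosts the organization really uses. The allowlist, brand tokens and sample links below are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the sign-in hosts this organization really uses.
TRUSTED_LOGIN_HOSTS = {"accounts.google.com", "login.microsoftonline.com"}
# Assumption: brand words that deserve a flag on any other host.
BRAND_TOKENS = ("google", "microsoft")


def assess_login_link(url):
    """Classify a link by exact hostname; HTTPS alone never grants trust."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    uses_https = parts.scheme.lower() == "https"

    if host in TRUSTED_LOGIN_HOSTS:
        # Even a known host is only acceptable over an encrypted connection.
        verdict = "trusted" if uses_https else "suspicious"
        reason = "allowlisted sign-in host" if uses_https else "allowlisted host without HTTPS"
        return {"host": host, "verdict": verdict, "reason": reason}

    brands = [token for token in BRAND_TOKENS if token in host]
    if brands:
        # Brand name on a host we do not recognize: the fake-login pattern.
        reason = "brand name %s on non-allowlisted host" % "/".join(brands)
        if uses_https:
            reason += " (HTTPS present, but that proves nothing about the owner)"
        return {"host": host, "verdict": "suspicious", "reason": reason}

    return {"host": host, "verdict": "unknown", "reason": "not a recognized sign-in host"}


# Constructed sample links; the fakes use reserved example domains.
SAMPLE_LINKS = [
    "https://accounts.google.com/signin",
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://microsoft365-signin.example.net/login",
    "https://accounts.google.com.example.org/signin",
    "http://login.microsoftonline.com/common",
    "https://payroll.example.com/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = assess_login_link(link)
        print(f"{result['verdict']:<10} {result['host']:<34} {result['reason']}")
```

The two fake hosts are flagged even though both are served over HTTPS, while the genuine Microsoft host is flagged only when the link drops to plain HTTP.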

Business email compromise (BEC) attacks are still lucrative. In 2023, the Internet Crime Complaint Center received 21,489 BEC reports linked to losses exceeding $2.9 billion. On average, an organization loses $134,953 per incident. These figures prove that threat actors have mastered the deceit needed to execute these targeted attacks successfully.

While email services are the primary hunting ground for tricksters, they’ve been branching out into other channels. More malicious characters are exploiting collaboration apps — such as Microsoft Teams and Slack — and social media networks.

More online con artists have nailed impersonation. Recently, tens of thousands of reported phishing attacks have used Facebook’s name and brand elements to earn user trust. Scammers love impersonating Microsoft and Amazon, too. They also pretend to be government bodies, like the Internal Revenue Service, to dupe targets into paying bogus fines and overdue taxes.

Voice phishing attacks are becoming more prevalent. Cybercriminals combine fake phone numbers, text-to-speech systems and voice-altering software to impersonate company executives to obtain login details, credit card numbers and personal data.

QR code phishing is becoming a thing. Social engineers now use physical spaces and tangible tools like phony business cards and seemingly benign posters to electronically steal sensitive information.

Experts Are Seeing Artificial Intelligence (AI) as a Double-Edged Sword

Reports say that the rise in phishing attacks coincided with the rollout of ChatGPT. However, there’s no evidence of a correlation between the two events. AI wrote only a tiny fraction of the malicious emails that circumvented filters in 2024.

This finding doesn’t necessarily substantiate that cybercriminals deliberately chose not to use black-hat generative AI to bolster phishing campaigns. The tech is too powerful to ignore, so fraudsters passing up on AI is unfathomable. Email filters adapting fast enough to AI-based campaigns sounds more plausible.

AI-fueled phishing threats may not be a concern today, but they could be tomorrow. It feels like it’s only a matter of time before a dramatic increase in successful AI attacks makes headlines. The faster AI-based phishing kits become accessible and popular, the sooner it happens.

Training employees to be on high alert when reading emails and chatting with teammates requires time and effort. However, spotting fraudulent emails by their poor visual design and recognizing nonsensical messages should feel more effortless once employees develop the right habits.

On the bright side, this emerging technology can help create a virtuous cycle to shape acceptable cyberbehavior among employees.

AI powers adaptive phishing training by customizing scenarios based on employee role, skill level and background. Automation can drive up employee engagement, which yields more data points and, in turn, more data-driven insights.

Ultimately, AI is nothing but a tool. The small businesses that put a premium on adaptive phishing training and gamify the process see better simulated threat reporting, lower failure rates, higher real threat detection and shorter dwell time. These metrics translate into fewer incidents and earlier detection of breaches.

Investing in human threat intelligence is more important than ever. Organizations can’t solely rely on technical layers because they’re becoming fewer and less effective.
