With advancements in generative artificial intelligence (AI), cybercriminals are deploying increasingly sophisticated and personalized attacks that impact organizations of all sizes. Phishing attacks are being enhanced by generative AI tools, allowing attackers to create highly convincing fake communications. It is becoming increasingly hard to distinguish legitimate messages from malicious ones, and this poses a significant challenge to traditional security defenses.
For example, a new phishing scam impersonating the CapCut video editing app is sending fake subscription emails to users. Victims are lured to a fraudulent Apple login page with the goal of stealing their Apple ID credentials and gaining access to personal data and/or unauthorized purchases.
Booking.com also recently found itself impersonated in Storm-1865, a set of phishing campaigns targeting the hospitality industry. Active since December 2024, these campaigns use fake error messages (“ClickFix”) to trick users into running commands that download credential-stealing malware such as XWorm and Lumma Stealer, which then harvest financial data and credentials.
It is imperative that organizations stay informed about evolving phishing scams and have the necessary tools to counter cybercriminals. Everyone within an organization, no matter the seniority level, should be educated on what to do when it comes to phishing scams so they can protect both their organization and themselves. This includes building a “human firewall.”
The core philosophy of a “human firewall” centers on employees serving as the primary line of defense against cyber threats. By cultivating a security-centric company culture, your workforce can uncover suspicious activities before they escalate into full-scale breaches.
An effective human firewall should adhere to these three principles:
- Mindset: Educate employees on the most common cyber threats.
- Skillset: Train employees on how to spot attacks and how to appropriately address a potential hack or breach.
- Toolset: Supply employees with the necessary software tools to prevent attacks and uncover suspicious activity.
How to Detect Phishing Scams
It’s crucial to cultivate a habit of vigilance and critical thinking when it comes to your company-wide users’ inboxes. Employees must learn to continually question every unexpected email, especially those that prompt immediate action, convey a sense of urgency, or seem “too good to be true.” Phishing attempts are becoming increasingly sophisticated, making it important for employees to recognize subtle details, such as:
- Generic greetings, suspicious sender email addresses, and deceptive attachments with urgent names that might carry malware
- Unsolicited “security alerts” prompting clicks on malicious links
- Fake form fields that auto-fill hidden sensitive data
- Unusual language, grammar, or misspellings
Employees must know that a legitimate organization will never ask for private information like passwords or PINs via email.
Strengthening Your Organization’s Phishing Defenses
To significantly reduce your organization’s vulnerability to phishing attacks, consider implementing the following key strategies. These measures not only build a more robust technical defense but also empower your employees to become a critical part of your security posture.
- Implement email authentication: Combat email spoofing by adopting Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Reporting and Conformance (DMARC). These protocols are crucial for verifying sender identity and preventing impersonation.
- Adopt an email and web browsing policy: Create a clear policy that outlines safe and responsible email and internet usage for employees. This policy establishes guidelines for handling sensitive information and adhering to security protocols, thereby addressing the human element of security.
- Embrace ongoing user awareness training: Since human error is a leading cause of data breaches, provide ongoing, simulation-based user awareness training. Tailor training to individual roles and emphasize reporting suspicious emails to empower employees as a line of defense.
- Enable multifactor authentication (MFA): Fortify security by requiring users to authenticate their identity through multiple methods. Prioritize Fast IDentity Online (FIDO) or Public Key Infrastructure (PKI)-based MFA for phishing resistance, or use app-based MFA. Short message service (SMS) and voice MFA should be avoided whenever possible because of known weaknesses such as SIM swapping, Signaling System 7 (SS7) attacks, and audio deepfakes.
- Adopt and enforce strong password policies: Mitigate compromised accounts by requiring complex and unique passwords. Implement strict limits on incorrect login attempts and maintain a list of unacceptable passwords to deter weak or reused credentials.
- Adopt a third-party, integrated email security solution: Supplement native email platform features with an integrated email security solution. These solutions operate within your internal network, leveraging artificial intelligence (AI) to detect and neutralize both external and internal threats, offering advanced threat prevention, detection, and response capabilities.
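The email-authentication item above works because DMARC ties SPF and DKIM results to the domain the user actually sees in the From header. The following is an added illustration (not the article's code): it parses a DMARC TXT record and computes the disposition a receiving mail server would apply, using constructed records and message fields. The organizational-domain rule is simplified to the last two labels; real validators use the Public Suffix List.

```python
import re

# Matches one "tag=value" pair inside a DMARC TXT record.
TAG_RE = re.compile(r"\s*([a-zA-Z]+)\s*=\s*([^;]*)")


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tags, applying the RFC defaults
    for policy (p) and alignment modes (adkim/aspf, 'r' = relaxed)."""
    tags = {}
    for part in txt.split(";"):
        m = TAG_RE.match(part)
        if m:
            tags[m.group(1).lower()] = m.group(2).strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    # Assumption for this example: organizational domain = last two labels.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') only needs
    the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf_domain, spf_pass,
                      dkim_domain, dkim_pass):
    """Return 'pass' when an aligned SPF or DKIM result exists, otherwise the
    policy from the record (none/quarantine/reject). pct and sp are ignored."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


if __name__ == "__main__":
    # Constructed spoof: SPF passes for the attacker's envelope domain, but the
    # visible From domain publishes p=reject, so the message is rejected.
    print(dmarc_disposition("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                            "example.com", "attacker.example", True, None, False))
```

The same inputs against a domain that publishes only p=none would return "none", which is why monitoring-only DMARC does not by itself stop impersonation.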
Implementing these measures creates a more robust defense against evolving phishing threats. Remember that phishing is a social engineering scam, so the real power lies in prevention through awareness and vigilance.
Ultimately, a strong defense against phishing hinges on a well-informed user base. Since these scams prey on human trust, education and knowledge are vital. By equipping your organization and employees with the ability to recognize phishing tactics, you will build the most crucial line of defense. This human vigilance, combined with strong technical solutions, is what truly protects an organization against the ever-evolving and increasingly sophisticated threat of phishing.
By Andy Syrewicze
