![Holding the Tide Against the Next Wave of Phishing Scams](/sites/default/files/2025-01/holding-the-tide-against-the-next-wave-of-phishing-scams.jpg)
By now, we should all be pretty well acquainted with phishing scams. They've been around for a very long time—nearly 30 years, in fact—and are the primary focus of most security awareness training programs and initiatives. Despite this, phishing remains remarkably effective, with over 90% of successful cyberattacks beginning with a phishing email. Why? Because these scams are constantly evolving.
To protect against the next wave of phishing scams, it's important to understand them. As Sun Tzu said, "Know your enemy". With this in mind, here's a rundown of the latest phishing scams to scourge the cyber seas and some advice on protecting against them.
QR Code Phishing
QR codes are an integral part of our online lives. Widely used for marketing, payments, authentication, or sharing information, they are a convenient way to facilitate access to websites, apps, or secure systems without manual input. However, they have played an increasingly significant role in the cyber threat landscape in the past couple of years.
Attackers launch QR code phishing—or "qishing"—attacks by embedding malicious URLs in QR codes and sending them to users as part of a phishing email. Essentially, the QR code replaces the malicious link or attachment of more traditional phishing emails. However, QR phishing is typically more effective than other techniques for two key reasons:
"Traditional URL and email scanning do not detect QR codes, which allows them to slip through firewalls and Secure Email Gateways. Also, a victim scanning a QR code will likely do so from their personal device, which is typically not protected by corporate security tools," Zachary Travis, Threat Hunter II at Fortra, told Enterprise Talk in a recent interview.
Attackers will typically impersonate legitimate, routine requests, such as those from HR and IT teams, to trick users into scanning the QR code. Once scanned, the code will send the victim to a phishing page that harvests credentials or infects devices.
Hybrid Vishing
Attackers are also beginning to merge traditional phishing and scam techniques to bypass human defenses. Hybrid vishing, a combination of phishing and voice-based social engineering (vishing), has become increasingly prevalent over the past few years.
This type of attack involves sending victims a phishing email notifying them that they have been charged for a subscription renewal and providing a customer service number they can call to "cancel" the service. When the victim calls the number, they're connected to a scammer who will attempt to socially engineer them out of their bank account details or drain their bank account.
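As an added example (not from the original article or from Fortra's products), the Python below flags the two lures described above at the mail gateway: link-free billing mail that carries a callback number, and mail that pairs an image with "scan" wording and so should have its images sent for QR decoding. The regexes, flag names and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy

URL_RE = re.compile(r"https?://\S+", re.I)
# North American number shapes only (assumption); extend for other regions.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
BILLING_RE = re.compile(r"\b(renew(?:al|ed)?|subscription|charged|invoice|refund|cancel)\b", re.I)
SCAN_RE = re.compile(r"\b(scan|qr)\b", re.I)

def triage(raw):
    msg = message_from_string(raw, policy=policy.default)
    texts, images = [str(msg.get("Subject", ""))], 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            images += 1
        elif ctype in ("text/plain", "text/html"):
            texts.append(part.get_content())
    text = "\n".join(texts)
    billing_terms = {m.lower() for m in BILLING_RE.findall(text)}
    flags = []
    if not URL_RE.search(text) and PHONE_RE.search(text) and len(billing_terms) >= 2:
        flags.append("callback-lure")  # link-free billing mail with a phone number
    if images and SCAN_RE.search(text):
        flags.append("qr-candidate")   # decode the image, then URL-check the result
    return flags

# Constructed sample messages (not real mail); the image body is placeholder
# bytes, not an actual QR code.
CALLBACK = """Subject: Your subscription has been renewed

You have been charged $399.99 for your annual renewal.
To cancel, call customer service at (800) 555-0100.
"""
QR = """Subject: Action required: confirm your account
Content-Type: multipart/mixed; boundary=b1

--b1
Content-Type: text/plain

Scan the code below with your phone to keep your access.
--b1
Content-Type: image/png

iVBORw0KGgo=
--b1--
"""
BENIGN = "Subject: Team lunch Friday\n\nMenu: https://example.test/menu\n"
print([triage(m) for m in (CALLBACK, QR, BENIGN)])
```

A "qr-candidate" flag is only a routing decision: the image still has to be decoded by a QR library and the resulting URL passed through the same checks applied to links in the body.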
Deepfake Scams
Deepfake technology has matured at a startling rate. Less than a decade ago, deepfake audio and video were relatively easy to identify, but this is no longer the case. While deepfakes are perhaps best known for their role in political misinformation, they're also a highly effective phishing tool.
Deepfake scams involve the use of deepfake audio or video, such as fake voicemails from bosses or IT teams, to fool victims into handing over money or sensitive information. We've already seen the devastating impact these attacks can have – in early 2024, a finance worker paid out $25 million to scammers after a call with a deepfake chief financial officer.
AI-Generated Phishing Emails
By modern standards, the phishing emails of yesteryear were relatively easy to detect. They were riddled with syntax, language, grammar, and formatting errors, so anyone with a discerning eye could distinguish between legitimate and illegitimate communications. However, with the advent of generative AI, this is beginning to change.
In an interview with Expert Insights, John Wilson, Senior Fellow of Threat Research at Fortra, noted that AI enables "scammers to target victims in any language, without the spelling and grammatical errors that used to be the hallmark of an email scam."
As a result, phishing emails have become significantly more convincing, and as generative AI tools mature, they will only become more so in the years to come.
Personalized Scams Using Breached Data
The use of breached data to personalize scams is also making phishing attacks more convincing. Attackers often leverage private personal data – such as home addresses – to fool unsuspecting users. Again, AI plays a role in these attacks, allowing scammers to collate vast amounts of data from publicly available sources faster than ever before.
Cross-Channel Phishing
When used together, these techniques create highly sophisticated cross-channel phishing scams. John Wilson foresees this becoming a significant issue in 2025, with attackers crafting "highly personalized scenarios such as a deep-fake voicemail from your boss instructing you to be on the lookout for an email from the Help Desk related to an important security update for your home router. The email might contain your home address and a link you should click to install malware disguised as a router update."
But how can organizations protect against these attacks?
Protect Your Organization from Emerging Phishing Scams
Protecting against phishing scams in the modern era requires updating existing measures to reflect evolving techniques. For example, organizations should educate employees about these emerging threats, conduct tailored phishing simulations, and ensure email security tools include QR code detection.
How Fortra Can Help
Fortra's Agari Cloud Email Protection platform is invaluable for detecting and protecting against advanced phishing techniques. It leverages advanced machine learning to detect email impersonation, regardless of the attacker's phishing tactic. By analyzing the sending patterns of legitimate users and organizations, it identifies key indicators of impersonation typical of phishing scams and cross-references them with Fortra Threat Brain, our best-in-class threat intelligence solution, to confirm whether an email is linked to a known threat.
Request a demo today to learn how Fortra can protect your organization from emerging threats.