
Introduction

The urgency of the evolving phishing threats cannot be overstated. These threats are becoming increasingly sophisticated, and many organisations struggle to keep up.

As a Chartered Cyber Security Professional (ChCSP) specialising in Cyber Incident Response, I have had a front-row seat to the rapid evolution of these threats and the too-often lukewarm responses of even the most well-intentioned companies.

The reality is harsh: traditional security paradigms do not address the nuances of modern phishing attacks.

Gone are the days of Nigerian princes or overt scams. Today's attacks are sophisticated in their design, often impossible to distinguish from genuine correspondence, and exploit the human factors under which our organisations operate. To protect against them, a comprehensive, broad approach is not just a recommendation but a necessity.

You’ve got mail: The new face of phishing

One of the most concerning trends is the emergence of multi-channel phishing.

Cyber attackers now use sophisticated campaigns that use various communication methods, including emails, text messages, phone calls, and direct messages on collaboration platforms such as Microsoft Teams or Google Meet.

This multi-faceted approach significantly increases the likelihood of success. It takes advantage of the human tendency to lower one's guard when the same message arrives repeatedly across multiple channels, and of the inherited trust people place in the systems they use every day to communicate with colleagues.

Our Cyber Incident Response Team recently assisted a financial services company that was the victim of a spear-phishing attack targeting its finance director.

The initial email, which appeared to originate from a key supplier, addressed an overdue payment that the company was indeed expecting.

After the initial email, the attacker sent a direct message via Microsoft Teams, followed by a meeting invitation highlighting the subject to be discussed.

Despite having undergone regular security training, the finance director inadvertently attempted to join the meeting using the “Join” button in Microsoft Teams Calendar.

This led to the familiar Microsoft 365 login experience combined with completing MFA.

After joining the meeting, the director was informed that the meeting creator was having trouble with their webcam and requested to reschedule.

Before the meeting concluded, the attacker successfully gained control of the email account and accessed numerous internal financial applications via single sign-on.

This incident underscores a fundamental vulnerability in many organisations’ defence strategies: an overreliance on perimeter and email security alone.

While these elements are essential, they are insufficient to counter the sophistication observed in contemporary cyber-attacks.

The Human Element: Your Greatest Vulnerability and Strongest Asset

Viewing employees as the weakest layer in your security chain can be tempting. After all, a human click or decision often leads to a breach. However, when adequately trained and empowered, your workforce can be your most effective defence against this new world of hybrid phishing.

Organisations can notably decrease their susceptibility to modern tactics by adopting several essential strategies:

  • Continuous and Contextual Security Awareness Training: The days of relying solely on an annual simulated phishing campaign and token webinar are over. The most resilient organisations I work with have developed training plans that adapt to the latest threats. These plans teach employees to recognise suspicious behaviours and provide context on why they are dangerous and how they relate to broader attack strategies.
  • Encouragement of a No-Blame Reporting Culture: Fear of punishment often leads employees to hide mistakes, giving attackers more time to exploit a breach. I always advise clients to create easy, anonymous reporting channels and recognise employees who report suspicious activity, even if it turns out benign. This approach fosters vigilance without breeding anxiety.
  • Integration of Security into Daily Workflows: The most effective security measures are those that become second nature. I’ve helped companies implement second chances and checkpoints within their regular processes. For instance, when an employee is about to click a link, a quick prompt asks, “Are you sure?” This small friction point can make a world of difference.

Advanced Strategies for Phishing Resistance

While a strong human firewall is crucial, it must be complemented by technical controls through a defence-in-depth approach. Here are some strategies I’ve seen yield significant reductions in risk and the number of incidents needing advanced forensics or investigations:

  • AI-Driven Email Detection and Web Filtering: Machine learning algorithms can analyse message patterns, sender behaviour, and content at a scale and speed humans can't match. These systems can spot anomalies and behaviours that might indicate a phishing attempt, even if the message comes from a trusted partner or customer. As we all know, AI, Large Language Models (LLM), and Machine Learning (ML) are still prone to mistakes and false positives, so alerts must be triaged by a specialist team that will tune and filter out the noise for your staff.
  • Multi-Factor Authentication (MFA): Basic MFA is no longer enough. Sophisticated attackers have found ways to bypass traditional two-factor authentication, such as that used in Microsoft Security Defaults. We recommend adaptive MFA systems that consider context – like device, location, and behaviour patterns – before granting access to company resources.
  • Zero-Trust Architecture: This approach assumes no user or device is inherently trusted, regardless of location or network. Often, this approach results in a much simpler user experience, as it can integrate with SSO, making it easy for staff to work from anywhere while ensuring that network communication is thoroughly assessed, significantly reducing the damage a compromised account can inflict.
  • Threat Intelligence Integration: By tapping into global threat feeds and sharing data across industries, organisations can anticipate emerging phishing tactics and quickly adapt their defences.
  • Provide staff with access to specialist threat hunters: While AI tools are useful, nothing compares to a seasoned SOC analyst with the tools and experience to triage and remediate a sophisticated threat.

Measuring Success: Beyond Click-Through Rates

One common mistake I see is organisations relying solely on phishing simulation click-through rates to measure the effectiveness of their anti-phishing programs.

While phishing simulation click-through rates have their place, they don’t tell the whole story. I advise clients to consider a more holistic set of metrics that provide a comprehensive evaluation of their anti-phishing programs:

  • Time-to-Report (TTR): How quickly do employees report suspicious emails? A decreasing TTR indicates growing awareness and vigilance.
  • Incident Escalation and Response Times: How swiftly does your IT or security team react to reported threats? Rapid response can be the difference between a close call and having to call in a specialist Cyber Incident Response Team.
  • Impact of Potential Compromise: How far can an attacker move within your network if an account is compromised? The compromise could happen through a stolen session token, as seen with cloud applications, or by gaining access to a work laptop. Working through this as a tabletop exercise will show how effective your internal segmentation and access controls really are.
  • User Engagement with Security Tools: Are employees actively using the reporting tools and resources you’ve provided? High engagement often correlates with increased resilience.
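The "impact of potential compromise" tabletop can be made concrete with a small access model. The example below is added here and is not from the article or the incident it describes: the access graph, gate names and scenarios are all constructed. Each hop is either free once the attacker holds the source, or gated behind a control (step-up MFA, a managed device) that a stolen session token alone cannot satisfy; the script reports what each compromise scenario can reach.

```python
from collections import deque

# Constructed access model for a tabletop exercise (not data from the article).
# node -> list of (reachable_node, gate). gate=None means the hop is free once the
# attacker holds the source node; otherwise the attacker must hold that capability.
ACCESS_MODEL = {
    "user_account": [("m365_session", None)],
    "m365_session": [("mailbox", None), ("teams", None), ("sso_portal", None)],
    "mailbox": [("supplier_password_resets", None)],
    "sso_portal": [("erp", None), ("payments", "step_up_mfa"),
                   ("hr_system", "managed_device")],
    "payments": [("bank_portal", "step_up_mfa")],
    "erp": [("finance_reports", None)],
    "teams": [], "hr_system": [], "bank_portal": [],
    "finance_reports": [], "supplier_password_resets": [],
}

# Hypothetical scenarios: which capabilities the attacker holds at the start.
SCENARIOS = {
    "stolen session token": frozenset(),  # only the session, no trusted device
    "stolen managed laptop": frozenset({"managed_device"}),
    "no step-up controls": frozenset({"step_up_mfa", "managed_device"}),
}


def blast_radius(model, start, capabilities=frozenset()):
    """Breadth-first walk from a compromised `start` node, crossing only hops
    that are ungated or whose gate the attacker can satisfy. Returns all nodes
    reached, including `start`."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for target, gate in model.get(node, []):
            if (gate is None or gate in capabilities) and target not in seen:
                seen.add(target)
                queue.append(target)
    return seen


def tabletop(model, start, scenarios):
    """Run every scenario and return {name: sorted list of resources reached
    beyond the starting point} so results are stable and comparable."""
    return {name: sorted(blast_radius(model, start, caps) - {start})
            for name, caps in scenarios.items()}


if __name__ == "__main__":
    for name, reached in tabletop(ACCESS_MODEL, "m365_session", SCENARIOS).items():
        print(f"{name}: {len(reached)} resources -> {', '.join(reached)}")
```

Adding a gate to an edge and re-running shows directly how much a single control shrinks the blast radius, which is the question the metric is meant to answer.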

The Road Ahead: Emerging Threats and Preparedness

As we look to the future, several emerging attack patterns demand our attention:

  • AI-Driven Impersonation: We already see deepfake audio and video integrated into phishing attacks. Imagine receiving a voicemail from your “CEO” requesting an urgent wire transfer. The technology to make this convincing is already here.
  • Supply Chain and Third-Party Exploits: Attackers are increasingly targeting smaller vendors or partners to gain access to larger enterprises. Your security is only as strong as your weakest link – which might not even be within your organisation.
  • Collaboration Platform Attacks: As more work shifts to tools like Slack and Microsoft Teams, expect to see more sophisticated phishing attempts leveraging these platforms.

To prepare for these threats, organisations need to think beyond traditional security boundaries. This includes:

  • Implementing additional identity verification steps for high-value requests, such as quick video calls or the use of code words.
  • Conducting third-party security assessments and requiring industry-standard certifications from vendors and suppliers.
  • Extending security controls and anomaly detection to collaboration platforms, not just email.

The Human Touch in a Digital Battle

With the evolution and advancement of AI technologies, and as we deploy increasingly sophisticated technical defences, it’s crucial not to lose sight of the human element. The most resilient organisations I’ve worked with have created a culture where security is everyone’s responsibility—not in a burdensome way but as a shared mission.

They achieve this through:

  • Leadership by Example: When executives and managers demonstrate good security habits, this sets a powerful precedent.
  • Reward and Recognition Programs: Small tokens of appreciation for employees who consistently identify suspicious activity can go a long way in maintaining vigilance.
  • Regular “Ask Me Anything” Sessions: Open forums where employees can raise security concerns or questions help demystify cybersecurity and keep it front of mind.

The fight against phishing and modern threats involves more than just technology; it centres around people. Fostering an environment where employees feel empowered to question, verify, and report suspicious activities without fear is essential. Security should be viewed not as a hindrance but as a shared responsibility protecting the company and each individual’s professional and personal life.

Final Thoughts: A Call to Action

As we face an increasingly complex threat landscape, the organisations that will thrive are those that can adapt quickly, foster a security-conscious culture, and leverage both human insight and technological innovation.

The path forward isn’t about solving all your phishing problems. It’s about creating a multi-layered defence that’s as agile and innovative as the threats it faces. It’s about empowering people, refining processes, and leveraging technology creatively.

About the Author: David Pitre

David co-founded CSIQ, where he spearheads product development, technical innovation, integration, and automation—ensuring every engagement exceeds the highest standards.

As a Chartered Cyber Security Consultant (ChCSP) and NCSC Assured Cyber Advisor, he brings a deep passion for all things cyber, underpinned by extensive public and private experience.

Leveraging his IT engineering and cyber security background, David has successfully consulted, supported, and implemented technological solutions that empower businesses to thrive.

Beyond his professional endeavours, he relishes time with family, travelling, participating in charity walks, and savouring the great outdoors—particularly through his interest in viticulture.

David Pitre

Cyber Security Consultant