{"id":2472,"date":"2025-03-25T06:00:00","date_gmt":"2025-03-25T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2472"},"modified":"2025-03-25T06:00:00","modified_gmt":"2025-03-25T06:00:00","slug":"11-ways-cybercriminals-are-making-phishing-more-potent-than-ever","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2472","title":{"rendered":"11 ways cybercriminals are making phishing more potent than ever"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Phishing has long been a primary source for security breaches \u2014 a major issue that, despite years of <a href=\"https:\/\/www.csoonline.com\/article\/3604803\/security-awareness-training-topics-best-practices-costs-free-options.html\">security awareness training<\/a>, remains a <a href=\"https:\/\/www.csoonline.com\/article\/3801010\/phishing-click-rates-tripled-in-2024-despite-user-training.html\">top cybersecurity concern today<\/a>.<\/p>\n<p>But thanks to refinements of tactics alongside malign repurposing of AI technologies, the longstanding social engineering technique continues to evolve, and cybercriminals are finding new ways to try to trick users into clicking on bad links. 
The game\u2019s (essentially) the same; it just got more fierce.<\/p>\n<p>Attackers no longer just copy logos and spoof domains; they hijack legitimate email threads, embed malicious links in ongoing conversations, and even use compromised business emails to make their <a href=\"https:\/\/www.csoonline.com\/article\/514515\/what-is-phishing-examples-types-and-techniques.html\">phishing<\/a> attempts look more authentic.<\/p>\n<p>AI technologies enable phishing campaigns to be deployed more quickly and easily than ever before, while facilitating perfect spelling and grammar along with a range of manipulation tactics, such as implied urgency or exploiting information already shared online to increase relevance.<\/p>\n<p>CSO polled experts to pick out key tactical changes cybercriminals are employing to evolve their phishing techniques \u2014 and how these techniques help make phishing more targeted and effective. CISOs and cyber teams would be wise to incorporate this knowledge, and test scenarios where possible, in their training programs.<\/p>\n<h2 class=\"wp-block-heading\">They\u2019re getting clever with generative AI<\/h2>\n<p>Attackers are increasingly using generative AI to mimic writing styles, avoid traditional phishing red flags, and even personalize fraudulent emails based on publicly available data.<\/p>\n<p>\u201cGen AI is now being used to write more \u2018compelling\u2019 and lucrative phishing emails,\u201d says Kevin Curran, IEEE senior member and professor of cybersecurity at the UK\u2019s Ulster University. 
\u201cWith one of its key features being the ability to generate responses in real-time based on a user\u2019s input, it is now being deployed in scam situations where people are tricked into thinking they are communicating with an actual person.\u201d<\/p>\n<p>For example, WormGPT has the power of a large language model (LLM) behind it, enabling emails to be sent without the mistakes so long associated with phishing scams.<\/p>\n<p><a href=\"https:\/\/abnormalsecurity.com\/blog\/ghostgpt-uncensored-ai-chatbot\">GhostGPT<\/a> \u2014 another cybercrime-orientated AI chatbot \u2014 has been used to create polished spearphishing emails, including fake DocuSign requests, with near-perfect mimicry of legitimate brand communications.<\/p>\n<p>Recently, LLMs have also been used to auto-generate fake landing pages.<\/p>\n<p>\u201cGenerative AI is most frequently used to quickly generate thousands of unique, native-language lures,\u201d says Allan Liska, a threat intelligence analyst at Recorded Future. \u201cIn this way, the sophisticated tech is exploited to create huge volumes of scam emails that seem legitimate, because the language appears more authentic and less suspicious.\u201d<\/p>\n<p>Liska adds: \u201cIt can make phishing emails harder to detect and CSOs may want to look at educating employees and building resilience by safely simulating these types of attacks.\u201d<\/p>\n<h2 class=\"wp-block-heading\">They\u2019re luring with voice and video<\/h2>\n<p>Bad actors are also exploiting AI\u2019s ability to clone voices and likenesses from audio and video clips or images found online.<\/p>\n<p>Combined with tools that mimic caller ID, cybercriminals can fool targets by calling them and purporting to be a family member, friend, or work colleague seeking urgent assistance. 
Such calls can convincingly impersonate a trusted person\u2019s voice and mannerisms.<\/p>\n<p>\u201cThese technologies are already being widely used by attackers \u2014 coupled with cybercriminals becoming better educated and more comfortable with using AI, we can expect to see more innovative uses of AI to power cyberattacks in the near future,\u201d says Niall McConachie, regional director for UK &amp; Ireland at authentication vendor Yubico.<\/p>\n<p>AI is also allowing cybercriminals to create increasingly sophisticated voice and video deepfakes that can facilitate phishing attempts. For example, the Hong Kong subsidiary of engineering firm Arup was defrauded of $25.6 million after a finance worker was <a href=\"https:\/\/edition.cnn.com\/2024\/05\/16\/tech\/arup-deepfake-scam-loss-hong-kong-intl-hnk\/index.html\">tricked into transferring funds following a video conference call starring a deepfaked \u201cchief finance officer.\u201d<\/a><\/p>\n<h2 class=\"wp-block-heading\">They\u2019re resurrecting fake \u2018threads\u2019 and reply chains<\/h2>\n<p>\u201cZombie\u201d email threads \u2014 chains resurrected by cybercriminals after hijacking a victim\u2019s inbox \u2014 are nothing new, but they are likely to become increasingly believable with the support of generative AI.<\/p>\n<p>\u201cPreviously, these types of emails would be more recognizable as the tone of voice or context would seem \u2018off\u2019 in comparison to an authentic email from the sender they\u2019re imitating,\u201d says Lucy Finlay, director of secure behaviour and analytics at security awareness firm ThinkCyber Security. 
\u201cGen AI would make it much easier to skim the previous chain and generate the phishing email using the right tone of voice, making it a much more believable lure.\u201d<\/p>\n<h2 class=\"wp-block-heading\">They\u2019re running ClickFix attacks to dupe the PowerShell naive<\/h2>\n<p>ClickFix attacks involve sending emails with links to malicious websites which, when visited, prompt the victim to open the Run dialog box and copy-paste in a line of SQL to execute on their machine, often under the guise of fixing the problem that the original email was based on.<\/p>\n<p>\u201cIn the past six months, the new so-called ClickFix social engineering technique has been increasingly used by threat actors as part of their phishing campaigns,\u201d says Hannah Baumgaertner, head of research at threat intel vendor Silobreaker.<\/p>\n<p>The technique involves various lures to convince a user to <a href=\"https:\/\/www.csoonline.com\/article\/3610611\/rising-clickfix-malware-distribution-trick-puts-powershell-it-policies-on-notice.html\">paste a PowerShell script into the Run command<\/a>, resulting in a malware infection. Malware observed being delivered using this technique includes Lumma Stealer, StealC, NetSupport, and others.<\/p>\n<p>While the technique itself is relatively new, the lures are quite commonplace, including phishing emails about invoices, documents to be signed, or fake CAPTCHAs.<\/p>\n<h2 class=\"wp-block-heading\">They\u2019re impersonating trusted brands more convincingly<\/h2>\n<p>Brand impersonation continues to be a favored method to trick users into opening a malicious file or entering their details on a phishing site. 
Threat actors typically impersonate major brands, including document sharing platforms such as Microsoft\u2019s OneDrive and SharePoint, and, increasingly frequently, DocuSign.<\/p>\n<p>Attackers exploit employees\u2019 inherent trust in commonly used applications by spoofing their branding before tricking recipients into entering credentials or approving fraudulent document requests.<\/p>\n<p>For example, email security firm Abnormal Security reports an <a href=\"https:\/\/abnormalsecurity.com\/repo\/abnormal-attacks\/adfs-under-siege-how-attackers-bypass-mfa-for-account-takeover\">ongoing phishing campaign that targets organizations that rely on federated authentication systems<\/a>, using spoofed Microsoft Active Directory Federation Services (ADFS) login pages to harvest credentials and bypass multi-factor authentication.<\/p>\n<p>\u201cIn this campaign, attackers exploit the trusted environment and familiar design of ADFS sign-in pages to trick users into submitting their credentials and second-factor authentication details,\u201d says Piotr Wojtyla, head of threat intelligence at Abnormal Security. 
\u201cThe success of these attacks is driven by highly convincing phishing techniques, including spoofed sender addresses, legitimate branding, and URL obfuscation.\u201d<\/p>\n<p>Victims are often deceived into viewing, downloading, or signing fake documents, such as invoices, and are prompted to enter personal information, which is then stolen by the attackers.<\/p>\n<p>Richard LaTulip, field CISO at Recorded Future, adds: \u201cThese types of attacks are evolving with more sophisticated domain impersonations, including lookalike domains and homoglyph attacks that evade traditional email filters.\u201d<\/p>\n<h2 class=\"wp-block-heading\">They\u2019re abusing trusted services<\/h2>\n<p>Another significant phishing evolution involves abusing trusted services and content delivery platforms.<\/p>\n<p>Attackers are increasingly using legitimate document-signing and file-hosting services to distribute phishing lures. They first upload malicious content to a reputable provider, then craft phishing emails or messages that reference these trusted services and content delivery platforms.<\/p>\n<p>\u201cSince these services host the attacker\u2019s content, vigilant users who check URLs before clicking may still be misled, as the links appear to belong to legitimate and well-known platforms,\u201d warns Greg Linares, principal threat intelligence analyst at managed detection and response vendor Huntress. 
\u201cBy leveraging these trusted providers, attackers ensure that victims unknowingly download malicious files while also bypassing allowlist and reputation-based security systems that would otherwise block their phishing attempts.\u201d<\/p>\n<h2 class=\"wp-block-heading\">They\u2019re cuing up QR codes<\/h2>\n<p>An increasing number of cybercriminals are leveraging the popularity of QR codes to carry out QR code-based phishing attacks.<\/p>\n<p>The <a href=\"https:\/\/www.csoonline.com\/article\/1248084\/the-alarming-rise-of-quishing-is-a-red-flag-for-cisos.html\">rise of \u201cquishing\u201d (QR code phishing)<\/a> is a direct response to improved email security. Attackers know that traditional phishing links get flagged by filters, so they\u2019ve shifted to pushing malicious QR codes, as a way to bypass email security filters.<\/p>\n<p>Attackers can embed malicious QR codes in emails and disguise them as multi-factor authentication (MFA) prompts, delivery notifications, or corporate login requests. These codes can often lead to credential-harvesting sites that closely mimic legitimate portals.<\/p>\n<p>\u201cWith QR codes becoming more and more common for marketing, authentication, and business transactions, users are more likely to trust them,\u201d says Abnormal Security\u2019s Wojtyla. \u201cWe found that 17% of all attacks that bypass native spam filters now use QR codes, with credential phishing making up 89% of these cases.\u201d<\/p>\n<p>Richard Bullock, head of cybersecurity at managed services firm razorblue, adds, \u201cWe\u2019ve also seen QR codes being used in \u2018multi-stage phishing\u2019, where the first scan directs users to what looks like a legitimate page, but after a delay \u2014 or after verifying a user\u2019s device type \u2014 they get redirected to a credential-harvesting site. 
Since mobile devices often lack the same security oversight as corporate desktops, this method is proving highly effective.\u201d<\/p>\n<p>Chester Wisniewski, director and global field CISO at cybersecurity vendor Sophos, predicted that quishing may only be a temporary trend as security services get wise to the trick, potentially forcing cybercriminals to switch up their tactics.<\/p>\n<p>\u201cMany email services were not inspecting QR codes that were embedded in PDF or Office documents, but now that they are, the efficacy of this method to bypass URI filtering should have diminished its effectiveness,\u201d Wisniewski tells CSO. \u201cWe have also started seeing abuse of SVG [Scalable Vector Graphics] files, another oft-neglected format, so SVG could be the new QR if there is a shift.\u201d<\/p>\n<p>Attackers have also been seen <a href=\"https:\/\/www.csoonline.com\/article\/3557585\/attackers-are-using-qr-codes-sneakily-crafted-in-ascii-and-blob-urls-in-phishing-emails.html\">using QR codes sneakily crafted in ASCII<\/a> in phishing emails.<\/p>\n<h2 class=\"wp-block-heading\">They\u2019re leaning on images to bypass security filters<\/h2>\n<p>Image-based phishing is becoming more complex. For example, fraudsters are crafting images to look like text-based emails to improve their apparent authenticity, while still bypassing conventional email filters.<\/p>\n<p>Recorded Future\u2019s LaTulip comments: \u201cThis type of attack is an evolution of the more traditional, text-based phishing and is the criminals\u2019 response to advances in email security filters. Embedded images are used to bypass the email filters, with the image used to disguise malicious content or links.\u201d<\/p>\n<p>Clicking these images leads unsuspecting employees to either credential-harvesting or exploit-loaded websites.<\/p>\n<p>\u201cCriminals may also continually edit and adapt images by changing colors or size,\u201d LaTulip says. 
\u201cThis is often done to keep an image fresh, so that it increases its chances of avoiding detection.\u201d<\/p>\n<h2 class=\"wp-block-heading\">They\u2019re using Russian fronts<\/h2>\n<p>KnowBe4 reports a <a href=\"https:\/\/blog.knowbe4.com\/98-spike-in-phishing-campaigns-leveraging-russian-.ru-domains\">surge in phishing campaigns leveraging Russian (.ru) top-level domains<\/a> from December 2024 to January 2025.<\/p>\n<p>The KnowBe4 Threat Research team noted a 98% rise in these phishing campaigns, which are primarily aimed at credential harvesting.<\/p>\n<p>Some Russian .ru domains are run by so-called \u201cbullet-proof\u201d hosting providers, outfits known to keep malicious domains running and ignore abuse reports against sites run by their cybercriminal customers.<\/p>\n<h2 class=\"wp-block-heading\">They\u2019re supercharging intel gathering<\/h2>\n<p>On the dark web and hacker forums, AI-assisted toolsets have become increasingly common.<\/p>\n<p>\u201cThese tools can scrape social media posts and even identify a user\u2019s exact geolocation through images and posts \u2014 an increasingly prevalent tactic,\u201d Huntress\u2019 Linares says.<\/p>\n<p>Other intelligence-gathering tools focus on organizations rather than individuals. 
These can scrape LinkedIn, recruitment sites, DNS records, web hosting services, and third-party service providers to uncover valuable insights about a company\u2019s infrastructure, software stacks, internal tools, employees, office locations, and other potential targets for social engineering or cyberattacks.<\/p>\n<p>Sophisticated attackers are also repurposing legitimate marketing tools and platforms to identify prime opportunities for SEO hijacking and phishing attacks, maximizing the reach and effectiveness of scams.<\/p>\n<h2 class=\"wp-block-heading\">They\u2019re professionalizing with PhaaS<\/h2>\n<p>Phishing-as-a-service (<a href=\"https:\/\/blog.barracuda.com\/2024\/12\/04\/threat-spotlight-phishing-techniques-2025\">PhaaS) kits are expected to account for half (50%) of credential theft attacks in 2025, up from 30% in 2024<\/a>, according to cybersecurity vendor Barracuda.<\/p>\n<p>Barracuda predicts these platforms are evolving to include features that allow cybercriminals to steal multi-factor authentication (MFA) codes and employ more advanced evasion techniques, such as the use of QR-based payloads.<\/p>\n<p>PhaaS platforms offer a subscription-based suite of tools and services, including dashboards and stolen credential storage, that facilitate phishing attacks. These cybercrime-enabling toolkits are sold through Telegram, dark web forums, and underground marketplaces. 
<a href=\"https:\/\/adarma.com\/blog\/cyber-insiders-phising-as-a-service\/\">Subscriptions cost from $350 per month<\/a>, according to cyber threat management firm Adarma.<\/p>\n<p>The most widely-used such platform \u2014 Tycoon 2FA \u2014 blamed by Barracuda for 89% of observed PhaaS incidents harnesses encrypted scripts and invisible Unicode characters to evade detection, steal credentials, and exfiltrate data via Telegram.<\/p>\n<p>Built for adversary-in-the-middle attacks, Sneaky 2FA abuses Microsoft 365\u2019s \u2018autograb\u2019 feature to pre-populate fake login pages, filtering out non-targets and bypassing 2FA, as explained in a recent <a href=\"https:\/\/blog.barracuda.com\/2025\/03\/19\/threat-spotlight-phishing-as-a-service-fast-evolving-threat\">technical blog post<\/a> by Barracuda.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Phishing has long been a primary source for security breaches \u2014 a major issue that, despite years of security awareness training, remains a top cybersecurity concern today. 
But thanks to refinements of tactics alongside malign repurposing of AI technologies, the longstanding social engineering technique continues to evolve, and cybercriminals are finding new ways to try [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2473,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2472","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2472"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2472"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2472\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2473"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2472"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2472"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2472"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}