
Updating phishing defences

If one thing is certain in cyber-crime, it’s that attackers will continue to enhance their techniques.

 

For companies, each new headline can be anxiety-inducing. In April, for example, a zero-day vulnerability affecting Microsoft SharePoint was found to be under active exploitation in the wild, with unauthenticated remote attackers performing spoofing attacks over networks.

 

Novel threats like this are emerging all the time, with malicious actors consistently expanding their arsenals. Yet despite all the growing complexity in cyber-crime, it is often those same age-old tactics that continue to catch most victims out.

 

According to the FBI, phishing remains responsible for more than a quarter (26%) of all cyber-crime complaints, with many modern threat actors focused on fine-tuning targeted social engineering campaigns.

 

Kaseya’s new 2026 INKY Email Security Report shows just how quickly the landscape is evolving. Based on over 4.5 billion processed emails, it reveals a whopping 274% year-over-year increase in phishing-related losses, rising from $18.7 billion to $70 billion.

 

Why the continued focus on phishing?

It might seem strange that highly sophisticated criminal groups and state-backed actors are still so heavily reliant on a tactic that is best associated with typo-ridden emails. However, the fact is that today, phishing has become increasingly difficult to detect, both for individuals and for the security tools they rely on.

 

With cyber-security having improved exponentially in recent years, many threat actors have given up on trying to hack into systems and are now focused on exploiting trust and human decision-making.

 

Business emails are a primary target, with the average loss per business email compromise (BEC) incident being $129,193. In these campaigns, threat actors impersonate executives, vendors or partners, and generally attempt to manipulate or exploit those involved in financial workflows – from payroll changes to wire transfers and invoice payments.

 

The motivation for cyber-criminals is often financial gain, and so the focus on BEC makes sense: it’s a proven and cost-effective method that enables threat actors to go after financial targets directly.

 

Brand impersonation is a growing concern

BEC or otherwise, impersonation has become one of the most effective phishing delivery mechanisms, with threat actors regularly working to mimic well-known brands in an effort to trick their victims into believing that they’re receiving a legitimate email.

 

In our analysis of 4.5 billion emails, we found that 281 unique brands were impersonated, with Microsoft, Docusign, Amazon, Intuit, LinkedIn, Costco and Apple among the most common.

 

Brand impersonation works because it exploits trust. By using AI to craft emails that look legitimate, threat actors know they’ll be more likely to succeed in tricking their potential victims. When an email appears to be from a known brand or partner, it will naturally be subject to less scrutiny.

 

Impersonation becomes particularly dangerous when it’s used in combination with BEC. In these cases, the attacker isn’t introducing anything new. They simply step into an existing, trusted role and ask for something that looks routine. At that point, a payment request is much less likely to feel suspicious, which is exactly why it works.

 

AI is reshaping the phishing threat

The threat of impersonation is also being exacerbated by generative AI.

 

Historically, crafting highly convincing, precision phishing campaigns that emulate a brand’s or an individual’s communications was a time-consuming process. However, with AI, tailored invoice phishing, voicemail phishing and fraudulent payment requests can be crafted at speed and scale.

 

The traditional signs such as bad grammar, suspicious domains and obvious links are also disappearing, with threat actors able to use AI to craft their messaging and translate it into various languages.

 

Threat actors are also expanding how phishing is delivered, moving away from suspicious attachments or links and towards fake ‘verification’ requests and QR codes. We’ve also seen instances of cyber-criminals abusing trusted services such as Microsoft Teams or calendar attachments to reach their victims.

 

Organisations must change with criminals

With strong financial motivations and ever-advancing, AI-backed toolkits behind them, modern phishing campaigns have become highly targeted, tailored and contextualised, and can be generated quickly and used at scale.

 

For organisations, it’s a real challenge. The chances of being caught out are increasing.

 

Therefore, it is vital that firms embrace the technologies capable of helping them to heighten their defences, from behavioural intent modelling to sender communication pattern analysis, computer vision-based rendering consistency, and multi-signal classification across message attributes.

 

Combatting modern phishing efforts depends not just on being able to identify anomalies, but also on determining whether messages align with expected behavioural patterns.

 

Where attackers use AI to generate variation, detection must model deviation. Where surface indicators disappear, analysis must shift toward intent. As phishing methods become ever more sophisticated, this in-depth form of threat identification and analysis will become increasingly important. 
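The multi-signal idea above, as an added example that is not from the article or from any Kaseya product: a payment request is treated as routine unless the sender's identity also deviates from what has been seen before. The brand-to-domain map, intent phrases, signal names and sample messages are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Two brands named in the article; the domains listed are assumed legitimate here.
BRAND_DOMAINS = {"microsoft": {"microsoft.com"}, "docusign": {"docusign.com", "docusign.net"}}
# Assumed phrases for the financial workflows the article mentions.
INTENT = re.compile(r"\b(wire transfer|invoice|payroll|bank details|payment)\b", re.I)

@dataclass
class Message:
    display_name: str
    from_addr: str
    reply_to: str
    body: str

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def signals(msg, known_senders):
    """known_senders maps a lowercased display name to domains it has used before."""
    fired = set()
    dom, name = domain(msg.from_addr), msg.display_name.lower()
    for brand, legit in BRAND_DOMAINS.items():
        if brand in name and not any(dom == d or dom.endswith("." + d) for d in legit):
            fired.add("brand_domain_mismatch")
    history = known_senders.get(name)
    if history is not None and dom not in history:
        fired.add("sender_deviation")      # familiar name, unfamiliar domain
    if msg.reply_to and domain(msg.reply_to) != dom:
        fired.add("reply_to_mismatch")     # replies would leave the sending domain
    if INTENT.search(msg.body):
        fired.add("payment_intent")
    return fired

def verdict(fired):
    # Intent alone is ordinary business mail; it escalates only with an identity anomaly.
    identity = fired - {"payment_intent"}
    if "payment_intent" in fired and identity:
        return "quarantine"
    return "review" if identity else "deliver"

# Constructed sample data using reserved example/test domains.
HISTORY = {"jane doe (cfo)": {"example.com"}}
SAMPLES = [
    Message("Jane Doe (CFO)", "jane.doe@example.com", "", "Please pay the attached invoice."),
    Message("Jane Doe (CFO)", "jane.doe@examp1e-mail.test", "", "Urgent wire transfer needed today."),
    Message("Microsoft Account Team", "noreply@ms-verify.test", "help@other.test", "Verify your account."),
]
```

The first and second messages carry the same kind of request and differ only in whether the sender matches history, which is the deviation the verdict keys on.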

 


 

Dave Baggett is SVP of Security Suite at Kaseya

 

Main image courtesy of iStockPhoto.com and Just_Super



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543