The evolution of phishing attacks and how to protect against them
By Kiana Seitz
December 10, 2024
Estimated reading time: 7 minutes.

As more people and businesses move to the digital world as their main way of communicating, doing business and meeting others, phishing attacks will remain prevalent. Data from a recent survey found that 45 million high-risk email threats were detected by Microsoft 365 and Google Workspace security in 2023; malicious and phishing URLs accounted for more than 26.5 million of them. According to Proofpoint's 2024 State of the Phish, successful phishing attacks declined slightly (66% of surveyed organizations in Canada experienced at least one successful attack in 2023, versus 82% the previous year), but the consequences have soared, with a 326% increase in reports of financial penalties such as regulatory fines.

Phishing is one of the most commonly reported causes of security breaches worldwide, which makes it a persistent and evolving threat. It gives attackers a way to capture sensitive data with a single click on a link or a reply to an email. Phishing is a core component of modern cyberattacks that every business must understand. This article covers the evolution of phishing attacks, the types of phishing scams that put your personal and business data at risk, and, most importantly, what you can do about it.

What is phishing? Understanding the basics

Phishing is a type of cyberattack in which attackers impersonate legitimate entities to trick people into handing over sensitive information or taking an action such as clicking a link, opening an attachment or approving a payment. The information sought is most often passwords, personal identification information and financial data. Phishing is hard to pin down because it takes a wide range of forms, which creates multiple attack opportunities and makes it difficult for victims to recognize what is happening.
Common types of phishing scams include:

Email phishing: The most common type. Attackers send emails that appear to come from a reputable source, such as a bank, and that contain links to credential-harvesting pages or malicious attachments.
Smishing (SMS phishing): The same lure delivered by text message, usually impersonating a legitimate company such as a bank or delivery service.
Vishing (voice phishing): Phone calls or voicemails, often threatening, in which the caller impersonates an organization and presses the target to act immediately, for example by making a payment or reading out a one-time code.
Whale phishing (whaling): Attacks aimed at senior executives or other high-value targets, tailored with details about their role and contacts.
Angler phishing: The attacker poses as a company's customer service account on social media and uses direct messages to extract account details from people who have complained publicly.
Clone phishing: The attacker copies a legitimate email the victim has already received and resends it with the links or attachments swapped for malicious ones, often presented as a corrected or updated version.
Social media phishing: Any phishing conducted on social media, including direct messages, comments and outright fake pages.

Phishing persists because it works, and readily available tooling lets attackers produce convincing, well-targeted and intimidating lures more easily than ever. Education is therefore the foundation of any defence.

The evolution of phishing attacks

Where did this start, and how has it progressed? Here is how phishing has evolved over the last few decades.

Early phishing tactics

Phishing emerged in the mid-1990s, when dial-up internet connections were the only option. Attackers posed as ISP administrators, using fake screen names to talk users into revealing their login and billing details. With a hijacked account they could send further lures to everyone in the victim's contact list and expand their reach.
In May 2000 the Love Bug (ILOVEYOU) worm hit, infecting an estimated 45 million Windows PCs. The email's subject line was "ILOVEYOU" and its body read: "kindly check the attached LOVELETTER coming from me." The attachment was a Visual Basic script disguised as a text file. Opening it overwrote files on the victim's machine and mailed a copy of the worm to every address in the victim's Outlook address book, which is why it spread so fast and kept reinfecting systems that had been cleaned. It showed would-be attackers how readily people open something that looks personal.

At first, phishing emails came from "banks" or "online services" with simple, generic wording. Once anti-virus and spam filters caught up with those crude lures, the lures evolved.

Spearphishing and targeted attacks

More advanced techniques emerged over the following years, bringing personalized attacks. These were targeted rather than generic: messages were crafted for specific organizations and individuals. In 2013, for example, attackers breached the retailer Target, exposing roughly 40 million payment card records and the personal details of tens of millions more shoppers. The intrusion reportedly began with credentials stolen from a third-party vendor through a phishing email, which were then used to plant malware on Target's point-of-sale systems. A breach at MySpace believed to date from the same year, and disclosed in 2016, exposed about 360 million account records, including weakly hashed passwords. Credential sets like these are reused for years afterwards in account takeovers and as bait in follow-on phishing.

Social engineering and psychological manipulation

Consumers learned, and companies adopted new controls, but as cybercriminals always do, the attackers adapted again, becoming more sophisticated and aggressive. Social engineering and psychological manipulation are the most effective of these advanced techniques. They exploit human emotions, above all urgency, fear and trust, to get the desired response. Often the impersonation of a legitimate entity is good enough that the target willingly hands over personal information or clicks a link.
These threats often took the form of fake emails from a CEO demanding an immediate payment transfer, worrying enough that victims complied; this pattern is now known as business email compromise (BEC). By combining fear with trust, cybercriminals exploited an even larger group of people.

The role of technology in modern phishing

Phishing continues to evolve, and today's threats use more technology than ever. Each evolution brings new risks. Modern threats include:

AI-generated phishing emails that use natural language models to produce realistic, fluent messages, free of the spelling and grammar mistakes that used to give phishing away, and even imitating a specific person's style.
Look-alike websites on domains that differ from the real one by a single character, or that use confusable Unicode characters, served over HTTPS with a valid certificate. The padlock icon therefore no longer distinguishes real from fake: a certificate proves only that the site controls the domain in the address bar, not that the domain belongs to the brand it imitates.
SMS phishing that consumers readily interact with. The messages may be highly specific or deliberately vague, and either way they get clicks.
Voice phishing with realistic, sometimes AI-cloned, voices that can be dialled to thousands of people in minutes.

As phishing adapts, it moves onto new platforms, including social media, messaging apps, websites and blogs, to find victims.

How phishing attacks are impacting individuals and organizations

In the past a virus could stop a computer from working and anti-virus software could put things right. Today the consequences of a successful phish are broader and keep getting worse. Consider how individuals and organizations are affected by these scams and their long-term implications.

Financial losses: IBM's Cost of a Data Breach report found that the global average cost of a data breach reached $4.88 million in 2024, up 10% from 2023 and the highest total ever. The average breach in healthcare costs organizations about $9.8 million.
In the US, losses from internet crime reported to the FBI's Internet Crime Complaint Center reached $12.5 billion in 2023, up 22% from the previous year.

Data breaches and reputational damage: A breach puts your company's sensitive information at risk almost instantly, whether that is proprietary data or personnel records. Phishing leads to stolen staff credentials and to ransomware that takes over your systems, holds them hostage and leaks sensitive data. Customers and partners find it hard to trust an organization that has been hit.

Emotional and psychological toll: Like a burglary, an intrusion takes a psychological toll on the people involved. It causes stress and erodes trust.

Proactive strategies to protect against phishing

There is no way to wipe phishing out for good, and no way to stay ahead of every threat. The real weapons individuals and businesses have are education and technological defences.

Education and awareness

By far the most important and effective strategy for protecting your business and yourself is learning to recognize a phishing attempt, which minimizes the chance of falling for one. Give employees and other associates ongoing training to recognize phishing attempts as they happen so they can be stopped. One of the best ways to build these skills is to run simulated phishing campaigns in the workplace to show people what an attack looks like and how to react. Simulations work best when they teach rather than punish, and when reporting a suspected phish takes a single click. Interested in off-the-shelf or tailored cybersecurity training solutions for your organization? Check our Lighthouse Labs internal talent development solutions.

Technological defence

The next strategy is to implement technology that mitigates some of the risk. It is important to stress that technology is necessary but not perfect.
Education is still the most important starting point. However, the following phishing protection measures reduce the threat considerably:

Email filters that quarantine high-risk messages, including those whose sending domain fails SPF, DKIM and DMARC checks.
Multi-factor authentication (MFA), which requires a second factor (something you have, such as an authenticator app or security key) in addition to the password. A one-time code typed into a web page can be relayed by a real-time phishing site, so where possible use phishing-resistant MFA such as FIDO2/WebAuthn security keys or passkeys, which only work on the genuine site's domain.
Password managers, which generate a unique password for every site and only autofill it on the exact domain it was saved for, so a look-alike site gets nothing and a stolen password cannot be reused elsewhere.

AI-based solutions are also growing in popularity. They let companies and individuals detect suspicious patterns in communications quickly, before anyone clicks. Your cybersecurity team can deploy these tools across the business. If you are ready to grow your cybersecurity team, Lighthouse Labs provides the job-ready cybersecurity talent you need. Connect with our External Talent Acquisition team to strengthen the people defending your company's data.

Best practices for individuals and organizations

Consider these anti-phishing tips, which can be implemented right away:

Verify the sender's actual email address, not just the display name, and hover over links to see where they really lead before clicking or downloading attachments.
Keep software and systems updated, patching vulnerabilities as they are disclosed.
Always use strong, unique passwords.
Use MFA whenever possible.
Educate and support your team throughout this process.

Measures like these work only when your team uses them, and people use them when they understand the threats.

The role of training in combating phishing

Formal cybersecurity training helps individuals and organizations stay a step ahead of cybercriminals. It enables an active defence and reduces the need for clean-up afterwards. Your organization can upskill its team in cybersecurity, teaching every worker how to avoid these risks. Lighthouse Labs' internal talent development solutions are designed for this purpose. Connect with our team to learn more.
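As an added example for the sender-verification and email-filtering points above (code written for this article, not taken from the original page or from any vendor product), the following Python script applies the checks a mail gateway or SOC analyst would run on a suspicious message: the SPF/DKIM/DMARC verdicts recorded in the Authentication-Results header, alignment between the From domain and the bounce (Return-Path) domain, urgency language, and look-alike hostnames in the links, which is the "nearly identical URL" problem described under modern phishing. The sample message, its domains, the protected-brand list, the confusable-character table and the scoring thresholds are all constructed for the example.

```python
"""Triage a raw e-mail for phishing indicators: authentication results,
sender alignment, urgency language and look-alike domains in its links."""
import re
import unicodedata
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message. Every header, address, domain and URL below is
# invented for this example. The second link uses a Cyrillic "а" (U+0430).
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-notify.example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-notify.example.net; dkim=none; dmarc=fail header.from=examplebank.com
From: "Example Bank Security" <alerts@examplebank.com>
To: victim@example.com
Subject: Urgent: verify your account within 24 hours
Content-Type: text/plain; charset=utf-8

Your account has been locked. Confirm your identity at
https://examp1ebank.com/verify?id=4471 or https://ex\u0430mplebank.com/login
within 24 hours to avoid suspension.
"""

PROTECTED_DOMAINS = {"examplebank.com"}   # brands to defend (assumed for the example)
# A few Cyrillic letters and digits that imitate Latin letters; production code
# would use the full Unicode confusables table.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "1": "l", "0": "o"}
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspend", "locked")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def skeleton(host: str) -> str:
    """Collapse a hostname to the Latin string it visually imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", host.lower()))


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquats such as examplebnak.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> list[str]:
    """Reasons a hostname looks like an impersonation of a protected brand."""
    host = host.lower()
    if host in PROTECTED_DOMAINS:
        return []
    reasons = []
    if any(ord(ch) > 127 for ch in host) or any(lbl.startswith("xn--") for lbl in host.split(".")):
        reasons.append("internationalized (IDN/punycode) hostname")
    for brand in PROTECTED_DOMAINS:
        if skeleton(host) == brand:
            reasons.append(f"confusable look-alike of {brand}")
        elif levenshtein(host, brand) <= 2:
            reasons.append(f"typosquat of {brand}")
    return reasons


def parse_auth_results(header: str) -> dict[str, str]:
    """Extract the spf/dkim/dmarc verdicts recorded by the receiving gateway."""
    return {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header)}


def domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def triage(raw: str) -> dict:
    msg = message_from_bytes(raw.encode("utf-8"), policy=policy.default)
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    from_domain = domain_of(str(msg.get("From", "")))
    bounce_domain = domain_of(str(msg.get("Return-Path", "")))
    # DMARC-style alignment: the bounce address should sit under the From domain.
    aligned = bounce_domain == from_domain or bounce_domain.endswith("." + from_domain)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    text = f"{msg.get('Subject', '')}\n{body}".lower()

    score, findings, suspicious_hosts = 0, [], []
    if auth.get("dmarc") != "pass":
        score += 3
        findings.append(f"dmarc={auth.get('dmarc', 'missing')} for {from_domain}")
    for mech in ("spf", "dkim"):
        if auth.get(mech) != "pass":
            score += 1
            findings.append(f"{mech}={auth.get(mech, 'missing')}")
    if not aligned:
        score += 2
        findings.append(f"Return-Path domain {bounce_domain} does not align with From domain {from_domain}")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        reasons = classify_host(host)
        if reasons:
            score += 3
            suspicious_hosts.append(host)
            findings.append(f"link to {host}: " + "; ".join(reasons))
    urgency = [w for w in URGENCY_WORDS if w in text]
    if urgency:
        score += 1
        findings.append("urgency language: " + ", ".join(urgency))
    verdict = "quarantine" if score >= 5 else "flag" if score >= 2 else "deliver"
    return {"verdict": verdict, "score": score, "findings": findings, "auth": auth,
            "from_domain": from_domain, "aligned": aligned, "suspicious_hosts": suspicious_hosts}


if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    print(result["verdict"], result["score"])
    for finding in result["findings"]:
        print(" -", finding)
```

The message is quarantined on several independent grounds: the From domain publishes DMARC and the message fails it, the bounce address belongs to an unrelated domain, and both links point at domains that only look like the bank's. The same `classify_host` check is what a password manager effectively performs when it refuses to autofill on a domain that is not the one the credential was saved for.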
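To make the MFA caveat above concrete, here is a second added example (written for this article, not code from the original page or from any vendor) that models, with only the Python standard library, why a one-time code can be relayed through a look-alike site while a passkey or FIDO2 security key cannot. The origins, the relying-party identifier examplebank.com, and the use of an HMAC key as a stand-in for the authenticator's asymmetric key pair are all assumptions made for the example; the TOTP routine itself follows RFC 6238.

```python
"""Model of why a relayed one-time code still logs the attacker in, while an
origin-bound credential (WebAuthn / passkey style) does not."""
import hashlib
import hmac
import secrets
import struct

# Constructed origins for this example; neither is a real site.
REAL_ORIGIN = "https://login.examplebank.com"     # genuine login page, RP ID examplebank.com
PHISH_ORIGIN = "https://login.examp1ebank.com"    # attacker's look-alike proxy


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the 30-second time counter."""
    counter = now // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Authenticator:
    """The user's security key or passkey. Real authenticators hold asymmetric keys;
    an HMAC key per relying party stands in so this runs with the standard library."""

    def __init__(self):
        self.keys: dict[str, bytes] = {}

    def register(self, rp_id: str) -> bytes:
        self.keys[rp_id] = secrets.token_bytes(32)
        return self.keys[rp_id]

    def get_assertion(self, rp_id: str, challenge: str, origin: str):
        # Browser rule: a page may only use credentials whose RP ID is the
        # origin's host or a parent domain of it. A look-alike host fails here.
        host = origin.split("://", 1)[1]
        if host != rp_id and not host.endswith("." + rp_id):
            return None
        key = self.keys.get(rp_id)   # nothing was ever enrolled for the attacker's RP ID
        if key is None:
            return None
        # The signature covers the origin the browser actually saw, so even a
        # captured assertion cannot be re-labelled as coming from the real site.
        return hmac.new(key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class RelyingParty:
    """The genuine site: issues challenges and verifies both factor types."""

    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self.totp_secret = secrets.token_bytes(20)
        self.cred_key = b""

    def verify_totp(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp(self.totp_secret, now))

    def verify_assertion(self, challenge: str, assertion) -> bool:
        if assertion is None:
            return False
        expected = hmac.new(self.cred_key, f"{challenge}|{self.origin}".encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(assertion, expected)


def setup() -> tuple:
    rp = RelyingParty("examplebank.com", REAL_ORIGIN)
    auth = Authenticator()
    rp.cred_key = auth.register(rp.rp_id)   # enrolment on the genuine site
    return rp, auth


def phish_totp(rp: RelyingParty, now: int) -> bool:
    """Adversary-in-the-middle: the victim types the code from their app into the
    look-alike site and the attacker forwards it within the same 30 s window."""
    code_typed_into_phish_site = totp(rp.totp_secret, now)
    return rp.verify_totp(code_typed_into_phish_site, now)


def phish_webauthn(rp: RelyingParty, auth: Authenticator) -> bool:
    """Same relay against a passkey: the attacker fetches a real challenge and
    asks the victim's browser, which is on the phishing origin, to sign it."""
    challenge = secrets.token_hex(16)
    relayed = auth.get_assertion(rp.rp_id, challenge, PHISH_ORIGIN)
    own_rp = auth.get_assertion("examp1ebank.com", challenge, PHISH_ORIGIN)
    return rp.verify_assertion(challenge, relayed) or rp.verify_assertion(challenge, own_rp)


def replay_webauthn(rp: RelyingParty, auth: Authenticator) -> bool:
    """An assertion sniffed from a genuine login is useless against a fresh challenge."""
    captured = auth.get_assertion(rp.rp_id, secrets.token_hex(16), REAL_ORIGIN)
    return rp.verify_assertion(secrets.token_hex(16), captured)


def legit_webauthn(rp: RelyingParty, auth: Authenticator) -> bool:
    challenge = secrets.token_hex(16)
    return rp.verify_assertion(challenge, auth.get_assertion(rp.rp_id, challenge, REAL_ORIGIN))


if __name__ == "__main__":
    rp, auth = setup()
    print("relayed TOTP accepted:    ", phish_totp(rp, 1_700_000_000))
    print("relayed passkey accepted: ", phish_webauthn(rp, auth))
    print("replayed passkey accepted:", replay_webauthn(rp, auth))
    print("genuine passkey accepted: ", legit_webauthn(rp, auth))
```

Two independent checks defeat the relay: the browser refuses to use a credential whose relying-party identifier does not match the host in the address bar, and the server verifies that the signed origin is its own. Neither check exists for a six-digit code, which is why the forwarded TOTP is accepted as long as it arrives within the time window. This is the reason the MFA item above recommends phishing-resistant methods rather than codes alone.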
If you are an individual looking to protect yourself and your company against cyber threats, we recommend looking into Lighthouse Labs' Cybersecurity Bootcamp. It is an effective, streamlined way to build the practical skills that directly counter the ever-changing landscape of cyber threats.

Staying ahead in the fight against phishing

Vigilance is essential in this battle. As phishing continues to evolve, organizations with well-trained staff and robust, consistently applied cybersecurity practices are the most likely to stay protected. Take steps now to safeguard against these risks and avoid business-ending financial loss. Explore Lighthouse Labs' cybersecurity training programs for teams and individuals, and let us teach you how to build the cybersecurity team that can counter your biggest threats.