
Phishing: A Persistent Threat in the Age of AI

Phishing is one of the most common and dangerous cyber threats facing organizations today. Despite growing awareness, employees often still fall victim to these attacks. Even worse, cybercriminals now have more sophisticated tools at their disposal, fueled by artificial intelligence (AI). What once required a team of attackers to conduct a spear-phishing attack can now be accomplished by a single person using generative AI. Understanding the psychological factors behind why employees click on malicious links can help organizations develop more effective prevention strategies and strengthen their overall cybersecurity posture.

1. The Role of Social Engineering

Phishing attacks often rely on social engineering tactics that exploit human emotions. Cybercriminals create a false sense of urgency or fear, prompting employees to act quickly without considering the legitimacy of the request. For example, a phishing email may appear to come from a senior executive, making it more likely that an employee will act quickly without questioning the email's authenticity.

By educating employees about the tactics cybercriminals use, organizations can help reduce the risk of successful phishing attempts. Resources like the Hurricane Labs blog explain the differences between phishing and other types of email threats, helping employees better recognize suspicious communications.

2. Cognitive Bias and Impulsivity

Humans are wired to take shortcuts in decision-making, which is often referred to as cognitive bias. Phishing attacks exploit these shortcuts by presenting information that appears legitimate at first glance. For example, a phishing email might ask an employee to update their login credentials by clicking on a link, which seems like a standard procedure. Furthermore, technologies like deepfakes, vishing (voice phishing), and face-swapping are increasingly used to create realistic deceptive interactions. These tools are cheap and easily accessible to cybercriminals.

Training programs should emphasize the importance of scrutinizing all unsolicited requests for sensitive information. Employees should be encouraged to verify requests using alternate communication methods. For instance, they could navigate to the company website to log in directly rather than clicking on a link in an email, or use a messaging platform to confirm an unusual request, such as buying gift cards.

3. Building Stronger Security Training Programs

To effectively combat phishing, organizations must develop robust security training programs. Training should go beyond the basics of identifying phishing emails and instead focus on building a security-conscious culture. Employees should be trained to recognize various social engineering tactics, such as pretexting and baiting, in addition to traditional phishing techniques.

Simulated phishing attacks are a practical way for employees to practice identifying phishing attempts in a controlled environment. These simulations should be updated regularly to reflect evolving attack methods, as cybercriminals are increasingly using more sophisticated techniques. Relying on outdated indicators such as poor grammar or spelling errors is no longer sufficient.

4. Encouraging Reporting

Creating a culture where employees feel comfortable reporting phishing attempts is essential. Employees should know exactly who to contact and how to report suspicious emails or activities. By fostering a culture of open communication, where security is seen as enabling the business, organizations can identify phishing attacks more quickly and act before significant damage occurs.

5. Implement Multi-Factor Authentication (MFA)

While training is vital, technical controls are also necessary to minimize the impact of successful phishing attacks. One of the most effective ways to protect against unauthorized access, even if credentials are compromised, is multi-factor authentication (MFA). Implementing MFA adds an additional layer of security, making it more difficult for attackers to gain access to an account even if they manage to deceive an employee into divulging their credentials.

Phishing attacks continue to evolve, but with the right combination of employee education, culture, and technical defenses, organizations can significantly reduce the risk to their business. Humans are the weak link in phishing attacks, so understanding the psychology behind what makes these attacks successful can allow you to proactively protect against phishing in the age of AI.

Thomas Sheehan is the Director of Cybersecurity Consulting and Compliance for

The post Phishing: A Persistent Threat in the Age of AI appeared first on Hurricane Labs.

This is a Security Bloggers Network syndicated blog from Hurricane Labs authored by Thomas Sheehan. Read the original post at: https://hurricanelabs.com/uncategorized/phishing-a-persistent-threat-in-the-age-of-ai/?utm_source=rss&utm_medium=rss&utm_campaign=phishing-a-persistent-threat-in-the-age-of-ai