While phishing attacks have plagued businesses for years, today, they are far more sophisticated, with attackers using AI-generated voices, chatbot impersonation and advanced personalisation to trick recipients. In this post, we explore the emerging phishing tactics being used by cybercriminals and explain how to recognise and defend against them.
Contents
A growing problem for businesses
Phishing has become one of the most pernicious cyber threats facing businesses today. According to Astra Security, 3.4 billion phishing emails are sent every day. In terms of impact, they are involved in 92% of data breaches, 45% of ransomware attacks and 94% of malware infections.
While we primarily associate phishing with email, cybercriminals are now using a wider range of channels, from voice calls and text messages to live chat and app login popups. Many are also using AI, with some so realistic they can fool even experienced users.
Phishing tactics now include:
- Deepfake voice phishing – where scammers clone voices to impersonate CEOs or suppliers
- AI chatbot phishing – bots pose as customer support to steal credentials
- Consent phishing – users are tricked into giving malicious apps access to their accounts (e.g., when they ask you to log in via Google or Facebook)
- AI-personalised emails – convincing messages crafted using scraped social data
- Phishing-as-a-Service – kits make these tools widely available to criminals
Deepfake voice phishing
One of the most dangerous new trends is the use of cloned voices in phone scams. Simply by finding a short clip from a podcast or social media video, attackers can use AI to convincingly recreate someone’s voice.
Scammers will search for and clone the voices of company executives and use them to send urgent calls or voice messages to internal staff, authorising payments or asking recipients to share access credentials.
The accuracy of the cloned voices means protocols need to be put in place to verify unusual requests. Employees also need to be trained to spot them.
AI chatbots used in phishing attacks
AI chatbots, a common feature of many websites, are now being deployed on fake sites where they pose as customer support. Able to engage users in realistic conversations, they craftily collect usernames, password or payment details from unsuspecting users.
Employees should be trained to spot signs of malicious chatbots, such as redirecting to third-party sites or requesting sensitive data without context.
Are you taking advantage of chatbots? Read: Human vs AI Chatbot for Website Support: Which Is Best?
Consent phishing via authorisation abuse
Consent phishing involves tricking users into granting third-party apps access to their data via OAuth (Open Authorisation protocol). This usually occurs when users click on a ‘Login with Google’ or ‘Connect your Microsoft account’ button from a phishing page.
As many legitimate apps use OAuth, victims think they are just logging in. However, with content phishing, they are authorising a rogue app to access emails, files or cloud storage, and enabling permissions that can remain even after a password reset.
To protect against this, businesses should limit the types of apps that can be connected to corporate accounts, audit OAuth permissions, and train staff to verify login screens before authorising access.
How secure is your website? Read: Defending Your Website: A Security Checklist for Site Owners
AI-enhanced phishing emails
With employees getting better at spotting phishing emails, cybercriminals have begun to use generative AI tools, like ChatGPT, to create messages that are fluent, persuasive and highly targeted and which don’t have spelling mistakes, poor formatting or badly spoofed visuals. Moreover, they feed existing messaging from brands into the AI so that it accurately recreates brand voice and communication style guides.
When targeting businesses, attackers will also scrape social media and company websites to add personal details, such as job titles, managers’ names or project information – all of which increases the success rate.
Staff should be wary of messages that create urgency, use personal details unexpectedly or which contain unusual links or attachments.
Defending against sophisticated phishing
Protecting your business from phishing requires a layered approach that combines smart tools with staff training and clear processes.
Given that credential theft is a major goal for phishing attacks, multi-factor authentication (MFA) is essential to prevent cybercriminals from getting access, even if a user’s password is compromised. This should be enforced across all accounts.
Regular training and simulated phishing tests are valuable in helping employees recognise suspicious messages and reacting to them appropriately. Importantly, training should include emerging phishing tactics, so users know how to spot new methods of attack.
Businesses should also control third-party app access, particularly those that use OAuth. As part of this, admins should monitor which apps have been authorised and block access where appropriate.
To protect recipients of your outgoing emails, you should also configure your domain with SPF, DKIM and DMARC records. These protocols verify that the emails are genuinely from your business and thus reduce the chance of spoofed emails reaching customer inboxes.
For more information, read: How to Implement DMARC for Google and Yahoo Compliance
Protection from your hosting provider
A reliable hosting provider can help protect you and your customers against phishing attacks and lessen the impact of malware and data breaches if an attack is successful. These protections include:
- Real-time spam filters, like SpamExperts, that identify and block the vast majority of email-based phishing attempts from reaching users’ email accounts.
- Email SSL certificates that verify your domain’s authenticity for email recipients while encrypting communications.
- Tools like Imunify360 that scan for malicious code that may be deployed through phishing sites or compromised plugins.
- cPanel or Plesk – control panels that make it easy for admins to configure domain-level protection, set up SPF and DKIM records, and manage access to email accounts.
- Cloud-based, automated, off-site backups that enable businesses to restore data and systems quickly in the event that a phishing attack results in ransomware, infection or data theft.
Conclusion
Smarter and more convincing, today’s emerging phishing tactics now include AI-crafted emails, cloned voice calls, fake chatbots and spoof app logins. Moreover, with Phishing as a Service kits widely available, even amateur cybercriminals are able to launch sophisticated attacks. However, by educating staff, tightening access controls and login security, and choosing secure hosting, you can keep your business protected from the scammers.
At Webhosting UK, our hosting plans are built with security in mind. From spam protection and SSLs to automated backups and malware detection, we provide the infrastructure to keep your site and your staff better protected. For more information about our hosting solutions, visit our homepage.
