The evolution of phishing: vishing & quishing


In its early stages, phishing was often very simplistic: attackers impersonated reputable sources through written communication, i.e. emails and letters, to gain access to sensitive data. Adversaries have since adapted their techniques in the wake of the AI evolution. With the growing popularity of GenAI tools, voice-based phishing attacks - also known as ‘vishing’ - have become the new norm, and organizations have to combat this evolution by modernizing their IT security.

Phishing as the reconnaissance phase of a bigger attack

We have to look at the anatomy of an attack to understand the role that phishing is playing in the malware industry. While ransomware typically gets all the headlines once intruders are able to monetize their efforts after successfully delivering the payload at the end of an infection cycle, there is less coverage on the overall infection cycle, which often starts with something as simple as phishing. The reconnaissance phase at the beginning of an attack plays an even more important role in the defense strategy. 

When attackers are figuring out what an organization's attack surface looks like, they use phishing as a mechanism to harvest confidential personal information, such as credentials, or to have the user download zero-day malware that gives them access to a particular machine. As adversaries use the latest trends like AI to trick users, organizations should put more focus on reducing their attack surface and applying advanced behavioral analysis mechanisms.

Tony Fergusson

CISO EMEA at Zscaler.

Phishing attacks are becoming more personalized

The bait for the user has evolved from simple email scams to much more personalized attacks that use the latest technologies like AI tools. As users become more aware of traditional phishing campaigns, adversaries invent new channels and techniques. More recently, fake phone calls, or ‘vishing’, have gained popularity. This is where the voice of a senior executive is imitated with the help of a voice cloning tool. These tools first capture the characteristics of a human voice and then use AI to train a model that imitates the voice when reciting arbitrary messages. Used in conjunction with traditional phishing techniques, vishing becomes increasingly difficult for users to tell apart from a legitimate call.

But it isn’t just voice cloning - the latest evolution of phishing, which will impact 2024, is ‘quishing’. This is where a QR code is sent via email with a malicious link hidden behind the image. Because the link is not present as text, it is difficult to verify and is often missed by security tools. This especially raises the risk for employees who scan the code with their own personal smartphones, as most are not adequately protected. To counteract the evolution of phishing techniques it is vital to make Zero Trust the standard security solution of choice. But a Zero Trust mentality shouldn’t be implemented at a technology level only; it has to be applied on a human level as well.
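The quishing pattern described above has a defensive counterpart: because the lure moves the link out of the message text and into an image, a mail filter can flag messages that combine an image part with a "scan this code" prompt and no visible URL. The following Python is an added example, not code from the article or from Zscaler; the heuristic, its thresholds and the three sample messages are all constructed here for illustration, and it uses only the standard library.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Phrases that typically accompany a QR-code lure (constructed heuristic).
QR_PROMPT = re.compile(r"\b(scan|qr[ -]?code|point your camera)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def analyze_quishing(raw: bytes) -> dict:
    """Score one RFC 5322 message for quishing indicators.

    Returns the number of image parts, the reasons found and a 'suspicious'
    verdict. The rule 'image + QR prompt + no text URL' is this example's own choice.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if body is not None and body.get_content_subtype() == "html":
        text = re.sub(r"<[^>]+>", " ", text)  # crude tag strip, enough for this check
    images = [p for p in msg.walk() if p.get_content_maintype() == "image"]
    reasons = []
    if images and QR_PROMPT.search(text):
        reasons.append("image part plus scan/QR prompt in body")
    if images and not URL_RE.search(text):
        reasons.append("image present but no clickable URL in body text")
    return {
        "images": len(images),
        "reasons": reasons,
        # Both indicators together: the link lives only inside the image.
        "suspicious": len(reasons) == 2,
    }


def _build(subject: str, text: str, attach_image: bool) -> bytes:
    """Construct a sample message (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "it-helpdesk@example.com"
    msg["To"] = "employee@example.com"
    msg["Subject"] = subject
    msg.set_content(text)
    if attach_image:
        # Constructed placeholder bytes standing in for a QR-code PNG.
        msg.add_attachment(b"\x89PNG\r\n\x1a\nFAKE-QR-IMAGE", maintype="image",
                           subtype="png", filename="qr.png")
    return msg.as_bytes()


# Constructed samples: a QR lure, a newsletter that legitimately mentions a QR
# poster but also carries a text link, and a plain message with no image.
QUISHING_SAMPLE = _build(
    "MFA re-enrolment required",
    "Your authenticator token expires today. Scan the QR code below with your phone to re-enrol.",
    attach_image=True,
)
NEWSLETTER_SAMPLE = _build(
    "March IT newsletter",
    "Read this month's updates at https://intranet.example.com/news. "
    "Scan the QR code on the poster for the town hall.",
    attach_image=True,
)
PLAIN_SAMPLE = _build("Lunch?", "Shall we grab lunch at 12?", attach_image=False)

if __name__ == "__main__":
    for name, sample in [("quishing", QUISHING_SAMPLE),
                         ("newsletter", NEWSLETTER_SAMPLE),
                         ("plain", PLAIN_SAMPLE)]:
        print(name, analyze_quishing(sample))
```

The verdict requires both indicators, which keeps ordinary messages with a logo in the signature from being flagged; in a real deployment the image part would additionally be decoded and the embedded URL run through the same reputation checks applied to text links.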

Never trust, always verify

Organizations have to adapt their cybersecurity strategies to effectively combat the rising threat of sophisticated phishing and protect sensitive information with the help of a zero trust mentality. Employees nowadays trust the available security solutions too much and don’t exercise enough caution when receiving suspicious communications. A phone call from a person you think you know, but with a request that seems unusual or unexpected, should always be verified. Before acting, the employee should authenticate that person.

In today’s hybrid working environment, where face-to-face interaction is not always feasible, it is strongly advised to use another channel to verify the initial information. For example, if a potential vishing call takes place via WhatsApp, the target should pick up the phone, send a Slack message or use email to verify that the colleague on the call is who they claim to be. Additionally, to ensure account security and avoid further compromise, employees should never share personal data or passwords over the phone or by email, even when asked. No one internally should need another staff member’s password to access data or assets in the system, so there is no reason to share these details with anyone else.

As phishing is often just the beginning of the chain of compromise, it should get more attention. Businesses should be worried about the new capabilities of AI to uplevel phishing attacks. By acknowledging and addressing these challenges head-on, organizations can encourage a more resilient cybersecurity culture and safeguard sensitive data effectively. The credo should be to bring a Zero Trust mentality to the human level, which means staff need to be trained not to implicitly trust a single source of information, but to always verify via another medium. This will become even more important as AI plays a major role in misinformation and disinformation campaigns in the future.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
