The evolution of phishing: vishing & quishing


In its early stages, phishing was often very simplistic: attackers impersonated reputable sources in written communication, i.e. emails and letters, to gain access to sensitive data. Adversaries have since adapted their techniques in the wake of the AI evolution. With the growing popularity of GenAI tools, voice-based phishing attacks - also known as ‘vishing’ - have become the new norm, and organizations have to combat this evolution by modernizing their IT security.

Phishing as the reconnaissance phase of a bigger attack

We have to look at the anatomy of an attack to understand the role that phishing plays in the malware industry. Ransomware typically gets all the headlines, because that is the point at which intruders monetize their efforts after successfully delivering the payload at the end of an infection cycle. There is far less coverage of the infection cycle as a whole, which often starts with something as simple as phishing. Yet the reconnaissance phase at the beginning of an attack deserves an even more important role in the defense strategy.

When attackers are figuring out what an organization's attack surface looks like, they use phishing as a mechanism to harvest confidential personal information, such as credentials, or to get the target to download malware, potentially exploiting a zero-day, in order to gain access to a particular machine. As adversaries use the latest trends like AI to trick users, organizations should put more focus on reducing their attack surface and applying advanced behavioral analysis mechanisms.

Tony Fergusson

CISO EMEA at Zscaler.

Phishing attacks are becoming more personalized

The bait for the user has evolved from simple email scams to much more personalized attacks that use the latest technologies, such as AI tools. Because users have become more aware of traditional phishing campaigns, adversaries have invented new channels and techniques. More recently, fake phone calls, or ‘vishing’, have gained popularity. Here the voice of a senior executive is imitated with the help of a voice cloning tool. These tools first capture the characteristics of a human voice and then use AI to train a model that reproduces that voice reciting arbitrary messages. When vishing is used in conjunction with traditional phishing techniques, it becomes increasingly challenging for users to discern whether a request is legitimate.

But it isn’t just voice cloning - the latest evolution of phishing which will impact 2024 is ‘quishing’. This is where a QR code is sent via email with a malicious link hidden behind the image. Because the destination is encoded in an image rather than a visible text link, it is difficult for the recipient to verify and is often missed by security tools that scan only text and URLs. This especially raises the risk for employees who scan such codes with their own personal smartphones, as most of those devices are not adequately protected. To counteract the evolution of phishing techniques it is vital to make Zero Trust the standard security solution of choice. But a Zero Trust mentality isn’t something to implement at the technology level only; it must also be applied at the human level.

Never trust, always verify

Organizations have to adapt their cybersecurity strategies to effectively combat the rising threat of sophisticated phishing and protect sensitive information with the help of a zero trust mentality. Employees nowadays place too much trust in the security solutions in place and don’t exercise enough caution when receiving suspicious communications. A phone call from a person you think you know, but with a request that seems unusual or unexpected, should always be verified. Before acting, the employee should authenticate that person.

In today’s hybrid working environment, where face-to-face interaction is not always feasible, it is strongly advised to use a second channel to verify the initial request. For example, if a potential vishing call takes place via WhatsApp, the target should call back on a known number, send a Slack message or use email to confirm that the colleague on the phone is who they claim to be. Additionally, to ensure account security and avoid further compromise, employees should never share personal data or passwords over the phone or by email, even if requested. No one internally should need another staff member’s password to access data or assets in the system, so there is never a legitimate reason to share these details with anyone else.

As phishing is often just the beginning of the chain of compromise, it should receive more attention. Businesses should be concerned about the new capabilities of AI to uplevel phishing attacks. By acknowledging and addressing these challenges head-on, organizations can build a more resilient cybersecurity culture and safeguard sensitive data effectively. The credo should be to bring a Zero Trust mentality to the human level: staff need to be trained not to implicitly trust a single source of information, but to always verify via another medium. This will become even more important as AI plays a growing role in misinformation and disinformation campaigns in the future.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here:
