The Layers of Phishing Attack Prevention
Phishing is an act whereby a threat actor attempts to steal your personal and security information by pretending to be someone you trust, such as a co-worker, boss, or well-known, recognized institution, and luring you into a regrettable action through fear, guilt or a sense of duty. Most phishing scams are email-based but have branched out to social media, text messaging and phone calls. These attacks prey on human error, manipulating individuals into harming themselves or the organizations they work for. But why does phishing continue to grow unabated when employee training, education and other vulnerability detection platforms are the primary defences against this burgeoning industry? A closer look at the layers of protection organizations are deploying to combat the latest tactics can offer valuable insights into the current state of affairs.
It is important to first review the different phishing scams currently being used to fully understand their complexity.
Spear Phishing - a highly targeted email sent by a threat actor posing as a trusted sender to extract sensitive information. The threat actor conducts extensive research before such an attack.
Whaling - a campaign launched by threat actors that targets C-Suite executives with sophisticated, personalized messages that may lead them to act mistakenly.
Vishing - voice-based campaigns, usually via phone or voice messaging, that create a sense of urgency by referencing a significant deadline or customer need.
Smishing - SMS phishing via text messages to extract sensitive information.
Pharming - installing malicious code onto your computer that redirects the impacted individual to a fake website.
Quishing is a newer form of phishing in which threat actors embed a QR code in their message, redirecting impacted individuals to a fake website or triggering a download of malicious content that allows sensitive information to be extracted. According to a recent report, 89% of Quishing attacks are launched via email, with C-Suite executives receiving 42 times more QR-coded attacks than the average employee (SC Media, 2024).
Phishing has been further expanded through the availability of highly targeted AI tools, which generate new messages that are free of spelling errors and other noticeable mistakes. What previously took 16 hours on average to craft can now be completed in less than five minutes (IBM, 2024). New sophisticated campaigns involving Business Email Compromise (BEC) and Email Account Compromise (EAC) both exploit human trust, which makes them much more difficult to detect. On the defensive side, AI can continuously learn and help detect patterns of novel attacks before they permeate your entire organization, shortening response time and limiting damage, but it falls short at detecting attacks that rely on human engagement.
How are organizations combating the current dilemma? There are layers of preventative practices that make phishing attacks less likely.
These layers include:
Create an Acceptable Use Policy (AUP) that lays out your organization’s expectations regarding safe communication practices, such as strong passwords, avoidance of unauthorized software, and the specifics of phishing and social engineering awareness. These policies should be acknowledged and signed by all employees, vendors, and suppliers.
Continuous monitoring for suspicious activity.
Phishing alert buttons, delivered as a browser extension, make it more convenient to report suspicious messages.
Use of a VPN for some or all communications.
Anti-virus software that scans emails and alerts on malicious activity and endpoint vulnerabilities.
Securing both web and email gateways to help filter undesirable software and malware from user-initiated activities.
URL and website verification, avoiding malicious links.
Ensuring all software is up to date with the most recent security patches.
Updated passwords and multi-factor authentication (MFA). Organizations should be aware of MFA fatigue as it relates to productivity. Hardware security keys (RSA SecurID or YubiKey) can be a better alternative.
Conducting organization-wide phishing simulations, including QR code attacks.
Continuous employee training may be different for various groups within your organization. A broader education, including regular updates and seasonal awareness of campaigns (Christmas, tax season, and others), may apply to all employees, whereas a specific campaign highlighting types of scams such as BEC and tighter verification before any financial transactions are commenced would be directed to your C-suite and finance team.
While maintaining these protective layers is essential, phishing attacks continue to grow. IBM’s 2024 Cost of a Data Breach report identified the annual cost of a data breach at USD $4.88 million, with phishing being the most common vector. According to the Forbes/Egress 2024 Email Risk Security Report, 35% of malware was delivered via email, and 94% of organizations reported email security incidents. The existing layers are not a full-stop solution, which raises the question of what other measures can be taken.
In August of 2024, PhishFlagger™ launched a revolutionary protocol that identifies and verifies communications between two parties through a numeric registry (https://www.phishflagger.com/press-release). Both parties can keep track of emails, SMS and more through verification of the PhishCounter™, which establishes a secret starting number between the two parties and is always shown at the beginning of an email’s subject line. Once enrolled, participants can easily recognize safe communications with other parties, and any questionable email that is not in numerical sequence can be flagged and quickly disposed of. Two-step verification can also be deployed for more sensitive communications, such as those with banks and insurance companies.
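As an added illustration of the sequence-counter idea described above (not PhishFlagger’s own protocol or code; the subject-line format, the Re:/Fwd: handling and the in-memory registry are assumptions), the check below flags messages whose counter is missing, replayed or out of order, and advances the expected value only when a message is accepted:

```python
import re

# Assumed subject-line format (an illustration, not the real PhishCounter format):
# the counter is the first token, optionally after "Re:" / "Fwd:" prefixes.
COUNTER_RE = re.compile(r"^\s*(?:(?:re|fwd?)\s*:\s*)*(\d+)\b", re.IGNORECASE)

class CounterRegistry:
    def __init__(self):
        self._expected = {}  # (sender, recipient) -> next counter value expected

    def enroll(self, sender, recipient, start):
        # The starting number is the secret agreed between the two parties.
        self._expected[(sender, recipient)] = start

    def check(self, sender, recipient, subject):
        """Return (verdict, counter). Only an accepted message advances the
        expected value, so a flagged message cannot desynchronise the pair."""
        key = (sender, recipient)
        if key not in self._expected:
            return ("unenrolled", None)
        match = COUNTER_RE.match(subject)
        if match is None:
            return ("flag-missing-counter", None)
        seen = int(match.group(1))
        if seen != self._expected[key]:
            # Replayed (already used) or skipped-ahead counter: flag it.
            return ("flag-out-of-sequence", seen)
        self._expected[key] = seen + 1
        return ("ok", seen)

def triage(registry, messages):
    """Apply the check to (sender, recipient, subject) tuples in arrival order."""
    return [registry.check(s, r, subj)[0] for s, r, subj in messages]

# Constructed sample traffic; alice and bob enrolled with secret start 4711.
SAMPLE_MESSAGES = [
    ("alice@example.com", "bob@example.com", "4711 Q3 invoice"),
    ("alice@example.com", "bob@example.com", "Re: 4712 Q3 invoice"),
    ("alice@example.com", "bob@example.com", "4712 Updated wire instructions"),  # replay
    ("alice@example.com", "bob@example.com", "URGENT: wire transfer today"),  # no counter
    ("alice@example.com", "bob@example.com", "4713 Meeting notes"),
    ("carol@example.com", "bob@example.com", "9001 Hello"),  # pair not enrolled
]

def demo():
    registry = CounterRegistry()
    registry.enroll("alice@example.com", "bob@example.com", 4711)
    return triage(registry, SAMPLE_MESSAGES)
```

The check only tells a recipient that a message is out of sequence; it relies on the starting number staying secret between the two parties and is one layer alongside the gateway, MFA and training measures listed above.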
AI has undoubtedly played a role in cybersecurity pattern recognition, data analytics, and ML improvements in breach detection. The ability to identify attack patterns and automate responses within the current security infrastructure will augur more significant advances in detection and protection. Still, there is widespread belief that AI has created a more sophisticated and less detectable barrage of phishing attacks that will continuously outpace security improvements. Human error will continue to be the leading cause of exposed vulnerabilities and cybercrime attacks. There is very little evidence that this trend and the corresponding statistics are about to change anytime soon. But perhaps the recently announced protocols by PhishFlagger™, which have garnered significant industry interest, are another important, if not the most important, layer of sophistication in combating phishing attacks yet.
Mike Boland
President, PhishFlagger™