CISOs need a new playbook, stat. Although they’ve often been lighthouses for digital security in their organizations, shining their lamps bravely and brilliantly on new and emerging threats, they developed many of their favorite strategies in a bygone era defined by cloud migrations and digital services. That era is over. As a result, the tools in many a CISO’s toolbox are beginning to tarnish and rust.
Nowhere is this more evident than in the fight against phishing, which costs companies around the world more than $50 billion per year.
The first modern-day phishing attack took place in the 1990s, when dial-up Internet users were discovering the marvel of email for the first time. Decades later, email continues to be cyber criminals’ favorite method of attack. In fact, more than 90% of successful cyber attacks start with a phishing email, according to the Cybersecurity and Infrastructure Security Agency (CISA).
But today’s phishing emails are not the same as yesterday’s phishing emails. They’re not only more numerous — it’s estimated that cyber criminals send billions of phishing emails every day — but also more persuasive. Artificial intelligence is a major reason why, according to researchers at Columbia University. In July 2025, they published a landmark study showing that over 51% of spam emails are now generated using AI.
“Our results show that attackers are primarily using AI to improve email quality — reducing typos and grammatical errors — rather than altering attack strategies,” the study’s lead author, Wei Hao, said in a press release. “This makes spam harder to detect and potentially more convincing to recipients.”
For CISOs who are using old tactics to fight new iterations of phishing, it’s like showing up to a five-alarm fire with a garden hose.
And AI isn’t the only problem. To grow both their reach and their returns, cyber criminals are increasingly turning to new and diverse communication channels to execute their phishing attacks, including text messages, voice calls, QR codes, and social media. Stopping phishing on all those fronts requires CISOs to invest more in modern security practices like automation, real-time threat analysis, and training.
It’s no longer enough to set up spam filters to catch phishing emails. Attackers today are using a variety of other methods to catch their prey. On the rise as attack vectors, for example, are smishing (phishing by text message), vishing (by voice call), quishing (by QR code), enterprise communication platforms, and social media — all of which bypass many of the usual detection and mitigation methods that CISOs and their teams have traditionally used to stop phishing attacks.
The arrival of “multi-channel” phishing attacks marks a new era in cyber crime. Understanding how cyber criminals are operating in this new era is essential for CISOs who want to keep pace with evolving threats. There are three aspects of modern phishing, in particular, that the most effective CISOs recognize: AI, social engineering, and information harvesting.
AI phishing
Phishing attacks have become harder to recognize thanks to AI, which — as the researchers from Columbia University rightly pointed out — has cleaned up the misspellings and poor grammar that once were telltale signs of phishing.
AI isn’t just making scammers better writers, though. It’s also making them better salespeople. With the help of generative and agentic AI tools, attackers can craft phishing messages that are tailored to specific groups and individuals. AI deepfakes and voice cloning, for example, are key parts of the modern attacker’s arsenal, allowing them to create images and videos that are so realistic that even experts struggle to tell the difference between real and fake.
Imagine what kind of damage could be inflicted on a company by an attacker who sends employees a malware-laden PDF attachment from the spoofed email address of the company’s CEO, followed up by a voice-cloned phone call. That kind of phishing attack is already happening today.
As AI becomes more mainstream, anyone can put together a successful phishing campaign. Cyber criminals can use AI to increase the scale of a phishing attack across multiple vectors. On the other end of the spectrum, a low-tech employee can use AI to build a spearphishing kit to go after assets within the organization, creating new areas of insider risk.
And then there’s the element of speed: Cyber criminals using AI can create phishing campaigns and messages faster than ever before, and they can use that increased speed and efficiency to launch more phishing attacks, in more places, against more targets.
Social engineering
Just as core to modern phishing as technology is psychological manipulation, also known as social engineering. To get their victims to take the actions they want them to take — like sending money or sharing private information — attackers routinely tug on emotions like fear (e.g., being locked out of an account unless an action is taken), guilt (e.g., feeling the need to respond to a friendly message from an unknown sender), or excitement (e.g., a direct message on LinkedIn about the “perfect” job offer).
Attackers exploit the trust individuals have in well-known companies, in senior leaders, and even in their casual acquaintances. Harder-to-detect phishing attacks increasingly arrive at the most stressful periods for companies — for example, during the holiday season, at tax time, and at the end of the fiscal year — because attackers know that employees are more susceptible to making a mistake when they are busy.
Information harvesting
Traditionally, the motive behind most cyber attacks was financial. And that remains the primary goal for many attackers. But today’s cyber criminals don’t just phish for money. They also phish for information. In fact, the number of infostealers — malware designed to covertly steal sensitive information, including personal information, passwords, screenshots, and private documents — delivered via phishing emails increased by 84% between 2024 and 2025, the IBM Institute for Business Value (IBV) reported in its “IBM X-Force 2025 Threat Intelligence Index” report.
“Phishing has emerged as a shadow infection vector for valid account compromises,” reports the IBM IBV, which says nearly one in three cyber attacks takes place using valid accounts. “A surge in phishing emails distributing infostealer malware and credential phishing fuels this trend, which may be attributed to attackers leveraging AI to scale attacks.”
Attackers who use phishing to harvest login credentials like usernames and passwords can sell information for financial gain or use it to infiltrate networks either for espionage purposes or to launch bigger, more stealthy attacks.
In either case, the ultimate prizes are sensitive intellectual property, government secrets, and the credentials of high-ranking officials. Nation states, for example, may use phishing as the starting point to infiltrate the phones and networks of politicians, defense contractors, and media. They and other bad actors can use phishing to gain access to critical infrastructure or trade secrets. Consider the 2024 case of a Russian-backed hacking group, which launched a phishing attack in pursuit of sensitive U.S. government information. Earlier in 2025, a Chinese espionage group similarly launched phishing attacks against manufacturing, supply chain entities, and tech companies in Taiwan to gather intelligence data.
Whether they’re seeking money or information, multi-channel phishing allows attackers to cast a wider net. While social media phishing reaches a large audience with a single posting, for instance, a smishing or quishing attack can reach a high volume of users with a greater chance of engagement.
Clearly, cyber criminals are evolving. To keep pace, CISOs must also evolve. The technical skills and business acumen that have traditionally defined their roles are no longer enough. In response to the AI, social engineering, and information harvesting that are fueling multi-channel phishing attacks, CISOs must think differently and cultivate soft skills that will complement their technical expertise.
Among the most important soft skills for CISOs to nurture and develop, for example, are: emotional intelligence skills, which can help them recognize why employees might take phishing bait and create a non-punitive environment where employees feel safe reporting phishing attempts; leadership skills, which can help them influence employees and colleagues in order to create a security-first culture; critical thinking skills, which could help them determine where attacks are most likely to happen and what tactics attackers are most likely to use; and communication and collaboration skills, which they can leverage to educate employees about unconventional phishing tactics and to engage them in enterprise-wide anti-phishing efforts.
And yet, it’s not enough to think differently unless you also act differently. Even as they cultivate new skills and perspectives that will help them identify potential threats, CISOs must therefore embrace new anti-phishing practices that will make their organizations more resilient to threats — regardless of channel or mode of attack.
Automation, real-time threat analysis, and training are the three practices that can make the biggest impact in the face of multi-channel phishing:
Cyber criminals aren’t the only ones who can use AI for increased scale and sophistication. Enterprises can deploy it in a similar fashion to stop attacks rather than to launch them.
Indeed, there are AI phishing tools whose specific purpose is mitigating attacks. There are large language models (LLMs), for example, whose explicit purpose is detecting signs of phishing in emails, text messages, social media posts, and other forums. Using natural language processing, they can analyze written text for suspicious language and other red flags and automatically alert you to suspected threats. Other models are trained to look for anomalies — for example, deviations from a user’s typical login times and locations — and still others use computer vision to sniff out suspicious images like fake brand logos and malicious QR codes.
CISOs who are interested in using AI-based security tools should look for a few key features in the solutions they’re considering. Important anti-phishing capabilities include:
Sentiment and conversation analysis, which applies the natural language processing described above to detect threats in written text automatically.
Adaptive authentication, which dynamically adjusts authentication requirements in response to high-risk user behavior.
Automated incident response, which allows organizations to detect and automatically quarantine suspicious messages or devices on their network.
Threat intelligence, which cross-references phishing indicators with information about current threats to identify attacks early.
One of the most important features to look for in AI-based security tools is real-time threat analysis, which can help organizations quickly identify and contain threats before they reach their human targets.
Among the phishing indicators that organizations should be able to monitor in real time are:
Suspicious sender behavior, including spoofed domains, lookalike email addresses, and new senders who are suddenly attempting to contact numerous employees.
Suspicious URLs and domains, including those with poor reputations, unknown links, redirect chains, and credential harvesting pages.
Malicious attachments, including files with macros, executables, and obfuscated scripts.
Risky user behavior, including clicking unknown links, downloading files from suspicious sources, and logging in from unusual locations or at unusual times.
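The four indicator classes above translate directly into checks that can run on a mail gateway’s or identity provider’s event stream. The Python below is an added example (it is not Cloudflare’s code or any product’s detection logic): it flags lookalike sender domains, unknown senders fanning out to many recipients, executable or macro-enabled attachments, and logins outside a user’s usual country or hours, all over a handful of constructed records. The trusted domains, known senders, homoglyph table, thresholds and sample records are assumptions made for illustration.

```python
"""Real-time phishing indicator checks over constructed mail and login records.
Added example, not Cloudflare's or any vendor's code; trusted domains, known
senders, homoglyph table, thresholds and sample records are all assumptions."""
from collections import defaultdict
from datetime import datetime

TRUSTED_DOMAINS = {"example.com", "payroll-example.com"}   # assumed allowlist
KNOWN_SENDERS = {"ceo@example.com", "hr@example.com"}      # assumed known senders
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm"}
FANOUT_THRESHOLD = 3          # distinct recipients an unknown sender may contact
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "rn": "m", "vv": "w"}  # assumed table

def normalize_domain(domain: str) -> str:
    """Undo common look-alike substitutions so 'examp1e' compares as 'example'."""
    d = domain.lower().strip()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one typo away from a trusted domain is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_domain(sender: str):
    """Return the trusted domain the sender's domain imitates, or None."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return None                      # exact match: not a lookalike
    norm = normalize_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == trusted or edit_distance(norm, trusted) <= 1:
            return trusted
    return None

def risky_attachments(filenames):
    """Attachments whose last extension is executable or macro-enabled ('a.pdf.exe' too)."""
    return [n for n in filenames
            if "." in n and "." + n.rsplit(".", 1)[-1].lower() in RISKY_EXTENSIONS]

def new_sender_fanout(messages, threshold=FANOUT_THRESHOLD):
    """Unknown senders that have contacted >= threshold distinct recipients."""
    recipients = defaultdict(set)
    for m in messages:
        if m["from"] not in KNOWN_SENDERS:
            recipients[m["from"]].add(m["to"])
    return {s: len(r) for s, r in recipients.items() if len(r) >= threshold}

def unusual_logins(logins, baseline):
    """Logins from a country or at an hour outside the user's baseline."""
    alerts = []
    for entry in logins:
        profile = baseline.get(entry["user"])
        if profile is None:
            continue                     # no baseline yet: nothing to compare
        hour = datetime.fromisoformat(entry["time"]).hour
        start, end = profile["hours"]
        reasons = []
        if entry["country"] not in profile["countries"]:
            reasons.append(f"new country {entry['country']}")
        if not start <= hour < end:
            reasons.append(f"off-hours login at {hour:02d}:00")
        if reasons:
            alerts.append((entry["user"], reasons))
    return alerts

def triage_message(msg):
    """Per-message reasons to quarantine; an empty list means nothing flagged."""
    reasons = []
    imitated = lookalike_domain(msg["from"])
    if imitated:
        reasons.append(f"sender domain imitates {imitated}")
    bad = risky_attachments(msg.get("attachments", []))
    if bad:
        reasons.append("risky attachment(s): " + ", ".join(bad))
    return reasons

SAMPLE_MESSAGES = [  # constructed sample feed, not real traffic
    {"from": "ceo@example.com", "to": "alice@example.com", "attachments": ["q3-plan.pdf"]},
    {"from": "ceo@examp1e.com", "to": "bob@example.com", "attachments": ["invoice.pdf.exe"]},
    {"from": "recruiter@jobs-offer.test", "to": "alice@example.com", "attachments": []},
    {"from": "recruiter@jobs-offer.test", "to": "bob@example.com", "attachments": []},
    {"from": "recruiter@jobs-offer.test", "to": "carol@example.com", "attachments": ["role.docm"]},
]
SAMPLE_LOGINS = [  # constructed
    {"user": "alice", "time": "2025-03-03T10:15:00", "country": "US"},
    {"user": "alice", "time": "2025-03-03T03:40:00", "country": "RO"},
]
BASELINE = {"alice": {"countries": {"US"}, "hours": (7, 20)}}  # assumed working hours

if __name__ == "__main__":             # stand-alone demo run
    print([triage_message(m) for m in SAMPLE_MESSAGES], new_sender_fanout(SAMPLE_MESSAGES))
    print(unusual_logins(SAMPLE_LOGINS, BASELINE))
```

Each function returns a reason rather than a verdict, so the output can feed the automated quarantine described earlier while leaving a human-readable audit trail. The homoglyph table plus an edit distance of one is a deliberately narrow heuristic: it catches typosquats and digit-for-letter swaps, not every registered lookalike, and a production version would also consult domain reputation and age. The fan-out count here is unbounded; in a live pipeline it should be computed over a sliding time window so that a legitimate new vendor does not trip it weeks later.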
Because phishing scams target human behavior and error, training to help employees recognize signs of phishing across different attack vectors is a critical and effective deterrent.
When you’re designing an anti-phishing training program, keep the following best practices in mind:
Annual compliance training isn't enough; because phishing threats are dynamic and always changing, training must be frequent and continuous to make sure employees have the most current and accurate information.
Employees are busy and phishing is complex. To account for short attention spans, prioritize brief, digestible, and focused learning modules instead of long, soup-to-nuts training courses.
To increase retention, make learning as relevant and practical as possible by focusing on contextual learning, including scenario-based training and realistic simulations that mimic actual phishing tactics. Real-time feedback when employees fall for simulated attacks also is helpful.
Training should be mandatory for everyone — including senior executives, who are high-value targets and often under-trained in cyber security measures.
Tracking progress over time — including metrics like click rates, reporting rates, and response time — is crucial. Doing so can help companies identify and correct shortcomings while rewarding and incentivizing improvement.
Because cyber criminals are so smart and so persistent, nothing is foolproof. Threat response is therefore just as important as threat prevention.
If an attacker succeeds, CISOs can use techniques like zero trust and least privilege to mitigate risk and prevent damage. These approaches segment the network into isolated zones, require continuous verification for every access request and, as a result, limit attackers’ ability to move laterally.
Phishing may be an old scam tactic, but it’s also an effective one — which is why cyber criminals continue to use it even as technology evolves. Along with email, attackers today are using new vectors like text messaging and video conferencing to make phishing fruitful.
Cloudflare Email Security is the first-line protection for traditional phishing tactics. Cloudflare One expands protection to newer phishing attack vectors by using zero trust. By understanding what phishing attacks look like across platforms and applications, including the impact of AI phishing, CISOs and their security teams can design systems that address vulnerabilities before they become liabilities.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.