Phishing has evolved dramatically in recent years, becoming one of the most persistent and sophisticated cyber threats. In 2024, cybercriminals are using advanced technologies such as Artificial Intelligence (AI), automation and multi-channel tactics to fool even the most robust security systems. These attacks exploit human and technological vulnerabilities, putting companies and individuals at risk. This article explores modern phishing tactics, their impact and how you can protect your business.
According to Infosecurity Magazine, phishing accounts for 90% of cyber attacks on companies and is the gateway to data breaches and ransomware. The sophistication of these attacks requires not only security tools, but also awareness and continuous training.
What is modern phishing and how does it work?
Modern phishing goes beyond generic emails and suspicious links. It uses social engineering and advanced technology to create highly personalized and convincing attacks. According to TechRadar, the adoption of AI by cybercriminals has increased the efficiency of these scams, allowing them to create messages that perfectly simulate legitimate communications, such as bank charges or corporate updates.
The distinguishing feature of modern phishing is its capacity for personalization. For example, criminals use data from social networks and leaks to construct messages that fool even experienced users. In addition, attacks have expanded to channels such as SMS (smishing) and voice calls (vishing), extending their reach and impact.
The most sophisticated phishing tactics for 2025
1. Abuse of Trusted Platforms
One of the most effective and growing techniques is the misuse of reliable hosting platforms such as OneDrive, Google Drive and GitHub. These platforms are widely used by companies and individuals and therefore pass through security filters with ease. By hosting malware and malicious links in apparently legitimate repositories or files, cybercriminals are able to bypass automated security checks.
A recent example is the use of GitHub to host the Remcos RAT malware, which allows attackers to gain full remote control of the victim's device. The attacks begin with fraudulent emails pretending to be legitimate business communications, such as tax deadlines or audit reports. By clicking on the link, the victim is directed to a GitHub repository, where a password-protected ZIP file contains the malware.
How to protect yourself:
- Use verification tools. Always inspect links and files before accessing them.
- Implement sandbox solutions. Analyze suspicious files without compromising your system.
2. Use of malicious QR codes and Blob URIs
The use of QR codes in phishing, also known as "quishing", has grown exponentially.
This emerging technique involves the use of QR codes generated with ASCII and Blob URIs. Initially used to redirect users to legitimate websites, QR codes are now disguised as ASCII text, making it difficult for OCR tools to detect their true purpose. These QR codes are sent to victims via emails or text messages and, when scanned, redirect the victim to phishing pages disguised as legitimate login portals.
Blob URIs, on the other hand, are used to create malicious links that generate phishing pages directly in the victim's browser, without the need for a remote server. This technique evades URL filtering systems, which normally check external links for malicious behavior. Blob URIs create fraudulent pages directly in the browser, bypassing traditional URL checks.
How to mitigate:
- Avoid scanning QR codes from unknown sources. Use applications that check the destination before redirecting.
- Educate your team. Show practical examples of quishing to raise awareness.
3. Automated Phishing and Deepfakes
With the growing use of AI and automation, phishing attacks have become faster and more sophisticated. Cybercriminals are now able to generate mass, personalized and convincing emails based on data collected from the victim themselves.
AI tools allow attackers to simulate legitimate conversations with details that would fool even the most attentive users. In addition, the use of voice and video deepfakes has facilitated vishing attacks (voice phishing), where the voice of a colleague or superior is faked to convince the victim to share sensitive information or carry out financial transactions.
These automated campaigns can also test various approaches until they find one that gets through the security systems. This is especially dangerous for companies, where a simple human error can open the door to large-scale compromises.
How to defend yourself:
- Adopt AI solutions: Advanced tools can identify anomalies and block deepfakes.
- Confirm unusual requests: Always validate requests through different channels before taking action.
4. Smishing with Zero-Click attacks
Smishing, phishing via SMS, has been on the rise in recent years, taking advantage of the trust that many users place in text messages. One of the most worrying developments in 2024 and one that could expand into 2025 is the use of zero-click attacks, where simply receiving a message is enough to compromise the victim's device, without any interaction being required.
According to Infosecurity Magazin , these attacks exploit vulnerabilities in messaging applications and operating systems, allowing attackers to gain access to the device just by sending a specially formatted message.
How to avoid it:
- Update systems regularly. Security patches are essential against exploited vulnerabilities.
- Disable link previews. This reduces the risk of malware being activated automatically.
5. BEC and Call Center Scam
In addition to widely known threats such as phishing via generic emails, more targeted and personalized forms are emerging, such as Business Email Compromise (BEC) and Call Center Scams. These practices focus on exploiting the trust of employees or executives in order to gain quick financial advantages.
Business Email Compromise (BEC)
BEC is a sophisticated technique involving the manipulation of corporate emails. Criminals take control of or spoof the accounts of trusted executives or suppliers to request financial transfers or access to confidential information.
According to Darktrace, the use of AI in these attacks makes it possible to create convincing and urgent messages, making it difficult for the victim to identify them.
For example, scammers can impersonate a CEO by sending an urgent email to the financial sector asking for an immediate bank transfer. Often, this approach includes exploiting times of increased pressure, such as the end of the fiscal year or important corporate events.
How to avoid it:
- Confirm important requests: Always validate financial transactions through another channel, such as a direct phone call to the requester.
- Implement multi-factor authentication (MFA): This reduces the chances of accounts being compromised.
- Train your team: Regular training helps to identify signs of communications fraud.
Call Center Scams
Another increasingly common method is the Call Center Scam, where criminals pose as representatives of legitimate companies to trick employees.
These operations, usually on a large scale, involve telephone contact in which the scammer pretends to be an executive or member of an internal team, demanding quick actions such as the purchase of gift cards or transactions via PIX.
According to Carta Capital, this type of attack has become one of the main forms of corporate extortion, exploiting hierarchical pressure to obtain immediate compliance from employees.
How to avoid it:
- Educate employees: Warning about the tactic and reinforcing the need to validate unusual requests is essential.
- Restrict fast transactions: Create internal protocols for financial transactions, requiring additional checks.
- Continuous monitoring: AI tools can identify suspicious patterns in calls and communications.
Impact of phishing on companies and individuals
Losses for companies
The consequences of a phishing attack are significant for both companies and individuals. For companies, the impacts can include theft of confidential data, financial loss and reputational damage. In addition, a phishing attack can serve as a gateway for ransomware or other malware, resulting in the interruption of operations and the compromise of the entire network.
Companies suffer huge financial losses, operational disruptions and reputational damage. According to CNN Brazil, the global economic impact of phishing can exceed $3 billion a year. In addition, successful attacks often lead to the compromise of entire networks.
Consequences for individuals
For individuals, the consequences include identity theft, loss of personal funds and compromise of private data. In addition, the most sophisticated attacks can generate psychological damage, especially when they result in significant financial losses or the exposure of sensitive information.
According to the Kaspersky portal, the psychological damage caused by financial fraud is increasingly reported, especially in scams involving life savings.
How to protect your business against modern phishing
1. Awareness and education
Regular training is essential. Phishing simulations help prepare your team to recognize evolving attacks. According to the Cofense portal, companies that carry out regular training reduce phishing incidents by up to 80%.
2. Multifactor Authentication (MFA)
Enabling MFA on all critical systems adds an extra layer of protection, making unauthorized access difficult, even in the case of compromised credentials.
3. AI-based tools
Solutions that use AI are able to analyze behavioral patterns and identify anomalies in messages, blocking attacks before they reach the recipient.
4. Continuous monitoring
Implement tools to monitor trusted platforms such as Google Drive and GitHub, identifying and blocking suspicious activity in real time.
5. Systems maintenance
Make sure that all devices, applications and systems are updated to correct vulnerabilities exploited by zero-click attacks.
Cyber security trends in 2025
By 2025, the use of blockchain to authenticate digital identities is expected to increase. According to the Northdoor Blog, this technology can drastically reduce the effectiveness of phishing attacks, ensuring greater security in digital transactions.
In addition, the integration of predictive AI will be crucial to anticipating threats. Companies are increasingly investing in proactive solutions that combine behavioral analysis and machine learning to mitigate risks before they occur.
Modern phishing represents a constantly evolving threat, requiring companies and individuals to stay one step ahead. Investing in advanced technology, such as AI and blockchain, combined with continuous human training, is key to reducing risks and protecting operations.
Want to know more about how to strengthen your company's digital security?
Keep following the Asper blog for up-to-date insights and strategies.
And to find out how Asper can help your company rigorously protect itself from these threats in 2025, just click on the button below, where you will find details of the solutions we have prepared to help your company protect itself.
