Phishing attacks have evolved significantly in 2024, with artificial intelligence and deepfake technology driving increasingly sophisticated social engineering threats. Recent data indicates that these advanced tactics are presenting new challenges for both individual users and organizations, building upon trends first identified by the FBI and CISA in their joint advisory on messaging vulnerabilities.
AI-powered tools are enhancing phishing attempts by eliminating traditional red flags like spelling and grammatical errors. These tools can rapidly generate convincing phishing pages and create malware for secondary attacks. QR code payloads in phishing emails continue to pose significant risks, accounting for 10.8 percent of attacks in 2024, down from 12.4 percent in 2023. The ongoing threat has prompted organizations like Yoti to develop biometric solutions specifically targeting QR code-based threats.
Image-based phishing has emerged as a prominent threat, with 93 percent of IT and security professionals reporting awareness of such attacks targeting their organizations. Despite this awareness, 76 percent of organizations experienced compromises from these attacks within the past year. The integration of Large Language Models (LLMs) has further complicated phishing detection, with 95 percent of IT and security professionals indicating that LLMs make identifying fraudulent communications more challenging.
Organizations are experiencing increased impacts from phishing attacks, with 96 percent reporting negative consequences, marking a 10 percent increase from the previous year. In response, 74 percent of companies have implemented stricter consequences for employees who fall victim to phishing attempts. Many organizations are turning to passwordless authentication solutions like passkeys to enhance their security posture.
File-sharing services have become a significant vector for phishing operations. Between June 2023 and June 2024, researchers documented a 350 percent increase in file-sharing phishing volume. Approximately 60 percent of these attacks exploited legitimate domains, including webmail services, productivity platforms, file storage services, and e-signature solutions. The trend was particularly evident in a recent major DocuSign phishing campaign that targeted corporate credentials across the US and Europe.
AI tools are being used to analyze social media activity for gathering target information, enabling scammers to create highly personalized messages that appear to originate from trusted contacts. The communications often demonstrate sophisticated composition and formatting that closely mirrors legitimate correspondence. Behavioral biometrics technology is emerging as one counter-measure to detect such AI-driven social engineering attempts.
Security measures recommended by experts include avoiding interaction with unsolicited email links and implementing two-factor authentication for account security. Traditional email security systems have shown limitations in detecting these advanced phishing attempts, particularly those using AI-generated content. CISA's latest mobile security guidelines specifically recommend FIDO-based authentication methods as a more phishing-resistant alternative to conventional second factors: a one-time code from SMS or an authenticator app is just a string the victim can be tricked into typing into a lookalike page and the attacker can relay to the real site, whereas a FIDO credential is bound to the site's origin and the authenticator signs over that origin, so an assertion obtained on a phishing domain does not verify at the legitimate service.
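To make that last point concrete, the following is an added example, not code from any of the cited sources or from CISA, contrasting a TOTP login with a simplified WebAuthn-style assertion check on the relying-party side. The relying-party ID example.com, its origin, the attacker's lookalike domain, the challenge and the credential key are all constructed for the demo; the authenticator's ECDSA signature is replaced by an HMAC over the same data so the block runs with the standard library only; the TOTP secret is the RFC 6238 test value.

```python
import base64
import hashlib
import hmac
import json
import struct

RP_ID = "example.com"                 # constructed relying-party ID
RP_ORIGIN = "https://example.com"     # the only origin the RP will accept
PHISH_RP_ID = "login-verify.example"  # constructed lookalike domain
PHISH_ORIGIN = "https://example.com.login-verify.example"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# --- Conventional second factor: RFC 6238 TOTP ---------------------------------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Standard TOTP (HMAC-SHA1, dynamic truncation)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def otp_login(secret: bytes, submitted_code: str, unix_time: int) -> bool:
    # The server has no way to know which page the user typed the code into:
    # a code captured by a proxy page and forwarded within the window is valid.
    return hmac.compare_digest(totp(secret, unix_time), submitted_code)


# --- FIDO/WebAuthn-style assertion ---------------------------------------------
def authenticator_sign(cred_key: bytes, rp_id_seen: str, origin_seen: str, challenge: bytes):
    """Simulated browser + authenticator. The browser records the origin it is
    actually on in clientDataJSON and only allows an rpId matching that origin;
    the authenticator signs authenticatorData || SHA-256(clientDataJSON).
    Real authenticators sign with the credential's ECDSA key; HMAC stands in here."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": _b64url(challenge), "origin": origin_seen},
        separators=(",", ":"),
    ).encode()
    # authenticatorData: rpIdHash(32) || flags(1, UP set) || signCount(4)
    auth_data = hashlib.sha256(rp_id_seen.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    sig = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return client_data, auth_data, sig


def verify_assertion(cred_key: bytes, expected_challenge: bytes,
                     client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks from the WebAuthn assertion verification procedure."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != _b64url(expected_challenge):
        return False                                   # replay / wrong session
    if cd.get("origin") != RP_ORIGIN:
        return False                                   # the phishing-resistance check
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                                   # wrong rpId
    if not auth_data[32] & 0x01:
        return False                                   # user presence flag not set
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)          # signature covers origin + rpIdHash


def run_scenarios() -> dict:
    """Constructed scenarios: legitimate login, relayed phishing attempt, forged fields."""
    secret = b"12345678901234567890"          # RFC 6238 test secret
    cred_key = b"constructed-credential-key"  # stands in for the registered public key
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")
    now = 59

    # 1. OTP: victim types the code into the lookalike page; attacker relays it.
    code = totp(secret, now)
    otp_relay_accepted = otp_login(secret, code, now)

    # 2. FIDO on the genuine site.
    fido_legit_accepted = verify_assertion(cred_key, challenge,
                                           *authenticator_sign(cred_key, RP_ID, RP_ORIGIN, challenge))

    # 3. FIDO on the lookalike site: browser fills in the phishing origin/rpId.
    phished = authenticator_sign(cred_key, PHISH_RP_ID, PHISH_ORIGIN, challenge)
    fido_relay_accepted = verify_assertion(cred_key, challenge, *phished)

    # 4. Attacker rewrites origin and rpIdHash to the real values but cannot re-sign.
    forged_cd = phished[0].replace(PHISH_ORIGIN.encode(), RP_ORIGIN.encode())
    forged_auth = hashlib.sha256(RP_ID.encode()).digest() + phished[1][32:]
    fido_forged_accepted = verify_assertion(cred_key, challenge, forged_cd, forged_auth, phished[2])

    return {
        "otp_code": code,
        "otp_relay_accepted": otp_relay_accepted,
        "fido_legit_accepted": fido_legit_accepted,
        "fido_relay_accepted": fido_relay_accepted,
        "fido_forged_accepted": fido_forged_accepted,
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The relayed TOTP is accepted because the code carries no information about where it was entered, while the relayed and the forged FIDO assertions both fail: the first on the origin and rpIdHash checks, the second on the signature, which covers exactly those fields. In a real deployment the browser would also refuse to mint an assertion for example.com from the lookalike origin at all; the example shows the relying-party checks that hold even if it did.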
Sources: Help Net Security, Krebs on Security, Economic Times, TWiT.TV, Google Groups