Blog | Mar 19, 2025 | 4 min read

Modern Phishing Defense in the Age of Social Engineering

How phishing has evolved beyond Nigerian prince emails and what defenses actually work against today's targeted attacks.

By 3SN Team
#phishing #social-engineering #email-security #awareness-training #threat-detection

Phishing is not what it used to be

The phishing attacks your users see today bear little resemblance to the clumsy emails of a decade ago. Modern phishing is targeted, timely, and technically sophisticated. Attackers research their targets on LinkedIn, time their emails to coincide with real business events, and use infrastructure that passes basic reputation checks.

The result: traditional filters catch the obvious spam, but the dangerous emails land in inboxes anyway. When a message references a real project, uses correct names and titles, and links to a domain that looks almost right, users click. Not because they are careless. Because the attack is convincing.

This post covers what has changed and what defenses actually work against modern social engineering.

How phishing evolved

From broadcast to spear: Mass phishing still exists, but the real damage comes from targeted attacks. An attacker might spend weeks researching a single organization, identifying reporting relationships, and crafting messages that reference real people and projects.

From generic to contextual: Modern phishing emails do not just say "click here." They reference a recent invoice, a pending deal, or a supposed security alert. The context makes the request feel legitimate.

From links to attachments: Malicious attachments have made a comeback. Attackers embed macros in legitimate-looking documents or use archive files that bypass basic scanning. The payload executes after the user opens what looks like a normal spreadsheet.

From external to compromised accounts: Some of the most effective phishing comes from compromised vendor or partner accounts. When your supplier's actual email sends an invoice with updated banking details, even careful users may comply.

Technical defenses that matter

DMARC, SPF, and DKIM: These email authentication protocols help prevent domain spoofing. If you have not implemented DMARC at enforcement level, that should be your first priority.
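
To check where a domain stands, the added example below (not from the original post) parses a DMARC TXT record and classifies it. It assumes "enforcement level" means p=quarantine or p=reject applied to 100% of mail and to subdomains; the function names and sample records are constructed for illustration.

```python
# Added example: classify a DMARC TXT record by how strongly it is enforced.

def parse_dmarc(txt):
    """Split a DMARC record into a tag dict; raise ValueError if malformed."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # RFC 7489: the version tag must come first and be exactly DMARC1.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    return tags

def enforcement_level(txt):
    """Return 'invalid', 'monitoring', 'partial' or 'enforced'."""
    try:
        tags = parse_dmarc(txt)
    except ValueError:
        return "invalid"
    policy = tags.get("p", "").lower()
    pct = tags.get("pct", "100")            # pct defaults to 100
    sub = tags.get("sp", policy).lower()    # sp defaults to the p value
    valid = ("none", "quarantine", "reject")
    if policy not in valid or sub not in valid:
        return "invalid"
    if not pct.isdigit() or int(pct) > 100:
        return "invalid"
    if policy == "none":
        return "monitoring"   # reports only; spoofed mail is still delivered
    if int(pct) < 100 or sub == "none":
        return "partial"      # part of the mail, or all subdomains, escape
    return "enforced"

# Constructed sample records (not real DNS data).
SAMPLES = [
    "v=DMARC1; p=none; rua=mailto:dmarc@corp.example",
    "v=DMARC1; p=quarantine; pct=25",
    "v=DMARC1; p=reject; sp=none",
    "v=DMARC1; p=reject; rua=mailto:dmarc@corp.example",
    "p=reject; v=DMARC1",
]

if __name__ == "__main__":
    for record in SAMPLES:
        print(f"{enforcement_level(record):<10} {record}")
```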

URL rewriting and sandboxing: Modern email security platforms rewrite links to scan destinations in real time and sandbox attachments before delivery. These are not perfect, but they catch a significant percentage of attacks.

Browser isolation: For high-risk users, browser isolation prevents malicious sites from executing code on local machines even if a user clicks a bad link.

Behavioral detection: Advanced tools look for unusual patterns: logins from impossible geographies, access outside normal hours, or requests for sensitive data that break typical workflows.
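
The "impossible geographies" check can be sketched as follows. This is an added example, not code from the original post or any specific product; the 900 km/h speed limit, the 50 km noise floor, and the login events are assumptions constructed for illustration.

```python
# Added example: flag consecutive logins that imply impossible travel speed.
import math
from datetime import datetime

MAX_KMH = 900.0   # assumed limit, roughly airliner cruise speed
MIN_KM = 50.0     # assumed floor to ignore geo-IP jitter within one metro area

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat = p2 - p1
    dlon = math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(events, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Return (user, previous_time, current_time, km) for suspicious login pairs."""
    last_seen = {}
    alerts = []
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e[1]))
    for user, ts, lat, lon in ordered:
        when = datetime.fromisoformat(ts)
        if user in last_seen:
            prev_when, prev_lat, prev_lon = last_seen[user]
            km = haversine_km(prev_lat, prev_lon, lat, lon)
            hours = (when - prev_when).total_seconds() / 3600
            # Zero elapsed time over a real distance is always impossible.
            if km >= min_km and (hours == 0 or km / hours > max_kmh):
                alerts.append((user, prev_when.isoformat(), when.isoformat(), round(km)))
        last_seen[user] = (when, lat, lon)
    return alerts

# Constructed login events: (user, ISO timestamp, latitude, longitude).
EVENTS = [
    ("alice", "2025-03-19T08:00:00", 40.71, -74.01),   # New York
    ("alice", "2025-03-19T09:30:00", 51.51, -0.13),    # London, 90 minutes later
    ("bob",   "2025-03-19T08:00:00", 40.71, -74.01),   # New York
    ("bob",   "2025-03-19T20:00:00", 51.51, -0.13),    # London, 12 hours later
    ("carol", "2025-03-19T08:00:00", 40.71, -74.01),   # New York
    ("carol", "2025-03-19T08:00:30", 40.74, -74.17),   # ~14 km away, geo-IP noise
]

if __name__ == "__main__":
    for alert in impossible_travel(EVENTS):
        print(alert)
```

VPN exit nodes and inaccurate geo-IP data will trigger this rule, so treat a hit as a signal to correlate with other evidence rather than as proof of compromise.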

The human layer: training that works

Technology alone will not stop phishing. Attackers target people, not just systems. But traditional training (annual videos, fake phishing tests) has limited impact. More effective approaches include:

Just-in-time warnings: Instead of annual training, warn users at the moment of risk. If an email contains external links, display a banner. If a domain was registered recently, flag it.
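
A minimal version of that banner logic, as an added example that is not part of the original post. The organization domain, the 30-day threshold, and the REGISTERED table (a stand-in for a WHOIS/RDAP registration-date lookup) are assumptions constructed for illustration.

```python
# Added example: decide which warning banners to attach to an HTML email body.
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlsplit

INTERNAL = {"corp.example"}   # assumed organization domain
NEW_DOMAIN_DAYS = 30          # assumed "recently registered" threshold
# Constructed stand-in for a WHOIS/RDAP registration-date lookup.
REGISTERED = {
    "corp-example-billing.example": date(2025, 3, 10),
    "vendor.example": date(2014, 6, 1),
}

class LinkCollector(HTMLParser):
    """Collect the hostname of every <a href=...> in a message body."""
    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            host = (urlsplit(href).hostname or "").rstrip(".").lower()
            if host:
                self.hosts.append(host)

def is_internal(host):
    # Match on a label boundary so corp.example.attacker.example is external.
    return any(host == d or host.endswith("." + d) for d in INTERNAL)

def registration_date(host):
    """Walk up the labels until a known registered domain is found."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        found = REGISTERED.get(".".join(labels[i:]))
        if found:
            return found
    return None   # unknown age: no new-domain banner is raised

def banners(html_body, today):
    parser = LinkCollector()
    parser.feed(html_body)
    external = sorted({h for h in parser.hosts if not is_internal(h)})
    result = ["external-links"] if external else []
    for host in external:
        registered = registration_date(host)
        if registered and (today - registered).days < NEW_DOMAIN_DAYS:
            result.append(f"new-domain:{host}")
    return result

# Constructed message body.
BODY = ('<p>Invoice ready: <a href="https://login.corp-example-billing.example/pay">'
        'pay now</a> or see <a href="https://intranet.corp.example/help">help</a>.</p>')
```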

Report phishing buttons: Make it easy for users to report suspicious emails. Each report becomes a signal for your security team and helps identify campaigns targeting your organization.

Positive reinforcement: When users catch real attacks, acknowledge it. Security culture improves when reporting feels valued, not punitive.

The incident response checklist

When phishing succeeds, speed matters. Have this checklist ready before you need it:

  • Identify the scope: which users clicked, what data was entered, what files were opened
  • Reset credentials for affected accounts immediately
  • Check for lateral movement: unusual logins, new email rules, forwarded messages
  • Preserve evidence: save headers, capture screenshots, export mailboxes if needed
  • Notify affected parties: users, partners, or customers if their data was exposed
  • Update defenses: block identified domains, add sender patterns to filters, brief the team on the attack vector
  • Document lessons: update playbooks, training materials, and technical controls based on what failed

Building resilience

The goal is not perfect prevention. That is impossible. The goal is resilience: detecting attacks quickly, responding effectively, and making your organization a harder target than the next one on the list.

For more on building organizational security posture, see our post on Building a Human Firewall Through Security Culture. The combination of smart tools and prepared people is what makes the difference between a near-miss and a breach.


Disclaimer: This post is for educational and informational purposes only and does not constitute legal, compliance, or professional security advice.