This article will cover phishing threats from the perspective of CISOs. Please spare a thought for them. They are continuously in the line of fire from the top leadership, who ask them, “Why, despite a growing cybersecurity budget, are cyberattacks still a big concern?” At the other end, they have their hands full with addressing attacks that are becoming more sophisticated by the day. This is our attempt to make life a little bit easier for them.
The Evolving Threat Landscape of AI Phishing
One word. Artificial Intelligence. We keep hearing about how AI is transforming tech deployments and deliverables across different industries. Unfortunately, AI is also becoming an agent of chaos in phishing. Forget about expert cybercriminals; even amateurs can develop and launch sophisticated attacks courtesy of AI-driven phishing toolkits. The emergence of AI-powered chatbots, such as GhostGPT, which are designed explicitly for cybercriminals, further complicates the threat landscape.
Despite advanced defenses, phishing remains a highly popular attack method and persists:
- Email phishing attacks hit 57% of organizations on a daily/weekly basis, while nearly 1.2% of all global emails are malicious. That translates to a staggering 3.4 billion phishing messages flooding inboxes every single day.
- Between September 15, 2024, and February 14, 2025, phishing emails surged by 17.3% [1] over the previous six months. Of these, a staggering 82.6% showed clear signs of AI involvement.
- Impersonation scams fueled by AI are up 148%, [2] as criminals increasingly rely on deepfake voices and synthetic media to trick victims into handing over money or sensitive data.
We are now witnessing a revolution in phishing with its transformation into a full-fledged industry, powered by the rise of Phishing-as-a-Service (PhaaS) platforms. According to The Wall Street Journal [3], cybercriminal groups now sell ready-made toolkits, such as EvilProxy, Tycoon 2FA, and Haozi, that offer drag-and-drop phishing templates, campaign dashboards, and even customer support. Another key accelerator of this industry is the reach amplification delivered by AI, which includes polished emails, deepfake voices, and automated variations.
CISOs are no longer addressing scattered threats but organized business models. Therefore, the cybersecurity framework used to counter scams must be reworked accordingly. They are up against a mature ecosystem of cybercriminals that is making defense even more complex.
Emerging Techniques Driving the Next Wave of Phishing Attacks
As phishing matures into an industry, attackers continue to innovate beyond traditional email lures. Today’s campaigns are exploiting the blind spots in modern security practices and everyday user behavior, leading to a new wave of techniques that are both harder to detect and harder to defend against.
MFA Fatigue Attacks
Just a few years ago, MFA, or Multi-Factor Authentication, was highly regarded by cybersecurity experts. Times have changed. Attackers now swamp users with endless push notifications to provoke a frustration-driven or complacent approval. Imagine an employee suffering from MFA fatigue. This employee receives an email tricking them into attempting a login on a spoofed portal. This action triggers an overwhelming number of push notifications. The intended victim ignores these until accidentally giving the required approval.
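As an added example (not code from the original article), the following Python detection logic runs over constructed MFA push-notification log lines and flags the pattern just described: a user who approves a push only after several prompts were denied or timed out within a short window. The log format, field names and event values are assumptions, not any vendor's real schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data), one push-notification event per line.
# Field names and event values are assumptions, not any specific MFA vendor's format.
SAMPLE_LOG = """\
2025-03-01T09:14:02Z user=alice event=push_sent src=203.0.113.7
2025-03-01T09:14:40Z user=alice event=push_denied src=203.0.113.7
2025-03-01T09:15:05Z user=alice event=push_sent src=203.0.113.7
2025-03-01T09:15:50Z user=alice event=push_timeout src=203.0.113.7
2025-03-01T09:16:10Z user=alice event=push_sent src=203.0.113.7
2025-03-01T09:16:30Z user=alice event=push_denied src=203.0.113.7
2025-03-01T09:17:01Z user=alice event=push_sent src=203.0.113.7
2025-03-01T09:17:20Z user=alice event=push_approved src=203.0.113.7
2025-03-01T09:20:00Z user=bob event=push_sent src=198.51.100.4
2025-03-01T09:20:15Z user=bob event=push_approved src=198.51.100.4
"""

def parse_line(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_mfa_fatigue(log_text, window=timedelta(minutes=10), min_prompts=3):
    """Flag approvals that follow a burst of prompts the user had denied or ignored.

    An approval preceded by at least `min_prompts` pushes, most of them denied or
    timed out within `window`, matches the fatigue pattern rather than a normal login.
    """
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_user[rec["user"]].append(rec)
    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            if rec["event"] != "push_approved":
                continue
            prior = [r for r in recs[:i] if r["ts"] >= rec["ts"] - window]
            sent = sum(r["event"] == "push_sent" for r in prior)
            rejected = sum(r["event"] in ("push_denied", "push_timeout") for r in prior)
            if sent >= min_prompts and rejected >= min_prompts - 1:
                alerts.append({"user": user, "approved_at": rec["ts"].isoformat(),
                               "prompts": sent, "rejected": rejected, "src": rec["src"]})
    return alerts
```

Bob's single prompt and approval is a normal login and produces no alert; Alice's approval after four prompts and three rejections does.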
Quishing
No, this isn’t a Chinese city, but a portmanteau of QR code phishing. QR codes have become a way of life across the globe, and, true to their nature, cybercriminals want to make that way of life miserable for you. They now embed malicious links inside QR codes. This is effective because QR codes look harmless and are trusted by most people, and because the link is hidden inside an image, QR codes can also bypass email filters designed to catch suspicious URLs. If you receive one in an email, you might act on it in an unguarded moment.
Callback Phishing
When you come across a link in an email, you can take your time figuring out whether the link is malicious or not. But what happens when you get a call? At the other end of the call is a trickster whose sole purpose is to create psychological pressure, and this is achieved step by step. The first step in this process is a phishing email that instructs the intended victims to call a specific number, presented as an IT helpdesk, billing support, or even security verification. On the call, the attacker convinces the target to disclose credentials, install malware, or make fraudulent payments.
Hybrid Attacks
Multi-channel attacks are the norm. Think a combination of email phishing, voice phishing, and other channels. The focus is on reinforcing the phish or the scam. Imagine a user receiving the first phish via email that encourages urgent action, followed by a phone call reinforcing this message. To bolster the phishing attack, a deepfake video might even be added to the mix. This multi-channel approach increases credibility and raises the likelihood of success.
Collaboration Platform Phishing
The increasing use of collaboration platforms, such as Slack and Microsoft Teams, has put these platforms in the crosshairs of attackers. Employees receive malicious messages mimicking internal notifications, which, because of AI usage, look legitimate and foster trust. As email security improves, adversaries are increasingly exploiting these adjacent channels, making collaboration apps the new extension of the phishing battlefield. This is a critical CISO problem area: attackers are not only moving to new channels, but also combining these channels with email to enrich the attack.
Tactics Behind Business Email Compromise
If CISOs are asked to pick the most damaging form of phishing, most will pick BEC, or Business Email Compromise. As the name suggests, the objective of BEC is to lure employees into making fraudulent payments or disclosing sensitive data. This is done by impersonating top leadership, executives, and trusted partners. Cybercriminals hack into their accounts and send emails that you are primed to trust. BEC is more dangerous than other phishing attacks because it is not perpetrated on a mass scale. It is targeted, subtle, and a persistent threat. With the rise of AI-powered tools, BEC attacks continue to improve.
Here are some statistics [4] that give you an idea about the extent of the problem:
- BEC incidents surged 30% by March 2025, underscoring their rapid growth.
- 13% jump in Q1 2025 alone, fueled by a rise in gift card scams.
- Over 50% of social engineering cases now stem from BEC.
- Small firms aren’t spared — even those with <1,000 employees face a 70% weekly likelihood of a BEC attempt.
- The average fake wire transfer request hit $24,586 at the start of 2025.
These are some of the most common tactics:
Pretexting
Pretexting is a BEC tactic that depends on creating a very believable storyline. The targets don’t suspect the story is false. The criminal will contact you posing as an auditor, HR staff, or a member of the IT team, and will appear to validate their credentials. The idea is to lower an employee’s defenses, create urgency, and above all, make them feel that the request being made is nothing out of the ordinary.
Identity Spoofing and Executive Impersonation
We have heard this umpteen times. An employee receives an email from a colleague, vendor, boss, partner, or client. Unfortunately, this is a fake email; however, the headers and domains are modified in a manner that, at first glance, makes these emails look authentic. Typically, these emails appear to come from high-ranking stakeholders. This pressures employees to reply quickly rather than scrutinize the message. Such emails have a bigger chance of bypassing checks.
Deepfake Audio and Video
If you follow phishing attacks, you will be aware that an employee in an engineering company was duped into sending HK$200m to criminals [5]. The driving agent of this dupe was an AI-generated video. This is not a one-off, and there are many such cases of deepfake audio and video hitting pay dirt. Attackers now have the capability to clone your CEO’s voice or produce a deepfake video that asks a particular employee to take a certain action. These fake audios and videos will become increasingly difficult to distinguish from the real deal over time. Imagine such attacks becoming part of a bigger plan that includes emails and phishing messages. They will become even harder to distinguish.
Invoice and Payment Diversion
A BEC tactic that can result in a mammoth payday for cybercriminals is mimicking legitimate business transactions. These can take the form of invoices, alterations in payment details, or posing as “legitimate” suppliers, saying their banking information has changed. Funds are diverted into accounts controlled by these cybercriminals; since these payment requests align with business activities, they often go unnoticed.
Deceptive Signatures
Cybercriminals can manipulate an email signature, making changes that are so convincing they can bypass scrutiny. Your company logos, contact details, email address, and more are replicated to ensure that a fraudulent email appears routine and trustworthy. The human mind is attuned to looking for visual cues and signals. Imagine an employee receiving an email with a deceptive signature, but one that has all the visuals that your eye has come to identify as routine. In such cases, these emails can bypass checks.
With the average cost of a data breach from BEC estimated at $4.89M, second only to ransomware, this is the phishing attack that CISOs must treat as a top priority.
Exploiting Trust from Inside and Outside the Organization
BEC attacks illustrate how attackers victimize employees who work for a particular organization. However, weaponization of phishing can happen from the outside in as well. Think supply chains. Cybercriminals can exploit the same psychological levers, namely authority, fear, uncertainty, doubt, and familiarity, to hack into third-party vendor systems. This allows them to infiltrate your organization via a trusted partner’s compromised account. CISOs have already started taking cognizance of growing attack surfaces that extend beyond the perimeter of their organization.
Supply Chain Phishing Attacks
The Zipline phishing campaign [6] is in the news these days. The attacker focused on supply-chain-dependent industries. Such attacks demonstrate that your supply chains aren’t secure.
Here’s the anatomy of a supply chain attack:
A mid-tier auto parts supplier is approached by a new vendor that appears legitimate, offering to maximize operational process efficiency. The charges are a steal, and the references look so genuine that the supplier doesn’t feel the need to check them. The marketing material is meaningful, the emails are polite and professional, and the website is visually appealing. After a few weeks of back-and-forth, the vendor asks the company to sign an NDA before sharing sensitive documents. The NDA arrives as a ZIP file.
Inside, hidden alongside the harmless paperwork, is a piece of malicious code. The moment it’s opened, attackers gain a foothold in the supplier’s systems. They steal important information, including production schedules, product data, sensitive credentials, and more. This enables the attackers to launch sophisticated phishing attacks at downstream manufacturers. These take the form of fake invoices, fraudulent parts, and more.
How Can CISOs Stay One Step Ahead of Attackers?
CISOs must move from a reactive to a proactive strategy that ups the ante against phishing attacks. Given that they are in the firing line if things go south, they must lead the charge to create an anti-phishing framework tailored to their organization’s specific needs.
- Combat AI Phishing with AI-Driven Defense
AI-led phishing attacks are now becoming a clear and persistent danger for enterprises alongside ransomware and insider attacks, with generative tools creating deeply personalized, hard-to-detect scams.
Strategy: Leverage AI-driven detection tools to counter AI-powered attacks by utilizing behavioral analytics and anomaly spotting.
- Zero Trust in Communication
Don’t rely on email headers. Deepfake voices and spoofed exec messages are flooding your employees’ inboxes.
Strategy: Implement identity verification protocols. This includes voice callbacks, secure multi-channel confirmation, and any other features that align with your organization. For external correspondence, adopting Verified Mark Certificates (VMC) and Common Mark Certificates (CMC) can help establish visual trust by displaying verified brand identities in supported inboxes. They make it harder for attackers to impersonate executives or corporate domains.
- Advanced Email Security
Don’t rely on traditional security, as AI-based phishing attacks can easily bypass legacy protocols. More importantly, advanced email security shouldn’t be driven by a single point product.
Strategy: Layer AI-native email security that leverages intent-aware detection, contextual behavior models, and real-time threat intelligence. Complement these systems with strong domain authentication frameworks like DMARC to validate sender legitimacy and BIMI to visually confirm trusted brand identities in inboxes. This dual assurance, technical and visual, strengthens user confidence while filtering out impersonation attempts before they reach employees.
- Role-Based Phishing Simulations & Training
Your employees can be the weakest link in cybersecurity. Not every employee will take phishing threats seriously, and many will struggle to identify a phishing attack if they have been targeted.
Strategy: Use a combination of next-gen phishing attack simulation tools and adopt phishing awareness training.
- Vendor Risk Assessments
Supply chain breaches are now common, and the real target of these breaches might not be your vendors, but your organization. This assumption should drive your security strategy.
Strategy: Verify vendor certifications for GDPR, SOC 2, and other industry-specific compliance requirements. Ensure that vendors comply with the security protocols you deem necessary to address phishing threats.
- Incident Response Planning
What happens after an incident (phishing attack)? What is the next strategic set of steps that will help you contain the attack? Always plan for a worst-case scenario.
Strategy: You need to develop a playbook for incident response. Identify the proper communication channels (internal and external) for the right response messaging. Also, conduct exercises that include vendor collaboration to test readiness.
- Board-Level Reporting
Phishing defense boosts business continuity and, therefore, is a strategic exercise. Make sure you prepare a solid phishing business case and get the buy-in of your board for your anti-phishing strategy.
Strategy: Elevate phishing risk as part of enterprise resilience. Use concise metrics and financial risk modeling to align cybersecurity with strategic business priorities.
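As an added example illustrating the DMARC and BIMI guidance under Advanced Email Security (not code from the original article), this Python check parses a DMARC TXT record, reports the settings that leave a domain spoofable, and tells whether the domain meets the enforcement level BIMI requires before a logo is displayed. The sample records and the example.com domain are constructed.

```python
# Constructed sample records (not real domains): a monitoring-only DMARC policy
# beside an enforcing one, and a BIMI record that only the enforcing policy unlocks.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"
BIMI_RECORD = "v=BIMI1; l=https://example.com/brand/logo.svg; a=https://example.com/brand/vmc.pem"

def parse_tags(record):
    """Split a 'k=v; k=v' TXT record into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """Return (bimi_ready, findings); findings lists settings that still allow spoofing."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return False, ["not a DMARC record"]
    policy = tags.get("p", "none")
    sub_policy = tags.get("sp", policy)      # sp defaults to the organizational policy
    pct = int(tags.get("pct", "100"))        # share of failing mail the policy applies to
    findings = []
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif pct < 100:
        findings.append(f"pct={pct} leaves {100 - pct}% of failing mail unenforced")
    if sub_policy == "none":
        findings.append("sp=none leaves subdomains spoofable")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are never collected")
    # BIMI displays a logo only for domains enforcing quarantine (pct=100) or reject.
    bimi_ready = policy in ("quarantine", "reject") and pct == 100 and sub_policy != "none"
    if not bimi_ready:
        findings.append("BIMI requires p=quarantine (pct=100) or p=reject, with sp not none")
    return bimi_ready, findings

def assess_bimi(record):
    """Return findings for a BIMI record: the logo must be HTTPS; a VMC/CMC (a=) is optional."""
    tags = parse_tags(record)
    findings = []
    if tags.get("v") != "BIMI1":
        findings.append("not a BIMI record")
    if not tags.get("l", "").startswith("https://"):
        findings.append("logo URL (l=) must be served over HTTPS")
    if "a" not in tags:
        findings.append("no VMC/CMC (a=); some mailbox providers will not display the logo")
    return findings
```

Run `assess_dmarc` against the weak record to see the findings a CISO would want closed before publishing a BIMI logo; the strong record returns no findings.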
Conclusion
Phishing isn’t going away anytime soon. No, that isn’t because your defensive framework is weak, but because of the human element. The key is CISO and employee vigilance. As a CISO, you must create an environment that is supported by the best defenses available, but also by security-aware people with a handle on the threat landscape. It is a coming together of people, process, and technology that will deliver you from phishing.
References:
- [1] https://www.knowbe4.com/press/new-knowbe4-report-reveals-a-spike-in-ransomware-payloads-and-ai-powered-polymorphic-phishing-campaigns
- [2] https://moonlock.com/ai-impersonation-scams
- [3] https://www.wsj.com/articles/do-it-yourself-cyberattack-tools-are-booming-7ce1445d
- [4] https://hoxhunt.com/blog/business-email-compromise-statistics
- [5] https://www.theguardian.com/technology/article/2024/may/17/uk-engineering-arup-deepfake-scam-hong-kong-ai-video
- [6] https://industrialcyber.co/manufacturing/zipline-phishing-campaign-uses-social-engineering-to-target-manufacturing-critical-supply-chains/
