28 Oct 2024

A quick guide through phishing

We spoke during our cybersecurity awareness month two years ago; what has changed for you?

Over the past two years, there’s been a noticeable shift in the cybersecurity landscape, particularly in how phishing attempts have become more sophisticated and targeted. With the growing complexity of phishing tactics, we’ve had to ramp up our defences, not just with better tools, but through ongoing education for the team. 


Why is phishing such an important topic nowadays?

Phishing remains one of the most effective methods for attackers to compromise systems. Despite all the technological advancements, human error continues to be a weak link. Phishing attacks are increasingly targeted, using social engineering techniques that can bypass even the most sophisticated security systems by tricking individuals into giving up credentials or installing malware. The impact can be devastating, especially in a sector like ours, where data security is paramount for both operational integrity and customer trust.

When people think of phishing scams, they often imagine a rich prince or a member of a royal family offering money. Is this still a common tactic, or have scammers evolved their approach?

The “Prince” or “Member of royal family” scam is still around, but scammers have evolved significantly. Today’s phishing tactics are much more subtle and convincing. They mimic trusted sources, like legitimate businesses, service providers, or even colleagues. A lot of flight scheduling software providers have seen phishing attempts that impersonate internal communications, making it harder to immediately recognize as a scam. Attackers are also leveraging current events—like COVID-19 or urgent requests for payment or account verification—to exploit vulnerabilities.

How have phishing scams evolved over the years? What are some of the new tactics that scammers use today?

Phishing scams have become far more sophisticated and targeted. Scammers now use spear-phishing, which targets specific individuals or organisations with personalised messages, making it seem like the email is coming from a known and trusted source. Business Email Compromise (BEC) has become another big threat, where attackers trick executives or finance teams into transferring money by impersonating senior officials. We’ve also read about the rise of "vishing" (voice phishing) and "smishing" (SMS phishing), where attackers contact victims through phone calls or text messages, making the phishing landscape much more diverse.

What are some key signs that an email or message might be a phishing attempt?

There are several red flags to look out for. While most people would ignore an unexpected request for personal information or login credentials, they can now come from trusted sources. Scammers often employ tactics of urgency or fear, threatening to close your account or take legal action if you do not respond immediately. In some cases, they may ask you to bypass regular security procedures, such as requesting payment through unusual methods. Although becoming less common in sophisticated phishing attempts, poor spelling or grammar can still be a clear indication of fraud. You should also be cautious of unsolicited attachments or links, particularly from unknown senders. Always examine URLs and email addresses carefully—any discrepancies or subtle changes from official domains, even if they look convincing, should raise suspicion.

If someone suspects they have received a phishing email, what immediate steps should they take?

First and foremost, don’t click on any links or download any attachments. Report the email to your IT or security team right away. Most companies, including ours, have a procedure in place to analyse and blacklist phishing attempts. If the email came from a source that seems familiar, verify it by contacting the sender through a different communication channel. Lastly, flag the email as phishing in your email client so the system can help block similar attempts in the future.

What long-term measures can individuals and businesses implement to protect themselves against phishing attacks?

One of the most effective long-term measures is implementing strong email filtering systems that use machine learning to detect and block phishing attempts. Multi-factor authentication (MFA) should be mandatory, so even if a password is compromised, attackers can’t gain access easily. Regularly updating software and systems ensures that known vulnerabilities can’t be exploited. On the human side, ongoing phishing awareness training is essential, as it helps employees recognize and report phishing attempts before they cause harm. Finally, having a solid incident response plan ensures that if a phishing attack does succeed, your team knows how to minimise damage.

How has AI influenced the landscape of phishing scams? Are scammers using AI to create more convincing phishing attempts?

AI has definitely become a double-edged sword in cybersecurity. Attackers are using AI to automate and enhance their phishing campaigns. AI-driven tools can create highly personalised phishing emails by scraping data from social media or other online sources. These AI-generated emails are often indistinguishable from genuine communications, making it much harder for individuals to recognize a scam. Deepfake technology, combined with AI, is also starting to be used to impersonate executives’ voices or even generate video messages, adding another layer of complexity to phishing attempts.

On the flip side, how is AI being used to detect and prevent phishing attacks?

AI is also a powerful defence tool against phishing. AI-based email filters analyse vast amounts of data and learn from past phishing attempts to recognize new ones. These systems can detect anomalies in writing style, analyse the structure of emails, and even predict likely phishing targets within an organisation. AI-powered threat intelligence platforms can track phishing campaigns across the web and shut them down before they reach their targets. Additionally, AI is used to monitor user behaviour, flagging any unusual activities that might suggest an account has been compromised.

Can you share any examples or case studies of particularly sophisticated phishing scams that have been encountered recently?

One example involved a targeted phishing campaign against a financial officer at a business aviation firm. The attacker impersonated a senior executive using a very convincing email that referenced an upcoming business trip, which is common in our sector. The email requested the transfer of funds to a supposed new vendor account. Fortunately, the finance team spotted an inconsistency in the tone of the email and escalated it to the IT team, who confirmed it was a phishing attempt. Another case we’ve seen involved "clone phishing," where attackers replicated a legitimate email thread but inserted malicious links in new responses, tricking recipients into thinking they were following up on a legitimate conversation.

How important is user education in combating phishing scams? What resources or training would you recommend for someone looking to learn more?

User education is absolutely critical. No matter how advanced your technical defences are, phishing ultimately targets the human element. Regular training, like simulated phishing exercises, helps employees stay alert and understand what to look for. I recommend resources like the SANS Institute, PhishMe, and KnowBe4, which offer training programs and awareness tools. For businesses, conducting regular security audits and training helps build a culture of vigilance, ensuring that everyone understands their role in maintaining security.

What do you see as the future trends in phishing scams? How might they continue to evolve?

Looking ahead, I think we’ll see more phishing attempts using AI and machine learning to craft even more convincing scams, including deepfake videos and audio. As businesses adopt new technologies like IoT and cloud services, attackers will likely exploit those platforms. We may also see an increase in phishing attacks targeting mobile devices, as employees use them more frequently for work. It’s likely that attacks will become more personalised, leveraging more data to make phishing attempts indistinguishable from genuine communications.

Do you have any final advice for our readers on how to stay vigilant and protect themselves against phishing scams?

Stay cautious and always verify. If something feels off about an email or message, take the extra step to confirm its legitimacy, especially if it involves money or sensitive information. Implement multi-factor authentication wherever possible, and ensure you’re using strong, unique passwords. Keep your software and systems up to date, and stay engaged with ongoing training and awareness programs. Phishing is always evolving, so vigilance is your best defence.
