March 08, 2025 • By KWD

With phishing attacks believed to have begun less than a quarter-century ago, what makes this long-standing technique so effective as a tool for cyber criminals and scammers?
When you consider phishing, you may immediately think of the initial email sent to a prospective victim. However, phishing is much more than that today; it's about the domain registrations, the bogus login sites built for credential theft, and the pre-campaign reconnaissance performed on possible victim businesses in order to identify the ideal target.
In a nutshell, phishing is a multi-pronged attack. And yet, even when poorly implemented, it achieves success.
Why is this the case? I perceive two straightforward causes for phishing's continued growth, evolution, expansion, and success:
First, cyber thieves recognize the opportunity and are pursuing the as-a-Service business model inside the cyber criminal ecosystem, which appears to be expanding at a faster rate than the universe. Previously, renting a million-strong email list from the dark web was the only option, but today, dark infrastructure, identity theft phishing site kits, and just about any other component of a phishing attack can be rented as a service. Thus, the opportunity I mentioned above is not necessarily about defrauding a firm; the opportunity for a web developer may be in building a large number of those phishing kits instead of working their 9-5 job. Everybody is getting involved.
Second, when the attack reaches the potential victim, they are unaware. This is something I preach on a daily basis here. Users are busy doing their jobs, and when they receive an email that is well-written, well-thought-out, well-presented, correctly branded, and contextually suitable, they put on their work hat and simply click the link or open the attachment. Users are just unprepared for the attack they will eventually face (if they haven't already).
Given that there is little we can do to halt the growth of the bad actor economy, we must focus on the one aspect we can influence - the user. According to former CISSP Mark Stone, users can be educated to be wary of any email that requests passwords, cash transfers, or any other action that a cyber criminal could abuse.
Organizations can instill that skepticism only through ongoing security awareness training; users must be constantly reminded that the danger is always present and that they must keep their guard up while interacting with email or the web.
I believe it is self-evident that phishing will continue to exist. And, given the likelihood that it will keep growing, now is the moment to switch your users into skeptical mode.