Phishing has evolved far beyond “Nigerian prince” emails. Today’s attackers use AI-written messages, realistic branding, and multi-step tricks to steal passwords, MFA codes, money, and sensitive data. The best defense is a mix of smart habits + strong technical controls.
🚀 What’s New in Phishing Tactics
🤖 AI-Written, Highly Personalized Messages
Attackers use public info (LinkedIn, company websites, social media) to craft believable emails that match your role, projects, and writing style.
Example: “Hi Kumud, please review the attached CTM evidence sheet before Friday…”
🧑‍💼 Executive Impersonation + Invoice Fraud (BEC)
Business Email Compromise targets finance, HR, and admins with urgent payment or gift-card requests—often timed around travel, audits, or month-end.
Red flag: urgency + secrecy + payment change.
📱 MFA Fatigue and Verification Code Scams
Attackers trigger repeated login prompts and pressure users to approve one “to stop alerts,” or ask for OTP codes “for verification.”
Rule: Never share OTP/MFA codes. Never approve prompts you didn’t initiate.
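On the defender's side, MFA fatigue is easy to spot in sign-in logs: a burst of rejected or timed-out push prompts for one user, followed by an approval. The following is an added example (not part of the original post) that runs that detection over a constructed set of sign-in events; the field layout, the 10-minute window and the 3-denial threshold are assumptions, not values from any particular identity provider.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Results that count as the user NOT accepting the push.
DENY_RESULTS = {"denied", "timeout"}

# Constructed sample events (timestamp, user, result); not real logs.
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:05", "alice", "denied"),
    ("2024-05-01T08:00:40", "alice", "timeout"),
    ("2024-05-01T08:01:20", "alice", "denied"),
    ("2024-05-01T08:02:05", "alice", "denied"),
    ("2024-05-01T08:02:50", "alice", "timeout"),
    ("2024-05-01T08:03:30", "alice", "approved"),  # gave in "to stop the alerts"
    ("2024-05-01T09:15:00", "bob", "denied"),      # one accidental deny, then a normal login
    ("2024-05-01T09:15:30", "bob", "approved"),
]


def parse_events(events):
    """Turn the (iso-timestamp, user, result) tuples into datetime-keyed tuples."""
    return [(datetime.fromisoformat(ts), user, result) for ts, user, result in events]


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_denials=3):
    """Alert when a user approves a push after >= min_denials rejections/timeouts
    inside `window`. Thresholds are assumed values; tune them to your tenant."""
    alerts = []
    recent = defaultdict(list)  # user -> timestamps of recent denials
    for ts, user, result in sorted(parse_events(events)):
        # Forget denials that fell out of the sliding window.
        recent[user] = [t for t in recent[user] if ts - t <= window]
        if result in DENY_RESULTS:
            recent[user].append(ts)
        elif result == "approved" and len(recent[user]) >= min_denials:
            alerts.append({
                "user": user,
                "denials_before_approval": len(recent[user]),
                "first_denial": recent[user][0].isoformat(),
                "approved_at": ts.isoformat(),
            })
            recent[user] = []  # reset so one burst yields one alert
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

When this fires, treat the approved session as attacker-controlled: revoke the user's sessions and refresh tokens, not just the password. Number matching (the user must type the number shown on the login screen into the authenticator) removes the "just tap approve" failure mode entirely.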
🔗 QR Code Phishing (Quishing)
Instead of a clickable link, attackers embed a QR code in the email body or on a printed poster. The code is an image, so URL-rewriting and link-scanning gateways never see the destination, and the victim scans it with a personal phone that sits outside corporate web filtering.
Tip: Most phone cameras show the decoded URL before opening it. Read the domain there, and never sign in on a page you reached from a QR code you were not expecting.
🌐 Look-Alike Domains and “Evil” URLs
Domains that look nearly identical: micros0ft-login.com, paypaI.com (capital i), subdomains like microsoft.com.secure-login[.]site.
Tip: Read the host name from the right. The registrable domain is the label just left of the public suffix (.com, .site, .co.uk); everything further left is a subdomain chosen by whoever owns that domain. In microsoft.com.secure-login[.]site the real site is secure-login.site, and "microsoft.com" is just a subdomain name the attacker picked.
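The right-to-left rule can be automated. This added example (not from the original post) extracts the registrable domain of a URL, folds the common digit-for-letter and I-for-l substitutions, and reports when a known brand name appears in a host that does not belong to that brand. The brand allow-list, the tiny multi-label suffix set and the confusable map are illustrative assumptions; a production tool would use the Public Suffix List and a full homoglyph table.

```python
from urllib.parse import urlparse

# Assumed allow-list: brands and the domains they really use (illustrative, not exhaustive).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "live.com", "microsoftonline.com"},
    "paypal": {"paypal.com"},
}
# Assumed: a few multi-label public suffixes; use the Public Suffix List for real work.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.in"}
# Substitutions attackers rely on; 'i' is folded to 'l' because capital I and l look alike.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host):
    """Return the domain that actually owns `host`, reading labels from the right."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def fold(text):
    """Collapse look-alike characters so 'paypaI' and 'micros0ft' compare like the real names."""
    return text.lower().translate(CONFUSABLES).replace("rn", "m")


def assess(url):
    """Classify a URL (defanged '[.]' accepted) as legitimate, lookalike, or unknown."""
    url = url.replace("[.]", ".")
    if "://" not in url:
        url = "https://" + url
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    for brand, allowed in BRAND_DOMAINS.items():
        if reg in allowed:
            return {"host": host, "registrable": reg, "verdict": "legitimate", "brand": brand}
    for brand in BRAND_DOMAINS:
        # Brand name present somewhere in the host, but the owner is not the brand.
        if fold(brand) in fold(host):
            return {"host": host, "registrable": reg, "verdict": "lookalike", "brand": brand}
    return {"host": host, "registrable": reg, "verdict": "unknown", "brand": None}


if __name__ == "__main__":
    for sample in ("https://microsoft.com.secure-login[.]site/login",
                   "paypaI.com", "micros0ft-login.com",
                   "https://login.microsoftonline.com/"):
        print(assess(sample))
```

The subdomain trick is the one most people miss: the check never asks whether "microsoft.com" appears in the host, only which domain owns it.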
📎 HTML Attachments and “Cloud Share” Traps
Attackers send HTML attachments or fake SharePoint/Google Drive "shared with you" notices that open realistic login pages to steal credentials. An HTML attachment renders locally in the browser, so there is no link for the mail gateway to scan, and the page can post whatever you type straight to the attacker's server.
Tip: Treat unexpected "shared document" alerts as suspicious. Confirm with the sender via another channel, and never sign in on a page that opened from an attachment.
🎭 Smishing + Vishing (SMS & Voice Phishing)
Scams shift to SMS and calls: “Your parcel is held,” “Your bank account is locked,” “IT support needs your code.”
Tip: Never trust caller ID. Call back via official numbers.
🧠 Multi-Step Phishing (More Realistic)
Attackers build trust over several messages: first a harmless question, then a "document", and only then a login prompt.
Tip: Verify before you click, especially when a conversation suddenly changes direction.
🛑 Common Red Flags (Quick Scan)
✅ Unexpected urgency (“do this now”)
✅ Unusual payment or bank change request
✅ Sender display name looks right but email is wrong
✅ Links/QR codes that don’t match the brand
✅ Requests for OTP/MFA codes or password resets
✅ Attachments you didn’t expect (especially HTML/ZIP)
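Several of these red flags live in the message headers and MIME structure, where a script can check them faster than a person can. This added example (not from the original post) parses a constructed phishing email with Python's standard `email` package and reports the display-name/address mismatch, the Reply-To pointing elsewhere, urgency wording, and a risky attachment type. The brand allow-list, keyword list and extension list are assumptions for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed allow-list of brands and the domains they really send from (illustrative).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "paypal": {"paypal.com"},
}
# Attachment types that are executable or render a page locally (assumed list).
RISKY_EXT = (".html", ".htm", ".zip", ".iso", ".img", ".lnk", ".js")
# Pressure words (assumed list; tune to your environment).
URGENCY = ("urgent", "immediately", "today", "suspended", "locked", "final notice")

# Constructed sample message; not a real email.
RAW = b"""From: Microsoft 365 Security <alerts@micros0ft-login.com>
Reply-To: Microsoft 365 Security <support@secure-login.site>
To: kumud@example.com
Subject: URGENT: password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your password expires in 2 hours. Open the attached form and sign in now to keep access.

--b1
Content-Type: text/html; name="password-reset.html"
Content-Disposition: attachment; filename="password-reset.html"
Content-Transfer-Encoding: base64

PGh0bWw+PC9odG1sPg==
--b1--
"""


def domain_of(address):
    return address.rpartition("@")[2].lower()


def scan(raw_bytes):
    """Return a list of red-flag strings found in the raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    flags = []

    # 1. Display name looks right but the address domain is wrong.
    name, addr = parseaddr(msg["From"] or "")
    from_domain = domain_of(addr)
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in name.lower() and from_domain not in allowed:
            flags.append(f"display name claims {brand!r} but address domain is {from_domain}")

    # 2. Replies are silently routed to a different domain.
    if msg["Reply-To"]:
        reply_domain = domain_of(parseaddr(msg["Reply-To"])[1])
        if reply_domain != from_domain:
            flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Urgency language in subject or body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = ((msg["Subject"] or "") + " " + (body.get_content() if body else "")).lower()
    hits = [w for w in URGENCY if w in text]
    if hits:
        flags.append(f"urgency language: {hits}")

    # 4. Attachments that run code or render a page locally.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXT):
            flags.append(f"risky attachment type: {filename}")
    return flags


if __name__ == "__main__":
    for flag in scan(RAW):
        print("-", flag)
```

None of these checks is proof on its own; the point is that a message tripping three or four of them at once deserves a phone call before a click.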
✅ How to Stay Safe (People + Process + Tech)
👩‍💻 For Employees (Simple Habits)
✅ The 10-Second Check
- Who is this really from? (check the full email address, not just the display name)
- What are they asking you to do? (money, login, code, data)
- Where does the link go? (hover/preview before clicking)
- Verify via Teams/phone if it's sensitive
🧾 Payment Safety Rule
If it involves money, bank details, gift cards, or payroll, verify using a known number or in-person approval.
🧯 If You Clicked a Phishing Link (What to Do Immediately)
✅ Disconnect from VPN/Wi-Fi if you downloaded or opened something, so anything that ran cannot reach the attacker or the rest of the network
✅ Report to IT/SOC immediately (don’t feel embarrassed—speed matters)
✅ Change password from a clean device
✅ If you entered an MFA/OTP code or approved a prompt, tell IT right away: the attacker may already hold a live session, and a password change alone does not always end it, so IT needs to revoke sessions and tokens
✅ Check for mailbox rules or forwarding you didn't create: attackers add rules that forward mail to an outside address, or delete and hide security alerts and invoice threads so you never see them
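Reviewing mailbox rules by eye is error-prone, so here is an added example (not from the original post) that audits an exported rule list for the three patterns that matter: forwarding to an outside domain, hiding messages that match sensitive keywords, and rules with no meaningful name. The field names follow Exchange Online's Get-InboxRule properties; the sample rules, the organization domain, the keyword list and the "hiding" folders are constructed assumptions.

```python
# Assumed: the organization's own mail domains; anything else is external.
INTERNAL_DOMAINS = {"example.com"}
# Keywords attackers commonly suppress so the victim never sees the warning (assumed list).
SENSITIVE_WORDS = ("password", "invoice", "payment", "wire", "bank",
                   "security alert", "mfa", "sign-in", "helpdesk", "it support")
# Folders attackers use as dumping grounds because nobody looks there (assumed list).
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}

# Constructed sample export; field names mirror Get-InboxRule output.
SAMPLE_RULES = [
    {"Name": ".", "Enabled": True, "ForwardTo": ["drop@mail-relay.site"],
     "DeleteMessage": False, "MarkAsRead": False, "MoveToFolder": None,
     "SubjectContainsWords": []},
    {"Name": "Cleanup", "Enabled": True, "ForwardTo": [],
     "DeleteMessage": True, "MarkAsRead": True, "MoveToFolder": "RSS Subscriptions",
     "SubjectContainsWords": ["password", "security alert", "invoice"]},
    {"Name": "Newsletter filing", "Enabled": True, "ForwardTo": [],
     "DeleteMessage": False, "MarkAsRead": False, "MoveToFolder": "Newsletters",
     "SubjectContainsWords": ["newsletter"]},
]


def is_external(address, internal_domains):
    return address.rpartition("@")[2].lower() not in internal_domains


def audit_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return [(rule name, [reasons])] for every enabled rule that looks attacker-made."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        reasons = []

        # Any delivery of mail outside the organization.
        targets = (rule.get("ForwardTo") or []) + (rule.get("RedirectTo") or []) \
            + (rule.get("ForwardAsAttachmentTo") or [])
        external = [t for t in targets if is_external(t, internal_domains)]
        if external:
            reasons.append(f"forwards to external address {external}")

        # Sensitive keywords combined with an action that keeps the mail out of sight.
        words = [w.lower() for w in (rule.get("SubjectContainsWords") or [])
                 + (rule.get("BodyContainsWords") or [])
                 + (rule.get("FromAddressContainsWords") or [])]
        sensitive = [w for w in words if any(s in w for s in SENSITIVE_WORDS)]
        hides = (rule.get("DeleteMessage") or rule.get("MarkAsRead")
                 or (rule.get("MoveToFolder") or "").lower() in HIDING_FOLDERS)
        if sensitive and hides:
            reasons.append(f"hides messages matching {sensitive}")

        # Attackers name rules ".", "..", or a single space to stay off the radar.
        name = (rule.get("Name") or "").strip()
        if len(name) <= 2 or not any(c.isalpha() for c in name):
            reasons.append(f"suspicious rule name {name!r}")

        if reasons:
            findings.append((rule.get("Name"), reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES):
        print(f"{name!r}: {'; '.join(reasons)}")
```

Run the same logic over every mailbox, not just the one that reported the click: the rule that forwards finance mail is usually on the account the attacker took over quietly weeks earlier.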
