Old-fashioned phishing emails still exist. The Nigerian prince has not retired entirely, and badly typed messages from supposed CEOs still occasionally land in inboxes. Most phishing today, though, looks nothing like that. It is well-written, properly branded, technically sophisticated, and aimed at specific people for specific reasons. Defending against it requires rethinking what your staff have been told to look for.
AI Has Changed the Economics
Generative AI has stripped away two of the historic giveaways: clumsy grammar and obvious translation errors. Modern phishing reads naturally in English, French, Mandarin, or whichever language the target prefers. Voice cloning makes a follow-up call from a fake CFO almost convincing. Image generation produces logo-perfect phishing pages on demand. The training videos that taught staff to spot bad spelling are no longer relevant. The new patterns to teach involve unusual urgency, unexpected payment instructions, and any out-of-band request to bypass normal controls.
MFA Bypass Is Mainstream
Phishing kits now ship with adversary-in-the-middle capability built in. The user lands on a fake login page, the kit relays their credentials and MFA prompt to the real service, and the attacker walks away with a valid session token. From the user’s perspective, everything worked. From the IT team’s perspective, an authorised session begins from an unfamiliar location. Web application penetration testing of any login flow now needs to consider this attack pattern explicitly, including how session tokens are issued, scoped, and validated.
Expert Commentary
Name: William Fieldhouse
Title: Director of Aardwolf Security Ltd
Comments: We are seeing token theft become the dominant phishing payload across our client base. Once an attacker has a valid session, MFA does not help, password resets do not help, and the only defences are conditional access, device-bound credentials, and sharp-eyed monitoring. Old guidance about checking the green padlock is no longer fit for purpose.
Targeted Spear Phishing Pays Off
Generic phishing campaigns still happen because they cost almost nothing to run, but the serious damage now comes from targeted attacks. An intruder researches a specific company, identifies a finance lead on LinkedIn, copies the writing style of a recent press release, and sends a single beautifully crafted message at exactly the right moment. The success rate is high. The financial impact is often substantial. Defending against this requires technical controls, written processes, and a culture where employees feel safe reporting unusual messages without fear of looking foolish.
Detection Beats Prevention
Nobody catches every phishing email. Aim instead for fast detection and rapid response. Watch for suspicious sign-ins, new mail forwarding rules, and account changes immediately after a successful login. Investigate every report, even the ones that turn out to be benign. Staff who see action taken keep reporting. Staff who feel ignored stop bothering, which is exactly when the next compromise happens.
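The post-login detection described above, as an added example that is not part of the original article: it runs over a handful of constructed audit events (operation names loosely modelled on Microsoft 365 unified audit log entries, an assumption) and raises an alert when a risky mailbox change follows a sign-in from a country the user has never signed in from before.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. A stolen AiTM session shows up as a
# perfectly successful login, so the signal is what happens shortly afterwards.
EVENTS = [
    {"ts": "2024-05-01T08:59:00", "user": "finance.lead@example.com", "op": "UserLoggedIn", "country": "GB", "detail": ""},
    {"ts": "2024-05-01T09:02:00", "user": "finance.lead@example.com", "op": "UserLoggedIn", "country": "NL", "detail": ""},
    {"ts": "2024-05-01T09:04:00", "user": "finance.lead@example.com", "op": "New-InboxRule", "country": "NL",
     "detail": "ForwardTo external mailbox"},
    {"ts": "2024-05-01T11:00:00", "user": "ops@example.com", "op": "UserLoggedIn", "country": "GB", "detail": ""},
    {"ts": "2024-05-01T11:20:00", "user": "ops@example.com", "op": "New-InboxRule", "country": "GB",
     "detail": "MoveToFolder Archive"},
]

# Countries each user has historically signed in from (constructed baseline).
KNOWN_COUNTRIES = {"finance.lead@example.com": {"GB"}, "ops@example.com": {"GB"}}

# Account changes worth correlating with a suspicious sign-in (assumed operation names).
RISKY_OPS = {"New-InboxRule", "Set-InboxRule", "Add-MailboxPermission"}
WINDOW = timedelta(minutes=30)


def find_post_login_anomalies(events, known=KNOWN_COUNTRIES, window=WINDOW):
    """Return one alert per risky operation that follows an unfamiliar-country login within `window`."""
    suspicious_logins = {}  # user -> list of (login time, login event)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.fromisoformat(e["ts"])
        user = e["user"]
        if e["op"] == "UserLoggedIn":
            if e["country"] not in known.get(user, set()):
                suspicious_logins.setdefault(user, []).append((t, e))
        elif e["op"] in RISKY_OPS:
            for login_t, login in suspicious_logins.get(user, []):
                if timedelta(0) <= t - login_t <= window:
                    alerts.append({
                        "user": user,
                        "login_country": login["country"],
                        "op": e["op"],
                        "detail": e["detail"],
                        "minutes_after_login": int((t - login_t).total_seconds() // 60),
                    })
    return alerts


if __name__ == "__main__":
    for a in find_post_login_anomalies(EVENTS):
        print(a)
```

The ops user's rule creation is ignored because the preceding login came from a familiar country; in practice the baseline would come from a rolling window of each user's own sign-in history rather than a hard-coded dictionary.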
Where to Strengthen Next
Run regular simulated phishing exercises that reflect current techniques rather than re-using the same templates from 2019. Layer phish-resistant authentication where possible, particularly for privileged accounts. Test your detection capability against realistic scenarios, including token theft and consent grants. If you have not had your processes reviewed in a while, request a penetration test quote that includes social engineering and a hard look at your authentication architecture. The threat has moved on. Defences should keep pace.