With data signalling a resurgence in phishing as an attack platform, we look at how new technologies and strategies are driving the increase in phishing volumes and sophistication, how success rates are rising, and what options cybersecurity professionals can employ to mitigate the threat.

Phishing is something we have all learned to live with. According to one source, 10 years ago, there were around 125,000 sites generating phishing attacks; by the first quarter of 2023 this had grown by a factor of almost 13, to a peak of 1.6 million, but then by the same time the following year there had been a marked reduction to about 960,000.

According to the 2025 Cloud and Threat Report from security vendor Netskope, the numbers are now heading upwards again. Discussing the area of social engineering, it noted: “Phishing is on the rise globally, with 8.4 out of every 1,000 users clicking a phishing link per month, nearly triple last year’s average”.

At 27% of the total, cloud services are the most common targets of successful attacks – that is, ones that result in the recipient clicking on a link. Of these, the ubiquity of Microsoft’s cloud for office apps and email has made it the primary target (42% of clicks on cloud services), with Adobe’s cloud some way behind in second place (18%).

What Is Behind the Resurgence in Phishing Attacks?

A key factor is that phishing attackers are constantly innovating, often with the help of related new technologies such as artificial intelligence (AI) tools to automate attacks and improve spelling, grammar and localization. When we think of the term “phishing” our minds automatically go to emails landing in our inboxes.

While discussing this, the editor of ISC2 Insights was reminded of his first experience of phishing, an incident that not only formed the basis for his own first article on the subject, but one that started a near 25-year interest in the subject.

“I still remember the first ‘proper’ phishing email I received. It was October 2021. I was in Los Angeles covering a Microsoft developer conference and the launch of Windows XP for a business technology magazine in the U.K. Along with other journalists, I was in the press room one morning and an email purporting to be from the bank I happened to have my account with landed in my inbox. It looked legitimate, properly branded with the correct fonts and colors, sounded legitimate and even the links were well crafted as to look real at first glance. I came so close to clicking on a link and that was even knowing what to look for.

“The only clue that it wasn’t real was one small typo! Nonetheless, it caused a stir in the press room as several other journalists gathered around to take a good look at what, for them, was also the first convincing banking phishing email they had seen. Shortly afterwards, the bank in question added an additional security measure, including the customer’s post code in all legitimate messages to help recipients identify a real email from the bank.”

The sophistication of phishing has only grown in the decades that have followed, which is why phishing continues to be an effective method to extract valuable information, access credentials and more from unsuspecting individuals.

However, the new age of phishing attacks is one of diversification in how the bad actors deliver their malicious content to recipients, specifically a move to also using web sites alongside email. That is, the attackers are populating web sites with links that victims click on and end up in trouble. Search engines are the source of almost a fifth (19%) of these links, followed by shopping sites (10%), tech sites (8.8%), business-related sites (7.4%) and entertainment sites (5.7%).

While a proportion of these problems are down to attackers breaking in and compromising a site’s page content, attackers primarily exploit the elements of web sites that aren’t generated by the site owners: comments posted in sites’ customer interaction features, for example; malicious advertisements that sites pull in from third-party ad services; and even search engine results that have been pushed to the top of the results list by clever search engine optimization (SEO) tactics. As the survey puts it: “[Attackers] know their victims may be wary of inbound emails (where they are repeatedly taught not to click on links) but will much more freely click on links in search engine results”.

Defensive Considerations

Although the approach to phishing taken by attackers has evolved, there is some reassurance in the fact that the techniques that can be used to defend against the threats remain largely unchanged. This is because the delivery mechanisms for phishing-style materials are the ones that we have been defending against for years anyway – the main new thing is simply this extra, differently originated set of malicious material. The same tools and techniques that we already use (or, at least, have considered implementing) are just as relevant as always: traffic inspection; deep-level inspection of high-risk file types such as executables; behavioral analysis; and deny by default for access to web sites and online applications.

The resurgence in phishing attacks, just a year or so after they appeared to have peaked, is due in large part to innovation by the bad actors who use phishing as their chosen attack vector. Happily, however, this innovation on the part of the attackers does not require a corresponding enormous level of panic by those on the receiving end of the attacks.
