New Phishing Techniques 2...
May 5, 2026
If your defense strategy is still focused on what’s happening in the email inbox, you’re missing a huge part of the picture. Phishing has expanded to collaboration tools like Slack, professional networks like LinkedIn, and even calendar invites. The new phishing techniques of 2022 were a clear signal that attackers will target employees on any platform they trust. This multi-channel approach creates significant blind spots for security teams relying on traditional, siloed tools. Living Security, a leader in Human Risk Management (HRM), helps you regain visibility by correlating risk signals across behavior, identity, and threat data, giving you a unified view of your human risk.
The classic signs of a phishing email, like glaring typos and generic greetings, are becoming less common. Attackers have refined their methods, creating sophisticated campaigns that look legitimate enough to fool even cautious employees. Modern phishing has moved beyond simple email blasts to incorporate AI, multi-channel attacks, and clever social engineering. Understanding these new techniques is the first step in building a stronger defense.
These attacks are not just more convincing; they are also more targeted and evasive. They often bypass traditional security filters by using novel delivery methods or exploiting trusted communication channels. From AI-generated emails that mimic a colleague’s writing style to malicious calendar invites that sit unnoticed, the modern threat landscape requires a new level of vigilance. Let's look at some of the most prevalent and effective phishing techniques security teams face.
The use of generative AI in phishing attacks has grown exponentially. One phishing trends report found a 14-fold increase in AI-generated phishing, rising from just 4% of incidents to 56% during a recent holiday season. While not always perfectly sophisticated, these AI-crafted emails feature significantly better grammar, spelling, and tone than their predecessors. This allows attackers to create highly targeted and contextually relevant messages at scale, making them much more difficult for employees to spot. The AI can quickly generate convincing pretext scenarios, impersonate specific individuals, and adapt its language to match the target organization’s culture, all without the tell-tale errors that used to give scams away.
Business Email Compromise (BEC) remains a highly effective and costly threat, and attackers are constantly evolving their tactics. Instead of generic requests, modern BEC scams are tailored to specific industries and events, like tax season. For example, cybercriminals now use new phishing tactics that impersonate investment firms to request updates to tax forms, directing victims to credential-harvesting sites. In other cases, they pose as executives to trick finance or administrative staff into sending sensitive documents like W-2 forms. These attacks rely on a deep understanding of business processes and exploit the trust employees place in internal communications, making them particularly dangerous.
Callback phishing, or vishing (voice phishing), is a multi-channel technique designed to bypass email security gateways. The initial email contains no malicious links or attachments. Instead, it instructs the recipient to call a phone number to resolve an urgent issue, such as a fraudulent subscription or a security alert. Once on the phone, a live scammer uses social engineering to manipulate the victim into divulging sensitive information or granting remote access to their device. This method is gaining traction because it moves the attack from the inbox to a voice call, a channel that traditional security tools don't monitor, making it a significant blind spot for many organizations.
One of the more insidious new techniques involves weaponizing .ics calendar files. Attackers send phishing emails with a calendar invitation that, when accepted, adds a malicious event directly to the user’s calendar. Users fall for these lures at a rate four to six times higher than for other phishing methods. The calendar event often contains a link to a phishing site and a compelling description, like "Urgent: Q3 Financial Review." Even if the user deletes the original email, the event remains on their calendar as a persistent and seemingly legitimate reminder. This exploits the inherent trust users have in their calendars, turning a productivity tool into a security threat.
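Because the lure lives in the event body rather than the email, a defender can scan inbound invites themselves for links that leave the organization's domains. The script below is an added example, not code from Living Security or this post: it unfolds a (constructed) .ics invite, pulls the URLs out of its DESCRIPTION and LOCATION properties, and holds the invite for review when any URL points outside a trusted-domain list. The domain names, the invite contents and the allowlist are all assumptions made for the example.

```python
"""Scan an inbound .ics calendar invite for links to hosts outside a trusted list.

Added example; not Living Security code. The invite text and domains are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed sample invite. The "Urgent: Q3 Financial Review" summary mirrors the
# lure described above; the link in the description uses a lookalike domain.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Example//Constructed sample//EN
METHOD:REQUEST
BEGIN:VEVENT
UID:constructed-0001@example.invalid
DTSTART:20260512T140000Z
DTEND:20260512T143000Z
ORGANIZER;CN=Finance Team:mailto:finance@example-corp.invalid
SUMMARY:Urgent: Q3 Financial Review
DESCRIPTION:Please review the figures before the meeting:\\n https://login.example-c0rp.invalid/review
 \\n Dial-in details on the corporate portal.
LOCATION:https://meet.example-corp.invalid/q3
END:VEVENT
END:VCALENDAR
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unfold_ics(text):
    """Undo RFC 5545 line folding: a line that starts with a space or tab
    continues the previous property line."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def unescape_value(value):
    """Undo the text escapes iCalendar uses inside property values."""
    return (value.replace("\\n", "\n").replace("\\N", "\n")
                 .replace("\\,", ",").replace("\\;", ";").replace("\\\\", "\\"))


def event_properties(lines):
    """Return the properties of the first VEVENT as (NAME, value) pairs, in order.
    Parameters such as ';CN=...' are dropped from the name; the value is the text
    after the first colon."""
    props = []
    inside = False
    for line in lines:
        if line == "BEGIN:VEVENT":
            inside = True
        elif line == "END:VEVENT":
            break
        elif inside and ":" in line:
            name, _, value = line.partition(":")
            props.append((name.split(";")[0].upper(), unescape_value(value)))
    return props


def is_trusted(host, trusted_hosts):
    """True when host equals, or is a subdomain of, a trusted domain."""
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


def scan_invite(ics_text, trusted_hosts):
    """Extract every URL in the invite's user-visible fields and flag those whose
    host is not in the trusted list. Returns a dict with the summary, all URLs,
    the untrusted ones, and a verdict."""
    props = event_properties(unfold_ics(ics_text))
    summary = next((v for n, v in props if n == "SUMMARY"), "")
    urls = []
    for name, value in props:
        if name in ("DESCRIPTION", "LOCATION", "URL", "X-ALT-DESC"):
            urls.extend(URL_RE.findall(value))
    untrusted = [u for u in urls
                 if not is_trusted(urlparse(u).hostname or "", trusted_hosts)]
    return {"summary": summary, "urls": urls, "untrusted": untrusted,
            "verdict": "hold for review" if untrusted else "allow"}


if __name__ == "__main__":
    result = scan_invite(SAMPLE_ICS, {"example-corp.invalid"})
    print(result["summary"], "->", result["verdict"])
    for url in result["untrusted"]:
        print("  untrusted link:", url)
```

The scan only looks at the fields a calendar client renders to the user, which is where the lure has to be; a real deployment would run it at the mail gateway for any `text/calendar` attachment and would keep the invite out of the user's calendar until reviewed, since the post's point is that the event outlives the email.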
Phishing has evolved far beyond the poorly worded, generic emails of the past. While those clumsy attempts still exist, modern phishing is a different beast entirely. Attackers have shifted from a high-volume, low-success strategy to highly targeted and sophisticated campaigns that are difficult to distinguish from legitimate communications. They no longer just cast a wide net; they use precision tactics to target specific individuals and organizations. This evolution requires a fundamental shift in how we think about defense, moving from simple awareness to a deeper understanding of human risk. The core of the attack is no longer just a malicious link, but a carefully crafted psychological manipulation designed to exploit trust and urgency. Understanding these new methods is the first step toward building a more resilient security posture.
Today’s phishing attacks are no longer confined to your email inbox. Attackers now target employees on the platforms they use every day, including collaboration tools like Slack and Microsoft Teams, text messages, and social media. This multi-channel approach makes threats harder to contain and track. Instead of generic greetings, attackers use personal information gathered from public sources like LinkedIn or from previous data breaches to craft highly specific messages. They might reference a recent project, mention a colleague by name, or tailor the lure to an individual’s specific job role. This level of personalization makes the message seem credible, significantly increasing the chances that the target will click a link or provide sensitive information.
Modern phishing relies heavily on advanced social engineering. Attackers have become masters of manipulation, creating compelling narratives that exploit human psychology. They often impersonate a trusted source, like a senior executive or a well-known vendor, to create a sense of authority and urgency. These campaigns frequently leverage timely events, such as tax season, company-wide policy changes, or even major news stories, to make their requests seem more plausible. By tapping into current events and established relationships, attackers create a powerful sense of legitimacy that can fool even security-savvy employees. This is why effective security awareness and training must go beyond spotting typos and focus on critical thinking.
For years, security advice has been simple: look for the padlock icon in your browser’s address bar. Unfortunately, this is no longer a reliable indicator of a safe website. Cybercriminals have adapted, and reports show that approximately 80% of phishing websites now use HTTPS encryption. Attackers can easily obtain free SSL/TLS certificates to make their malicious sites appear secure and legitimate to the average user. This tactic effectively weaponizes trust, as people have been trained to associate the padlock with safety. By mimicking the look and feel of a trusted site and adding the layer of HTTPS security, attackers can more easily convince users to enter their credentials or financial information.
Modern phishing works because it’s built on sophisticated social engineering. Attackers don’t just exploit technical vulnerabilities; they exploit human psychology. By creating a sense of urgency, authority, and trust, they bypass traditional defenses and trick even savvy employees into making mistakes. These tactics are effective because they target the core of how we work and interact, turning our own instincts and professional relationships against us. Understanding the psychology behind these attacks is the first step toward building a more resilient defense, which is a core principle of Human Risk Management (HRM), as defined by Living Security.
This classic tactic remains effective because it preys on our instinct to comply with authority. An urgent request from a C-level executive or a critical business service like Microsoft or DocuSign is designed to make you act before you think. Attackers use this to push fake invoices, urgent payment requests, or messages about salary and performance reviews from internal departments. The goal is to create pressure and bypass normal verification procedures. By mimicking a trusted source, attackers can easily trick employees into wiring funds or revealing sensitive credentials, making phishing simulations that replicate these scenarios essential for defense.
Your security is only as strong as your partners'. Attackers know this and increasingly target third-party vendors to gain a foothold into your organization. A business email compromise (BEC) attack might not come from your CEO, but from a finance contact at a trusted supplier. These emails, often containing malicious links or fraudulent invoices, seem legitimate because they come from a known sender. During tax season, for example, attackers impersonate vendors or executives to request sensitive tax forms. This method is effective because it exploits the inherent trust in your business relationships, turning your supply chain into an attack vector.
A newer, more personal form of phishing preys on professional ambition. Attackers create fake job postings for major companies like Google or Meta, specifically targeting employees in roles like sales and marketing. The lure of a prestigious new job is used to trick individuals into sharing login details for their professional social media accounts. Once compromised, these accounts can be used to launch further attacks against the company or its network. This technique works because it taps into personal aspirations, causing people to lower their guard in the excitement of a potential career move, highlighting the need for a comprehensive Human Risk Management strategy.
A convincing fake website is the final piece of the puzzle for many phishing attacks. After an employee clicks a malicious link, they land on a page designed to look exactly like a trusted service, where they are prompted to enter credentials or other sensitive data. Attackers have become incredibly skilled at creating these fraudulent sites, using sophisticated methods to mimic legitimate brands and trick even cautious users. Understanding their playbook is the first step in building a stronger defense.
These tactics go beyond just copying a logo. Attackers register domains that are nearly identical to real ones, abuse security indicators to create a false sense of trust, and target the very services your employees use every day.
One of the oldest tricks in the book is still one of the most effective: registering a domain name that looks almost identical to a legitimate one. This technique, often called typosquatting, preys on small mistakes. An attacker might register micros0ft-login.com or gogle.com, hoping users won't notice the subtle error. They use these domains to host fake login pages or deliver malware. The goal is to trick people into giving away private information by impersonating a trusted source. Because employees are often moving quickly through their workday, these minor discrepancies are easy to miss, making lookalike domains a persistent threat for credential harvesting.
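The two tricks in the paragraph above, a digit standing in for a letter (micros0ft) and a dropped character (gogle), can be caught mechanically when a message arrives. The classifier below is an added example, not Living Security code: it normalizes common homoglyph substitutions, measures edit distance against a list of trusted domains, and also catches a trusted brand label hidden inside a hyphenated name or combined with a swapped top-level domain. The trusted list and the sample domains are assumptions for the example, and the registrable-domain split is a deliberately naive last-two-labels rule.

```python
"""Flag sender or link domains that look like, but are not, a trusted domain.

Added example; not Living Security code. Trusted list and samples are constructed.
"""

# Substitutions attackers use because they read the same at a glance.
# Multi-character pairs go first so "rn" becomes "m" before single letters are touched.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"),
              ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label):
    """Collapse homoglyphs so 'micros0ft' and 'rnicrosoft' both read 'microsoft'.
    Note the false-positive risk: a legitimate 'modern' also becomes 'modem'."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Classic edit distance; one insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Split 'login.microsoft.com' into ('microsoft', 'com').
    Naive on purpose: production code should use the Public Suffix List so that
    'bank.co.uk' is not split into ('co', 'uk')."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def classify(domain, trusted_domains):
    """Return ('trusted' | 'lookalike' | 'unknown', reason) for one domain."""
    d = domain.lower().strip(".")
    trusted = sorted(trusted_domains)  # deterministic iteration order
    for t in trusted:
        if d == t or d.endswith("." + t):
            return "trusted", f"exact match or subdomain of {t}"
    label, tld = registrable(d)
    for t in trusted:
        t_label, t_tld = registrable(t)
        if label == t_label and tld != t_tld:
            return "lookalike", f"same name as {t} with a swapped TLD"
        if label != t_label and normalize(label) == t_label:
            return "lookalike", f"homoglyph of {t}"
        if any(normalize(tok) == t_label for tok in label.split("-")):
            return "lookalike", f"brand label of {t} inside a hyphenated name"
        if levenshtein(label, t_label) <= 1:
            return "lookalike", f"one edit away from {t}"
    return "unknown", "does not resemble any trusted domain"


TRUSTED = {"microsoft.com", "google.com"}

# Constructed samples: the post's two examples plus a few more patterns.
SAMPLES = ["login.microsoft.com", "micros0ft-login.com", "gogle.com",
           "microsoft.co", "rnicrosoft.com", "example.org"]

if __name__ == "__main__":
    for name in SAMPLES:
        verdict, reason = classify(name, TRUSTED)
        print(f"{name:24} {verdict:10} {reason}")
```

Used at the gateway, the `lookalike` verdict is a strong signal on its own; a `trusted` verdict is not proof of safety, because the check says nothing about a legitimately registered domain whose name is simply unrelated, and nothing about a compromised account on a genuinely trusted domain.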
For years, security teams trained employees to "look for the lock" to verify a website's safety. Unfortunately, attackers have turned this advice against us. Today, obtaining an SSL/TLS certificate, the technology that enables the padlock icon and HTTPS, is simple and often free. As a result, a staggering 80% of phishing websites now use HTTPS to appear legitimate. This creates a false sense of security, as users see the familiar padlock and assume the site is trustworthy. This tactic effectively weaponizes a standard security feature, making it harder for employees to distinguish a real site from a fraudulent one based on visual cues alone.
Attackers often impersonate brands where users are accustomed to entering sensitive information, such as financial institutions and major e-commerce platforms. They create pixel-perfect copies of login pages for well-known banks or online retailers to steal credentials, credit card numbers, and personal details. These high-value targets are prime for phishing because the potential payoff is so significant. By mimicking trusted entities, attackers lower their target's guard at the most critical moment. A proactive Human Risk Management (HRM) platform helps identify which employees are most likely to fall for these scams by analyzing risk signals across behavior, identity, and threat data.
Phishing is no longer confined to your email inbox. Attackers have expanded their operations to social media and professional networking sites, where users often operate with a higher level of trust. These platforms provide a rich environment for attackers to gather intelligence, build rapport, and launch highly targeted campaigns that bypass traditional email security. The lines between personal and professional life have blurred, and threat actors are quick to exploit this convergence by creating attacks that feel both personal and professionally relevant.
Modern phishing campaigns are multi-channel events. An attacker might identify a target on LinkedIn, gather personal details from their public social media profiles, and then launch an attack through a direct message or a carefully crafted email. This evolution requires a security strategy that looks beyond email threats and understands the full context of human risk. A comprehensive Human Risk Management (HRM) platform provides the visibility needed to see these cross-channel threats. By correlating signals from an employee’s behavior, identity, and real-time threat intelligence, security teams can move from a reactive posture to one that predicts and prevents incidents before they happen. This data-driven approach is essential for securing a workforce that operates across a wide array of digital platforms.
Professional networks like LinkedIn are prime targets for sophisticated phishing attacks. Users on these platforms expect to receive messages from recruiters, potential partners, and industry peers, which lowers their natural suspicion. Attackers exploit this by creating convincing fake profiles, often impersonating executives or recruiters from well-known companies. They send personalized connection requests and direct messages containing malicious links disguised as job descriptions, project proposals, or industry reports. Because these messages are highly contextual and appear on a trusted platform, employees are more likely to click without scrutiny. As security researchers note, phishing attacks are now common on mobile phones and social media, making professional networks a key battleground.
The threat extends beyond LinkedIn to other platforms where professional communities gather, including industry-specific forums and collaboration tools like Slack and Microsoft Teams. Within these trusted environments, attackers impersonate familiar services or internal departments to trick employees. For example, a threat actor might share a link to a "critical document" via a fake DocuSign or Microsoft 365 notification sent through a compromised Slack account. The top impersonated entities are often trusted services that employees use daily. The contextual legitimacy of receiving such a message in a work-focused channel makes it incredibly effective, as the request doesn't feel out of place.
Social media is an open-source intelligence goldmine for attackers. They meticulously scan public profiles on platforms like LinkedIn, X (formerly Twitter), and Facebook to gather details about an individual’s job title, responsibilities, work relationships, and even personal interests. This information is then used to craft hyper-personalized spear-phishing attacks. For instance, an attacker might reference a recent conference an employee attended or a project they posted about. They often combine this intelligence with timely events, using topics like tax season to create a sense of urgency and pressure employees to act quickly. This exploitation of current topics makes their scams more believable and harder to detect.
Modern phishing attacks are designed to bypass both technical filters and human intuition. Attackers know the old tricks of misspelled words and generic greetings are no longer enough. Today’s threats are subtle, personalized, and highly convincing. Spotting them requires a sharp eye for detail and a healthy dose of skepticism. It’s less about finding a single smoking gun and more about recognizing a pattern of suspicious signals. By learning to identify behavioral, technical, and contextual red flags, you can train your team to become a formidable line of defense against even the most sophisticated attacks.
The most effective phishing attacks play on human psychology. Attackers create a sense of urgency or fear to make you act before you think. They trick people into giving away private information by pretending to be a trusted source and manufacturing a crisis that only you can solve. Be wary of any message that demands immediate action, threatens negative consequences, or makes an offer that seems too good to be true. Ask yourself if the request is unusual. Would your CEO really email you directly asking for a wire transfer? Does it make sense for a colleague to send you a file with a vague name like "Invoice" without any context? These behavioral cues are often the first sign that something is wrong.
While attackers have gotten better at mimicry, they often leave behind technical clues. Pay close attention to the sender's email address. Look for subtle misspellings or domains that are close, but not identical, to your company’s or a trusted partner’s. Hover over links before clicking to see the actual destination URL. Attackers often impersonate well-known brands like Microsoft or DocuSign to lower your guard. Don't be fooled by a padlock icon in the address bar, either. Research shows that about 80% of phishing websites use HTTPS to appear legitimate. Running regular phishing simulations can help your employees practice spotting these technical giveaways in a safe environment.
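The three checks in the paragraph above (inspect the sender address behind the display name, compare a link's visible text with its real destination, and give no credit for HTTPS) can be automated over a raw message. The script below is an added example, not Living Security code: it parses a constructed HTML email with the standard library, separates the From display name from the actual address, collects every anchor's visible text and `href`, and reports the mismatches. The message, the domains and the trusted list are assumptions made for the example.

```python
"""Surface the technical red flags in an HTML email: display-name versus sender
domain, link text versus link target, and untrusted link hosts regardless of HTTPS.

Added example; not Living Security code. The message and domains are constructed.
"""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed raw message; not a real capture.
RAW_EMAIL = """From: "Microsoft Account Team" <alerts@micros0ft-login.invalid>
To: employee@example-corp.invalid
Subject: Action required: unusual sign-in activity
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected an unusual sign-in. Review it here:
<a href="https://login.micros0ft-login.invalid/verify">https://login.microsoft.com/</a></p>
<p>Or open the <a href="https://portal.example-corp.invalid/help">help portal</a>.</p>
</body></html>
"""

URL_LIKE = re.compile(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.anchors.append((self._current[0], self._current[1].strip()))
            self._current = None


def host_of(text):
    """Hostname of a URL or bare domain, lower-cased ('' if none)."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def is_trusted(host, trusted_hosts):
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


def html_body(msg):
    """Return the first text/html part of the message as a string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/html":
            return part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
    return ""


def analyze_email(raw, trusted_hosts):
    """Return a list of human-readable findings; an empty list means no red flag."""
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    findings = []
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if not is_trusted(sender_domain, trusted_hosts):
        findings.append(f"sender domain {sender_domain} is not trusted "
                        f"(display name says {display!r})")
    collector = AnchorCollector()
    collector.feed(html_body(msg))
    for href, text in collector.anchors:
        target = host_of(href)
        if URL_LIKE.match(text.lower()) and host_of(text) != target:
            findings.append(f"link text shows {host_of(text)} but points to {target}")
        if not is_trusted(target, trusted_hosts):
            # The scheme is reported but deliberately not used as evidence of safety.
            findings.append(f"link to untrusted host {target} "
                            f"(scheme {urlparse(href).scheme!r} proves nothing)")
    return findings


if __name__ == "__main__":
    for finding in analyze_email(RAW_EMAIL, {"example-corp.invalid", "microsoft.com"}):
        print("-", finding)
```

The trusted list is the only knob: it should hold your own domains and the vendors whose mail you genuinely expect, and nothing else, so that a padlock on an unfamiliar host never counts in the message's favour.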
Context is one of your most powerful tools for identifying a phishing attempt. Attackers often time their campaigns to coincide with specific events to make their lures more believable. For example, you can expect a surge in tax-related scams during filing season, as people are already anticipating messages about their finances. Similarly, an email about a package delivery might seem plausible after a major online sale. Always consider the context of a message. Were you expecting this email? Does it align with your current projects or recent activities? If a message arrives out of the blue or feels out of place, treat it with suspicion, even if it appears to come from a known contact.
Building a resilient defense against modern phishing requires a strategy that addresses both technology and human behavior. While technical controls like email filters and firewalls are essential first lines of defense, they can’t catch everything. Attackers know that your employees are the final gatekeepers. An effective defense strategy, therefore, must be layered. It should start with foundational security controls, establish clear best practices for your teams, and ultimately focus on creating lasting, secure behaviors that reduce risk across the organization.
Think of multi-factor authentication as one of the most powerful, fundamental controls in your security toolkit. If a phishing attack succeeds in stealing an employee’s password, MFA acts as a critical second barrier, preventing the attacker from accessing their account. By requiring a second form of verification, like a code from a mobile app or a physical security key, you can neutralize the immediate threat of compromised credentials. While not entirely immune to sophisticated attacks like MFA fatigue, implementing MFA across all company accounts dramatically raises the cost and difficulty for attackers. It’s a non-negotiable step in securing your organization’s identity and access management systems.
Your employees can be your strongest defense when they know what to look for. Establishing and reinforcing clear email security best practices is crucial. Encourage your team to develop a healthy skepticism toward unsolicited messages. This includes habits like closely inspecting the sender's email address for subtle misspellings, hovering over links to verify the destination URL before clicking, and never downloading attachments from unknown or untrusted sources. Fostering a culture where employees feel empowered to question and report suspicious emails without fear of blame is key. Regular practice with tools like phishing simulations can help turn these best practices into instinct.
Traditional security awareness training often fails because it focuses on compliance, not on changing behavior. To truly reduce phishing risk, you must move beyond annual check-the-box exercises. Effective training is personalized, continuous, and designed to create secure habits. Research shows that with the right approach, employees can improve their ability to recognize and report phishing attempts by six times in just six months. This is the core principle of Human Risk Management (HRM). An HRM platform uses data to understand individual risk levels and delivers targeted, adaptive interventions that drive measurable behavior change, turning your biggest potential vulnerability into a proactive line of defense.
Traditional security awareness training isn't enough to stop modern, sophisticated phishing attacks. Checking a compliance box once a year doesn't change behavior or prepare your employees for the hyper-personalized threats they face daily. A proactive strategy is essential. Human Risk Management (HRM), as defined by Living Security, shifts the focus from reactive detection to proactive prevention, stopping phishing attacks before they can cause damage. This approach is built on a continuous cycle of predicting risk, guiding employees with tailored interventions, and acting swiftly to remediate threats.
You can’t protect against threats you can’t see. Since phishing is the root cause of up to 95% of security breaches, understanding who is most at risk is the first step to prevention. An effective Human Risk Management program provides this visibility by analyzing data from multiple sources. Instead of just tracking who fails a phishing test, our platform correlates over 200 signals across employee behavior, identity and access systems, and real-time threat intelligence. This comprehensive view helps identify not only who is susceptible to phishing but also who has elevated access or is being actively targeted, allowing you to prioritize your defense efforts where they will have the greatest impact.
Once you identify where your risks lie, you can guide employees with interventions that actually change behavior. Generic, one-size-fits-all training is ineffective against targeted attacks. The Living Security platform uses its predictive insights to deliver personalized guidance. This could mean assigning a micro-training module on spotting BEC scams to a finance team member or sending a specific phishing simulation to a new hire in a high-risk role. By tailoring training to an individual’s specific role, behaviors, and skill level, you equip them with the relevant knowledge they need to recognize and avoid the real-world threats they are most likely to encounter, making them an active part of your security posture.
Empowering employees with the right guidance turns them into your first line of defense. Data shows that with effective training, employees can improve their ability to recognize and report attacks by six times in just six months. The Living Security platform helps you act on insights by automating many of the routine remediation tasks that follow. With AI and human oversight, the system can autonomously assign follow-up training or reinforce policies based on an employee's actions. This not only strengthens your defenses but also frees up your security team to focus on more complex threats. When employees are well-trained, they report threats faster, helping your team contain potential breaches quickly and significantly reduce financial impact.
Why isn't our current security awareness training stopping these new phishing attacks?
Traditional security awareness training often takes a one-size-fits-all approach focused on compliance rather than genuine behavior change. Modern phishing attacks, however, are hyper-personalized and psychologically sophisticated. They target specific individuals with contextually relevant lures that generic training simply doesn't prepare them for. To build a real defense, you need to move beyond awareness and focus on driving secure habits. This requires a data-driven strategy that understands individual risk levels and delivers targeted, relevant interventions that stick.
Attackers are using AI to create phishing emails. How can we effectively counter this?
Fighting AI-driven threats requires a proactive, predictive defense, not just a reactive one. The best approach is to use a system that can analyze risk signals before an attack even lands. Living Security, a leader in Human Risk Management (HRM), uses an AI-native platform to do just this. By correlating over 200 signals across employee behavior, identity systems, and threat intelligence, our platform can predict which users are most likely to be targeted or fall for a sophisticated phishing attempt. This allows you to act first with targeted training and controls.
Phishing is moving beyond email to platforms like Slack and LinkedIn. How can we protect employees there?
Protecting employees across multiple channels requires visibility beyond the email inbox. Traditional security tools are often siloed, leaving you with significant blind spots. A comprehensive Human Risk Management (HRM) platform provides a holistic view by integrating data from various sources. It analyzes risk signals wherever your employees work, whether in collaboration tools, on social networks, or through email. This allows you to understand an individual's complete risk profile and defend against threats no matter how they are delivered.
My team is already overwhelmed. What's the most impactful first step to defend against these advanced threats?
The most critical foundational step is implementing multi-factor authentication (MFA) across all systems. It's a powerful control that can stop a credential theft attack in its tracks. Once that's in place, the next most impactful step is to gain clear visibility into where your human risk is concentrated. Instead of trying to train everyone on everything, a platform that identifies your highest-risk individuals allows you to focus your resources where they matter most, making your team more efficient and your defenses stronger.
How is Human Risk Management (HRM) different from just running better phishing simulations?
Phishing simulations are a valuable tool, but they are only one piece of the puzzle. They provide a snapshot of how an employee reacts to a specific test at a single point in time. Human Risk Management (HRM), as defined by Living Security, is a complete, continuous strategy. It integrates data from simulations with hundreds of other risk signals across behavior, identity and access, and real-time threats. This creates a predictive, 360-degree view of risk, enabling you to move from simply testing employees to proactively changing their behavior based on a deep understanding of their unique vulnerabilities.
Crystal Turnbull is Director of Marketing at Living Security, where she leads go-to-market strategy for the Human Risk Management platform. She partners closely with CISOs and security leaders through executive roundtables and industry events, helping organizations reduce human risk through behavior-driven security programs. Crystal brings over 10 years of experience across lifecycle marketing, customer marketing, demand generation, and ABM.