# Spot phishing, reduce risks, and promote accountability

Phishing poses a threat to any technical infrastructure, no matter how sophisticated the firewalls, filters and authentication solutions may be. By 2026, attackers’ methods will be more ruthless and insidious than ever – AI-powered deepfakes, realistic fake senders, and sophisticated social engineering campaigns that specifically target human vulnerabilities. No company is immune to the risk of someone falling for a perfectly orchestrated scam at a critical moment. Technical solutions are essential, but reducing security to technology alone leaves the door wide open to criminals.
## Modern phishing attacks – an attack on the entire organisation
Phishing is no longer just email spam. The wave of attacks has long since spread across all channels: personalised emails, fake text messages, phone calls, social media and deepfake messages. Technicians and end users are targeted in equal measure – with sophisticated scenarios that often specifically bypass traditional defence systems.
Real-life examples: The ‘police’ send out supposed fines by email – yet genuine correspondence from official bodies always arrives on paper. Emails with a supposed Amazon address (‘amazon@gmx.org’) or links to ‘amaz0n.com’ – where just one letter has been swapped – still look deceptively genuine. AI is now even combining voice and image – deepfake calls and manipulated video conferences purporting to be from your own CEO are no longer a thing of the future.
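The two sender tricks quoted above, a brand name parked on a free-mail address (‘amazon@gmx.org’) and a domain with one swapped character (‘amaz0n.com’), can both be caught mechanically before a message reaches a user. The check below is an added example, not Securepoint’s code: the brand list, free-mail list and confusable-character table are constructed for illustration and would be maintained by the mail team in practice.

```python
"""Lookalike-sender check for the two patterns the article quotes: a brand
name in the local part of a free-mail address ('amazon@gmx.org') and a domain
that differs from the genuine one by one swapped character ('amaz0n.com').
Added example, not Securepoint's code; brand and free-mail lists are constructed."""
from urllib.parse import urlsplit

# Constructed: brands and the domains they genuinely send from.
BRAND_DOMAINS = {"amazon": {"amazon.com", "amazon.de"},
                 "microsoft": {"microsoft.com"}}
# Constructed: consumer free-mail providers a real brand would not send from.
FREEMAIL = {"gmx.org", "gmx.de", "gmail.com", "outlook.com"}
# Characters attackers substitute for the letters they resemble.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

def normalise(label: str) -> str:
    """Fold look-alike characters back to the letters they imitate."""
    label = label.lower()
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one swapped or dropped letter gives 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(local: str, domain: str) -> str:
    """Return 'genuine', 'brand-on-freemail', 'lookalike-domain' or 'unknown'."""
    domain = domain.lower()
    parts = domain.split(".")
    label = normalise(parts[-2] if len(parts) > 1 else domain)  # 'amaz0n.com' -> 'amazon'
    for brand, domains in BRAND_DOMAINS.items():
        if domain in domains:
            return "genuine"
        if brand in local.lower() and domain in FREEMAIL:
            return "brand-on-freemail"
        if edit_distance(label, brand) <= 1:
            return "lookalike-domain"
    return "unknown"

def classify_sender(address: str) -> str:
    """Classify the domain of an e-mail From: address."""
    local, _, domain = address.rpartition("@")
    return classify_domain(local, domain)

def classify_link(url: str) -> str:
    """Classify the host of a link found in a message body."""
    return classify_domain("", urlsplit(url).hostname or "")
```

A result other than `genuine` or `unknown` is a reason to quarantine the message and show the user why, which reinforces the training point rather than silently dropping the mail.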
| Type | Channel | Brief description | Typical goal |
|---|---|---|---|
| 1) Classic phishing | Email | Mass emails containing fake messages sent in the name of well-known companies | Login details, credit cards, malware installation |
| 2) Spear phishing | Email | A targeted, personalised attack on specific individuals | Access to internal systems |
| 3) Whaling (CEO fraud) | Email | Attack on the management or senior executives | Large transfers, confidential data |
| 4) Business Email Compromise (BEC) | Email | Compromised or spoofed business accounts without a malicious link | Invoice fraud, payment diversion |
| 5) Smishing | SMS | Phishing via text messages containing a link | Login details, payment details |
| 6) Vishing | Phone | Fraudulent calls using a false identity | Login details, remote access, money |
| 7) Quishing | QR code | QR codes lead to fake websites | Account or payment details |
| 8) Clone phishing | Email | A copy of a genuine email with the link/attachment replaced | Malware or data theft |
| 9) Social media phishing | Social media | Fake profiles or direct messages on platforms such as LinkedIn | Account takeover, data theft |
| 10) OAuth phishing | Web/Cloud | User authorises a malicious app via ‘Sign in with Google/Microsoft’ | Access without password theft |
| 11) MFA-fatigue attack | Push/MFA | The user is bombarded with login requests until they confirm | Bypassing multi-factor authentication |
| 12) Deepfake phishing | Video/Audio/Email | AI-generated voices or videos imitate senior executives | High-value fraudulent transfers |
| 13) Pharming | DNS/Technical | Tampering with DNS or system files redirects users to fake websites | Login details without an active click |
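Row 11, the MFA-fatigue attack, leaves a recognisable trace in the identity provider’s logs: a burst of push prompts to one account, most of them denied or left to time out, until one is approved. The detection below is an added example, not Securepoint’s code; the log format and the sample lines are constructed, and the threshold and window are assumptions to tune per environment.

```python
"""Detect the MFA-fatigue pattern described in the table (row 11): a burst
of push prompts to one user, mostly denied or left unanswered, that ends in
an approval. Added example, not Securepoint's code; the log format and the
sample lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an identity provider's push-authentication log.
SAMPLE_LOG = """\
2024-05-02T08:01:05Z user=alice result=DENIED
2024-05-02T08:01:31Z user=alice result=TIMEOUT
2024-05-02T08:02:02Z user=alice result=DENIED
2024-05-02T08:02:40Z user=alice result=DENIED
2024-05-02T08:03:10Z user=alice result=APPROVED
2024-05-02T08:05:00Z user=bob result=APPROVED
2024-05-02T09:15:00Z user=bob result=DENIED
2024-05-02T09:45:00Z user=bob result=APPROVED
"""

def parse_line(line: str):
    """Split 'timestamp user=... result=...' into (datetime, user, result)."""
    ts, user, result = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            user.split("=", 1)[1], result.split("=", 1)[1])

def find_fatigue(log: str, threshold: int = 3, window=timedelta(minutes=10)) -> dict:
    """Flag users with >= threshold non-approved prompts inside one window.
    A normal user denies a stray prompt once; a burst is the attack signature."""
    by_user = defaultdict(list)
    for line in log.splitlines():
        if line.strip():
            ts, user, result = parse_line(line)
            by_user[user].append((ts, result))
    alerts = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= window]
            rejected = sum(1 for _, r in burst if r != "APPROVED")
            if rejected >= threshold:
                alerts[user] = {"prompts": len(burst), "rejected": rejected,
                                "approved_in_window": any(r == "APPROVED" for _, r in burst)}
                break  # one alert per user is enough for the analyst
    return alerts
```

An alert with `approved_in_window` set to true is the case to treat as a probable compromise: the session should be revoked and the user contacted through a channel other than the one the attacker is hammering.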
## Are people a weakness? – No: people are a key resource!
Anyone who labels people as a weak link in an IT security strategy has failed to grasp the problem. On the contrary: every mouse click, every file share, every response to a message determines whether phishing succeeds or fails. Technical expertise alone is not enough – vigilance, common sense and a security culture that is put into practice make all the difference. Anyone who fails to train their staff regularly leaves themselves open to social engineering – and puts fundamental corporate values at risk.
## Knowledge must be shared across every department
Phishing awareness doesn’t stop at the door of the IT department. In accounts, sales, management – the danger lurks everywhere, and knowledge is the most important resource everywhere. Terms such as ‘BEC’, ‘MFA fatigue’ or ‘OAuth phishing’ need to be understood by everyone, not just IT administrators. Regular, practical guidance – this is a mandatory task, not an optional extra.
Attackers strike where they suspect negligence and gaps. A one-off e-learning module or an annual training session – that is not enough. Phishing strategies evolve on a monthly basis. Only those who provide consistent, up-to-date and practical guidance can offer their company genuine protection.
## Managers must lead by example
It is not enough for an IT manager to simply know the theory. Security standards must be exemplified and enforced – from the CEO right down to the team leader. Anyone who ignores these measures or dismisses them as red tape leaves themselves vulnerable. Those who establish open lines of communication and swift reporting processes, and make it clear that challenging questions are actively encouraged, set genuine standards.
## Practical examples, not theory
It’s not about protocols, but about recognising patterns of attack: does a supplier ‘suddenly’ ask for new bank details? Does a supposed IT colleague ask for access codes? Does a text message notify you of a parcel delivery with a QR code link? These patterns need to be communicated repeatedly, explored in depth and applied to everyday situations. This is the only way to keep awareness alive.
## Reporting channels must be straightforward
No excuses: every employee must know exactly what to do if they suspect something is wrong, and must feel confident about reporting even the slightest niggling doubt. Put a stop to delays caused by claims of ‘not being responsible’ or ‘not having the number to hand’ – the quickest route to IT is the way to go. This is what determines whether damage occurs or not.
## Technology offers protection – but never on its own
No security measure is effective unless staff are involved and vigilant. AI takes phishing to a whole new level, and social engineering cannot be filtered out. The solution lies in a combination of security culture and technology: both must be continuously maintained, practised and adapted.
## Awareness is a top priority
Awareness of the threat landscape is the only way to make businesses resilient to phishing attacks. Nothing less. Ongoing training, measurable awareness and a clear mandate for everyone: stay alert, report any concerns immediately, and never click or disclose information lightly.
## Conclusion: Taking active responsibility
Phishing is the biggest risk facing businesses – and it is evolving faster than any technology can keep up with. Any organisation that fails to actively and consistently disseminate knowledge across all departments will, sooner or later, fall victim to it. IT management must take on this responsibility, drive decisions, raise awareness and establish clear processes. The ‘human firewall’ is not just wishful thinking, but an absolute necessity.
Security is a never-ending endeavour. It requires constant attention, clear leadership – and the courage to remain uncomfortable.
## Effective cyber security training
Securepoint Awareness Next offers phishing simulations that are indistinguishable from the real thing – ensuring your staff learn as much as possible!

![Kevin Thomas, your PR contact at Securepoint.](/fileadmin/securepoint/allgemein/geteilte_inhalte/bilder/securepoint-mitarbeiter/kevin-thomas.jpg)