If you asked us to describe the last decade, we’d call it an ‘explosion of innovation’.
Accelerated by Covid-19, we’ve seen the digital transformation of numerous industries, with cutting-edge technologies like AI, augmented reality and cloud computing fundamentally changing how we do business.
But the journey for greater productivity, efficiency and profit hasn’t come without its costs. These innovations are extremely new. We’re still pushing the boundaries of their potential. And as we do that, they remain highly unregulated.
For example, the first comprehensive horizontal legal framework for AI – the EU AI Act – only entered into force last year. The same AI tools your business is pursuing to enhance processes are also enhancing how cyber criminals target you.
This is one of the biggest developments we see shaping the world of business IT. A development that’s understandably causing significant concern. When phishing goes 4D, the line between colleague email and compromised account is even blurrier.
- 1.2% of emails are malicious, amounting to 3.4 billion phishing emails sent daily
- 74% of security breaches result from human error
- 36% of phishing threats in 2024 involved deceptive links, based on 13 billion analysed emails
Here are four examples of what that looks like, with tips on how to respond and keep your business data safe, alongside insights from Rio Senior Systems Engineers Daniel Milner and Adam Klyn.
1. Deepfakes and Voice Cloning
AI can now generate videos and images that, apart from the occasional extra finger or uneven background, are indistinguishable from real-life photos and recordings.
It’s easy to be caught out by AI-generated content, even for those who know the signs. This is why threat actors are using AI extensively to create deepfakes such as voice cloning.
Take this as an example: a fraudster finds your colleague’s public social media account, which is full of their day-in-the-life vlogs. They then use these vlogs to clone your colleague’s voice, allowing them to be impersonated with striking accuracy.
In 2023, this happened to Mark Read, the CEO of the world’s biggest advertising firm, WPP. Threat actors deployed a voice clone of him in a fraudulent Microsoft Teams meeting, in addition to YouTube footage with other executives, in a plot to access business data.
This attack wasn’t successful, but it was when the CEO of the Euler Hermes Group was voice cloned in 2019 to convince a partner, a German energy agency, to transfer £153,400 ($243,000) to a scammer.
2. AI Social Engineering
You’ve likely used AI in some capacity for your emails. Threat actors certainly do, relying on Large Language Models (LLMs) to generate grammatically flawless, contextually appropriate and personalised messages.
The first thing threat actors do is go to LinkedIn, scraping data that is then used to train AI models. These models then generate phishing emails highly tailored to their targets’ job roles, current projects and colleagues.
The model then writes convincing, clickable content such as fake job offers, policy updates and even emails that mimic the style of known colleagues or executives.
AI-created phishing emails will not contain the traditional red flags like spelling mistakes, awkward phrasing or announcements that you’ve won a free iPhone. This makes it easier for them to slip through existing security filters and lead to data compromise.
“High value targets are always what they’re going after,” explains Daniel Milner, Senior Systems Engineer at Rio IT.
“They want managers and directors. And how do they work to reach these people? Through building trust.
“For this reason, you need to be careful what you share on social media platforms and wary about accepting friend invitations from people you don’t know.
“Personal information about your family, friends and future plans like holidays can be scraped and fed into large language models before being used to develop a conversation that will use those touch points.”
3. QR Code Phishing (Quishing)
QR Code Phishing, or Quishing, exploits the growth in QR code use by replacing legitimate codes with malicious ones.
Threat actors target businesses by embedding these QR codes in phishing emails, fake printed materials such as brochures and even public spaces like coworking offices.
These QR codes are then used to redirect users to fraudulent websites, resulting in malware infections, unwanted subscriptions and data theft. According to Action Fraud, £3.5 million was lost last year due to fraudulent QR codes alone, making this a development to stay alert to.
The “It won’t happen to me” mentality makes companies vulnerable.
– Adam Klyn, Senior Systems Engineer, Rio IT
4. Cloud and SaaS
As more businesses adopt cloud productivity tools, threat actors are increasingly tailoring phishing campaigns to the systems they know businesses rely on.
Microsoft 365, Google Workspace and Slack are just some of the login pages they mimic, creating pixel-perfect replicas that easily deceive the untrained eye, especially when people are focused on staying productive.
Once an employee enters their credentials, threat actors gain access to an Aladdin’s cave of emails, documents and collaboration platforms, opening the door to your business data.
Earlier this year, a group of cyber criminals were successful in opening that door. By creating a fake Microsoft 365 login page and exploiting email URL wrapping features to bypass security filters, they breached a wealth of Microsoft 365 users from legal firms to financial institutions.
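A defender's view of the URL-wrapping problem described above, as an added example that is not from the original article: the sketch peels nested link wrappers apart offline and judges a link by its final destination rather than by the wrapper's reputation. The `.example` hosts, the trusted-host list, the brand keywords and the assumption that a wrapper carries its destination in a query parameter are all constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, quote

# Assumption: hosts accepted as genuine Microsoft 365 sign-in endpoints.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}
BRAND_HINTS = ("microsoft", "office365")  # assumption: look-alike keywords
MAX_DEPTH = 5  # refuse to follow more than this many nested wrappers


def unwrap(url, depth=0):
    """Return every host in the wrapper chain, outermost first.

    Works on the string only, so nothing is fetched. A URL-valued query
    parameter is treated as the wrapped destination.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # A trusted login host legitimately carries redirect_uri parameters;
    # do not mistake those for another wrapper layer.
    if host in TRUSTED_LOGIN_HOSTS or depth >= MAX_DEPTH:
        return [host]
    for _, value in parse_qsl(parts.query):  # parse_qsl percent-decodes once
        if value.lower().startswith(("http://", "https://")):
            return [host] + unwrap(value, depth + 1)
    return [host]


def assess(url):
    """Classify a link by where it finally lands."""
    hosts = unwrap(url)
    final = hosts[-1]
    if final in TRUSTED_LOGIN_HOSTS:
        return "trusted", hosts
    if any(hint in final for hint in BRAND_HINTS):
        return "lookalike", hosts  # brand name on a host we do not trust
    return "unknown", hosts


# Constructed samples: a look-alike page behind two wrapper layers, and a
# genuine sign-in link behind one.
FAKE = "https://login-microsoftonline.example.net/common/oauth2"
INNER = "https://wrap.vendor-b.example/v2?u=" + quote(FAKE, safe="")
SAMPLE_WRAPPED = ("https://wrap.vendor-a.example/?url="
                  + quote(INNER, safe="") + "&data=x")
SAMPLE_GENUINE = ("https://wrap.vendor-a.example/?url=" + quote(
    "https://login.microsoftonline.com/common/oauth2/authorize", safe=""))

if __name__ == "__main__":
    for sample in (SAMPLE_WRAPPED, SAMPLE_GENUINE):
        print(assess(sample))
```

A filter that scores only the outermost host sees the wrapper in both cases; scoring the last host in the chain separates them.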
Defensive Strategies for Businesses
Phishing continues to be a data-driven phenomenon.
Threat actors are using tools like AI to harvest and analyse your data to target businesses with believable social engineering. They are exploiting data flows, from using emails and QR codes to anticipating how employees will act and respond to data.
To stay resilient, businesses must take a data-first approach, treating every interaction as a data problem that must be measured, monitored and secured.
Perform data-driven security awareness training
The most effective training is informed by real attack data. By analysing phishing attempts within your industry, you can identify patterns and feed insights back into your training programmes.
Employees then learn from data-backed examples, seeing for themselves what AI-crafted emails, deepfake audio clips and malicious QR campaigns look like.
Training should evolve as threats evolve and always rely on detailed, data-led examples rather than generic warnings.
Adopt data-centric Multi-Factor Authentication
Layering Multi-Factor Authentication (MFA) alone only creates redundant data checks for businesses before employees are granted access.
Diverse verification methods such as hardware tokens and biometrics add unique, verifiable data points that cannot be phished in the same way as SMS codes or passwords.
Framing MFA in this way ensures every login is validated against multiple independent forms of data, reducing your risk of relying on single credentials.
Use AI-powered detection and monitoring
While some phishing attempts are more convincing than others, every attempt leaves subtle anomalies.
From suspicious metadata to irregular login patterns, the best tool to detect these anomalies at speed and scale is the same technology threat actors are using against you: AI.
Businesses can build models trained on AI phishing indicators that continually ingest data from emails, attachments and endpoints, treating phishing as a data analysis problem.
“Companies need comprehensive anti-spam or anti-virus,” explains Adam Klyn, Senior Systems Engineer at Rio IT.
“Some only have elements of it. If this describes your business, how much have you got? Companies should be auditing this and identifying how to address gaps.”
Verify transfers through data
Finally, strengthen processes involving your people through a data-first mindset. When it comes to high-risk actions such as account escalations or fund transfers, you should always verify the data through multiple channels.
This forms the foundation of the Zero Trust model, where actions like an email request for a wire transfer should be validated against a secondary, independent data source such as secure chat logs or encrypted messaging.
The emergence of 4D phishing highlights the importance of placing data governance at the centre of cybersecurity. Businesses must gain the ability to detect, verify and respond to threats with the same agility that attackers use to exploit emerging technologies.
Building a resilient, data-driven security posture will outlast any perimeter defences or evolving phishing campaigns.
Never assume you won’t be targeted
Both Daniel and Adam agree that one of the most dangerous vulnerabilities businesses face is assuming they are too small to be a target.
“The ‘It won’t happen to me’ mentality makes companies vulnerable,” Adam explains. “Smaller businesses question why they’d be attacked as they don’t have the money of the bigger players. But if threat actors target a construction company that runs large transactions of money, they can easily lose £50,000. That’s a big enough target.”
“To the scammers, they know that those targets are quite difficult because they’ve got people who vet their emails and vet everything. A CEO of a small regional firm, they’re not going to have that. They’re always going to be having almost one to one contact,” adds Daniel.
“It’s very easy to pull up how much business is valued at Companies House. Anyone can access it. And you would be able to choose them as a target because they don’t have that protective bubble, making them an easy target.
“The biggest mistake is to think that you’re almost invincible.”