If you asked us to describe the last decade, we’d call it an ‘explosion of innovation’.
Accelerated by Covid-19, we’ve seen the digital transformation of numerous industries, with cutting-edge technologies like AI, augmented reality and cloud computing fundamentally changing how we do business.
But the journey for greater productivity, efficiency and profit hasn’t come without its costs. These innovations are extremely new. We’re still pushing the boundaries of their potential. And as we do that, they remain highly unregulated.
For example, the first comprehensive horizontal legal framework for AI – the EU AI Act – only entered into force last year.
The same AI tools your business is pursuing to enhance processes are also enhancing how cyber criminals target you.
This is one of the biggest developments we see shaping the world of business IT. A development that’s understandably causing significant concern. When phishing goes 4D, the line between colleague email and compromised account is even blurrier.
- 1.2% of emails are malicious, amounting to 3.4 billion phishing emails sent daily
- 74% of security breaches result from human error
- 36% of phishing threats in 2024 involved deceptive links, based on 13 billion analysed emails
Here are four examples of what that looks like, with tips on how to respond and keep your business data safe, alongside insights from Rio Senior Systems Engineers Daniel Milner and Adam Klyn.
1. Deepfakes & Voice Cloning
AI can now generate videos and images that, apart from the occasional extra finger or wonky background, are indistinguishable from real-life photos and recordings.
It’s easy to be caught out by AI generated content, even for those of us who know the signs. This is why threat actors are utilising AI extensively to create deepfakes like voice cloning.
Take this as an example: a fraudster finds your colleague’s public social media account, which is full of their day-in-the-life vlogs. They then use these vlogs to clone your colleague’s voice, enabling them to be impersonated with striking accuracy.
In 2023, this happened to Mark Read, the CEO of the world’s biggest advertising firm, WPP. Threat actors deployed a voice clone of him in a fraudulent Microsoft Teams meeting, in addition to YouTube footage with other executives in a plot to access business data.
This attack wasn’t successful, but a similar one was in 2019, when the CEO of the Euler Hermes Group was voice cloned to convince a partner, a German energy agency, to transfer £153,400 ($243,000) to a scammer.
2. AI social engineering
You’ve likely used AI in some capacity for your emails. Threat actors certainly do, relying on Large Language Models (LLMs) to generate grammatically flawless, contextually appropriate and personalised messages.
The first thing threat actors do is go to LinkedIn, scraping data that is then used to train AI models. These models then generate phishing emails highly tailored to their target’s job role, current projects and colleagues.
The model then writes convincing, clickable content – like fake job offers, policy updates and even emails that mimic the style of known colleagues or executives.
AI-created phishing emails will not contain the traditional red flags: spelling mistakes, awkward phrasing or an announcement that you’ve won a free iPhone. This makes it easier for them to slip through existing security filters and lead to data compromise.
“High value targets are always what they’re going after,” explains Daniel Milner, Senior Systems Engineer at Rio IT.
“They want managers and directors. And how do they work to reach these people? Through building trust.
“For this reason, you need to be careful what you share on social media platforms and wary about accepting friend invitations from people you don’t know.
“Personal information about your family, friends and future plans like holidays can be scraped and fed into large language models before being used to develop a conversation that will use those touch points.”
3. QR Code Phishing (Quishing)
QR code phishing, or quishing, exploits the growth in QR code use by replacing legitimate codes with malicious ones.
Threat actors will target businesses by embedding these QR codes in phishing emails, fake physical content like brochures and even public spaces like coworking offices.
These QR codes are then used to redirect users to fraudulent websites, resulting in malware infections, unwanted subscriptions and data theft. According to Action Fraud, £3.5 million was lost last year due to fraudulent QR codes alone, making this a development to stay vigilant towards.
4. Cloud & SaaS
As more businesses adopt cloud productivity tools, threat actors are increasingly tailoring phishing campaigns to the systems they know businesses rely on.
Microsoft 365, Google Workspace and Slack are just some of the login pages they mimic, creating pixel-perfect replicas that easily trick the untrained eye – especially when people are seeking to stay productive.
Once an employee enters their credentials, threat actors gain access to an Aladdin’s cave of email, documents and collaboration platforms, opening the door to your business data.
Earlier this year, a group of cybercriminals succeeded in opening that door. By creating a fake Microsoft 365 login page and exploiting email URL wrapping features to bypass security filters, they breached a wealth of Microsoft 365 users – from legal firms to finance institutions.
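As an added illustration (not Rio IT's code or any vendor's product), here is one way a mail filter can judge a wrapped link by where it finally lands rather than by the reputation of the wrapper. The wrapper format, the trusted-domain list and the brand keyword list are assumptions made for the example, and all sample links are constructed.

```python
from urllib.parse import quote, parse_qsl, urlsplit

# Assumptions for this example: replace with the domains your organisation signs in on.
TRUSTED_DOMAINS = ("microsoftonline.com", "microsoft.com", "office.com")
BRAND_HINTS = ("microsoft", "office365", "o365", "outlook")  # constructed keyword list
MAX_DEPTH = 5  # stop on pathological nesting

def unwrap(url, depth=0):
    """Return the chain of URLs from the outer wrapper to the innermost target."""
    chain = [url]
    if depth < MAX_DEPTH:
        # parse_qsl percent-decodes each value, so nested encodings peel off per level
        for _, value in parse_qsl(urlsplit(url).query):
            if value.lower().startswith(("http://", "https://")):
                return chain + unwrap(value, depth + 1)
    return chain

def is_trusted(host):
    """True only for a trusted domain itself or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def assess(url):
    """Judge a link by its final destination, not by the wrapper in front of it."""
    chain = unwrap(url)
    final = urlsplit(chain[-1])
    host = (final.hostname or "").lower()
    if is_trusted(host):
        verdict = "trusted"
    elif any(h in host or h in final.path.lower() for h in BRAND_HINTS):
        verdict = "suspicious"  # brand name shown on a host the brand does not own
    else:
        verdict = "unknown"
    return {"final_host": host, "wrap_depth": len(chain) - 1, "verdict": verdict}

def sample(wrapper, target):
    """Build a constructed wrapped link for the demo (not a real vendor's format)."""
    return f"{wrapper}?u={quote(target, safe='')}"

# Constructed sample data on reserved example domains
W1 = "https://links.gateway-a.example/v1"
W2 = "https://click.gateway-b.example/r"
LOOKALIKE = "https://microsoft365-login.example.net/signin?client=owa"
GENUINE = "https://login.microsoftonline.com/common/oauth2/authorize"

if __name__ == "__main__":
    for link in (sample(W1, sample(W2, LOOKALIKE)), sample(W1, GENUINE),
                 sample(W1, "https://intranet.example.org/policy")):
        print(assess(link))
```

A link that only resolves after an HTTP redirect needs the same check applied to the redirect target; this sketch covers destinations carried in the URL itself.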
Defensive Strategies for Businesses
Phishing continues to be a data-driven phenomenon.
Threat actors are using tools like AI to harvest and analyse your data and to target businesses with believable social engineering. They’re exploiting data flows, from emails and QR codes to anticipating how employees will behave and act on data.
To stay resilient, businesses must take a data-first approach, treating every interaction as a data problem that must be measured, monitored and secured.
Perform data-driven security awareness training
The most effective training is informed by real attack data. By analysing phishing attempts in your industry, you can detect patterns and feed insights back into your training programs.
Employees then learn from data-backed examples, seeing for themselves what AI-crafted emails, deepfake audio clips and malicious QR campaigns look like.
Training should evolve as threats evolve and always involve granular data over generic warnings.
Adopt data-centric Multi-Factor Authentication
Layering Multi-factor Authentication (MFA) alone just creates redundant data checks for businesses before employees are granted access.
Diverse data checks, like hardware tokens and biometrics, add unique, verifiable data points that cannot be phished in the same way as SMS codes or passwords.
Framing MFA in this way ensures every login is validated against multiple independent forms of data, reducing your risk of relying on singular credentials.
Use AI-powered detection and monitoring
While some phishing attempts are more believable than others, every attempt produces subtle anomalies.
From suspicious metadata to irregular login patterns, the best tool to spot these anomalies at speed and scale is what threat actors are weaponising against you: AI.
Businesses can build models trained on AI phishing indicators that continually ingest data from emails, attachments and endpoints, treating phishing as a data analysis problem.
“Companies need comprehensive anti-spam or anti-virus,” explains Adam Klyn, Senior Systems Engineer at Rio IT.
“Some only have elements of it. If this describes your business, how much have you got? Companies should be auditing this and identifying how to address gaps.”
Verify transfers through data
Finally, strengthen processes involving your people through a data-first mindset. When it comes to high-risk actions like account escalations or fund transfers, you should always verify the data from multiple channels.
This is the foundation of the Zero Trust model, where actions such as an email request for a wire transfer should be validated against a secondary, independent data source like secure chat logs or encrypted messaging.
The emergence of 4D phishing highlights the importance of centring data governance in cybersecurity. Businesses need to gain the ability to detect, verify, and respond to threats with the same agility that attackers use to exploit emerging technologies.
Building a resilient, data-driven security posture will outlast any perimeter defences and evolving phishing campaigns.
Never assume you won’t be targeted
Both Daniel and Adam agree that one of the most dangerous vulnerabilities businesses have is assuming they are too small to be a target.
“The ‘It won’t happen to me’ mentality makes companies vulnerable,” Adam explains. “Smaller businesses question why they’d be attacked as they don’t have the money of the bigger players. But if threat actors target a construction company that runs large transactions of money, they can easily lose £50,000. That’s a big enough target.”
“To the scammers, they know that those targets are quite difficult because they’ve got people who vet their emails and vet everything. A CEO of a small regional firm, they’re not going to have that. They’re always going to be having almost one-to-one contact,” adds Daniel.
“It’s very easy to pull up how much business is valued at Companies House. Anyone can access it. And you would be able to choose them as a target because they don’t have that protective bubble, making them an easy target.
“The biggest mistake is to think that you’re almost invincible.”