The digital landscape is a double-edged sword. While it offers unprecedented opportunities for growth and connection, it also harbours ever-evolving threats. Among the most persistent and damaging of these is phishing. Far from being a static nuisance, phishing attacks constantly morph, leveraging new technologies and psychological tactics to deceive unsuspecting victims. The consequences can be devastating, ranging from significant financial losses and operational disruption, as starkly highlighted by the recent M&S cyberattack, to severe reputational damage that can take years to repair.
This article delves into the murky waters of emerging phishing trends, exploring the sophisticated methods attackers are now employing. We then discuss effective countermeasures, drawing on industry best practices and expert guidance from bodies like the NCSC, and explain how a robust framework like ISO 27001:2022 provides a structured approach to building resilient defences against these threats.
The shifting landscape: emerging phishing trends
Staying ahead of cybercriminals requires understanding their latest playbook. Here are some of the most concerning phishing trends making headlines and threatening businesses today.
SIM-swap fraud: an escalating threat
One rapidly growing phishing-related threat is SIM-swap fraud. While not new, this technique has seen a dramatic resurgence and increased sophistication, leading to devastating consequences for individuals and businesses. The UK has witnessed an alarming 1,055 per cent increase in unauthorised phone SIM swaps in 2024, with cases logged on the National Fraud Database surging from 289 in 2023 to over 3,000 in 2024, according to fraud prevention service CIFAS.
The core mechanism of a SIM-swap attack involves a fraudster deceiving or colluding with a mobile network operator's employee to transfer a victim's legitimate phone number to a SIM card controlled by the attacker. Once the victim's phone number is hijacked, the attacker gains control over all incoming calls and SMS messages. This includes one-time passcodes (OTPs) sent for two-factor authentication (2FA), password reset links, and other sensitive notifications, effectively bypassing a critical layer of security for many online accounts.
The effectiveness of SIM-swap fraud lies in its ability to exploit human vulnerabilities and systemic weaknesses in authentication processes. Attackers often gather personal information about their targets through prior phishing campaigns, social media reconnaissance, or data breaches. Armed with this information, they can convincingly impersonate the victim when contacting the mobile carrier, or they may exploit insider threats within the carrier itself. The ease with which some carriers' verification processes can be subverted has been a significant contributing factor to the rise of this threat.
A stark and recent illustration of the severe impact of such attacks is the cyberattack on Marks & Spencer (M&S), a prominent UK retailer. Reports indicated that SIM-swap tactics were a component of the attack vector that allowed criminals access to M&S systems. The fallout for M&S was substantial and immediate: a reported loss of over £700 million in market value, a 6.5% drop in its share price, and an estimated £3.8 million a day in lost online revenue while its online ordering systems were suspended.
Beyond the direct financial costs, such incidents inflict significant reputational damage, erode customer trust, and can lead to prolonged operational disruption as systems are investigated, secured, and restored. The M&S case, alongside the Co-op also reportedly being affected, serves as a critical wake-up call for all organisations, demonstrating that even well-established businesses are vulnerable. It underscores the urgent need to reassess reliance on SMS-based authentication and to implement more robust, multi-layered security controls.
AI-powered phishing
- Hyper-personalisation: AI algorithms analyse vast amounts of data (social media, breached data) to craft compelling and personalised spear-phishing emails, SMS (smishing), or voice messages (vishing) that are difficult to distinguish from legitimate communications. The language used is often flawless and contextually highly relevant to the target.
- Deepfake voice and video: AI creates realistic fake audio or video of trusted individuals (CEOs, colleagues, family members) to trick victims into transferring funds, revealing sensitive information, or granting access. This is particularly potent in BEC attacks.
- AI-generated malicious content: attackers use AI to rapidly generate fake websites, login pages, and email templates that closely mimic legitimate ones, often bypassing traditional signature-based detection.
- Sophisticated chatbots: malicious chatbots can engage victims in seemingly legitimate conversations to extract information or guide them to malicious sites.
The net effect is to increase the believability and scale of attacks, making traditional user awareness training more challenging.
QR code phishing (quishing)
- Mechanism: attackers embed malicious links within QR codes, distributed via emails (often as legitimate-looking requests for 2FA, document access, or payments), physical posters in public places, or even fake invoices and business cards.
- Evasion tactics: a QR code is an image, so the link it carries is invisible to email security filters that only scan text and URLs; the message often contains no clickable link at all. Attackers also place redirects and CAPTCHA-like challenges behind the QR destination so that automated URL analysis never reaches the final phishing page.
- Exploiting user behaviour: users are often less suspicious of scanning QR codes with their mobile devices, and a personal phone typically sits outside the corporate web filtering, EDR, and browser isolation that would protect a managed desktop.
- Recent trend: significant increases have been reported, with Hoxhunt reporting a 25% year-on-year increase and Sublime Email Threat Research also highlighting growth in Q1 2025.
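The evasion point above (no scannable link in the text, a lure in the prose, and the real link inside an image) can be turned into a triage rule. The following is an added example, not code from the original article or from any vendor product: a small scorer that parses a raw message with Python's standard `email` module and flags messages that carry an image part, contain no URL in the text, and use typical MFA or payment lures. The lure terms, the threshold of 3, and the two sample messages are all constructed assumptions; the attached "image" is a placeholder byte string, not a real QR code, because decoding the QR itself is a separate step this example does not perform.

```python
import email
import re
from email import policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Lure terms that commonly accompany a QR code in quishing mail (assumed heuristic list).
LURE_TERMS = ("scan", "qr code", "mfa", "2fa", "authenticator",
              "re-enrol", "verify", "payment", "expires")

# Score at or above which a message is flagged (assumed threshold).
FLAG_THRESHOLD = 3


def extract_features(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and count image parts, URLs in text, and lure hits."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text_parts, image_parts = [], 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            image_parts += 1
        elif ctype in ("text/plain", "text/html"):
            text_parts.append(part.get_content())
    text = "\n".join(text_parts)
    lowered = (msg.get("Subject", "") + "\n" + text).lower()
    return {
        "image_parts": image_parts,
        "url_count": len(URL_RE.findall(text)),
        "lure_hits": [t for t in LURE_TERMS if t in lowered],
    }


def score_quishing(raw: bytes) -> int:
    """Image present with no clickable link is the core quishing signature; lures add weight."""
    f = extract_features(raw)
    score = 0
    if f["image_parts"] and f["url_count"] == 0:
        score += 2  # the link the user is meant to follow is probably inside the image
    if f["image_parts"]:
        score += len(f["lure_hits"])
    return score


def is_suspected_quishing(raw: bytes) -> bool:
    return score_quishing(raw) >= FLAG_THRESHOLD


def build_sample(subject: str, body: str, with_image: bool) -> bytes:
    """Construct a sample message for offline testing (constructed data, not a real capture)."""
    m = EmailMessage()
    m["From"] = "it-helpdesk@example.com"
    m["To"] = "alice@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if with_image:
        # Placeholder bytes standing in for a QR-code PNG; not a decodable image.
        m.add_attachment(b"\x89PNG\r\n\x1a\nNOT-A-REAL-QR",
                         maintype="image", subtype="png", filename="qr.png")
    return m.as_bytes()


# Constructed samples: a quishing lure with no link in the text, and a benign mail with a link and a photo.
QUISHING_SAMPLE = build_sample(
    "Action required: re-enrol your MFA authenticator",
    "Your MFA registration expires in 24 hours. Scan the QR code below with your phone to re-enrol.",
    with_image=True,
)
NEWSLETTER_SAMPLE = build_sample(
    "May newsletter",
    "Read the full story at https://example.com/news/may and see the team photo attached.",
    with_image=True,
)

if __name__ == "__main__":
    for name, raw in (("quishing", QUISHING_SAMPLE), ("newsletter", NEWSLETTER_SAMPLE)):
        print(name, score_quishing(raw), is_suspected_quishing(raw))
```

In a gateway this rule would feed a quarantine or a "this message contains a QR code" banner rather than block outright, since marketing mail legitimately carries QR images; the discriminating signal is the combination of an image, no link, and an authentication or payment lure.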
Evolving Business Email Compromise (BEC) tactics
- Beyond invoice fraud: while traditional invoice and payment redirection scams persist, BEC is becoming more sophisticated, involving prolonged social engineering, impersonation of trusted partners or internal executives, and requests for actions beyond fund transfers, such as sharing sensitive data or changing employee payroll details.
- Targeting internal communication platforms: attackers are increasingly targeting platforms like Slack and Microsoft Teams, either by compromising accounts or creating fake profiles to launch internal phishing attacks or spread malware.
- Use of compromised legitimate accounts: attackers send from previously compromised legitimate email accounts, often obtained in other breaches, so the message comes from a real mailbox on a real domain, passes SPF, DKIM, and DMARC checks, carries genuine sender reputation, and may even continue an existing thread the victim recognises.
- Gift card scams: a common BEC tactic involves impersonating an executive and requesting the urgent purchase of gift cards for clients or employees.
Other notable trends
- MFA fatigue attacks (push bombing): having already obtained the password, attackers repeatedly trigger MFA push notifications, hoping the victim will eventually approve one out of frustration or by mistake; the approval gives the attacker a fully authenticated session.
- Phishing-as-a-Service (PhaaS): the availability of sophisticated phishing kits and services on the dark web lowers the barrier to entry for less skilled attackers, leading to a higher volume of diverse attacks.
- OAuth phishing: tricking users into granting a malicious third-party application access to their Microsoft 365 or Google Workspace account via a legitimate OAuth consent screen. No password is captured, so the grant survives password resets and MFA; access persists until the consent itself is revoked.
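MFA fatigue leaves a distinctive pattern in authentication logs: a burst of push prompts for one user, mostly denied or timed out, followed by an approval. The following is an added detection example written for this article, not code from the original page or from any identity provider: it reads a simplified, constructed log format (`timestamp user=<id> event=<push_sent|push_denied|push_timeout|push_approved>`) and raises an alert when more than a set number of prompts occur inside a sliding window, and a second, higher-severity alert when an approval follows such a burst. The window of 10 minutes and the limit of 5 prompts are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Simplified constructed log line shape (assumption; real IdP logs are JSON with different field names).
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$")


def parse_line(line: str):
    """Return (timestamp, user, event) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["event"]


def detect_mfa_fatigue(lines, window=timedelta(minutes=10), max_prompts=5):
    """Sliding-window count of push prompts per user.

    Emits 'prompt_burst' on the first prompt that exceeds max_prompts within the window,
    and 'approved_after_burst' if an approval arrives while the window still holds a burst.
    """
    recent = defaultdict(deque)  # user -> timestamps of push_sent still inside the window
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, event = parsed
        q = recent[user]
        while q and ts - q[0] > window:  # expire prompts that fell out of the window
            q.popleft()
        if event == "push_sent":
            q.append(ts)
            if len(q) == max_prompts + 1:  # fires once, on the first prompt over the limit
                alerts.append({"user": user, "kind": "prompt_burst", "count": len(q), "at": ts})
        elif event == "push_approved" and len(q) > max_prompts:
            alerts.append({"user": user, "kind": "approved_after_burst", "count": len(q), "at": ts})
    return alerts


# Constructed sample: alice is bombed with seven prompts in six minutes and finally approves;
# bob receives one prompt and approves it normally.
SAMPLE_LOG = """
2025-05-01T09:00:10Z user=alice event=push_sent
2025-05-01T09:00:40Z user=alice event=push_denied
2025-05-01T09:01:05Z user=alice event=push_sent
2025-05-01T09:01:35Z user=alice event=push_timeout
2025-05-01T09:02:00Z user=alice event=push_sent
2025-05-01T09:02:30Z user=alice event=push_denied
2025-05-01T09:03:00Z user=alice event=push_sent
2025-05-01T09:03:30Z user=alice event=push_timeout
2025-05-01T09:04:00Z user=alice event=push_sent
2025-05-01T09:04:30Z user=alice event=push_denied
2025-05-01T09:05:00Z user=alice event=push_sent
2025-05-01T09:05:30Z user=alice event=push_denied
2025-05-01T09:06:00Z user=alice event=push_sent
2025-05-01T09:06:20Z user=alice event=push_approved
2025-05-01T09:10:00Z user=bob event=push_sent
2025-05-01T09:10:15Z user=bob event=push_approved
""".strip().splitlines()

if __name__ == "__main__":
    for a in detect_mfa_fatigue(SAMPLE_LOG):
        print(f"{a['at']:%H:%M:%S} {a['user']} {a['kind']} prompts_in_window={a['count']}")
```

The 'approved_after_burst' alert is the one that warrants an immediate session revocation and password reset; the 'prompt_burst' alert on its own already tells you the password is in the attacker's hands. Preventive controls that remove the pattern altogether are number matching on the push prompt, a cap on prompts per user per interval, and phishing-resistant FIDO2 authenticators, which have no prompt to bomb.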
Countermeasures: effective mitigations against phishing
A multi-layered defence strategy is essential given the diverse and evolving nature of phishing attacks. This involves a combination of technical safeguards, robust processes, and, critically, a well-informed and vigilant workforce. Drawing from industry best practices and guidance from bodies like the UK's National Cyber Security Centre (NCSC), here are the key mitigations organisations should consider.
Technical mitigations: building digital fortifications
- Advanced email filtering and anti-phishing solutions. Deploy sophisticated email security gateways that use machine learning, sandboxing, and threat intelligence to detect and block malicious emails, including those with suspicious links, attachments, or sender impersonation attempts.
- Robust multi-factor authentication. Implement strong MFA for all user accounts, especially for sensitive systems and data access. Move beyond SMS-based OTPs where possible, favouring authenticator apps or, better, FIDO2/WebAuthn authenticators (hardware security keys or biometric-unlocked platform passkeys). Removing SMS as a second factor, and as an account-recovery channel, removes the payoff from a SIM swap. Note that app-based OTPs can still be relayed in real time by an adversary-in-the-middle phishing proxy, whereas FIDO2 credentials are bound to the site's origin and cannot be replayed to another site, which is why they are described as phishing-resistant.
- URL filtering and DNS protection. Utilise services that block access to known malicious websites and domains, preventing users from landing on phishing sites even if they click a malicious link.
- Endpoint detection and response (EDR). EDR solutions provide advanced threat detection, investigation, and response capabilities on endpoints, helping to identify and contain malware or suspicious activities resulting from successful phishing.
- NCSC-advised SIM-swap specific defences. Know your SMS estate: maintain a formal record of how and where SMS is used in business processes and assess the associated risks. Verify SIM swap status: for high-risk transactions reliant on SMS, query mobile network operators or aggregators to check if the SIM associated with a customer's number has been recently swapped, and treat a very recent swap as a high-risk indicator. Protect customer phone number integrity: implement robust customer authentication before allowing phone number details to be amended, notify the old number when a change is made, and partially mask phone numbers when displayed to prevent reconnaissance.
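The three NCSC points in the last bullet (check swap status before trusting SMS for a high-risk action, authenticate strongly before a number change, notify the old number and mask numbers on display) fit naturally into one account-service policy. The following is an added example written for this article, not code from the original page, the NCSC, or any operator: the swap-status lookup is injected as a callable standing in for a mobile network operator or aggregator API (an assumption; real APIs vary), the 72-hour "recent swap" window and the 10-minute freshness requirement for strong authentication are assumed values, and the phone numbers are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Assumed policy values; the NCSC guidance gives no fixed numbers.
RECENT_SWAP_WINDOW = timedelta(hours=72)
STRONG_AUTH_MAX_AGE = timedelta(minutes=10)

SwapLookup = Callable[[str], Optional[datetime]]  # returns last swap time, None if none on record, raises on failure


def mask_phone(e164: str) -> str:
    """Keep the country code and last two digits: +447700900123 -> +44********23."""
    if not e164.startswith("+") or len(e164) < 8:
        raise ValueError("expected an E.164 number")
    return e164[:3] + "*" * (len(e164) - 5) + e164[-2:]


def sms_otp_allowed(number: str, lookup: SwapLookup, now: datetime, high_risk: bool) -> tuple[bool, str]:
    """Decide whether an SMS OTP may be used for this action.

    Low-risk actions skip the lookup; high-risk ones fail closed when the status
    is unavailable or the SIM was swapped inside RECENT_SWAP_WINDOW.
    """
    if not high_risk:
        return True, "low-risk action: SMS acceptable"
    try:
        last_swap = lookup(number)
    except Exception:
        return False, "swap status unavailable: fail closed, require a non-SMS factor"
    if last_swap is not None and now - last_swap < RECENT_SWAP_WINDOW:
        return False, f"SIM swapped {now - last_swap} ago: require a non-SMS factor"
    return True, "no recent swap on record: SMS acceptable"


@dataclass
class Account:
    user: str
    phone: str
    strong_auth_at: Optional[datetime] = None          # when the user last completed strong (non-SMS) auth
    notifications: list = field(default_factory=list)  # (destination number, message) pairs sent


def change_phone_number(acct: Account, new_phone: str, now: datetime) -> tuple[str, str]:
    """Require fresh strong authentication, then notify the OLD number of the change.

    Returns masked (old, new) so that logs and UI never expose the full numbers.
    """
    if acct.strong_auth_at is None or now - acct.strong_auth_at > STRONG_AUTH_MAX_AGE:
        raise PermissionError("fresh strong authentication required before changing the phone number")
    old = acct.phone
    acct.phone = new_phone
    acct.notifications.append((old, f"Your contact number was changed to {mask_phone(new_phone)}. "
                                    "If this was not you, contact us immediately."))
    return mask_phone(old), mask_phone(new_phone)


# Constructed operator data: one number swapped two hours ago, one with no swap on record.
NOW = datetime(2025, 5, 1, 12, 0, tzinfo=timezone.utc)
SWAP_RECORDS = {"+447700900123": NOW - timedelta(hours=2), "+447700900456": None}


def fake_lookup(number: str) -> Optional[datetime]:
    """Stand-in for the operator/aggregator swap-status API (assumption)."""
    return SWAP_RECORDS[number]  # KeyError for unknown numbers models an API failure


if __name__ == "__main__":
    print(sms_otp_allowed("+447700900123", fake_lookup, NOW, high_risk=True))
    acct = Account("alice", "+447700900123", strong_auth_at=NOW - timedelta(minutes=2))
    print(change_phone_number(acct, "+447700900456", NOW), acct.notifications)
```

Failing closed on an unavailable lookup is the deliberate choice for high-risk actions such as payments or credential resets; for routine logins it is usually acceptable to fall back to an alternative factor instead of blocking.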
Human-centric mitigations: the indispensable human firewall
- Comprehensive security awareness training. Regular, engaging, and up-to-date training covering: recognising the various phishing types (email, smishing, vishing, quishing); identifying social engineering tactics and red flags such as urgency, threats, and unusual requests (always pause, stop, think, and get a second opinion if unsure); understanding the risks of AI-generated deepfakes and highly personalised attacks; safe practices for handling links, attachments, and requests for sensitive information; the importance of verifying unexpected requests through separate, trusted channels; and recognising SIM-swap indicators such as sudden loss of phone signal, inability to make or receive calls and texts, loss of access to key accounts, and unauthorised transactions.
- Phishing simulation exercises. Conduct regular, realistic phishing simulations to test employee awareness and reinforce training, using the results to identify areas for improvement and provide targeted follow-up.
- Clear reporting mechanisms. Establish transparent and straightforward procedures for employees to report suspicious emails, messages, or potential incidents without fear of blame, and ensure reports are promptly investigated.
- Strong identity verification processes. Implement stringent identity verification that goes beyond easily obtainable information for account recovery, password resets, or changes to sensitive account details, and ensure strong, unique passwords are used for key accounts.
Process-oriented mitigations: embedding security into operations
- Incident response plans. Develop and regularly test incident response plans that address phishing attacks and account takeovers, including SIM-swap scenarios, outlining roles, responsibilities, communication channels, containment, eradication, and recovery steps. If a SIM-swap is suspected, immediately contact your bank and mobile service provider.
- Supplier due diligence and management. Conduct thorough security due diligence for services that involve customer communication or authentication, such as telecommunication providers, SMS aggregators, and email service providers, and ensure contractual agreements include clear security requirements, particularly around preventing and detecting unauthorised SIM swaps.
- Principle of least privilege. Ensure users only have access to the information and systems necessary for their roles, limiting the potential impact if an account is compromised via phishing.
The ISO 27001:2022 framework: a cornerstone for phishing defence
While specific countermeasures are crucial, a structured and holistic approach to information security management is essential for sustained defence against phishing and other cyber threats. This is where the ISO 27001:2022 standard provides invaluable guidance. ISO 27001 is an internationally recognised framework for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Its risk-based approach helps organisations identify threats like the phishing techniques discussed above, assess vulnerabilities, and implement appropriate controls.
Several Annex A controls within ISO 27001:2022 are directly or indirectly pertinent to building a robust defence against phishing:
- A.5.7 Threat intelligence: collecting and analysing threat intelligence is vital for staying ahead of emerging phishing tactics, understanding attacker methodologies, and proactively adjusting defences.
- A.5.16 Identity management: establishing and managing secure identities makes it harder for phishers to exploit compromised credentials or create fake identities within the organisation.
- A.5.17 Authentication information: securing passwords, tokens, and biometric data underpins strong MFA and secure password practices, critical defences against credential phishing.
- A.5.20 Addressing information security in supplier agreements: as the NCSC SIM-swap guidance highlights, managing security in the supply chain is key, ensuring expectations for telecommunication providers and other critical services are clearly defined and managed.
- A.5.23 Information security for use of cloud services: many organisations rely on cloud-based email and collaboration platforms, which are frequent phishing targets; this control helps ensure appropriate measures are in place for them.
- A.5.25 Assessment and decision on information security events, and A.5.26 Response to information security incidents: together these controls ensure reported phishing attempts are properly triaged and that effective incident response procedures contain and remediate successful attacks.
- A.6.3 Information security awareness, education, and training: perhaps the most critical control for phishing defence, mandating appropriate awareness education and regular updates for all relevant personnel. This directly addresses the human element exploited by phishing.
- A.5.34 Privacy and protection of PII: phishing attacks often aim to steal personally identifiable information; secure handling of customer phone numbers, for instance, falls under this control.
- A.8.1 User endpoint devices: securely configured and protected devices can prevent malware delivered via phishing from executing, or limit its impact.
- A.8.5 Secure authentication: reinforces the need for strong authentication mechanisms and technologies, directly supporting robust, phishing-resistant MFA.
- A.8.7 Protection against malware: preventative and detective measures against malware, often the payload of a phishing attack.
- A.8.8 Management of technical vulnerabilities: regularly identifying and remediating vulnerabilities reduces the attack surface phishers might exploit.
- A.8.23 Web filtering: blocking access to known phishing sites or sites hosting malicious content prevents users from inadvertently navigating to them.
By implementing these and other relevant controls within an ISO 27001-compliant ISMS, organisations do not just tick boxes; they build a resilient, adaptive, and comprehensive defence-in-depth strategy. The framework ensures that security measures are not ad hoc but part of a continual cycle of risk assessment, treatment, monitoring, and improvement, which is essential for combating the ever-evolving threat of phishing.
Conclusion: proactive defence in an evolving threat landscape
The surge in sophisticated phishing attacks, from SIM swaps to AI-driven campaigns, poses a clear and present danger to organisations of all sizes. As the M&S incident starkly illustrates, a successful breach can have immense financial and reputational costs. However, businesses can significantly reduce their risk by understanding these emerging threats and adopting a proactive, multi-layered defence strategy.
This strategy must encompass robust technical safeguards, vigilant and well-trained employees, and clearly defined security processes. The ISO 27001:2022 standard provides an excellent, internationally recognised framework for structuring these defences, ensuring a holistic and continually improving approach to information security.
Protecting your organisation is not just about implementing tools; it is about fostering a culture of security and resilience. By taking proactive steps now, you can safeguard your operations, protect your data, and maintain the trust of your customers in an increasingly challenging digital world. Do not wait to become the next headline. Take control of your cybersecurity posture today.
Ready to strengthen your defences against sophisticated phishing attacks?
Secure Step Forward helps organisations build resilient information security postures tailored to their specific risks: ISO 27001 implementation and support, risk assessments, security awareness training, and incident response planning. See how we approach ISO 27001, or get in touch for clear answers with no pressure and no jargon.