
Emerging Phishing Trends: Is Your Business Prepared? (And How ISO 27001 Can Help)

I. Introduction

The digital landscape is a double-edged sword. While it offers unprecedented opportunities for growth and connection, it also harbours ever-evolving threats. Among the most persistent and damaging of these is phishing. Far from being a static nuisance, phishing attacks constantly morph, leveraging new technologies and psychological tactics to deceive unsuspecting victims. The consequences can be devastating, ranging from significant financial losses and operational disruption, as starkly highlighted by the recent M&S cyberattack, to severe reputational damage that can take years to repair.

This post will delve into the murky waters of emerging phishing trends, exploring the sophisticated methods attackers are now employing. We will then discuss effective countermeasures, drawing on industry best practices and expert guidance from bodies like the NCSC. We will explain how a robust framework like ISO 27001:2022 provides a structured approach to building resilient defences against these threats. Finally, we’ll discuss how Secure Step Forward can partner with you to navigate this complex environment and fortify your organisation.

II. The Shifting Landscape: Emerging Phishing Trends

Staying ahead of cybercriminals requires understanding their latest playbook. Here are some of the most concerning phishing trends making headlines and threatening businesses today:

A. SIM-Swap Fraud (Deep Dive): An Escalating Threat


One rapidly growing phishing-related threat is SIM-swap fraud. While not new, this technique has seen a dramatic resurgence and increased sophistication, leading to devastating consequences for individuals and businesses. The UK has witnessed an alarming 1,055 per cent increase in unauthorised phone SIM swaps in 2024, with cases logged on the National Fraud Database surging from 289 in 2023 to over 3,000 in 2024, according to fraud prevention service CIFAS. This isn’t just about financial loss; as Simon Miller, director of policy, strategy and communications at CIFAS, warns, "When you lose your identity, it has an enduring long-term impact. SIM swap fraud points to the growing sophistication of frauds and gives them more control over our daily lives.”

The core mechanism of a SIM-swap attack involves a fraudster deceiving or colluding with a mobile network operator's employee to transfer a victim's legitimate phone number to a SIM card controlled by the attacker. Once the victim's phone number is hijacked, the attacker gains control over all incoming calls and SMS messages. This includes one-time passcodes (OTPs) sent for two-factor authentication (2FA), password reset links, and other sensitive notifications, effectively bypassing a critical layer of security for many online accounts.

The effectiveness of SIM-swap fraud lies in its ability to exploit human vulnerabilities and systemic weaknesses in authentication processes. Attackers often gather personal information about their targets through prior phishing campaigns, social media reconnaissance, or data breaches. Armed with this information, they can convincingly impersonate the victim when contacting the mobile carrier, or they may exploit insider threats within the carrier itself. The ease with which some carriers' verification processes can be subverted has been a significant contributing factor to the rise of this threat.

A stark and recent illustration of the severe impact of such attacks is the cyberattack on Marks & Spencer (M&S), a prominent UK retailer. Reports indicated that SIM-swap tactics were a component of the attack vector that allowed criminals access to M&S systems. The fallout for M&S was substantial and immediate. The company experienced a reported loss of over £700 million in market value, a 6.5% drop in its share price, and an estimated halt in daily online revenue of approximately £3.8 million due to the disruption of its online ordering systems. Beyond the direct financial costs, such incidents inflict significant reputational damage, erode customer trust, and can lead to prolonged operational disruption as systems are investigated, secured, and restored. The M&S case, alongside the Co-op also reportedly being affected, serves as a critical wake-up call for all organisations, demonstrating that even well-established businesses are vulnerable and that the financial and operational repercussions of a successful SIM-swap enabled attack can be crippling. This incident underscores the urgent need for organisations to reassess their reliance on SMS-based authentication and to implement more robust, multi-layered security controls to protect against this evolving threat.

B. AI-Powered Phishing:

  • Hyper-Personalisation: AI algorithms analyse vast amounts of data (social media, breached data) to craft compelling and personalised spear-phishing emails, SMS (smishing), or voice messages (vishing) that are difficult to distinguish from legitimate communications. The language used is often flawless and contextually highly relevant to the target.
  • Deepfake Voice/Video (Vishing/Video Phishing): AI creates realistic fake audio or video of trusted individuals (e.g., CEOs, colleagues, family members) to trick victims into transferring funds, revealing sensitive information, or granting access. This is particularly potent in BEC attacks.
  • AI-Generated Malicious Content: Attackers use AI to rapidly generate fake websites, login pages, and email templates that closely mimic legitimate ones, often bypassing traditional signature-based detection.
  • Sophisticated Chatbots: Malicious chatbots can engage victims in seemingly legitimate conversations to extract information or guide them to malicious sites.
  • Relevance: Increases the believability and scale of attacks, making traditional user awareness training more challenging.

C. QR Code Phishing (Quishing):

  • Mechanism: Attackers embed malicious links within QR codes. These QR codes are distributed via emails (often as legitimate requests for 2FA, document access, or payments), physical posters in public places, or even fake invoices/business cards.
  • Evasion Tactics: QR codes can bypass email security filters that primarily scan text and URLs. Attackers also use redirects and CAPTCHA-like challenges (e.g., Cloudflare Turnstile) after the QR scan to further evade detection and analysis.
  • Exploiting User Behaviour: Users are often less suspicious of scanning QR codes with their mobile devices, which may have fewer security protections than corporate desktops.
  • Recent Trend: Significant increases have been reported (e.g., Hoxhunt reported a 25% year-over-year increase, and Sublime Email Threat Research also highlighted growth in Q1 2025).
  • Relevance: A growing threat vector that leverages mobile devices and user trust in QR codes, bypassing some traditional defences.

D. Evolving Business Email Compromise (BEC) Tactics:

  • Beyond Invoice Fraud: While traditional invoice/payment redirection scams persist, BEC is becoming more sophisticated, involving prolonged social engineering, impersonation of trusted partners or internal executives, and requests for actions beyond just fund transfers (e.g., sharing sensitive data, changing employee payroll details).
  • Targeting Internal Communication Platforms: Attackers are increasingly targeting platforms like Slack, Microsoft Teams, and other collaboration tools, either by compromising accounts or creating fake profiles to launch internal phishing attacks or spread malware.
  • Use of Compromised Legitimate Accounts: Attackers leverage previously compromised legitimate email accounts (often from other breaches) to send phishing emails, making them appear highly credible and bypassing sender reputation checks.
  • Gift Card Scams: A common BEC tactic involves impersonating an executive and requesting urgent purchase of gift cards for clients or employees.
  • Relevance: BEC remains highly lucrative for attackers and continues to evolve, exploiting trust and internal communication channels.

E. Other Notable Trends:

  • Multi-Factor Authentication (MFA) Fatigue Attacks: Attackers spam users with MFA push notifications, hoping the victim will eventually approve one out of frustration or by mistake.
  • Phishing-as-a-Service (PhaaS): The availability of sophisticated phishing kits and services on the dark web lowers the barrier to entry for less skilled attackers, leading to a higher volume of diverse attacks.
  • OAuth Phishing: Tricking users into granting malicious third-party applications access to their accounts (e.g., Microsoft 365, Google Workspace) via OAuth consent screens.
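MFA fatigue, as described above, leaves a recognisable trail in authentication logs. The following is an added example (not from the original post) of detection logic that flags a burst of push prompts to one user and an approval that follows a run of denials; the log format, field names and thresholds are constructed assumptions.

```python
"""MFA push-fatigue detector (added example, not from the original post).

Parses constructed authentication log lines of the assumed form
    <ISO-8601 time> user=<name> event=mfa_push result=<sent|denied|approved>
(assumed to be in time order) and flags a user who receives more than THRESHOLD
pushes inside WINDOW, or who approves a push straight after a run of denials,
which is the pattern fatigue attacks rely on.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                  # assumed tuning: pushes per window before alerting
WINDOW = timedelta(minutes=10)

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2025-05-01T08:00:01Z user=alice event=mfa_push result=approved
2025-05-01T22:14:05Z user=bob event=mfa_push result=denied
2025-05-01T22:14:40Z user=bob event=mfa_push result=denied
2025-05-01T22:15:12Z user=bob event=mfa_push result=denied
2025-05-01T22:15:50Z user=bob event=mfa_push result=denied
2025-05-01T22:16:31Z user=bob event=mfa_push result=denied
2025-05-01T22:17:02Z user=bob event=mfa_push result=approved
2025-05-01T22:20:00Z user=carol event=mfa_push result=approved
"""


def parse_line(line):
    """Return (timestamp, user, result) for one log line."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["user"], kv["result"]


def detect_mfa_fatigue(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {user: [signals]} for users showing push-fatigue patterns.

    Signals, evaluated per user with a sliding window over push timestamps:
      * "burst": more than `threshold` pushes inside `window`
      * "approve_after_denials": an approval directly after `threshold`
        or more consecutive denials (the attacker finally got an approval)
    """
    recent = defaultdict(deque)     # user -> push timestamps inside the window
    denial_run = defaultdict(int)   # user -> consecutive denials so far
    alerts = defaultdict(list)

    for line in log_text.strip().splitlines():
        ts, user, result = parse_line(line)
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:   # expire pushes older than the window
            q.popleft()
        if len(q) > threshold and "burst" not in alerts[user]:
            alerts[user].append("burst")

        if result == "denied":
            denial_run[user] += 1
        else:
            if result == "approved" and denial_run[user] >= threshold:
                alerts[user].append("approve_after_denials")
            denial_run[user] = 0   # any non-denial breaks the run

    return {user: signals for user, signals in alerts.items() if signals}
```

A "burst" alone is worth a notification to the user; "approve_after_denials" should trigger a session revocation and a password/MFA reset, because the factor has most likely been defeated.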

III. Countermeasures: Effective Mitigations Against Phishing


A multi-layered defence strategy is essential given phishing attacks' diverse and evolving nature. This involves a combination of technical safeguards, robust processes, and, critically, a well-informed and vigilant workforce. Drawing from industry best practices and guidance from bodies like the UK's National Cyber Security Centre (NCSC), here are key mitigations organisations should consider:

A. Technical Mitigations: Building Digital Fortifications


1.  Advanced Email Filtering & Anti-Phishing Solutions: Deploy sophisticated email security gateways that use machine learning, sandboxing, and threat intelligence to detect and block malicious emails, including those with suspicious links, attachments, or sender impersonation attempts.

2.  Robust Multi-Factor Authentication (MFA): Implement strong MFA for all user accounts, especially for sensitive systems and data access. Move beyond SMS-based OTPs where possible, favouring more secure methods like authenticator apps, hardware tokens (FIDO2/WebAuthn), or biometric authentication. This directly counters the effectiveness of SIM-swap attacks if SMS is not the sole or primary second factor.

3.  URL Filtering and DNS Protection: Utilise services that block access to known malicious websites and domains. This can prevent users from landing on phishing sites even if they click a malicious link.

4.  Endpoint Detection and Response (EDR): EDR solutions provide advanced threat detection, investigation, and response capabilities on endpoints (laptops, desktops, mobile devices), helping to identify and contain malware or suspicious activities resulting from successful phishing.

5.  NCSC-Advised SIM-Swap Specific Defences:

  • Know Your SMS Estate: As the NCSC advises, organisations must maintain a formal record of how and where SMS is used in business processes and assess the associated risks. This inventory is vital for understanding potential vulnerabilities.
  • Verify SIM Swap Status: For high-risk transactions reliant on SMS (like OTPs for large payments), organisations should, where feasible, query mobile network operators or aggregators to check if the SIM associated with a customer's number has been recently swapped. A very recent swap should be treated as a high-risk indicator.
  • Protect Customer Phone Number Integrity: Implement robust customer authentication processes before allowing account phone number details to be amended. Notify the old phone number (and potentially other verified channels like email) when a phone number is updated, prompting immediate contact if the change was unauthorised. Partially mask phone numbers when displayed to users to prevent reconnaissance.
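As an added example (not code from the post or from the NCSC guidance) of the SIM-swap checks above: a transaction-time decision that consults a SIM-swap lookup before trusting an SMS OTP, masks numbers for display, and notifies the old number when a number is changed. The lookup service is a constructed dictionary standing in for a carrier or aggregator API; the thresholds, number formats and fail-closed behaviour are assumptions.

```python
"""SIM-swap-aware handling of SMS OTPs and phone-number changes (added example,
not code from the original post or the NCSC; the lookup service is a constructed
dictionary standing in for a carrier/aggregator API)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

RECENT_SWAP = timedelta(days=7)   # assumed: a swap this recent is a high-risk indicator
HIGH_VALUE_GBP = 1000             # assumed: above this, SMS OTP alone is never enough
NOW = datetime(2025, 5, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for the example

# Constructed stand-in for the lookup service: number -> last SIM change (UTC) or None.
SIM_SWAP_LOOKUP = {
    "+447700900001": datetime(2025, 4, 30, 9, 15, tzinfo=timezone.utc),  # swapped yesterday
    "+447700900002": datetime(2023, 1, 10, 12, 0, tzinfo=timezone.utc),  # swapped long ago
    "+447700900003": None,                                                # never swapped
}


@dataclass
class OtpDecision:
    action: str   # "send_sms", "step_up" (non-SMS factor) or "block"
    reason: str


def mask_number(number: str, keep: int = 3) -> str:
    """Partially mask a number for display, e.g. +447700900001 -> +44*******001."""
    prefix = number[:3] if number.startswith("+") else ""
    body = number[len(prefix):]
    return prefix + "*" * max(len(body) - keep, 0) + body[-keep:]


def last_sim_swap(number: str) -> Optional[datetime]:
    """Query the (constructed) service; raise if the number is unknown to it."""
    if number not in SIM_SWAP_LOOKUP:
        raise LookupError(f"no SIM-swap record for {mask_number(number)}")
    return SIM_SWAP_LOOKUP[number]


def decide_sms_otp(number: str, amount_gbp: float, now: datetime = NOW) -> OtpDecision:
    """Decide whether an SMS OTP may authorise this transaction. A recent swap means
    SMS is no longer a trustworthy factor: route to a non-SMS step-up, or block for
    high values. A failed lookup fails closed instead of falling back to SMS."""
    try:
        swapped = last_sim_swap(number)
    except LookupError:
        return OtpDecision("step_up", "SIM-swap status unavailable; not trusting SMS")
    if swapped is not None and now - swapped <= RECENT_SWAP:
        days = (now - swapped).days
        return OtpDecision("block" if amount_gbp >= HIGH_VALUE_GBP else "step_up",
                           f"SIM swapped {days} day(s) ago")
    if amount_gbp >= HIGH_VALUE_GBP:
        return OtpDecision("step_up", "high-value payment: SMS OTP not sufficient alone")
    return OtpDecision("send_sms", "no recent SIM swap, low value")


def change_phone_number(old: str, new: str, identity_verified: bool) -> List[Tuple[str, str]]:
    """Return (recipient, message) notifications a number change must trigger. Refused
    unless strong authentication passed; the OLD number is told so its owner can object."""
    if not identity_verified:
        raise PermissionError("strong customer authentication required before amending number")
    return [
        (old, f"Your contact number was changed to {mask_number(new)}. "
              "If this was not you, contact us immediately."),
        (new, "This number is now registered on your account."),
    ]
```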

B. Human-Centric Mitigations: The Indispensable Human Firewall


1.  Comprehensive Security Awareness Training: Regular, engaging, and up-to-date training is paramount. This should cover:
    *   Recognising various phishing types (email, SMS/smishing, voice/vishing, QR code/quishing).
    *   Identifying social engineering tactics and red flags (urgency, threats, unusual requests, unexpected messages – always pause, stop, think, and get a second opinion if unsure).
    *   Understanding the risks of AI-generated deepfakes and highly personalised attacks.
    *   Safe practices for handling links, attachments, and requests for sensitive information.
    *   The importance of verifying unexpected requests through separate, trusted communication channels.
    *   Recognising SIM-Swap Indicators: Sudden loss of phone signal (device no longer connected to the network, though Wi-Fi may work), inability to make/receive calls/texts, loss of access to email/bank/social media accounts, and noticing unauthorised transactions.

2.  Phishing Simulation Exercises: Conduct regular, realistic phishing simulations to test employee awareness and reinforce training. Use the results to identify areas for improvement and provide targeted follow-up training.

3.  Clear Reporting Mechanisms: Establish transparent and straightforward procedures for employees to report suspicious emails, messages, or potential incidents without fear of blame. Ensure these reports are promptly investigated.

4.  Strong Identity Verification Processes: Implement stringent identity verification processes that go beyond easily obtainable information for account recovery, password resets, or changes to sensitive account details (like phone numbers or bank details). Ensure strong, unique passwords are used for key accounts.

C. Process-Oriented Mitigations: Embedding Security into Operations


1.  Incident Response Plans: Develop and regularly test incident response plans that address phishing attacks and account takeovers, including SIM-swap scenarios. These plans should outline roles, responsibilities, communication channels, containment, eradication, and recovery steps. If a SIM-swap is suspected, immediately contact your bank and mobile service provider.

2.  Supplier Due Diligence & Management: Conduct thorough security due diligence for services that involve customer communication or authentication (e.g., telecommunication providers, SMS aggregators, email service providers). Ensure contractual agreements include clear security requirements and responsibilities, particularly preventing and detecting fraudulent activities like unauthorised SIM swaps.

3.  Principle of Least Privilege: Ensure users only have access to the information and systems necessary for their roles. This limits the potential impact if an account is compromised via phishing.

By implementing these combined technical, human-centric, and process-oriented mitigations, organisations can significantly strengthen their defences against the ever-evolving landscape of phishing threats.


IV. The ISO 27001:2022 Framework: A Cornerstone for Phishing Defence


While specific countermeasures are crucial, a structured and holistic approach to information security management is essential for sustained defence against phishing and other cyber threats. This is where the ISO 27001:2022 standard provides invaluable guidance. ISO 27001 is an internationally recognised framework for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Its risk-based approach helps organisations identify threats (like the various phishing techniques discussed), assess vulnerabilities, and implement appropriate controls to mitigate those risks.

Several Annex A controls within ISO 27001:2022 are directly or indirectly pertinent to building a robust defence against phishing:

  • A.5.7 Threat intelligence: This control requires organisations to collect and analyse threat intelligence information relating to information security threats. This is vital for keeping pace with emerging phishing tactics, understanding attacker methodologies, and proactively adjusting defences.
  • A.5.16 Identity management: Establishing and managing secure identities for users and systems is fundamental. This control helps ensure that only authorised individuals can access resources, making it harder for phishers to exploit compromised credentials or create fake identities within the organisation.
  • A.5.17 Authentication information: This control focuses on securing authentication information (passwords, tokens, biometric data). It underpins the need for strong MFA and secure password practices, critical defences against credential phishing.
  • A.5.20 Addressing information security in supplier agreements: As highlighted by the NCSC advice on SIM-swap, managing security in the supply chain is key. This control ensures that security expectations, such as those related to telecommunication providers or other critical service providers, are clearly defined and managed.
  • A.5.23 Information security for use of cloud services: With many organisations relying on cloud-based email and collaboration platforms (which are often phishing targets), this control helps ensure that appropriate security measures are in place for these services.
  • A.5.25 Assessment and decision on information security events & A.5.26 Response to information security incidents: These controls ensure that potential phishing attempts are properly assessed and that effective incident response procedures are in place to contain and remediate successful attacks, minimising damage.
  • A.6.3 Information security awareness, education, and training: Perhaps one of the most critical controls for phishing defence. It mandates that all relevant personnel receive appropriate awareness education and regular updates in organisational policies and procedures related to their job function. This directly addresses the human element exploited by phishing.
  • A.7.4 Privacy and protection of PII: Since phishing attacks often aim to steal Personally Identifiable Information, this control, which requires measures to protect PII, is highly relevant. Secure handling of customer phone numbers, for instance, falls under this.
  • A.8.1 User endpoint devices: Ensuring that user devices (laptops, mobiles) are securely configured and protected (e.g., with anti-malware, patching) can prevent malware delivered via phishing from executing or limit its impact.
  • A.8.2 User authentication: This control reinforces the need for strong authentication mechanisms to verify user identities, directly supporting the implementation of robust MFA.
  • A.8.7 Protection against malware: This control requires implementing preventative and detective measures to protect against malware, often the payload of a phishing attack.
  • A.8.8 Management of technical vulnerabilities: Regularly identifying and remediating technical vulnerabilities in systems and applications reduces the attack surface that phishers might exploit.
  • A.8.23 Web filtering: Implementing web filtering can block access to known phishing sites or sites hosting malicious content, preventing users from inadvertently navigating to them.

By implementing these and other relevant controls within an ISO 27001-compliant ISMS, organisations don’t just tick boxes; they build a resilient, adaptive, and comprehensive defence-in-depth strategy. This framework ensures that security measures are not ad hoc but part of a continual cycle of risk assessment, treatment, monitoring, and improvement, which is essential for combating the ever-evolving threat of phishing.

V. How Secure Step Forward Can Empower Your Phishing Defences


Navigating the complex landscape of phishing threats and implementing a comprehensive framework like ISO 27001:2022 can seem daunting, especially for organisations already stretched thin. At Secure Step Forward, we specialise in helping businesses like yours build resilient information security postures tailored to your specific risks and operational needs.

Our expertise in information security, governance, risk, and compliance (GRC) means we can provide practical, actionable support in several key areas to combat phishing and strengthen your overall security:

  • ISO 27001 Implementation & Support: We guide organisations through the entire ISO 27001 journey, from initial gap analysis and risk assessment to policy development, control implementation, and preparation for certification (or simply alignment with the standard, if certification is not the immediate goal). We help you translate the Annex A controls into practical measures that directly address threats like phishing.
  • Risk Assessments: Our thorough risk assessments will identify your specific vulnerabilities to phishing and other cyber threats, including those related to SIM-swap, AI-driven attacks, and BEC, allowing for targeted and cost-effective mitigation strategies.
  • Security Awareness Training: We can help you develop and deliver engaging and effective security awareness training programs that equip your employees to recognise and respond appropriately to the latest phishing tactics, turning your human element into a strong line of defence.
  • Incident Response Planning: We assist in developing and refining robust incident response plans, ensuring you are prepared to effectively manage and recover from a phishing attack or data breach, minimising impact and downtime.
  • Governance and Compliance as a Service: For ongoing support, our GRC services can help you maintain and continually improve your ISMS, ensuring your defences adapt to the evolving threat landscape and remain aligned with standards like ISO 27001.

Understanding that every organisation is unique, we provide pragmatic solutions that fit your resources and business objectives. Whether you want to enhance specific defences against phishing, achieve alignment with ISO 27001, or develop a comprehensive information security strategy, we are here to help.

Ready to strengthen your defences against sophisticated phishing attacks? 

Contact us today for a consultation, or visit our website to learn how we can help you protect your valuable assets and maintain business continuity.

VI. Conclusion: Proactive Defence in an Evolving Threat Landscape


The surge in sophisticated phishing attacks, from SIM swaps to AI-driven campaigns, poses a clear and present danger to organisations of all sizes. As the M&S incident starkly illustrates, a successful breach can have immense financial and reputational costs. However, businesses can significantly reduce their risk by understanding these emerging threats and adopting a proactive, multi-layered defence strategy.

This strategy must encompass robust technical safeguards, vigilant and well-trained employees, and clearly defined security processes. The ISO 27001:2022 standard provides an excellent, internationally recognised framework for structuring these defences, ensuring a holistic and continually improving approach to information security.

Protecting your organisation is not just about implementing tools; it’s about fostering a culture of security and resilience. By taking proactive steps now, you can safeguard your operations, protect your data, and maintain the trust of your customers in an increasingly challenging digital world. Don’t wait to become the next headline – take control of your cybersecurity posture today.
