Driven by a growing digital economy and rapid digital penetration, cybercriminals are increasingly going on phishing trips in Southeast Asia. According to Trend Micro’s 2023 Annual Cybersecurity Report, the region experienced a 48% increase in phishing URLs in 2023 alone. In Singapore, phishing attempts more than doubled between 2021 and 2022, making phishing one of the most common scams in the city-state.
Beyond the sheer volume of attacks, the sophistication of phishing techniques is also advancing. Historically, cybercriminals employed broad-spectrum phishing, mass-sending generic emails or texts to gather sensitive information, and spear phishing, which used detailed personal information from social media to craft highly specific messages targeting high-value individuals or organisations.
Traditional phishing awareness training focused on spotting suspicious emails and language quirks – and was fairly effective. However, generative AI has transformed phishing by generating realistic, context-aware messages that mimic legitimate communications in language, style, and tone. AI-powered tools can even break language barriers, allowing cybercriminals to target a global audience with accurate translations that incorporate cultural nuances. Consequently, traditional training is no longer sufficient against generative AI’s capabilities.
Countering AI-assisted phishing begins with the zero-trust framework
Defending against deception-driven attacks is not solely a technological battle; it is equally a human challenge, necessitating adjustments across people, processes, and technology to fortify organisations against emerging threats.
It starts with adopting a zero-trust – or ‘never trust, always verify’ – philosophy and building a security culture. Organisations should always verify identities and allow only necessary people and machines to access sensitive information or processes for defined purposes at specific times. This limits the attack surface and slows attackers down. AI-driven detection tools, such as writing style analysis and computer vision, can further help protect the enterprise and support employees in identifying malicious content and behaviour more efficiently.
Beyond technological defences, organisations should implement processes such as multi-stakeholder approval for significant transactions and establish a ‘safe list’ of numbers for live voice authorisation calls, rather than relying on a phone number embedded within a transfer request email. These measures can prevent attacks, even as cybercriminals increasingly use convincing voice deepfakes. Coded language could also be used for additional authentication.
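One way to encode the release checks described above, as an added example that is not from the original article. The threshold, approver count, payee id, staff names and phone numbers are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data. The safe list is maintained out of band
# (for example at vendor onboarding), never updated from a request email.
SAFE_CALLBACK_NUMBERS = {"ACME-SUPPLIES": "+65 5550 0101"}
APPROVAL_THRESHOLD = 10_000   # assumed policy: amounts at or above need sign-off
REQUIRED_APPROVERS = 2        # assumed policy: independent approvers required

@dataclass
class TransferRequest:
    payee_id: str
    amount: float
    requester: str
    number_in_email: str                 # sender-controlled, kept only for audit
    approvers: set = field(default_factory=set)
    callback_verified_on: Optional[str] = None   # number staff actually dialled

def normalise(number: str) -> str:
    """Strip spaces and punctuation so formatting cannot defeat the comparison."""
    return "".join(ch for ch in number if ch.isdigit() or ch == "+")

def callback_number(req: TransferRequest) -> Optional[str]:
    """Number to dial for voice authorisation: safe list only, or None."""
    return SAFE_CALLBACK_NUMBERS.get(req.payee_id)

def release_decision(req: TransferRequest):
    """Return (approved, reasons). Every failed control is reported."""
    reasons = []
    expected = callback_number(req)
    if expected is None:
        reasons.append("payee has no safe-list number; onboard out of band first")
    elif normalise(req.callback_verified_on or "") != normalise(expected):
        # Covers both "no call made" and "called the number from the email".
        reasons.append("voice authorisation not completed on the safe-list number")
    if req.amount >= APPROVAL_THRESHOLD:
        # The requester cannot count as their own approver.
        independent = req.approvers - {req.requester}
        if len(independent) < REQUIRED_APPROVERS:
            reasons.append(
                f"{len(independent)} of {REQUIRED_APPROVERS} independent approvals"
            )
    return (not reasons, reasons)
```

Because `number_in_email` is never consulted when choosing the number to dial, a convincing email or voice deepfake cannot redirect the verification call.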
At the same time, cybersecurity awareness training needs to evolve accordingly. Rather than focusing solely on identifying suspicious or malicious emails, it should educate employees on when and how to execute the above processes to prevent successful phishing attempts. These sessions should include simulations of phishing attacks to provide practical experience in identifying potentially suspicious situations — not just emails — and executing the related verification processes.
Most importantly, cybersecurity training should not be a one-time event but an ongoing process with content that is regularly refreshed and updated with the latest phishing techniques, which are constantly evolving with advancements in AI.
Staying ahead of cybercriminals with a unified approach
However, as the digital attack surface continues to expand through digital and AI transformation, cyberthreats like phishing attacks will become increasingly sophisticated and well-coordinated. This growing complexity is even more concerning due to the persistent talent and resource gap that organisations face in keeping up with the rapidly evolving threat landscape.
More than ever, businesses need to adopt a proactive posture towards cybersecurity. This involves moving away from traditional security approaches, which apply uniform security measures across all known systems. Instead, organisations should adopt a risk-based approach that includes continuous asset discovery and assessment, allowing them to prioritise and build appropriate controls for the most critical vulnerabilities.
Comprehensive visibility and centralised risk management are crucial for quick detection and response to anomalies. By focusing on the most at-risk assets and potential intrusions, organisations can better prevent and mitigate threats before they cause significant harm.
Ultimately, there isn’t one single way of combating security threats; the most effective approach combines all of the above. By equipping employees with better, smarter tools and a comprehensive understanding of security practices, businesses can more effectively combat cyberthreats and protect their digital assets and brand.