Fifty years after #NewZealand stopped #whaling, humpback population showing signs of recovery | RNZ News

#Conservation #Whales #MarineLife #Biodiversity
https://share.google/7zkcHEObdZSf26g10

The Art of Deception: Why Phishing Remains the Predominant Threat to Enterprise Security

2,781 words, 15 minutes read time.

The Evolution of Social Engineering in a Hyper-Connected World

The digital landscape of 2026 presents a paradox where the most sophisticated technological defenses are frequently circumvented by the oldest trick in the book: deception. Phishing remains the primary initial access vector for cyber adversaries, not because of a lack of technical security, but because it targets the most unpredictable component of any network—the human user. Analyzing the 2025 Verizon Data Breach Investigations Report (DBIR) reveals that while vulnerability exploitation has surged, the human element still contributes to approximately 60% of all confirmed breaches. This persistence is rooted in the strategic shift from mass-scale, poorly drafted “spray and pray” emails to highly targeted, technologically augmented social engineering campaigns.

Modern phishing has transcended the era of obvious grammatical errors and generic “Nigerian Prince” solicitations, evolving into a streamlined industry known as Phishing-as-a-Service (PhaaS). This model allows even low-skilled threat actors to deploy professional-grade attack infrastructure, including pixel-perfect clones of corporate login portals and automated delivery systems. Consequently, the volume of reported phishing and spoofing incidents has reached staggering heights, with the FBI’s Internet Crime Complaint Center (IC3) documenting nearly 200,000 complaints in the last year alone. As these attacks become more subtle, often utilizing non-traditional channels like QR codes (Quishing) and SMS (Smishing), the boundary between legitimate communication and malicious intent continues to blur.

The stakes of failing to identify these scams have never been higher for the modern enterprise. Business Email Compromise (BEC), a specialized and highly lucrative form of phishing, accounted for nearly $2.8 billion in adjusted losses in the most recent reporting cycle, with a median loss of $50,000 per incident. These figures underscore a critical reality: phishing is no longer just an IT nuisance but a significant financial and operational risk. By understanding the psychological hooks and technical mechanics that drive these attacks, organizations can move beyond basic awareness and toward a posture of informed resilience.

The Anatomy of Deception: Why Human Psychology is the Ultimate Vulnerability

The efficacy of phishing lies in its ability to hijack the brain’s fast, instinctive decision-making processes, often referred to as “System 1” thinking. Attackers meticulously craft lures that trigger specific psychological responses—most notably urgency, fear, and respect for authority—to bypass the critical evaluation that would otherwise flag a message as suspicious. When a user receives an alert claiming their “payroll account has been suspended” or an “urgent invoice is past due,” the resulting stress response narrows their cognitive focus. This “amygdala hijack” prioritizes immediate action over logical verification, leading users to click links or provide credentials before their rational mind can intervene.

Furthermore, the principle of authority is a cornerstone of successful social engineering, as evidenced by the increasing frequency of executive impersonation. By spoofing the identity of a high-ranking official or a trusted third-party vendor, attackers leverage the social pressure to comply with requests from the top down. This tactic was notably exploited in the 2023 MGM Resorts breach, where attackers used basic reconnaissance from professional networking sites to impersonate an employee. By calling the IT help desk and projecting an authoritative yet distressed persona, the threat actors successfully manipulated support staff into resetting credentials, granting them administrative access to the entire environment.

Beyond immediate emotional triggers, cybercriminals exploit cognitive biases such as the “illusion of truth” and “pattern recognition.” We are conditioned to trust familiar interfaces; therefore, when an attacker presents a login screen that perfectly mimics a Microsoft 365 or Google Workspace portal, our brains subconsciously validate the request based on visual consistency. This reliance on “surface-level” legitimacy is what makes modern phishing so dangerous. Even as users become more skeptical, the sheer volume of digital notifications creates “decision fatigue,” increasing the likelihood that a malicious request will eventually slip through during a moment of distraction or high workload.

Analyzing the Technical Mechanics of Modern Phishing Frameworks

While the psychological lure gets the user to the “door,” modern technical frameworks ensure the door is wide open for the attacker. One of the most significant advancements in recent years is the rise of Adversary-in-the-Middle (AiTM) phishing. Unlike traditional phishing, which simply harvests a username and password, AiTM attacks deploy a proxy server between the user and the legitimate service. This allows the attacker to intercept not just the credentials, but also the Multi-Factor Authentication (MFA) session cookie in real-time. By the time the user has successfully “logged in” to the fake site, the attacker has already hijacked their active session, effectively rendering traditional SMS or app-based MFA obsolete.

The industrialization of these techniques through Phishing-as-a-Service (PhaaS) has fundamentally changed the threat landscape by lowering the cost and complexity of launching a campaign. These platforms provide attackers with sophisticated kits that include evasion features, such as “cloaking,” which shows legitimate content to security crawlers while displaying the phishing page to the intended victim. Additionally, many kits now feature dynamic branding, where the phishing page automatically adjusts its logos and background images based on the recipient’s email domain. This level of automation ensures that every lure feels personalized and legitimate, significantly increasing the conversion rate of the attack.

Furthermore, attackers are increasingly moving away from traditional email links to bypass automated Secure Email Gateways (SEGs). The surge in “Quishing”—phishing via QR codes—exploits a blind spot in many security stacks, as QR codes are often embedded as images that traditional link-scanners cannot easily parse. When a user scans a code on their mobile device, they are often moved off the protected corporate network and onto a personal cellular connection, where endpoint security may be weaker or non-existent. This multi-channel approach, combining email, mobile devices, and proxy infrastructure, demonstrates that phishing has evolved into a sophisticated technical discipline that requires equally sophisticated, layered defenses.

Case Study: The Ripple Effects of a High-Profile Credential Harvest

The devastating potential of modern phishing is perhaps best illustrated by the 2022 breach of Twilio, a major communications platform. This incident serves as a masterclass in how a single, well-executed smishing (SMS phishing) campaign can compromise a global technology provider. The attackers sent text messages to numerous employees, claiming their passwords had expired or their accounts required urgent attention. These messages contained links to URLs that utilized deceptive keywords like “twilio-okta” and “twilio-sso,” directing users to a landing page that perfectly mimicked the company’s actual sign-in portal. By leveraging the inherent trust users place in mobile notifications—which often bypass the scrutiny applied to traditional emails—the threat actors successfully harvested the corporate credentials of several employees.

Once the initial credentials were secured, the attackers did not simply stop at account access; they moved laterally through the environment to escalate their privileges. This specific campaign, attributed to a group known as “Oktapus,” was part of a broader coordinated effort that targeted over 130 organizations. By gaining a foothold in Twilio’s internal systems, the attackers were able to access the data of a limited number of customers and, more alarmingly, the internal console used by support staff. This allowed them to view sensitive account information and, in some cases, intercept one-time passwords (OTPs) intended for downstream users. The Twilio case highlights that the “initial click” is merely the tip of the spear, serving as the catalyst for a much deeper, more systemic compromise of the supply chain.

Analyzing the aftermath of such a breach reveals the immense operational and reputational costs associated with credential harvesting. Twilio was forced to undergo a massive incident response effort, notifying affected customers and re-securing thousands of employee accounts. Furthermore, the breach demonstrated that even tech-savvy employees at a major communications firm are not immune to sophisticated social engineering. The “Oktapus” campaign succeeded because it targeted the intersection of mobile convenience and corporate security protocols. It underscores the reality that in the modern threat landscape, the security of an entire organization often rests on the split-second decision of a single individual responding to a seemingly routine notification on their smartphone.

Identifying Sophisticated Red Flags: Beyond the Misspelled Subject Line

As cybercriminals refine their craft, the “red flags” of a phishing attempt have shifted from obvious linguistic errors to subtle technical anomalies that require a more discerning eye. One of the most prevalent techniques in contemporary phishing is typosquatting or “look-alike” domains, where an attacker registers a domain name that is nearly identical to a legitimate one. For example, an attacker might use “https://www.google.com/search?q=rnicrosoft.com” (using ‘r’ and ‘n’ to mimic an ‘m’) or “google-support.security” to deceive a hurried user. These deceptive URLs are often hidden behind hyperlinked text or buried within a long string of redirects, making them difficult to spot without hovering over the link to inspect the actual destination.

Advanced phishing analysis now requires an understanding of email headers and the underlying infrastructure of digital communication. A sophisticated lure might appear to come from a trusted colleague, but a closer look at the “Reply-To” field or the “Return-Path” in the email header often reveals a completely different, unauthorized address. Furthermore, attackers frequently use “URL padding” or “character encoding” to hide the malicious nature of a link. By including a legitimate domain at the beginning of a long URL string followed by hundreds of hyphens and then the actual malicious destination, attackers take advantage of the fact that many mobile browsers truncate long URLs, showing only the “safe” portion to the user.

The emergence of QR code phishing, or “Quishing,” has added a physical dimension to these digital threats. Because QR codes are essentially “black box” URLs—meaning the destination is invisible until the code is scanned—they are an ideal delivery mechanism for malicious content. Attackers place these codes on physical posters, in PDF attachments, or even on fake “multi-factor authentication” prompts. When scanned, these codes often lead to AiTM proxy sites designed to harvest session tokens. Spotting these scams requires a shift in mindset: users must treat every unsolicited QR code with the same level of suspicion as an unexpected .exe attachment. The absence of traditional email markers like “suspicious sender” makes these attacks particularly effective at bypassing standard mental filters.

The Infrastructure of Defense: Technical Controls to Mitigate Human Error

Relying solely on user education is a recipe for failure; a robust cybersecurity posture requires technical “guardrails” that reduce the impact of inevitable human mistakes. The first line of defense in the email ecosystem is the implementation of a rigorous DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy. When combined with SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), DMARC allows organizations to specify how receiving mail servers should handle messages that fail authentication. By moving to a “p=reject” policy, an organization can effectively prevent unauthorized third parties from spoofing their domain, ensuring that only legitimate, signed emails ever reach a recipient’s inbox.

Beyond email authentication, the industry is moving toward “phishing-resistant” Multi-Factor Authentication as the ultimate technical solution to credential theft. Traditional MFA methods, such as SMS codes or “push” notifications, are increasingly vulnerable to interception or “MFA fatigue” attacks, where a user is bombarded with prompts until they inadvertently approve one. FIDO2-compliant hardware security keys, such as YubiKeys, eliminate this risk by utilizing public-key cryptography. In a FIDO2 workflow, the security key will only authenticate with the specific domain it was registered to. If a user is tricked into visiting a phishing site, the hardware key will recognize that the domain does not match and will refuse to provide the credentials, effectively neutralizing even the most convincing AiTM attack.

Finally, the integration of AI-driven “Computer Vision” and “Natural Language Processing” (NLP) into Secure Email Gateways (SEGs) provides a dynamic layer of protection. These modern tools don’t just look for known malicious links; they analyze the sentiment and intent of an email. If a message from an external sender uses high-pressure language (“Action Required Immediately”) or mimics the visual style of a known brand without proper authentication, the system can automatically flag the message, strip the links, or move it to a secure sandbox. By automating the detection of “intent” rather than just “indicators,” organizations can stay ahead of the rapidly changing tactics used by Phishers-as-a-Service.

Institutional Resilience: Moving from “Awareness” to “Security Culture”

The historical approach to phishing—characterized by once-a-year compliance videos and “gotcha” style simulations—has largely failed to produce lasting behavioral change. To build true institutional resilience, organizations must shift from a model of passive awareness to a proactive “security culture” that treats every employee as a sensor in a distributed network. Research from the NIST “Phish Scale” suggests that when simulations are too difficult or punitive, they create “security fatigue,” leading users to ignore even legitimate security alerts. Conversely, an effective culture incentivizes the reporting of suspicious emails through a “no-fault” policy, where a user who clicks a link but immediately reports it is praised for their transparency rather than reprimanded for their mistake.

A critical component of this culture is the implementation of a streamlined reporting pipeline, often facilitated by a “Report Phishing” button directly within the email client. When a user flags a message, it should trigger an automated workflow that correlates the report against other identical messages across the entire organization. This “crowdsourced” intelligence allows security teams to identify a campaign in its infancy, pulling malicious emails from all inboxes before a second user has the chance to interact with them. This transition from a reactive stance (cleaning up after a breach) to a protective stance (neutralizing a threat based on a single user’s report) is what separates resilient organizations from those that remain perpetually vulnerable.

Furthermore, the language of security within an organization must evolve to reflect the sophistication of modern threats. Instead of simply telling employees to “look for typos,” training should focus on the context of requests. Employees should be empowered to verify out-of-band requests—such as a sudden change in vendor wire instructions or an urgent request for sensitive HR data—through a secondary, trusted channel like a known phone number or a verified internal chat. By codifying these “human-in-the-loop” verification steps into standard operating procedures, the organization creates a friction point that social engineering tactics struggle to overcome, regardless of how technically perfect the phishing lure may be.

Conclusion: The Constant Vigilance Required for Modern Digital Hygiene

The battle against phishing is not a technical problem to be “solved,” but a persistent risk to be managed through a strategy of Defense in Depth. As we have explored, the convergence of high-level psychological manipulation and advanced technical frameworks like AiTM and PhaaS means that no single control—whether it be an email filter or a training seminar—is sufficient on its own. A modern defense-in-depth posture must integrate hardened email authentication protocols (DMARC/SPF), phishing-resistant hardware (FIDO2), and a robust, supportive security culture. This multi-layered approach ensures that even when one layer is bypassed, subsequent controls are in place to prevent a single click from escalating into a catastrophic data breach.

Looking ahead, the role of Generative AI in phishing will only increase the speed and scale of these attacks. Large Language Models (LLMs) allow threat actors to generate perfectly composed, contextually relevant lures in any language, effectively eliminating the “poor grammar” red flag that has served as a primary detection method for decades. In this environment, the “Zero Trust” philosophy—never trust, always verify—must extend beyond the network architecture and into the daily habits of every digital citizen. Vigilance is no longer an optional skill for IT professionals; it is a fundamental requirement for anyone navigating the modern web.

Ultimately, the goal of understanding phishing 101 is to move from a state of fear to a state of informed confidence. By recognizing the psychological triggers used by attackers and understanding the technical safeguards available, individuals and organizations can reclaim the upper hand. Cybersecurity is a shared responsibility, and while the tactics of the adversary will continue to evolve, the principles of skeptical inquiry, technical hardening, and rapid reporting remain our most effective weapons. In a world where the next threat is only one click away, the most powerful security tool remains an informed and empowered mind.

Call to Action

If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.

D. Bryan King

Sources

• CISA: Phishing Attacks Leveraging Social Engineering
• NIST: The Behavioral Science of Phishing
• Verizon 2024 Data Breach Investigations Report (DBIR)
• MITRE ATT&CK: Phishing (T1566)
• FBI IC3: 2023 Internet Crime Report
• Krebs on Security: Phishing Archives and Analysis
• Microsoft Security: Mitigating AiTM Phishing
• Proofpoint: 2024 State of the Phish Report
• FIDO Alliance: How FIDO Addresses Phishing
• Cloudflare: What is a Phishing Attack?
• SANS Institute: Why Phishing Remains the Top Attack Vector
• ENISA: Understanding the Phishing Threat Landscape
• APWG: Phishing Activity Trends Reports
• OWASP: Authentication and Phishing Prevention Standards
• Google: Safe Browsing Research and Data

Disclaimer:

The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.

Related Posts

Leith’s first streetlamps: the thread about that time the Russian Navy made the town dark for a week

This thread was originally written and published in August 2019

I spent the evening trawling through old engravings of Leith, and think I’ve found what I was looking for. The oldest picture (that I can find) showing street lamps in Leith! These five oil lamps are shown in the vicinity of the King’s Wark on the Shore, in a 1790 print by Dominic Serres.

This search was stimulated by a conversation which enlightened me with a curious tale that involved the Leith streetlamps in days of yore. It got me thinking, what were the earliest streetlamps? According to “Leith Through Time” by Jack Gillon and Fraser Parkinson, there is a description of Leith Walk having 40 lamps in 1799 after its upgrade to a road for carriages following the North Bridge being opened and the primary horse and carriage route moving from the Easter Road to Leith Walk.

The Edinburgh World Heritage foundation commissioned an excellent report on the old Edinburgh streetlamps. Although it is principally concerned with the World Heritage area of the Old and New Towns, we can at least get the an idea of the particulars of what early lamps in Leith would have been like from it. A contemporary colour image of a London lamp lighter is shown with his assistant in 1808. The lamp is a glass globe, with a ventilated, wind-proofed cowl. Suspended in the globe is the lamp itself, a small glass dish of oil with a floating disc, with basic lenses from crown glass “bullseyes”. The lamplighter is passing the assistant the oil dish to refill from his jug.

Here’s a similar Georgian lamp frame on Leith Walk today, the crosspiece under the holder for the globe was for the leerie (lamplighter) to prop his ladder up on. When you see these old lamp frames with a ring to hold a glass lamp globe and no source up the centre for gas or electricity, you can be sure these are for old oil lamps. These lamps burned oil, specifically what was known as “train oil”. Which is odd as trains as we think of them now weren’t a thing in the late 18th century; that’s because it’s a corruption of the Dutch traan, a word for fish oil (levertraan in Dutch is cod liver oil, in German it is lebertran). However this is no oil from a fish, specifically it’s oil from a whale!

Leerie, leerie, light the lamps, Lang legs and short shanks. Tak’ a stick and break his back, And send him through the Nor’gate!

An 1820 minute of Edinburgh’s lighting committee explains; “…the Contractor shall furnish the lamps with a sufficient quantity of the best Greenland whale oil and two wicks of sixteen threads of the best Oxford cotton“. The best oil was Grade 1, from the top of the cask. Edinburgh and Leith had a ready local source of such oil from the Leith whale fleet, which was active around the late 18th and early 19th century, but apparently the city sourced it’s municipal lighting oil from Hull.

The city’s lamp contractor was Smith & Company on George Street. The lamps were to be “trimmed daily and the globes to be cleaned at least three times in the week.” Even the finest train oil gave off soot; one of the early lighthouse keepers’ tasks was to polish the soot off of the reflector of the oil lamp (see below). The lamps were to be filled to burn until 3AM, at which point they would burn out and extinguish themselves, although the commission recognised “let the same quantity of oil be put into 2 two lamps and both equally trimmed by the most expert and experienced lamplighters, the one will continue burning from half an hour to an hour longer than the other“

If the name Smith and the association with Georgian lamps is ringing a little bell, that is because Smith was Thomas Smith, the adoptive father of Robert Stevenson – the patriarch of that great Lighthouse-building and lamp and lens-making dynasty. Smith himself was also a builder of some of the first Scottish lighthouses as the chief engineer to the Northern Lighthouse Board and was an early pioneer of lighthouse lamp and lens improvements.

Coincidentally, the Smiths and Stevensons lived at 15 Baxter’s Place, which is the top of the route of Leith Walk, with their works a short walk away at Greenside. So it is perhaps no coincidence this fashionable new stretch of the city got some of his finest street lamps so early. But the reason for this entire thread is less about the lamps themselves, but more because of the curious tale of the week in the winter of 1799 when the Leith street lamps kept going out and leaving the Walk “ever and anon into a more or less eclipsed condition“.

In 1799, Russian warships anchored in Leith Roads off of Inchkeith, part of a squadron from the Baltic Fleet under Vice Admiral Pyotr Khanykov. Britain and Russia were at this time allies in the War of the Second Coalition against revolutionary France and Spain, and the Royal Navy’s North Sea Squadron under Admiral Duncan was co-operating with the Russians on escorting convoys in the North Sea.

The Russian fleet was in a poor state compared to the Royal Navy, and frequently put in to port to repair and seek medical attention; there was an agreement at the time that sick sailors could be brought into Edinburgh for treatment by the Royal Infirmary. The Russian 66 gun man-of-war Iona* under Captain Piavzov arrived in Leith Roads on 19th November from Texel following the failed Anglo-Russian invasion of the Frissian Islands. The newspapers noted she was not fit for sea and she proceeded to put a significant part of her crew ashore with fever and other ailments and buried her dead on Inchkeith.

(* = the contemporary newspaper reference says Jonas, but I am going to assume this was a typo or translation error, as no such ship existed in Russian service, and in Russian I am told that Iona and Jonah are one and the same)

There appears to have been little in the way of contact or hospitality between the Russians and locals; a contemporary account describes a party rowing out from Leith to the Iona only to be completely ignored by the officers and men of the ship and coming away with a very negative opinion about Russian naval efficiency, decorum and cleanliness. The Anglo-Russian naval cooperation agreement was faltering at this time and Russia would shortly quit the alliance, but before leaving, the Iona allowed parties of men ashore into Edinburgh on the pretext of sight-seeing. Possibly they had more carnal reasons for wanting to be on land…

For the better part of a week that December, the street lamps of Leith Walk would mysteriously go out each night, even though they were cleaned, checked and the oil levels trimmed daily sufficient that they should burn until dawn. It was finally discovered by a night watchman that the Russian sailors staggering home down the Walk from the drinking dens of Edinburgh were climbing the lamp posts, removing and extinguishing lamps and drinking the contents of train oil. Why they should go to this effort is potentially revealed by the reference of a late-Georgian cookbook which tells us that the sailors in question were Kamtschadales. What we would now refer to as Kamchadals; these are the inhabitants of Kamchatka in the far east of Russia, descendants of the indigenous peoples of those parts. To them the train oil was a home comfort; just imagine these sailors, some 10,000 miles sailing from home, utterly homesick, in poor health and morale coming ashore and finding that the street lamps of Leith Walk were full of what they considered to be a fine delicacy. Of course they couldn’t but help themselves!

The thing about unpressurised oil lamps though is that they are a rubbish source of light. The Commissioners, on inspecting their lights, found “the great proportion giving light so very feebly“, so it was hardly surprising that when gas lamps came along there was a rapid switch. Gas (town gas, from coal) arrived in Edinburgh in 1818 when the New Street gas works was opened by the Edinburgh Gas Light Company. You can still find some of their covers embedded in Edinburgh pavements. Leith got its gasworks in 1837, on the corner of Baltic and Constitution Streets. Like New Street, it was the arrival of the railway bringing in coal straight from the Lothian coalfield that had made this possible and not just economical but profitable

So next time you’re strolling along some of the Georgian bits of Leith, like Ferry Road, you might look up and think of the time the Russian sailors drank all the lamp oil and left the place in darkness.

And if you’re wanting to go and find even more Georgian oil lamp holders in Leith (and who wouldn’t?) someone’s already identified and catalogued the remaining lot of them in this handy Flickr album.

https://www.flickr.com/photos/historic_streetlights_leith/albums/72157629667895362

If you have found this useful, informative or amusing, perhaps you would like to help contribute towards the running costs of this site – including keeping it ad-free and my book-buying budget to find further stories to bring you – by supporting me on ko-fi. Or please do just share this post on social media or amongst friends.

Explore Threadinburgh by map:

These threads © 2017-2026, Andy Arthur.

NO AI TRAINING: Any use of the contents of this website to “train” generative artificial intelligence (AI) technologies to generate text is expressly prohibited. The author reserves all rights to license uses of this work for generative AI training and development of machine learning language models.