
Expert Panel: What Are The Biggest Phishing Challenges In 2025?

Expert Insights spoke to 5 leading phishing protection experts.

Last updated on Feb 3, 2025
Written by Joel Witts

Phishing remains one of the most prevalent and damaging cyber threats, continually evolving with more sophisticated techniques such as spear phishing and Business Email Compromise.

The rise of generative AI and deepfake technology adds further complexity, making it harder for organizations to defend against these attacks.

We asked 5 experts to share their insights on major phishing challenges.


Mika Aalto, CEO of Hoxhunt: Modern threat actors are leveraging AI to craft sophisticated spear phishing campaigns at scale, bypassing traditional email filters and security mechanisms. Adding to the complexity is the rise in omni-channel phishing. Attackers are exploiting not only email, but also SMS (smishing), social media, and messaging apps on personal devices, where people are more likely to click a phishing link. CISOs have low visibility into phishing attacks that successfully bypass technical defenses. Email security solutions cannot guarantee 100% effectiveness, and many phishing attempts reach users without detection.

The prevailing attitude of phishing training as ineffective signifies an overarching challenge to the phishing space. Organizations are attributing most of their cybersecurity budget to technology investments and settling for low-cost, ineffective SAT tools geared for compliance—thus continuing the belief that training is ineffective. Read the full Q&A.


John Wilson, Senior fellow, threat research at Fortra: Email impersonation is the biggest phishing challenge facing customers today. A second challenge is the ability of an attacker to hide a malicious link behind innocuous text. A link might display the actual URL of a well-known website or might simply say the name of a well-known organization, when in fact the link leads to a malicious phishing page.

A recent email fraud campaign tried to convince the recipient that the sender has hacked their computer and will share embarrassing webcam footage with all their contacts unless they send bitcoin to a wallet address listed in the email. What makes this campaign particularly scary is the fact that the messages included the victim’s home address and a Google Street-View image of their house. Read the full Q&A.
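The mismatch John Wilson describes above (visible link text that reads as one well-known site while the underlying href points somewhere else) is something a mail gateway or triage script can check mechanically. The following is an added example, not code from Expert Insights or Fortra: it parses the anchors in an HTML body with the standard library, and flags any anchor whose visible text looks like a URL or bare domain that does not agree with the host the href actually resolves to. The `URL_LIKE` heuristic, the two-label `registrable_host` reduction and the sample HTML are all constructed assumptions for illustration.

```python
"""Flag anchors whose visible text claims one domain while the href goes to another.
Added example (not from the original article); sample HTML below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text that reads as a URL or bare domain, e.g. "www.example.com" or
# "https://example.com/login". Anchored at the start on purpose: we only want
# text whose *whole point* is to look like an address (assumption: a simple
# heuristic, not an exhaustive URL grammar).
URL_LIKE = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def registrable_host(netloc_or_text: str) -> str:
    """Reduce 'www.Example.com:443' (or 'user@host') to 'example.com'.
    Assumption: keeping the last two labels is good enough for this demo;
    a real gateway would consult the public suffix list."""
    host = netloc_or_text.lower().split("@")[-1].split(":")[0].rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


class _AnchorCollector(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html: str) -> list:
    """Return (visible_text, href, reason) for each anchor whose visible text
    names a host different from the one the href actually points to."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            continue  # mailto:, relative and fragment links are out of scope here
        actual = registrable_host(parsed.netloc)
        match = URL_LIKE.match(text)
        if match:
            claimed = registrable_host(match.group(1))
            if claimed != actual:
                findings.append((text, href, f"text claims {claimed}, href goes to {actual}"))
    return findings


# Constructed sample: one deceptive anchor, one honest anchor, one plain-text
# anchor and one mailto: link. Only the first should be reported.
SAMPLE_HTML = """<p>Please visit
<a href="https://login.account-verify.example/">https://www.paypal.com/login</a>
to restore access, or see <a href="https://www.paypal.com/help">www.paypal.com</a>.
<a href="https://other.example/x">Click here</a> for details, or write to
<a href="mailto:help@other.example">help@other.example</a>.</p>"""

if __name__ == "__main__":
    for visible, href, reason in find_mismatched_links(SAMPLE_HTML):
        print(f"SUSPICIOUS: '{visible}' -> {href} ({reason})")
```

The check deliberately ignores anchors whose text is a brand name rather than an address ("Click here", "PayPal"); catching those needs a brand-to-domain allowlist, which is a policy decision rather than a parsing one, and is the natural next layer on top of this function.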


Roger Grimes, Data-driven defense evangelist, KnowBe4: The top level of cybersecurity maturity for any organization is changing its culture to one where they are just making the right security decisions without thinking about it much. Social engineering is responsible for 70% to 90% of all successful hacking, and most of that is email phishing. The number of ways someone can be phished is dramatically increasing beyond email and web to SMS, WhatsApp, phone calls, paper mail and in-person. The key is to teach everyone to have a healthy level of skepticism, no matter how the message arrives, whether it arrives unexpectedly and asks them to do something they have never done (at least for that requestor). 

A big challenge for many customers is just getting the right level of senior management support to do security awareness training effectively, which means training at least monthly and doing simulated phishing tests at least monthly, if not more often. Read the full Q&A.


Arnout van de Meulebroucke, CTO, Phished: The phishing landscape is constantly evolving, and one of the biggest challenges is the increasing sophistication of attacks. Threat actors are leveraging AI and social engineering techniques to bypass traditional security measures. Additionally, the rise of remote work has expanded the attack surface, making it easier for cybercriminals to exploit vulnerabilities. Human error remains a significant factor, as employees may still click on malicious links or download harmful attachments.

Moreover, with the increasing regulatory landscape, particularly with the implementation of NIS2, organizations are facing stricter compliance requirements. This means that they need to be more vigilant in their cybersecurity practices, including phishing prevention and response. Read the full Q&A.


Javvad Malik, Lead security awareness advocate, KnowBe4: Some of the biggest challenges are around how criminals are using a variety of channels to amplify their attacks. Layering a phishing email with an SMS, a voice message, or a social media direct message can all add to credibility and cause someone to fall victim. 

We are also seeing an increase in specific corporate brands being impersonated as well as the increased use of AI tools to launch more convincing attacks. Read the full Q&A.


Written By

Joel Witts is the Content Director at Expert Insights, meaning he oversees all articles published and topics covered. He is an experienced journalist and writer, specialising in identity and access management, Zero Trust, cloud business technologies, and cybersecurity. Joel is a co-host of the Expert Insights Podcast and conducts regular interviews with leading B2B tech industry experts, including directors at Microsoft and Google. Joel holds a First Class Honours degree in Journalism from Cardiff University.