Q&A: Fortra’s Senior Threat Researcher On Fighting Phishing, QR Code Scams, And Deep Fakes
Expert Insights interviews John Wilson, senior fellow, threat research at Fortra.
John Wilson is senior fellow, threat research at Fortra, where he focuses on fighting social engineering attacks and email fraud. Fortra’s Agari platform (acquired in 2021) protects organizations against phishing, Business Email Compromise (BEC), and email threats.
John recently shared his expertise with Expert Insights on the phishing and email security threat landscape, including his advice for where CISOs should focus their efforts on the fight against email fraud.
What are the biggest challenges for customers in the phishing space today and how are threats evolving?
Email impersonation is the biggest phishing challenge facing customers today. There are four types of sender impersonation: Address spoofing, look-alikes, display-name impersonation, and account take-overs.
Modern email authentication standards have greatly reduced address spoofing; however, the other 3 types remain commonplace and difficult to defend against. It is common for modern email clients to hide the technical portion of an email address, so the recipient sees the name of a trusted contact or organization when the message was sent from a completely different address.
A second challenge is the ability of an attacker to hide a malicious link behind innocuous text. A link might display the actual URL of a well-known website or might simply say the name of a well-known organization, when in fact the link leads to a malicious phishing page.
We’ve seen a few new email scams over the past couple of years. One such scam is hybrid vishing, where the user receives an email stating they’ve been charged a few hundred dollars for a subscription renewal.
The email contains a phone number the user can call to “cancel” the service. If the victim calls the number, they’ll be connected to a call center dedicated to the task of draining their bank account. Another somewhat novel scam is the use of a QR code in a phishing message. The QR code masks the actual website and forces the victim to visit the phishing page on their mobile device, which likely does not have the same security protections as their company-issued laptop.
A recent email fraud campaign tries to convince the recipient that the sender has hacked their computer and will share embarrassing webcam footage with all their contacts unless they send bitcoin to a wallet address listed in the email.
What makes this campaign particularly scary is the fact that the messages included the victim’s home address and a Google Street-View image of their house.
How does the Agari platform help teams address these challenges, and how do you differentiate yourselves from competitors?
Despite the endless creativity of scammers, they are limited to the same four email impersonation techniques to deceive their victims. The Agari Cloud Email Protection platform uses advanced machine learning techniques to identify email impersonation regardless of the specific phishing lure.
By modeling the sending behavior of legitimate individuals and entities, the Agari platform can identify the tell-tale signs of impersonation common to all email scams. All Fortra’s security solutions utilize the Fortra Threat Brain, which is Fortra’s proprietary threat intelligence platform.
Besides identifying anomalies in email suggestive of malfeasance, the Agari platform consults the Fortra Threat Brain to ensure each email message is not associated with a known threat. The sheer volume of Fortra’s threat intelligence (combined with more than 10 years of email identity modeling across a wide range of geographies and industries) gives the Agari Cloud Email Protection solution a competitive edge.
What are your top recommendations for CISOs in the process of looking for a phishing protection solution?
There is a plethora of phishing protection solutions on the market today. CISOs should seek to incorporate multiple layers of protection in their email security stack. Solutions that can quarantine messages after delivery are extremely helpful for handling threats that managed to get past other security layers.
CISOs should understand that no email security solution is 100% effective, despite what the vendor may tell you. Therefore, phishing simulation and training is a crucial part of a comprehensive security strategy.
It is important to select a solution that will integrate with your current email platform, without requiring significant changes to your existing mail flow. Finally, CISOs should prioritize solutions that utilize vast amounts of threat intelligence, as well as machine learning to stay on top of emerging threats.
What trends do you expect to see in the phishing space in 2025?
I expect we’ll see increased use of personal data obtained from data breaches as part of email scams in 2025. Personal data will not only increase victim compliance but will also enable more intricate impersonation. I also expect to see more cross-channel attacks, like what we’ve seen with QR code phishing and hybrid vishing. Lastly, AI will enable scammers to target victims in any language, without the spelling and grammatical errors that used to be the hallmark of an email scam.
Putting this all together, I can imagine complex, highly personalized scenarios such as a deep-fake voicemail from your boss instructing you to be on the lookout for an email from the Help Desk related to an important security update for your home router. The email might contain your home address as well as a link you should click to install malware disguised as a router update.
Finally, in your view, what should organizations’ top phishing protection priorities for 2025 be?
Organizations vary widely in terms of their security maturity level. If you have not implemented DMARC, that should absolutely be your top priority for 2025. DMARC prevents bad actors from spoofing your email domain, protecting your employees, trading partners, and customers from exact-domain email spoofing.
Ensure you have deployed an advanced anti-impersonation solution for your inbound email as well as a flexible Digital Loss Prevention (DLP) solution for your outbound email. Because your users are the last line of defense, be sure to invest in phishing simulation and training, ideally as an ongoing effort rather than a once-a-year exercise.
Give your users an easy way to report suspected phishing messages and be sure to review those reports promptly. While one user might recognize and report a threat, similar messages may have been sent to dozens of other employees. Finally, if you sell directly to consumers, you should consider a monitoring and take down solution to protect your customers from bad actors impersonating your brand.
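An added example, not part of the interview and not Fortra's or Agari's code: a minimal inbound check for two of the problems described earlier, a trusted display name on an unrelated sending address and link text that shows one domain while the href points to another. The `TRUSTED_SENDERS` table, the finding labels, and every name and domain in the sample are assumptions made up for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: display names your users trust, mapped to the domains that really send as them.
TRUSTED_SENDERS = {"example bank": {"examplebank.test"}}
# Heuristic: visible link text that itself looks like a URL or domain name.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def same_site(host, shown):
    host, shown = (h.lower().removeprefix("www.") for h in (host, shown))
    return host == shown or host.endswith("." + shown)

def check_message(raw):  # returns (finding, value shown to the user, real value)
    msg, findings = message_from_string(raw), []
    name, addr = parseaddr(msg.get("From", ""))
    allowed = TRUSTED_SENDERS.get(name.strip().lower())
    if allowed is not None and addr.rpartition("@")[2].lower() not in allowed:
        findings.append(("display-name-impersonation", name, addr))
    for part in [p for p in msg.walk() if p.get_content_type() == "text/html"]:
        parser = LinkCollector()
        parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        for href, text in parser.links:
            shown = DOMAIN_IN_TEXT.search(text)
            if shown and not same_site(urlsplit(href).hostname or "", shown.group(1)):
                findings.append(("link-text-mismatch", text, href))
    return findings

# Constructed sample message for the demo.
SAMPLE = ('From: "Example Bank" <alerts@examplebank-secure.test>\n'
          'Content-Type: text/html\n\n'
          '<a href="https://login.phish.test/x">https://www.examplebank.test/login</a>\n')
```

Links whose text is plain wording ("Click here", a brand name) carry no domain to compare against, so this check stays silent on them and they need reputation or sandbox analysis instead.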