Context phishing, “ClickFix” style attacks, deepfake voice, and what to do about them
Phishing used to be noisy. Misspellings. Weird links. Obvious urgency. The kind of email you could spot from across the room.
That’s not what most organizations are dealing with now.
As we’ve been saying at Xecunet, modern campaigns are increasingly AI-generated, highly personalized, and context-aware, often fueled by breached data and reconnaissance done before the first message is ever sent.
The practical implication is simple: your people aren’t being tricked by bad English anymore. They’re being tricked by believable context. And because the best attacks blend into “normal business,” many of them don’t look like security events until the money is gone or the data is out.
Below are the trends that small and mid-sized organizations should pay attention to right now, along with practical defenses that don’t require a Fortune 500 budget.
“Context phishing” is the new baseline
Context phishing (sometimes called contextual phishing) is what happens when the attacker doesn’t just impersonate a brand; they impersonate your reality:
- A vendor you use
- A project you’re running
- A conversation you recently had
- A payment request that looks like it belongs in your workflow
This isn’t theoretical. Security researchers and practitioners consistently emphasize that attackers increasingly rely on real business context (suppliers, invoices, internal processes) to make their messages blend in.
One plain-language overview calls contextual phishing “highly targeted” and notes that it uses real projects or vendor relationships to appear legitimate.
Our guidance aligns with this: phishing is now context-aware, and attackers often study public profiles, vendors, and organizational structures to increase their success rates.
What it looks like in the real world
- “Here’s the updated W-9 / ACH form” (same vendor name, new bank details)
- “Quick change: wire the deposit to this account instead” (CEO impersonation + urgency)
- “Here’s the DocuSign for the contract revision” (fake but believable)
- “We need you to review the invoice discrepancy” (attachment or link to a credential harvest)
Why it works
Because it doesn’t trigger your brain’s “spam filter.” It triggers your brain’s “work filter.”
And that’s the point: the attack is designed to feel like doing your job.
Business Email Compromise (BEC) is still the quiet money drain
Ransomware gets headlines. BEC quietly drains budgets.
We call this out clearly: BEC often produces the greatest financial losses because it exploits trust and weak verification inside payment workflows.
The FBI’s Internet Crime Complaint Center (IC3) continues to report multi-billion-dollar losses tied to BEC.
What’s changed?
- BEC is more “conversational” (attackers will build rapport)
- It often moves quickly from email to text/voice
- It increasingly uses a realistic writing style and internal context
What matters most
BEC prevention is less about “spot the bad email” and more about hardening the business process:
- Vendor bank changes require second-channel verification
- Wire approvals require out-of-band confirmation
- Payment exceptions require a two-person review
- “Urgent” requests trigger slowdown rules (not fast lanes)
“ClickFix” attacks: phishing that tricks users into running the payload themselves
This is one of the most important evolutions to understand because it changes the shape of the threat.
ClickFix is a social engineering technique in which an attacker convinces a user to manually perform steps that lead to compromise, often by copying/pasting commands, running a script, or “fixing” an alleged issue.
Microsoft describes ClickFix as luring users into executing a malicious command themselves, helping attackers bypass conventional/automated defenses because the action appears to be user-initiated “normal” behavior.
Unit 42 (Palo Alto Networks) also describes ClickFix campaigns that distribute malware such as NetSupport RAT, Latrodectus, and Lumma Stealer, and notes that the technique is “on the rise.”
The U.S. health sector has issued alerts describing ClickFix campaigns and mitigations (useful even outside healthcare because the tactic is cross-sector).
Why ClickFix is so effective
It flips the security model:
- It may not rely on an “executable attachment.”
- It may not trigger traditional file scanning.
- The user becomes the execution step.
What to train people to watch for
Any workflow that says something like:
- “To fix this, open PowerShell and paste this…”
- “To verify, run this command…”
- “To update your access, copy this into Terminal…”
- “To restore the secure connection, follow these steps…”
That’s not a normal business workflow. That’s an attacker outsourcing execution to your staff.
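The wording above can also be screened for in inbound mail, chat, or help-desk tickets. The following is an added example, not part of the original article: a sentence-level heuristic that flags text telling the reader to copy, paste, or run something in a shell. The pattern lists, the `find_lures` name, and the severity labels are assumptions made for illustration.

```python
import re

# Added example: sentence-level heuristic for ClickFix lure wording.
# The patterns and the "action + target in one sentence" rule are assumptions.
ACTION = re.compile(r"\b(copy|paste|run|execute)\b", re.I)
TARGET = re.compile(
    r"\b(powershell|terminal|command prompt|cmd(?:\.exe)?|run dialog|commands?)\b"
    r"|\bwin(?:dows)?\s*\+\s*r\b", re.I)
PRETEXT = re.compile(r"\b(fix|verify|update|restore|unlock|captcha)\b", re.I)

# Constructed sample messages (not taken from a real campaign).
SAMPLES = {
    "paste_powershell": "Your browser failed the security check. "
                        "To fix this, open PowerShell and paste this command.",
    "run_dialog": "Press Win+R, then paste the text and press Enter.",
    "benign": "The finance team will run payroll on Friday. "
              "Please update your timesheet.",
}

def find_lures(message):
    """Return one finding per sentence that tells the reader to run something."""
    findings = []
    for sentence in re.split(r"(?<=[.!?…])\s+|\n+", message):
        action, target = ACTION.search(sentence), TARGET.search(sentence)
        if not (action and target):
            continue  # an action verb or a shell name alone is ordinary text
        findings.append({
            "sentence": sentence.strip(),
            "action": action.group(0).lower(),
            "target": target.group(0).lower(),
            # A stated problem to "fix" or "verify" plus a paste-and-run step
            # is the full lure shape, so it ranks higher.
            "severity": "high" if PRETEXT.search(sentence) else "medium",
        })
    return findings

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, find_lures(text))
```

Hits are triage signals, not verdicts: legitimate IT instructions will match too, which is a reason to route such instructions through one known internal channel.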
Deepfake voice and AI-assisted impersonation are moving from novelty to normal
Voice scams (vishing) aren’t new. What’s new is how convincing they’re becoming.
The FBI has explicitly warned that criminals are using AI to craft convincing voice (and video) messages to enable fraud schemes.
In 2025, the FBI issued public alerts about malicious campaigns impersonating senior U.S. officials via text and voice messages, demonstrating how voice-based impersonation is being operationalized at scale.
What small businesses should actually care about
You don’t need to panic about Hollywood deepfakes.
You do need to care about:
- “CEO voice” asking for an urgent wire transfer
- “Vendor rep” calling to “confirm” an ACH update
- “IT support” calling to walk someone through a “fix” (which is actually ClickFix in voice form)
- “New employee” voice/text asking for password resets or MFA changes
This is where phishing, vishing, and operational fraud converge.
Why MFA isn’t a silver bullet anymore
This matters because many organizations still believe: “We have MFA, we’re fine.”
MFA is critical, but it’s now a baseline, not a guarantee of immunity.
As we have framed it, identity has become the primary attack surface, and “MFA isn’t enough” on its own.
CISA has also emphasized identity compromise as a major risk area and regularly publishes guidance to help organizations implement stronger identity and access controls.
Attackers don’t always “break” MFA. They route around it:
- Session hijacking/token theft
- MFA fatigue/push bombing
- Social engineering the help desk
- Convincing users to approve “one quick prompt”
- Credential theft combined with real-time phishing kits
The practical defense stack: what actually reduces risk
Here’s the good news: you don’t need exotic tools to get meaningfully safer. You need tight process, identity, and visibility controls.
Harden financial workflows (BEC-proofing)
- Require second-channel verification for any bank detail change
- Enforce two-person approval on wires/ACH changes
- Add a “slowdown rule” for urgency (“We verify urgent requests, always.”)
The FBI continues to emphasize how social engineering drives major losses (including BEC) in its reporting and alerts through IC3.
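The workflow rules above, and the matching list in the BEC section, can be enforced as a release gate in whatever system records payment requests. This is an added example, not code from the original article: the `PaymentRequest` fields, the control codes, the four-hour hold, and the choice to exclude the requester from the approver count are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

URGENT_HOLD_HOURS = 4.0  # assumed cooling-off period for "urgent" requests

@dataclass
class PaymentRequest:
    kind: str                           # "bank_change", "wire" or "exception"
    requester: str                      # staff member who entered the request
    request_channel: str                # where the ask arrived: "email", "sms", "voice"
    verified_via: Optional[str] = None  # channel used to reach a contact already on file
    approvers: set = field(default_factory=set)
    urgent: bool = False
    age_hours: float = 0.0              # time since the request was logged

def blockers(req: PaymentRequest) -> list:
    """Return the controls still unmet; an empty list means release is allowed."""
    unmet = []
    # Verification only counts if it used a different channel than the request,
    # so replying to the same email thread does not satisfy it.
    if req.kind in ("bank_change", "wire") and (
            req.verified_via is None or req.verified_via == req.request_channel):
        unmet.append("OUT_OF_BAND")
    # Two-person rule (assumption: the requester cannot approve their own entry).
    if len(req.approvers - {req.requester}) < 2:
        unmet.append("TWO_PERSON")
    # Slowdown rule: urgency adds a hold instead of opening a fast lane.
    if req.urgent and req.age_hours < URGENT_HOLD_HOURS:
        unmet.append("URGENT_HOLD")
    return unmet

# Constructed requests for illustration.
SPOOFED = PaymentRequest("bank_change", "alice", "email", verified_via="email",
                         approvers={"alice", "bob"}, urgent=True, age_hours=0.5)
VERIFIED = PaymentRequest("bank_change", "alice", "email", verified_via="phone",
                          approvers={"bob", "carol"}, urgent=True, age_hours=6.0)

if __name__ == "__main__":
    print("spoofed :", blockers(SPOOFED))
    print("verified:", blockers(VERIFIED))
```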
Train for today’s attacks, not yesterday’s
Training focused on spelling errors and formatting no longer works because modern phishing is context-aware and highly realistic.
Update your training scenarios to include:
- Vendor invoice changes
- “Quick Teams/SharePoint file” credential prompts
- “Copy/paste this command” ClickFix sequences
- Voice/text follow-ups that pressure immediate action
Adopt an identity-first posture
Use controls that continuously evaluate risk (not just at login), such as conditional access, device trust, privileged account protection, and session monitoring. This is exactly the “identity-first approach” we advocate.
Lock down vendor access (silent access becomes the breach path)
Vendor access is a growing exposure, and we recommend least privilege, time-based credentials, logging, and formal offboarding.
Make reporting frictionless
Create a single action employees can take when something feels off:
- “Report Phish” button
- Dedicated mailbox
- Slack/Teams channel
- Simple escalation path
CISA consistently reinforces the need for practical, operational security behaviors and guidance for organizations.
The takeaway
Modern phishing isn’t just “email security” anymore. It’s:
- Context + impersonation
- Multi-channel pressure (email + text + voice)
- User-driven execution (ClickFix)
- AI-enhanced realism
- Process exploitation (payments, approvals, vendor changes)
Which means the right response isn’t “teach people to spot bad emails.”
It’s building a business environment where:
- identity is monitored and controlled,
- financial workflows can’t be hijacked with one message,
- vendor access doesn’t linger silently,
- and employees have clear, safe steps when something feels wrong.
That’s what makes phishing expensive for attackers again. And it’s what keeps your organization safe and promotes business continuity.
You should be concerned about these types of attacks and put a plan in place to stop them.