Phishing evolved in 2024: AI‑assisted lures, more convincing impersonations, and new delivery methods made inboxes riskier for businesses. This FAQ collects the most actionable statistics MSPs should use to prioritize defenses, training, and email hardening.
Almost every organization sees phishing: about 94% reported at least one phishing incident in 2024. MSPs should assume every client will be targeted and maintain continuous defenses. Prioritize automated gateway filtering combined with user reporting workflows. Use threat intelligence feeds to block active sending infrastructure quickly. Treat phishing as an ongoing operational task, not a one‑time project.
Attackers most often spoof well‑known brands; Palisade was the top impersonated name in observed campaigns in 2024. Impersonation increases trust and boosts click rates, so educate users to verify sender details and domain spelling. Enforce inbound protections that flag lookalike domains and display‑name spoofing. Combine technical controls with role‑based awareness training for high‑risk teams. Monitor impersonation trends and adapt simulations accordingly.
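The lookalike-domain and display-name checks described above can be sketched as follows. This is an added example, not Palisade's code: the protected brand list, the confusable-character map, and the edit-distance threshold of 2 are all constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed sample: brand keyword -> legitimate domain an MSP protects for a client.
PROTECTED = {"acmepay": "acmepay.example", "northwind": "northwind.example"}

# Small, non-exhaustive map of characters commonly swapped in lookalike domains
# (digits plus three Cyrillic letters that render like Latin a, o, e).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "\u0430": "a", "\u043e": "o", "\u0435": "e"})

def skeleton(domain):
    """Normalise a domain so visually similar spellings collapse together."""
    d = domain.lower().translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header):
    """Return findings for one From: header value (empty list = nothing flagged)."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    for brand, legit in PROTECTED.items():
        if domain == legit or domain.endswith("." + legit):
            continue  # mail really is from the protected domain or a subdomain
        if edit_distance(skeleton(domain), skeleton(legit)) <= 2:
            findings.append(f"lookalike-domain:{legit}")
        # Brand keyword in the display name while the domain is someone else's.
        if brand in re.sub(r"[^a-z0-9]", "", name.lower()):
            findings.append(f"display-name-spoof:{brand}")
    return findings
```

A gateway rule built this way would tag or quarantine on any finding; the threshold needs tuning per client, because short domains produce more near-matches.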
Users often act within seconds: median click times on realistic simulations are under 30 seconds. That speed shows how convincing modern lures can be and why click‑time protections matter. Implement URL reputation checks and browser isolation to stop clicks from becoming compromises. Measure time‑to‑click in training programs to identify high‑risk users. Use those metrics to tailor targeted coaching and controls.
BEC remains a major risk, representing a substantial share of impersonation attacks aimed at financial and executive targets. Attackers focus on payment workflows and invoice approvals to extract funds. Defend with multi‑step transaction verification, outbound email monitoring, and strict access controls for finance systems. Simulate BEC scenarios in tabletop exercises with clients to refine response procedures. Combine technical detection with clear finance process gates.
Phishing volume remains enormous—estimates place daily sends in the billions—so scale matters for defenders. High volume allows attackers to test variations and harvest credentials at scale. Let automated filtering handle the bulk of obvious spam and save human review for targeted threats. Prioritize signals like sudden volume spikes and new sending IPs to block campaigns fast. Maintain layered defenses across gateway, cloud, and endpoint.
Yes—AI has noticeably improved personalization and fluency, producing messages that better mimic legitimate communication. Attackers use language models to match tone and extract public data for convincing social engineering. This reduces the utility of surface‑level language checks, so focus on metadata, behavioral, and link analysis. Regularly test defenses with AI‑generated lures to expose gaps. Keep training realistic and role‑specific to lower success rates.
Malicious URLs and obfuscated content are among the most common delivery methods in 2024. URLs allow dynamic payloads, tracking, and multi‑hop redirection to evade filters. Implement click‑time scanning and link rewrites to inspect destinations safely. Block or sandbox risky attachment types and monitor redirects. Teach users to inspect links and verify unexpected requests through separate channels.
Obfuscation is widespread—more than half of phishing emails use techniques like encoded links, hidden HTML, or polymorphic attachments. These methods can defeat signature‑based scanners, so add behavior‑based analysis and sandboxing. Use ML models that evaluate execution behavior and anomalies in sending patterns. Test systems regularly with obfuscated samples to validate detection. Maintain quick update cycles for detection signatures and heuristics.
HTML files and compressed archives are frequent choices because they can host scripts or redirect victims to credential harvesters. HTML attachments render in browsers and can contain forms or staged downloads that capture credentials. Where possible, block high‑risk types and detonate suspicious files in sandboxes. Enforce DLP and verify unexpected attachments through a secondary channel. Replace risky workflows with secure file‑sharing when feasible.
Yes. QR‑based scams rose sharply for executives and high‑value targets, often leading to credential pages or malicious downloads. Attackers exploit QR convenience to bypass email link scanning. Warn users not to scan codes from unverified messages and enforce mobile security policies. Use URL scanning at the endpoint and include QR scenarios in simulations. Leadership training is critical because executives are frequent targets.
Simulations are useful only when realistic: outdated tests can create false confidence. Modern simulations should mimic AI‑generated text, contextual social engineering, and obfuscation tactics. Combine red‑team exercises with measurable metrics like time‑to‑click and credential‑entry rates. Pair training with technical mitigations and follow‑up coaching for repeat offenders. Regular, varied simulations reduce complacency and improve detection.
Focus on correct email authentication, layered filtering, MFA, and realistic training; these provide the fastest, largest risk reductions. Implement and monitor DMARC, DKIM, and SPF; enable click‑time URL scanning and attachment sandboxing; and enforce MFA for sensitive systems. For guidance and automated checks, use Palisade tools: DMARC/email security score, DKIM, and SPF. Keep incident playbooks current and centralize reporting across clients.
For practical tools, check Palisade’s email security resources and automated checks.
Act immediately: isolate the message, report it to the security team, and reset passwords if credentials were entered. Enable MFA and review authentication logs for suspicious activity. Run targeted scans and follow incident response playbooks. Notify affected third parties if sensitive data was exposed. Quick action limits lateral movement and data loss.
No—DMARC, DKIM, and SPF significantly reduce spoofing but don’t prevent every impersonation. Attackers use lookalike domains and display‑name tricks, which need monitoring and user awareness to spot. Enforce strict DMARC policies (quarantine or reject) and use inbound anomaly detection. Regularly audit DNS records to avoid misconfigurations. Combine technical controls with user verification steps.
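A DNS record audit of the kind recommended above might look like this. It is an added example, not Palisade's tooling: it works on TXT strings you have already fetched, and the sample records and example.* names are constructed.

```python
def parse_tags(record):
    """Split a DMARC TXT record ('v=DMARC1; p=none; ...') into a tag dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(txt_records):
    """txt_records: TXT strings published at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not recs:
        return ["no DMARC record"]
    if len(recs) > 1:
        return ["multiple DMARC records (receivers apply none of them)"]
    tags, issues = parse_tags(recs[0]), []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        issues.append(f"policy is p={policy or 'missing'}, not quarantine/reject")
    if tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']}: policy covers only part of the mail")
    if "rua" not in tags:
        issues.append("no rua address: aggregate failure reports are not collected")
    return issues

def audit_spf(txt_records):
    """txt_records: all TXT strings published at the domain itself."""
    recs = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not recs:
        return ["no SPF record"]
    if len(recs) > 1:
        return ["multiple SPF records (permerror)"]
    terms, issues = recs[0].lower().split()[1:], []
    # Terms that cost a DNS lookup; SPF evaluation allows at most 10 of them.
    lookups = sum(t.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0]
                  in ("include", "a", "mx", "ptr", "exists", "redirect") for t in terms)
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if any(t[0] in "+?a" for t in alls):
        issues.append("'all' mechanism passes or is neutral for unauthorised senders")
    elif not alls and not any(t.startswith("redirect=") for t in terms):
        issues.append("no terminating 'all' mechanism or redirect")
    return issues

# Constructed sample records for a quick run.
WEAK_DMARC = ["v=DMARC1; p=none; pct=50"]
WEAK_SPF = ["v=spf1 include:_spf.example.net +all"]
```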
Blocking risky types is safest, but some business workflows require HTML content. Where blocking isn’t possible, detonate attachments in sandboxes and apply strong DLP rules. Require user verification for unexpected attachments and review exceptions regularly. Prefer secure file‑sharing tools to reduce email risk. Track and minimize exceptions to keep the attack surface small.
Ongoing training—monthly to quarterly—is more effective than one‑off sessions. Regular, varied simulations keep users alert to new tactics and reduce complacency. Tailor scenarios to roles and recent threat trends for better outcomes. Measure improvements with time‑to‑click and credential‑entry metrics. Reinforce training with technical controls and leadership support.
Track click‑through rates, credential‑capture rates, time‑to‑click, and BEC attempt frequency. Monitor DMARC failure reports, suspicious domain trends, and false negatives from filters. Use aggregated client metrics to spot emerging threats early and prioritize mitigations. Report improvements to clients in service dashboards. Use KPIs to drive remediation priorities and training focus.
Published by Palisade. For tools and guidance, visit https://palisade.email/.