
Why cyber criminals favour phishing and how to better predict, prioritise and prevent attacks


With government data showing phishing remains one of the most prominent cyber risks facing the finance sector, Jason Steer, CISO at cyber threat intelligence specialists Recorded Future, looks at how financial advisers can build intelligence to strengthen cyber resilience. 

The prevalent threat of phishing 

The recently published Cyber Security Breaches Survey 2025/2026 from the Department for Science, Innovation and Technology (DSIT) found that 44% of finance or insurance businesses had identified cyber breaches or attacks in the last 12 months. This was just above the cross-sector average of 43%.  

Security incidents for the average person typically, and sadly, include the hacking of online bank accounts, theft of bitcoin from people's wallets, takeover of social media accounts or even the unauthorised accessing of files or networks by unknown people.

The most prevalent threat vector to accomplish this was phishing, which was experienced by 38% of businesses surveyed by the DSIT. This continues a recurring trend identified in recent editions of the annual Cyber Security Breaches Survey, where phishing consistently ranks as the leading type of breach or attack affecting organisations. 

This consistency may come as something of a surprise. Cybercriminals tend to change and rotate attack techniques continuously in an attempt to remain harder to predict and stop, since a known modus operandi (its tactics, techniques and procedures, or TTPs) becomes easier to detect, making it harder for threat actors to beat security defences. So why do criminals continue to favour phishing?

An evolving threat

There are two factors in play that keep phishing a go-to technique for cybercriminals. The first is that phishing exploits humans, whom criminals regard as the weakest link in most cyber security strategies. Put simply, humans are fallible: even cyber professionals struggle to decide whether a message is phishing or not, so should we expect anyone else to?

The second is that threat actors can quickly adapt and refresh phishing techniques in a bid to stay ahead of unsuspecting victims. This means that, while the fundamental principles of phishing remain the same, how attacks are deployed and scaled can vary significantly.

Essentially, phishing is an act of deception in which a criminal aims to trick a trusted person into handing over legitimate usernames, passwords, security codes or other clues and hints. Genuine access details can then be used to enter secure networks without the adversary having to bypass robust security systems and verification measures. Holding legitimate user credentials enables a threat actor to move with more stealth through an adviser's IT system, lowering the risk of triggering security alerts and being detected.

The act of deception, also known as social engineering, will often involve a threat actor impersonating a trusted individual or organisation and creating a plausible, convincing scenario to steal information. This has evolved from early scam emails to sophisticated, hard-to-spot campaigns. The phishing emails most of us still see in our inboxes most days are the less sophisticated ones, but they clearly work, because criminals keep sending them.

Phishing has become easier in recent years because technology and software mean language is less of an obstacle for adversaries. Non-native speakers can now quickly and easily create well-written phishing content for emails and WhatsApp messages in different languages. They can localise messages to adopt regional dialects, deliberately include common spelling mistakes and add abbreviations and acronyms. Less than ten years ago it was quite easy to spot phishing messages that were badly written and phrased. Now, authentic-looking messages can be created in minutes and rapidly deployed in huge volumes in conjunction with Phishing-as-a-Service (PhaaS) models.

PhaaS provides adversaries with 'off-the-shelf' tools and 24/7 support services to quickly launch and adapt phishing campaigns that require little skill or preparation and minimal cost. This cybercriminal subscription model is lowering the barriers to entry for phishing, creating conditions for more experimentation and growth in phishing in 2026 and contributing to the prevalence of phishing attacks.

In 2025 we saw cybercriminals using open-source LLMs to build sophisticated and convincing phishing kits, which can be sold at scale and easily used by threat actors. These tools have names such as EvilTokens and Labhost, and there remains a competitive market for these services on the dark web.

Building intelligence of evolving threats 

To better predict, prioritise and prevent phishing attacks, finance professionals need to develop a strong, informed understanding of how attack techniques are evolving. Phishing attempts often succeed because they catch people off guard, particularly when awareness of emerging tactics is limited. Without up-to-date knowledge, professionals may not recognise phishing threats that use cloned voices or deepfake videos, or that add real-life references to make the attack seem genuine.

Cyber threat intelligence plays a critical role by providing timely, contextual insights about shifting threat methods, as well as pinpointing data leaks and compromised user credentials.

Advanced intelligence platforms can monitor real-time data from open, closed and proprietary sources, including the dark web and threat actor forums. This can help finance professionals to gain a clearer picture of what cybercriminals are doing and how they are planning to target businesses – and other trusted parties in supply chains – through social engineering. 

By building and continually refreshing intelligence about evolving phishing techniques, advisers and organisations can better understand what threats look like to strengthen vigilance against phishing attacks.
