Top 10 Protections Against Email Phishing Attacks
It should come as no surprise that the sophistication and frequency of email phishing attacks is continuing to escalate, providing attackers with a jumping off point for ransomware attacks, data breaches, and other malicious activity.
While it can sometimes be difficult for companies to justify budget for measures to guard against these attacks, recent trends are making it harder to ignore their potentially devastating impacts.
- Ransomware attacks that rely on email phishing techniques to deploy malicious software are on the rise and smaller and smaller organizations are being targeted.
- Employees are increasingly working from home in environments that often lack enterprise-level network hardening, and are therefore more vulnerable to attack.
- State actors are increasingly targeting organizations that handle energy infrastructure, trade secrets, and national security information.
In this blog post, we’ll highlight some of the latest types of email phishing attacks and cover what we feel are the top ten ways you can harden your organization against these attacks.
The Latest Email Phishing Techniques
Cyber criminals are constantly evolving their strategies and tactics to circumvent their victims’ defenses. Phishing, once easy to spot with clumsy emails and obvious scams, has grown increasingly sophisticated, leveraging personalization, trusted brand impersonation, and even AI-generated content to trick users into clicking or sharing sensitive information. These attacks target individuals and organizations alike, exploiting human behavior as much as technical weaknesses. To stay secure, it’s critical to understand the latest phishing techniques and how they’re being deployed. Here are some of the latest email phishing techniques we’ve observed in working with our clients.
AI Powered & Deepfake Phishing (email, voice, video)
- Attackers now use generative AI to craft ultra-convincing spear-phishing emails, clone executive voices for vishing calls, and even create fake video or “live” deepfakes to authenticate or pressure targets.
- These AI tools let attackers produce highly personalized messages at scale (correct tone, company-specific details, even voicemail/voice calls that mimic an executive).
- Real incidents and industry reports show these techniques are increasingly used against enterprises and high-value targets.
Banner Spoofing
- Attackers obtain an email, sent from an employee of the target organization, which leaks either an “External” or, worse, an “Internal”/“Safe Sender” banner.
- They create an HTML/CSS payload which either hides the legitimate “External” banner that will be applied by the target organization, or replaces it with the observed “Internal” banner. This payload is embedded in a phishing email sent to one or more employees of the target organization.
- When the employee(s) read the email, the “Internal” banner (or lack of an “External” banner) makes them more inclined to believe it is from an internal source and follow the included instructions (e.g., click a seemingly legitimate link that is actually malicious).
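A gateway-side check for this pattern, as an added Python example that is not part of the original post: it inspects external-origin HTML mail for internal-banner wording in the body and for any style rule that names the gateway's external banner. The banner phrase, the banner selector, the internal domain list and the two sample messages are constructed assumptions; substitute your own gateway's values.

```python
import re
from email import message_from_string
from html.parser import HTMLParser

# Constructed values for this example: the wording your gateway stamps on internal
# mail, the CSS selector of its external banner, and your own internal domains.
INTERNAL_BANNER_PHRASE = "this message came from inside example corp"
EXTERNAL_BANNER_SELECTOR = ".gw-ext-banner"
INTERNAL_DOMAINS = {"example.com"}

class _HtmlInspector(HTMLParser):
    """Separates readable text from <style> rules in an HTML body."""
    def __init__(self):
        super().__init__()
        self.text, self.styles, self._in_style = [], [], False
    def handle_starttag(self, tag, attrs):
        self._in_style = self._in_style or tag == "style"
    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"
    def handle_data(self, data):
        (self.styles if self._in_style else self.text).append(data)

def banner_spoof_findings(raw_mail: str) -> list[str]:
    """Reasons an external-origin message looks like a banner spoof. Scanning runs before
    the gateway prepends its banner, so CSS naming that banner can only come from the sender."""
    msg = message_from_string(raw_mail)
    domain = msg.get("From", "").rsplit("@", 1)[-1].strip("> ").lower()
    if domain in INTERNAL_DOMAINS:
        return []  # this rule is for external-origin mail only
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    insp = _HtmlInspector()
    insp.feed(body)
    findings = []
    if INTERNAL_BANNER_PHRASE in re.sub(r"\s+", " ", " ".join(insp.text)).lower():
        findings.append("internal-sender banner wording in an external message")
    if EXTERNAL_BANNER_SELECTOR in " ".join(insp.styles):
        findings.append("style rule targets the gateway's external banner")
    return findings

# Constructed samples: an ordinary external mail, and one carrying a fake internal banner.
CLEAN_MAIL = """From: news@vendor.example

<html><body><p>Hello, the Q3 roadmap is attached.</p></body></html>
"""
SPOOF_MAIL = """From: helpdesk@vend0r.example

<html><head><style>.gw-ext-banner { display: none }</style></head>
<body><div>This message came from inside Example Corp</div>
<p>Please re-enter your password to keep your mailbox active.</p></body></html>
"""
```

The From domain is used only to decide that a message is external-origin; in production take that decision from your gateway's own authentication results rather than the spoofable header.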
“Harmless” Attachments
- Attackers send phishing emails with seemingly “harmless” files attached, including:
  - PDF files with links to webpages that push malicious downloads.
  - HTML files that, once opened, load JavaScript that initiates a malicious download.
Finish Signing Up
- Attackers send a phishing email that appears to be from a legitimate partner of the victim’s organization.
- The email prompts the victim to finish signing up for a legitimate service that is offered by the partner. The victim’s email address or user ID is pre-populated in the signup screen, which instructs the victim to provide a password to “finish setting up” their account.
- Because the email appears to be from a known partner and because the email address or user ID is already filled in, users tend to drop their guard and enter one of their current passwords (often the Active Directory password that they associate with their email or user ID).
Top 10 Ways to Harden Your Organization Against Email Phishing Attacks
Tevora has helped some of the world’s leading organizations defend against and respond to email phishing attacks. Based on our experience working with these clients, we’ve developed a list of the top ten things you can do to defend your organization against these dangerous attacks.
1. Conduct Security Awareness Training.
Conducting effective security awareness training is one of the best things you can do to guard against email phishing attacks.
Some security awareness training programs use run-of-the-mill, templated phishing emails, not the type of thing you see with today’s advanced persistent threats. Be sure your training includes simulated email phishing attacks that replicate the latest techniques used by sophisticated attackers, including the techniques described above. Tevora can help ensure you’ve included these types of simulated attacks in your training. For a full list of services, check out our website page.
2. Use Password Managers.
Have your staff use password managers such as 1Password, KeePass, or LastPass. In our view, these tools are a much more effective way to ensure proper password hygiene than asking staff to remember and use long, complex, unique passwords. If using one of these dedicated tools is not feasible, we suggest using something like Okta that has built-in password management capabilities.
If for any reason your organization is not able to use password managers, the most important message you need to stress with your team is to not reuse passwords. With the proliferation of open-source databases that share breached passwords, the risk of reusing passwords has grown exponentially.
3. Keep Software Updated.
Make sure to update all of your application and infrastructure software as frequently as possible. Most software updates, even if they are described as containing new or updated features, will contain the latest security updates as well.
Don’t forget that applying updates to mobile devices (Android and Apple) can be just as important, especially in a Bring Your Own Device (BYOD) environment.
4. Share Trusted Domains.
While it is a good practice to instruct employees to avoid untrusted domains, it can be difficult to always know which domains should be trusted. We recommend developing a list of domains that your staff can trust, including those that are owned and controlled by your organization. Make sure the list is easily accessible by all of your team members.
5. Keep Open Door Policy for Your SOC/IR team.
Strive to make your staff feel welcome talking to SOC/IR team members about any security issues. Make it clear to your staff that you will never ask for their password over the phone or email. Get the message out in person rather than relying on written communications, which can often be overlooked. This can go a long way toward shutting down phishing/social engineering attacks.
6. Use Multi-Factor Authentication (MFA).
While it can be inconvenient, MFA can save you even when someone is reusing a compromised password. In some cases, you can get rid of passwords altogether by using magic links or other passwordless methods as an alternative.
7. Eliminate Internal Sender Banners.
If you use both external and internal sender banners, get rid of the internal sender banner, which can be spoofed. Where possible, switch from HTML banners prepended or appended to the message body to native external-sender banners rendered by the mail client rather than injected into the message.
8. Test Against Phishing Attack Scenarios.
Conduct extensive ongoing testing to ensure your organization is fully prepared to defend against phishing attacks.
Test the effectiveness of your security awareness training by conducting periodic simulated phishing attacks using the latest phishing techniques. Enforce password resets for staff that fail these tests.
Engage skilled penetration testers to find vulnerabilities in your phishing defenses. Test your SOC/IR team’s response time to reported phishing emails and payload executions.
9. Audit Organization Passwords.
Conduct periodic audits to compare your team’s passwords against databases of breached passwords. Whenever matches are found, ensure those passwords are changed immediately.
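One way to run this audit without sending passwords off-site, as an added Python example that is not from the original post: the k-anonymity range lookup of Have I Been Pwned's Pwned Passwords API, where only the first five hex characters of each SHA-1 hash leave your network. The `offline_fetch` stand-in, its breach counts and the sample accounts are constructed for this example.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

def fetch_range(prefix: str) -> str:
    """Fetch the Pwned Passwords range for a 5-hex-character SHA-1 prefix."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pw-audit-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str, fetch=fetch_range) -> int:
    """How often the password appears in the breach corpus (0 if never seen).
    Only the hash prefix is sent; every matching suffix comes back and the
    comparison against our full hash happens locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count or 0)
    return 0

def accounts_needing_reset(creds: dict[str, str], fetch=fetch_range) -> dict[str, int]:
    """Map each account whose password is in the corpus to its breach count."""
    hits = {acct: breach_count(pw, fetch) for acct, pw in creds.items()}
    return {acct: n for acct, n in hits.items() if n > 0}

# Constructed offline stand-in for the API: one range holding a made-up count for
# the suffix of "password" (SHA-1 5BAA61E4...) and one unrelated suffix.
SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:2\n",
}
def offline_fetch(prefix: str) -> str:
    return SAMPLE_RANGES.get(prefix, "")

SAMPLE_CREDS = {"alice": "password", "bob": "c0rrect-h0rse-battery-staple-9Qz!"}
```

The same endpoint also serves NTLM hashes (`?mode=ntlm`), which lets you audit Active Directory password hashes directly instead of needing plaintexts.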
10. Reward Your Vigilant Employees.
Incentivize your employees to report suspicious emails, phone calls and activity. Document the reporting process specific to your organization and reward employees that report real and simulated attacks with gift cards (or the reward of your choice)…
Webinar
For a deeper dive on email phishing, check out our webinars:
The Scary Side of Cybersecurity: Why On-Premise Penetration Testing is Key
Threat Hunting in the Age of AI: Before and After the Advent of Artificial Intelligence
The Future of Cyber Insurance: A Proactive Approach to Cyber Threats
Additional Resources
For specific Threat related content, check out our resources page.
We Can Help
If you have questions about email phishing or would like help hardening your organization against these potentially devastating attacks, just give us a call at (833) 292-1609 or email us at [email protected].