Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Phishing, QR lures, and AI scams: what should teams change now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11936
Topic starter  

TL;DR: Phishing remains one of the most pervasive cyber risks, with Verizon’s 2025 Data Breach Investigations Report saying social engineering accounts for nearly a quarter of external breaches and 57% of those incidents involve phishing. The control problem is no longer awareness alone, because successful lures now blend AI, QR codes, and multi-channel deception that can bypass point defenses.

NHIMG editorial — based on content published by Zero Networks: What Is Phishing? Everything You Need to Know

By the numbers:

Questions worth separating out

Q: How can organisations reduce the impact of a successful phishing click?

A: Use layered controls that limit what a stolen credential can do.

Q: Why does phishing remain effective even when employees are trained?

A: Phishing remains effective because attackers exploit urgency, familiarity, and normal business processes, which can overwhelm training in the moment.

Q: What do organisations get wrong about QR code phishing?

A: They often treat QR phishing as a user problem instead of a destination validation problem.

Practitioner guidance

  • Strengthen phishing-resistant authentication Require phishing-resistant MFA for privileged access, admin workflows, and sensitive applications so stolen passwords or push-based approvals cannot be reused easily.
  • Contain post-click movement with segmentation Use microsegmentation to isolate critical systems so a phished account cannot pivot across the network with broad lateral movement.
  • Block multi-channel lure paths Extend anti-phishing controls beyond email to include SMS, voice, QR codes, and social channels.

What's in the full article

Zero Networks' full article covers the operational detail this post intentionally leaves for the source:

  • The article expands the four-stage phishing flow into prevention guidance you can apply to real user workflows and response paths.
  • It breaks out specific phishing variants, including spear phishing, clone phishing, whaling, smishing, and vishing, for teams comparing threat patterns.
  • It includes the vendor's view of layered controls such as automated microsegmentation, network-layer MFA, and adaptive policy enforcement.
  • It provides examples of phishing-driven attacks and the defensive framing the vendor uses to connect them to ransomware and lateral movement.

👉 Read Zero Networks' analysis of phishing tactics, AI scams, and containment controls →

Phishing, QR lures, and AI scams: what should teams change now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11491
 

Phishing governance is now an identity control problem, not just a user-awareness problem. The article correctly frames phishing as an access event that can lead to credential theft, privilege abuse, and ransomware. That matters because identity teams own the controls that decide whether a phished secret is still useful after compromise, especially in environments that blend human accounts with service credentials.

A question worth separating out:

Q: Who is accountable when phishing leads to account compromise?

A: Accountability is shared, but security leadership owns the control environment that made impersonation succeed. Email authentication, browser trust configuration, access scoping, and incident reporting are governance responsibilities, not just end-user habits. If phishing can repeatedly turn into compromise, the control model is failing at the organisational level.

👉 Read our full editorial: Phishing is still the main doorway for ransomware and account theft



   
ReplyQuote
Share: