Phishing is turning into a strategic attack vector, now amplified by generative AI, deepfake voice cloning, and highly targeted social engineering campaigns.
For US security teams entering the second quarter of 2026, phishing represents both the most common and the most operationally disruptive entry point into enterprise environments.
According to the FBI Internet Crime Complaint Center (IC3) 2025 report, phishing and business email compromise (BEC) collectively accounted for more than $16 billion in losses, making it the costliest cybercrime category in the United States.
An Avanan analysis of more than 55 million emails found that one in every 99 was a phishing email.
The Phishing Evolution: From Mass Emails to Deepfakes
The evolution from mass emails to deepfakes marks a significant transformation within the world of cybercrime. The process has moved from “Phishing 1.0” to “Phishing 3.0,” where the latter denotes hyper-personalized messages created by artificial intelligence.
- 91% of security experts feel that AI makes phishing attacks and other forms of social engineering much more advanced
- 50% of these respondents perceive hyper-personalized phishing as the top AI-based threat
- 45% of these respondents see automated vulnerability discovery as the rising risk, 40% consider adaptive malware the top threat, and 39% point to deepfake voice fraud
- 46% of companies feel they are not ready for AI attacks, which reflects minimal change over last year’s figure of 45%
- 92% of companies believe that threats driven by AI necessitate a boost to their cybersecurity defenses
Whereas conventional mass emails depend on volume for effectiveness, deepfakes produce personalized deceptive messages that can fool even automated detection systems, not just people.
The Phishing Evolution Sparked an Anti‑Phishing Revolution
Anti-phishing tools, software, and strategies aim to prevent, recognize, and block attempts to steal confidential data through deceptive sites, emails, or other forms of communication. They include AI-driven email scanning, browser protection against malicious pages and downloads, and user education.
Despite tremendous growth in anti-phishing technology, its effectiveness is often hampered by poor implementation, fragmented controls, and too much focus on detection instead of prevention. The problem is not a lack of defensive measures but an inability to implement them effectively.
Why Legacy Tools Fail US Security Teams
Despite significant investments in secure email gateways (SEGs) and endpoint protection, many US organizations remain exposed. The reason lies in a fundamental mismatch between modern phishing tactics and legacy detection models.
- 35% of successful breaches utilize phishing, according to Verizon
- 68% of breaches have a human factor involved, underscoring the limitations of technology-based security measures
Adoption rates of phishing-resistant MFA are less than 50% in many organizations, leaving them vulnerable to credential theft and session hijacking.
Similarly, guidance from the National Institute of Standards and Technology (NIST) highlights gaps in traditional email security architectures, especially in environments lacking Zero Trust enforcement.
Core Failure Points
- Static detection models: Cannot identify AI-generated content
- Email-only focus: Ignores SMS, voice, and collaboration platforms
- Lack of identity context: No behavioral baselining
- Delayed response workflows: Inefficient SOC triage processes
- Compliance misalignment: Incomplete adherence to NIST and CISA frameworks
Legacy vs. Modern Anti-Phishing Architecture
| Capability | Legacy Approach (SEG-centric) | Advanced Approach (Zero Trust and AI) |
|---|---|---|
| Detection | Signature-based filtering | AI and behavioral analytics |
| Coverage | Email only | Email, SMS, voice, SaaS apps |
| Identity Validation | Limited | Continuous authentication (Zero Trust) |
| Response Time | Hours to days | Real-time automated response |
| Compliance Alignment | Partial (basic controls) | Full alignment with NIST, CISA |
Even widely adopted platforms such as Proofpoint or legacy Microsoft configurations often fall short when deployed without identity intelligence, Domain-based Message Authentication, Reporting, and Conformance (DMARC) enforcement, and behavioral analytics.
The takeaway is simple. Phishing defense must evolve from filtering to identity-centric risk management.
Best Practice #1: Zero-Trust Email with DMARC for US Compliance
Zero Trust is the foundation of modern phishing defense, particularly in regulated US industries. At the email layer, this begins with full DMARC enforcement, as recommended in NIST SP 800-177.
According to the Anti-Phishing Working Group, companies that enforce DMARC with a p=reject policy report an 80% drop in domain impersonation attacks.
Email domains not utilizing DMARC are 3 to 5 times more vulnerable to being used in phishing attacks.
Step-by-Step DMARC Rollout
- Audit SPF and DKIM configurations
- Move DMARC policy from p=none to p=quarantine
- Enforce p=reject for full protection
- Monitor aggregate and forensic reports
- Continuously tune policies
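The rollout steps above revolve around reading what the aggregate (RUA) reports say before tightening the policy. The following example, added here and not part of the original article, parses a published DMARC TXT record, summarizes a constructed aggregate report by aligned versus unaligned mail per source IP, and recommends the next policy step only when unaligned volume is below an assumed threshold (5%); the sample report, domain, IPs and threshold are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

POLICY_ORDER = ["none", "quarantine", "reject"]

# Constructed DMARC aggregate (RUA) report, reduced to the fields used below.
SAMPLE_RUA = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>192.0.2.20</source_ip><count>40</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>3</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def parse_dmarc_txt(txt):
    """Parse a DMARC TXT record into a tag dict; reject records with an invalid p= value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in POLICY_ORDER:
        raise ValueError("invalid DMARC record")
    return tags

def summarize_rua(xml_text):
    """Count aligned vs. unaligned messages in an aggregate report.
    A message is aligned if either DKIM or SPF passed in policy_evaluated."""
    root = ET.fromstring(xml_text)
    summary = {"policy": root.findtext("policy_published/p"),
               "aligned": 0, "unaligned": 0, "failing_sources": {}}
    for row in root.iterfind("record/row"):
        count = int(row.findtext("count"))
        passed = "pass" in (row.findtext("policy_evaluated/dkim"),
                            row.findtext("policy_evaluated/spf"))
        if passed:
            summary["aligned"] += count
        else:
            summary["unaligned"] += count
            summary["failing_sources"][row.findtext("source_ip")] = count
    return summary

def next_policy(summary, max_unaligned_ratio=0.05):
    """Recommend the next rollout step (none -> quarantine -> reject). Advance only when
    unaligned mail is under the assumed threshold; otherwise keep tuning SPF/DKIM first."""
    total = summary["aligned"] + summary["unaligned"]
    ratio = summary["unaligned"] / total if total else 0.0
    current = summary["policy"]
    if current == "reject" or ratio > max_unaligned_ratio:
        return current
    return POLICY_ORDER[POLICY_ORDER.index(current) + 1]
```

Failing sources should be reviewed before advancing: a legitimate third-party sender that has not been added to SPF or signed with DKIM shows up exactly like a spoofer in this summary.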
Extend with BIMI for Brand Trust
Brand Indicators for Message Identification (BIMI) allows organizations to display verified logos in inboxes, reducing phishing success rates by improving user trust signals.
Integrate with Microsoft 365 Defender
For organizations using Microsoft 365 Defender:
- Enable anti-phishing policies with impersonation detection
- Configure Safe Links and Safe Attachments
- Enforce conditional access policies (Zero Trust)
- Integrate with identity providers (Azure AD)
Why It Matters for US Compliance
- Aligns with NIST SP 800-177 email security guidelines
- Supports CISA’s Zero Trust Maturity Model
- Reduces spoofing risk in regulated sectors (HIPAA, FINRA)
Organizations that fully enforce DMARC have reported up to 80% reduction in domain spoofing attacks (APWG, 2025).
Best Practice #2: AI-Driven UEBA Tailored to US Workflows
User and Entity Behavior Analytics (UEBA) is critical for detecting phishing attempts that bypass perimeter defenses. Unlike traditional tools, UEBA focuses on how users behave, not just what emails contain.
Implementation Approach
1. Baseline Normal Behavior
- Login patterns
- Email sending behavior
- File access activity
2. Apply AI Models
Detect anomalies such as:
- Impossible travel
- Unusual email forwarding rules
- Sudden privilege escalation
3. Integrate with SOC Platforms
- Splunk for SIEM correlation
- CrowdStrike Falcon for endpoint visibility
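Two of the anomalies listed in step 2, impossible travel and unusual email forwarding rules, can be expressed as simple detections over sign-in and mailbox-audit events. The example below is added here and is not from the article or any of the named vendors; the events, the internal domain and the 900 km/h speed threshold are constructed assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in and mailbox-audit events standing in for SIEM data (not real logs).
EVENTS = [
    {"user": "alice", "type": "signin", "ts": "2026-04-02T09:00:00", "lat": 40.71, "lon": -74.01},
    {"user": "alice", "type": "signin", "ts": "2026-04-02T09:45:00", "lat": 51.51, "lon": -0.13},
    {"user": "bob", "type": "signin", "ts": "2026-04-02T08:00:00", "lat": 41.88, "lon": -87.63},
    {"user": "bob", "type": "signin", "ts": "2026-04-02T17:00:00", "lat": 40.71, "lon": -74.01},
    {"user": "bob", "type": "inbox_rule", "ts": "2026-04-02T17:05:00",
     "forward_to": "archive@example.net", "delete_original": True},
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def impossible_travel(events, max_kmh=900):
    """Flag users whose consecutive sign-ins imply a speed above max_kmh
    (roughly airliner speed). Returns {user: implied_kmh}."""
    by_user = {}
    for e in sorted((e for e in events if e["type"] == "signin"), key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    flagged = {}
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            delta = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            hours = delta.total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if hours > 0 and km / hours > max_kmh:
                flagged[user] = round(km / hours)
    return flagged

def suspicious_forwarding(events, internal_domain="example.com"):
    """Flag new inbox rules that forward mail outside the organisation, a common
    post-compromise BEC step; deleting the original hides the forwarding from the victim."""
    hits = []
    for e in events:
        if e["type"] != "inbox_rule":
            continue
        if not e["forward_to"].lower().endswith("@" + internal_domain):
            hits.append((e["user"], e["forward_to"], e.get("delete_original", False)))
    return hits
```

In a SIEM these two detections would be correlated per user: a forwarding rule created shortly after an impossible-travel sign-in is a far stronger signal than either alert alone.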
Real-World Use Case: Healthcare Sector
US healthcare organizations, governed by HIPAA, have seen a rise in phishing attacks targeting:
- Electronic Health Records (EHR)
- Insurance billing systems
- Patient portals
UEBA systems have proven effective in identifying:
- Unauthorized access following a phishing compromise
- Data exfiltration attempts
- Insider misuse triggered by compromised credentials
Key Outcome
Organizations deploying AI-driven UEBA report:
- Faster identification and containment, one of the main drivers of reduced breach costs
- A considerably shorter breach lifecycle through AI and automation, saving about $1.9 million per incident
- A breach lifecycle cut to about 241 days
Best Practice #3: Continuous Phishing Simulation Programs
The Cybersecurity and Infrastructure Security Agency (CISA) advises organizations to implement continuous phishing simulation programs to build resilience and Zero Trust.
Phishing simulation programs need to be structured, have defined metrics, and reflect real-world threats.
- Frequency: At least quarterly; higher frequency for high-risk employee groups
- Targeting: Target specific roles (finance, HR, senior leaders, and privileged access)
- Scenarios: BEC, credential theft, MFA fatigue, vendor impersonation
- Realistic: Leverage current threat intelligence, even when using AI to simulate
Metrics That Matter to Leadership
Metrics should be focused on measuring behavioral impact, not simply participation:
- Click rate: In well-run programs, click rates should be maintained under 3%
- Report rate: High performers achieve report rates above 70% of their workforce
- Time to Report: Time taken to escalate suspect emails
- Repeat Susceptibility: Identify high-risk individuals for follow-up interventions
Best Practice #4: Phishing IR Playbooks Aligned with NIST
Incident response (IR) is where phishing defense either succeeds or fails. NIST recommends structured playbooks for rapid detection, containment, and reporting.
Alignment Benefits
- Meets the NIST incident response framework
- Supports SEC compliance
- Improves SOC efficiency
Top Threats in 2026: Elections, Ransomware, and GenAI
1. Election-Driven Phishing Campaigns
With the 2026 US midterms approaching, threat actors are leveraging:
- Voter registration phishing
- Political donation scams
- Deepfake impersonations of officials
CISA has warned of increased targeting of:
- State and local governments
- Election infrastructure vendors
2. Ransomware via Phishing
Groups like Clop continue to use phishing as an initial access vector.
Phishing enables:
- Credential harvesting
- Initial foothold for ransomware deployment
- Data exfiltration prior to encryption
Phishing continues to be one of the most prevalent techniques used by cybercriminals to gain entry into a system prior to installing ransomware.
3. GenAI-Powered Attacks
Generative AI has transformed phishing in three key ways:
- Perfect grammar and tone, so messages are no longer detectable through language errors
- Hyper-personalization at scale
- Real-time conversational phishing (chat-based attacks)
4. Preparing for Quantum-Era Risks
While quantum threats are still emerging, NIST has emphasized the need for:
- Cryptographic agility
- Identity-first security models
Phishing will remain a key vector even in post-quantum environments.
Arm Your Team with Cyber Technology Intelligence
Phishing defense in 2026 demands a strategic, intelligence-driven approach aligned with US regulatory frameworks and emerging threat realities.
Security leaders must:
- Adopt Zero Trust at the email and identity layers
- Leverage AI for behavioral detection
- Continuously train users through simulations
- Operationalize incident response with NIST-aligned playbooks
Cyber Tech Intelligence provides the research, tools, and intelligence needed to execute this transformation.
Implement US-focused Threat Intelligence in Your Organization
FAQs
1. What is the most effective way to mitigate phishing attacks in the US enterprise security context in 2026?
One of the most effective approaches is a layered, identity-driven defense. Companies are increasingly adopting this strategy by implementing Zero Trust controls, DMARC enforcement, and AI-based behavioral analytics.
2. How can US CISOs align their approaches to dealing with phishing threats with recommendations from CISA and NIST?
Start by applying strict email authentication policies, especially DMARC with a p=reject policy. Then apply CISA's Zero Trust guidance to continuously validate every access request.
3. What are the flaws of traditional email security gateways?
They lack the capabilities needed to counter current phishing attacks because their architecture relies almost entirely on signature-based filtering and domain reputation evaluation.
4. How do US enterprises currently measure their phishing resistance?
Resistance to such threats can be measured by analyzing user actions. The first thing one should pay attention to is the percentage of employees who become victims of phishing simulations.
5. How can organizations prepare against AI-driven phishing attacks and election-based attacks in the United States?
The first step towards preparing for such risks would be acknowledging that phishing attacks have become more personalized and difficult to identify. Organizations need to develop their capacities for detecting AI-driven phishing attacks and improve their identity controls.