The generic phishing campaign that asked you to confirm a package you had not ordered is being replaced by targeted messages that reference the recipient's actual bank, recent activity, family member, or property. The personalisation is sourced from data the attacker bought or assembled, often in minutes, often for very little money. The cost of personalisation has fallen, and so the personalised attack is now economic against ordinary targets.

What this means in practice is that the rules of thumb that distinguished phishing from legitimate communications no longer hold. The misspelled name, the generic greeting, the obviously fake sender: these are artefacts of the old model. The current model has the recipient's correct name, correct bank, correct branch, correct recent transaction, and a request that fits the context.

The defence has to move from spotting the fake to verifying any consequential request through a channel the attacker cannot impersonate: a phone number or address the recipient already holds, not one supplied in the message. The bank does not call asking for credentials. The lawyer does not email asking for an urgent wire to a new account. The platform does not message asking the user to click through to reset something. The discipline is to treat any such request as suspect until it has been verified out of band.

The first step is knowing what information about you is already on the record, since that is the material the personalised attack is built from. What comes after that is a matter of judgement.