
Phishing Evolving with AI and Stealth: Kaspersky Highlights Biometric and Signature Risks

In Q2 2025, Kaspersky detected and blocked over 142 million phishing link clicks, marking a 3.3% rise globally and a 25.7% increase in Africa compared to Q1. Phishing attacks are undergoing a significant transformation, fueled by AI-driven deception and advanced evasion techniques. Cybercriminals are now exploiting emerging technologies like deepfakes, voice cloning, and trusted platforms such as Telegram and Google Translate to steal sensitive data, including biometrics and signatures, creating unprecedented risks for both individuals and businesses.

AI-Driven Phishing Tactics

Artificial intelligence has elevated phishing into a more personalized and dangerous threat. Large language models allow cybercriminals to create convincing emails, messages, and websites that closely resemble legitimate sources, removing the grammatical errors that once exposed scams. AI-powered bots, often found on social media and messaging apps, impersonate real users, engaging with victims in prolonged conversations to gain their trust. These bots are often used in romantic or investment scams, enticing victims with fake opportunities and AI-generated audio messages or deepfake videos.

An example of a phishing email created with DeepSeek (left) and an example of a phishing website created with AI (right)

Cybercriminals also use deepfake audio and video to impersonate trusted figures like colleagues, celebrities, or even bank officials, in an attempt to promote fake giveaways or steal sensitive information. For example, automated calls using AI-generated voices impersonate bank security teams, tricking users into sharing two-factor authentication (2FA) codes, which are then used for fraudulent transactions. AI-powered tools further enhance targeting by analyzing public data from social media and company websites to create highly tailored attacks, such as HR-themed phishing emails or calls referencing personal details.

New Evasion Tactics to Bypass Detection

Phishers are employing advanced techniques to bypass traditional security measures and build trust with victims. For example, the Telegram platform’s Telegraph tool, used for publishing long texts, is now being used to host phishing content. Similarly, Google Translate’s page translation feature generates links such as `https://site-to-translate-com.translate.goog/…` that are used by attackers to sidestep security filters.

A phishing page mimicking an Office document hosted on Telegraph (left) and an example of a phishing page hidden behind a URL provided by Google Translate (right)
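
A defensive check for the Google Translate and Telegraph cases described above, as an added example that is not from Kaspersky or the original article: it recovers the origin hostname from a `translate.goog` link so that a filter judges the real domain rather than the trusted wrapper. The hyphen-encoding rule, the blocklist entry, and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

TRANSLATE_SUFFIX = ".translate.goog"
USER_CONTENT_HOSTS = {"telegra.ph"}          # Telegraph publishing domain
BLOCKED_DOMAINS = {"login-portal.example"}   # constructed blocklist entry


def decode_translate_host(host):
    """Return the origin hostname wrapped in <label>.translate.goog, else None."""
    host = host.lower().rstrip(".")
    if not host.endswith(TRANSLATE_SUFFIX):
        return None
    label = host[: -len(TRANSLATE_SUFFIX)]
    if not label or "." in label:
        return None
    # Assumed encoding: "." in the origin becomes "-", a literal "-" becomes "--".
    return label.replace("--", "\0").replace("-", ".").replace("\0", "-")


def is_blocked(host):
    """Match the host itself or any parent domain against the blocklist."""
    parts = host.split(".")
    return any(".".join(parts[i:]) in BLOCKED_DOMAINS for i in range(len(parts)))


def classify(url):
    """Return the host a filter should judge, plus reasons to look closer."""
    host = (urlsplit(url).hostname or "").lower()
    origin = decode_translate_host(host)
    effective = origin or host
    flags = []
    if origin:
        flags.append("translate-proxy")
    if effective in USER_CONTENT_HOSTS:
        flags.append("user-content-host")
    if is_blocked(effective):
        flags.append("blocked-origin")
    return {"effective_host": effective, "flags": flags}


SAMPLE_URLS = [  # constructed for this example
    "https://login--portal-example.translate.goog/signin",
    "https://telegra.ph/Shared-Document-08-01",
    "https://www.example.org/about",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, classify(url))
```

A `user-content-host` flag is not a verdict on its own; it marks pages whose reputation cannot be inherited from the hosting domain and should be scored on their content.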

Attackers have also begun integrating CAPTCHA into phishing sites. CAPTCHA, a common anti-bot mechanism, is often associated with trusted services, making phishing pages appear legitimate. This tactic deceives anti-phishing algorithms, increasing the likelihood that these fraudulent pages will go undetected.

From Passwords to Biometric Data and Signatures

The target of phishing attacks has shifted from passwords to more permanent forms of data, such as biometrics and signatures. Cybercriminals now use fraudulent websites to request access to smartphone cameras under the guise of account verification, capturing biometric data such as facial recognition data. This data, which cannot be easily changed, is then used for unauthorized account access or sold on the dark web.

Similarly, phishing campaigns are increasingly aimed at stealing electronic and handwritten signatures, which are critical in legal and financial transactions. Attackers impersonate trusted platforms like DocuSign or prompt users to upload their signatures to fraudulent sites. This puts both personal and business reputations at risk and exposes them to significant financial consequences.

“The convergence of AI and evasive tactics has turned phishing into a near-native mimic of legitimate communication, challenging even the most vigilant users. Attackers are no longer satisfied with stealing passwords — they’re targeting biometric data, electronic and handwritten signatures, potentially creating devastating, long-term consequences. By exploiting trusted platforms like Telegram and Google Translate, and co-opting tools like CAPTCHA, attackers are outpacing traditional defenses. Users must stay increasingly skeptical and proactive to avoid falling victim,” said Olga Altukhova, a security expert at Kaspersky.

The Operation ForumTroll Campaign

Earlier in 2025, Kaspersky uncovered a sophisticated targeted phishing campaign called Operation ForumTroll, in which attackers sent personalized phishing emails inviting recipients to a forum event named “Primakov Readings.” These attacks targeted media outlets, educational institutions, and government organizations in Russia. Upon clicking the malicious link, victims were not required to take any further action for their systems to be compromised. The exploit used a previously unknown vulnerability in the latest version of Google Chrome. The links were short-lived to evade detection, often redirecting to the legitimate “Primakov Readings” site after the exploit was patched.

Kaspersky’s Recommendations for Protection

Kaspersky advises the following measures to protect against phishing attacks:

  1. Verify unsolicited messages, calls, or links, even if they seem legitimate. Never share 2FA codes.
  2. Examine videos for unnatural movements or overly generous offers, which could be signs of deepfakes.
  3. Deny camera access requests from unverified sites and avoid uploading signatures to unknown platforms.
  4. Limit the sharing of sensitive details online, such as photos of documents or work-related information.
  5. Use Kaspersky Next (for corporate environments) or Kaspersky Premium (for individual use) to block phishing attempts.

About Kaspersky

Founded in 1997, Kaspersky is a global cybersecurity and digital privacy company. With over a billion devices protected from emerging cyber threats, Kaspersky’s expertise in threat intelligence is continuously evolving into innovative solutions that protect individuals, businesses, and governments worldwide. The company’s security portfolio includes personal device protection, specialized services for businesses, and Cyber Immune solutions designed to combat sophisticated and evolving digital threats. For more information, visit http://www.kaspersky.co.za.
