Why “Old” Cyber Attacks Still Work – and What Organizations Get Wrong

By Ivan Khamenka, threat analyst, Netcraft

Despite constant innovation in cybersecurity tools, many of today’s most successful attacks rely on techniques that are more than a decade old. From homoglyph domain spoofing to basic credential phishing, attackers continue to exploit the same human behaviors: urgency, trust and cognitive overload.

Legacy tactics remain effective, but organizations sometimes underestimate their persistence, and it can be tempting to focus only on new and shiny attacks/methods while forgetting about the tried and true. Read on to learn what security leaders can do to counter threats that are dismissed as outdated but continue to drive real-world breaches.

New dog, old tricks

Even as AI and other technologies are driving new types of attacks and fraud methodologies, bad actors are still relying on some of the same old, same old. And that’s for one simple reason: they still work. 

Take, for instance, homoglyph attacks. Few of the earliest visual deception tricks have remained as doggedly effective as using lookalike characters. One of the easiest and most widely recognized lookalikes is typing “r” followed by “n” so that the pair resembles the letter “m.” This isn’t new by any means, but it continues to be used by bad actors.

Credential phishing is another oldie but goodie. Stolen credentials are involved in 32% of all breaches, and phishing remains one of the main ways these are obtained, according to the 2025 Verizon Data Breach Investigations Report. What’s more, bad actors can now purchase malware-as-a-service infostealers, which lower the attacker’s barrier to entry. The recently released SantaStealer, for instance, is offered as a subscription ranging from $175 to $300 per month. It’s another indicator that credential phishing is here to stay and needs to be addressed.

How can basic attacks still beat modern defenses? Many attacks succeed by exploiting behavior, not technology. Attackers don’t need sophistication when scale and repetition deliver results. There are several enduring human factors that attackers bet on:

  • Urgency: “Respond now” or “Fix this immediately.”
  • Trust: Brand recognition and familiar workflows
  • Cognitive overload: People under pressure click first and validate later.

There are also challenges involved in solving these “old tricks.” One challenge happens when defenders still underestimate the threats. They assume lookalike detection is “solved” because it’s not “new.” They may also fail to monitor and triage early indicators before the campaign peaks. 

Another challenge is that awareness training alone tends to hit a plateau. Security training can be thorough, yet failure still happens in real workflows. Training competes with productivity, fatigue, and “always-on” communication channels so that threats can slip through the cracks. 

In addition, attack surface expansion amplifies “simple” attacks. Fraud doesn’t require bypassing email security if the lure arrives via other platforms, and collaboration tools and social platforms introduce “trust-by-default” risks.

Three misalignments that keep old attacks successful

Organizations must address their assumptions about older attack types or risk security failures. The first is over-investing in novelty while under-investing in resilience. When this happens, advanced threats get budget attention and basic controls degrade quietly. The result is that old tactics remain the easiest path into the network. 

The second is treating phishing as an “email problem.” Phishing-like workflows now span LinkedIn, messaging and Teams/Slack-style platforms as attackers choose channels that bypass legacy detection assumptions.

The third is confusing user error with design failure. Humans will make mistakes; security must assume that baseline. Excessive reliance on “be more careful” messaging shifts responsibility instead of reducing risk.

How to break the cycle without chasing hype

There are four steps organizations can take to end the old way of thinking and build a stronger security program that incorporates older attack types for a more well-rounded strategy. To start, build controls that are strong against “boring” threats. Monitor for domain lookalikes and create takedown workflows. Add browser/email protection layers that reduce click-to-compromise pathways. Conduct continuous credential exposure response (reset, revoke sessions, conditional access).
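As an added illustration (not from the original article or from Netcraft), here is one way a lookalike monitor can catch the “rn” for “m” trick described earlier and feed a takedown queue. The brand labels, observed domains and the small confusables table are constructed assumptions; a production monitor would use the full Unicode confusables data.

```python
import unicodedata

# Constructed, deliberately small confusables table (assumption for this example).
MULTI = {"rn": "m", "vv": "w", "cl": "d"}            # letter pairs that read as one
SINGLE = {"0": "o", "1": "l", "\u0430": "a", "\u0435": "e",
          "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0456": "i"}

def skeleton(label):
    """Fold a domain label to the form a hurried reader perceives."""
    s = unicodedata.normalize("NFKC", label).lower()
    s = "".join(SINGLE.get(ch, ch) for ch in s)
    for seq, repl in MULTI.items():
        s = s.replace(seq, repl)
    return s

def decode_label(label):
    """Turn an IDN 'xn--' label back into Unicode; leave other labels alone."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except ValueError:  # malformed punycode: inspect the raw label instead
            return label
    return label

def find_lookalikes(observed, brands):
    """Return (domain, brand) pairs that fold to a protected label but are not it."""
    targets = {skeleton(b): b for b in brands}
    hits = []
    for domain in observed:
        labels = domain.lower().rstrip(".").split(".")
        for raw in labels[:-1]:          # every label except the TLD
            label = decode_label(raw)
            brand = targets.get(skeleton(label))
            if brand is not None and label != brand:
                hits.append((domain, brand))
                break
    return hits

# Constructed sample data: hypothetical brand labels and newly observed domains.
BRANDS = ["examplebank", "acmepay"]
IDN_SAMPLE = "xn--" + "\u0430cmepay".encode("punycode").decode("ascii") + ".test"
SAMPLE_OBSERVED = ["examplebank.test", "exarnplebank.test", "examp1ebank.test",
                   "login.acrnepay.test", IDN_SAMPLE, "unrelated.test"]

if __name__ == "__main__":
    for domain, brand in find_lookalikes(SAMPLE_OBSERVED, BRANDS):
        print(f"{domain} imitates {brand}: queue for review and takedown")
```

Folding both the brand and the candidate before comparing means a legitimate label that itself contains “rn” still matches only its own imitations.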

Another step in breaking the cycle is to reduce decision burden at the point of risk. Make verification easy and use clear internal playbooks. For instance, “If Y asks for money/credentials/access, do X.”

Companies will also need to validate effectiveness using real attacker behavior, not assumptions. Simulate impersonation and credential-theft paths, not just generic phishing tests. Measure time-to-detect and time-to-disable infrastructure, not awareness completion rates.

Finally, operationalize external intelligence for early warning. Underground sources can reveal credential leaks, targeting chatter and kit reuse. Treat it as posture improvement; prevention beats post-incident forensics.

An upgraded strategy for old tricks

Bad actors will always take the path of least resistance. After all, if it ain’t broke, why fix it? What’s broken in some organizations is the mindset that the old attack methods don’t matter anymore. But as this article states, that couldn’t be further from the truth. Bad actors continue to use homoglyph domain spoofing, credential phishing and other “old” attacks to achieve their goals. Humans are wired to respond to urgency and are often overwhelmed at work, and security teams must take the human element into account to cover all possible attack vectors. Use the above recommendations to review and update security strategy so that neither old tricks nor new ones slip past corporate defenses.

 
