The latest Internet Crime Report from the FBI reveals that phishing continues to be the most prevalent cybercrime in the U.S., with over 193,000 complaints last year. However, the growing concern isn’t just the number of incidents; it’s the evolving tactics behind these attacks. Today’s phishing schemes are more sophisticated, convincing, and designed to evade detection altogether.
Key Threats
Experts at ZeroBounce are closely monitoring phishing trends and have identified four lesser-known tactics that even experienced users often overlook. Here’s a look at them – and how professionals can stay one step ahead.
1. Linkless Phishing
Linkless phishing is a growing threat that operates by eliminating the most obvious indicators of a phishing attempt, such as suspicious links or attachments. Traditionally, users are taught to be cautious of emails with unfamiliar or suspicious links. However, attackers have evolved and now send emails without any clickable links, focusing purely on text-based communication to create a more subtle approach.
These emails may look innocent and contain simple requests like, “Are you available for a quick call?” or “Can you help me with something important?” Since there are no links or attachments to flag them as phishing, they are often seen as less suspicious. Once a user replies to the message, the attacker can engage in real-time communication through email, phone, or instant messaging, using social engineering tactics to manipulate the victim.
For instance, an attacker might pose as a trusted colleague or executive to establish rapport and gain the victim’s trust. The conversation could quickly escalate to a request for sensitive information or the installation of malicious software.
If you receive an unexpected, vague request like this, don’t respond directly. Verify the sender’s identity via a different communication channel, such as calling the person using a known phone number or contacting them through an official company channel. It’s always better to err on the side of caution before engaging in any conversation that feels unusual or out of place.
2. Persistent Login Requests
Phishers are using tactics that exploit a user’s trust in IT departments, leveraging the familiar process of multi-factor authentication (MFA) to trick victims. When attackers steal login credentials, they trigger multiple MFA prompts that flood a user’s phone or email. These are designed to appear as though the user has initiated a login attempt, creating a sense of urgency and confusion.
In response to the repeated MFA requests, the attacker follows up with an email pretending to be IT support. The email typically urges the user to “approve one of the requests to stop the alerts.” The pressure and frustration of receiving constant notifications may prompt the user to approve the request without thinking, allowing the attacker to successfully access the account.
This tactic is highly effective because it plays on psychological triggers: the user’s trust in IT personnel, their desire to stop the alerts, and the assumption that the MFA notifications are legitimate.
If you are receiving multiple MFA requests that you did not initiate, this is a clear sign that your account may have been compromised. Do not approve any of the requests. Pause the process, contact your IT department or security team immediately, and report the issue. It’s essential to remain calm and take proactive steps to investigate the cause rather than responding impulsively to the notifications.
3. HTML Attachments
Phishers have gotten more sophisticated by embedding malicious code inside HTML attachments, making them look like legitimate files. These phishing emails often contain an HTML file disguised as an invoice, a shared document, or a secure login page. The user may see the attachment and assume it’s harmless because it’s just a simple HTML file.
Once the user opens the file, it may load a fake login page that mirrors a trusted company portal, or it may display what looks like a legitimate document. However, any credentials entered into this cloned page are sent directly to the attacker. Since HTML files are commonly used for legitimate purposes (e.g., invoices or forms), users are less suspicious of these attachments.
This tactic is particularly dangerous because the HTML attachment is small, looks innocuous, and doesn’t set off the usual alarms that might come with other types of attachments, such as Word or Excel files.
Treat HTML attachments with caution, especially if they come from an unknown source. Don’t open any attachments unless you’re certain of the sender’s identity and the legitimacy of the file. Companies should consider implementing policies to block or restrict the use of HTML attachments unless they are absolutely necessary for business purposes. If you ever receive an HTML file from a suspicious source, treat it like you would a suspicious link—do not click or open it.
4. Calendar Invites
Phishing through calendar invites is an increasingly common and effective strategy, as these invitations often go unchecked due to the inherent trust associated with calendar notifications. Calendar invites typically come across as legitimate and professional, especially when sent from recognized platforms like Microsoft Outlook or Google Calendar. They often don’t raise the same suspicions as an email would because calendar invites are viewed as simple, functional items in our busy schedules.
Malicious calendar invites can contain embedded links that, when clicked, lead to phishing websites or downloading malware. These invites may be disguised with vague titles like “Sync” or “Project Update,” which are designed to blend in with regular work meetings. Since most calendar applications automatically accept invites, the user may be unaware of the threat until it’s too late.
The problem is further compounded when attackers send multiple calendar invites in a short period, potentially overloading the victim’s calendar with requests that seem legitimate. Since calendar invites often carry a sense of credibility and urgency, they are less likely to be scrutinized thoroughly.
To mitigate this risk, always manually review calendar invites, especially if they are from unknown sources or contain vague details. Disable the auto-accept feature in your calendar application and only accept invites from trusted individuals or organizations. Be especially cautious of calendar invites from unfamiliar senders or those with unusual event titles. Additionally, if the invite includes a link, treat it as suspicious and verify it before clicking.
Awareness is Key
Phishing tactics have evolved (and will continue to evolve) to become more sophisticated and harder to detect. Attackers now use psychological manipulation, exploit familiar business processes, and leverage trusted platforms to trick victims.
Always verify the legitimacy of unexpected messages, calendar invites, or requests for sensitive information, and adopt a healthy level of skepticism when interacting with digital communications. By being proactive, cautious sand following the recommendations in this article, you can reduce the likelihood of falling victim to these increasingly complex phishing schemes.
Information provided by courtesy of ZeroBounce.
