The Rise of Non-Email Based Phishing Attacks

Phishing attacks are one of the most common cyber threats to businesses of all sizes and have traditionally been associated with deceptive emails designed to trick individuals into revealing sensitive information or handing over financial details. However, as digital communication channels change, criminals are increasingly utilising platforms beyond email to execute their phishing schemes. This change poses new threats to organisations striving to protect themselves from the risks associated with cybercrime.

For businesses in the South West, this evolution is particularly important. We’re a region with diverse communities relying on various digital services, meaning criminals have a plethora of opportunities for exploitation. Understanding how phishing tactics are changing is crucial for saying protected.

The Evolution of Phishing Attacks

Historically, email served as the primary source of phishing attacks with criminals crafting convincing emails that appeared to be from legitimate sources, prompting recipients to click on malicious links or provide confidential information. While email is still a significant threat, criminals are now exploiting a broader range of communication channels, including the following:

·       Social media: Attackers may create fake profiles or take over existing ones to send malicious links to unsuspecting users.

·       Messaging apps: Applications such as WhatsApp are increasingly used to target individuals for phishing attacks.

·       SMS (Smishing): Text messages containing links to fraudulent websites or requests for personal information have long since been a threat to both individuals and businesses.

·       Malicious ads (Malvertising): Deceptive advertisements that direct users to phishing sites when clicked.

·       Phone calls (Vishing): Attackers use phone calls to impersonate trusted people, tricking victims into sharing sensitive data.

Adopting a multi-channel approach such as this allows criminals to reach potential victims through various digital touchpoints, increasing the likelihood of a successful breach into their systems.

What is Driving this Shift to Non-Email Phishing Attacks?

There are several key trends which are driving criminals to move beyond email-based phishing:

·       Widespread use of Cloud services: Businesses are adopting Cloud-based tools, creating new targets for phishing attacks designed to compromise Cloud accounts.

·       Integration of personal and work devices: Remote work and flexible working is becoming more common, meaning personal devices are often used to access corporate networks, providing criminals with multiple entry points.

·       Limited awareness of new threats: Users often know to scruntinise emails, but many are less aware of the risks posed by voice calls, social media, or advertising, leaving them more vulnerable to these platforms.

What Should Businesses Do Now?

A proactive approach to your cyber security protocols is needed to combat the risks associated with non-email based phishing attacks. Organisations need enhanced monitoring tools capable of detecting phishing attempts across multiple channels, not just email. Regular security awareness training should cover the full spectrum of channels utilised by criminals to attempt phishing attacks and be tailored to each organisation’s region and industry. 2-step verification (2SV) should be enabled across all business channels to add an additional layer of protection and reduce the chance of data being compromised.  Finally, ensuring that all systems and applications are up to date will help reduce vulnerabilities in your systems that attackers can exploit.

Final Thoughts

Phishing attacks are evolving, and relying solely on email security is no longer sufficient to avoid them. For organisations in the South West, understanding the full range of phishing tactics mentioned in this blog is essential to maintain protection. Staying vigilant, educated, and proactive is the key to staying one step ahead of increasingly sophisticated criminals.

The South West Cyber Resilience Centre is here for businesses of all sizes in the South West region. We continue to provide resources, guidance, and services to help our communities stay safer online. If you have any concerns about phishing attacks or think an attempt may have been made on your South West based business, then contact us today. If you’re not already a member, you can join us today. It’s completely free!