"Although most of the industry's data on phishing still comes from email security vendors and tools, the picture is starting to change. Roughly 1 in 3 phishing attacks detected by Push Security were delivered outside of email. There are many examples of phishing campaigns operated outside of email, with LinkedIn DMs and Google Search being the top channels we identified. Notable campaigns include:"
"Phishing via non-email channels has a number of advantages. With email being the best protected phishing vector, it sidesteps these controls entirely. There's no need to build up your sender reputation, find ways to trick content analysis engines, or hope your message doesn't end up in the spam folder. In comparison, non-email vectors have practically no screening, your security team has no visibility, and users are less likely to anticipate possible phishing."
"It's arguable that a company Exec is more likely to engage with a LinkedIn DM from a reputable account than a cold email. And social media apps do nothing to analyse messages for phishing links. (And because of the limitations of URL-based checks when it comes to today's multi-stage phishing attacks, this would be extremely difficult even if they tried)."
Phishing in 2025 expanded from email into multiple channels, with roughly one in three attacks delivered outside email. LinkedIn DMs and Google Search emerged as major vectors. Non-email phishing bypasses email protections, avoids sender reputation and content analysis hurdles, and benefits from near-zero screening and little security visibility. Executives show higher engagement risk with perceived reputable social accounts. Social media platforms do not analyze messages for phishing links, and URL-based checks struggle against multi-stage attacks. Search engines enable attackers through compromised high-reputation sites and malicious ads, increasing opportunities for scalable, identity-focused compromise.
Read at BleepingComputer
Unable to calculate read time
Collection
[
|
...
]