Phishing is no longer just an email problem. A new wave of non-email phishing attacks is targeting employees through social media, instant messaging apps, SMS, malicious search engine ads, and even collaboration tools like Slack and Teams. These campaigns are designed to bypass traditional defenses—leaving organizations exposed while attackers exploit overlooked channels of communication.
Unlike the inbox-focused phishing most security teams prepare for, these multi-channel attacks are far harder to detect and contain. Threat actors are using sophisticated tactics like compromised social media accounts, conditional payloads, and malvertising campaigns to deliver malicious links. Once an employee clicks, attackers can move laterally into core enterprise platforms, often leveraging Single Sign-On (SSO) to escalate a single compromised account into a full-scale breach.
This report reveals how non-email phishing is underreported and underestimated—in part because industry statistics rely heavily on data from email security vendors. The result? Security teams lack visibility into threats spreading across the apps and devices employees use every day.
Case studies include LinkedIn spear-phishing campaigns targeting executives and Google Search malvertising attacks traced to Scattered Spider, both showing how attackers use trusted platforms to build credibility and evade defenses. With rapid domain rotation and advanced obfuscation techniques, blocking malicious URLs has become a losing game of cat and mouse.
The takeaway is clear: the perimeter is no longer the inbox—it’s the user. To defend against this new era of phishing, organizations must expand detection and response strategies across all communication channels where modern work happens.
#phishing #cybersecurity #nonemailphishing #socialengineering #malvertising #SSO #identitysecurity #Slack #Teams #LinkedIn #WhatsApp #smishing #ScatteredSpider #Okta
