
FBI reports nearly 200,000 phishing attacks as tactics evolve

BALTIMORE, MD—Phishing remains the most prevalent cybercrime in the U.S., with the FBI’s latest Internet Crime Report revealing more than 193,000 complaints last year alone. Cybersecurity experts at ZeroBounce warn that these attacks are becoming increasingly sophisticated, utilizing subtle tactics designed to bypass traditional detection methods and trick even experienced users.

Vlad Cristescu, Head of Cybersecurity at ZeroBounce, highlighted five evolving phishing strategies that pose significant threats:

One emerging tactic is “linkless phishing,” where attackers send short, seemingly innocuous messages without links or attachments, such as “Are you free for a quick call?” or “Can you help me with this task?” These messages aim to initiate a real-time conversation via phone or reply, bypassing email filters.

“People are trained to spot suspicious links, but attackers have adapted by removing them altogether,” Cristescu said. “Once you reply, they continue the impersonation, usually posing as a colleague or executive. If something feels off, don’t respond directly. Verify through another channel before engaging.”

Another deceptive method involves repeated multi-factor authentication (MFA) push notifications followed by an email from purported IT support. After stealing login credentials, attackers flood users with MFA prompts, then instruct them to “just approve one” to stop the alerts.

“This is psychological warfare more than technical trickery,” Cristescu explained. “It exploits a user’s frustration and trust in IT. If you’re receiving multiple MFA prompts you didn’t initiate, that’s not a glitch – it’s an attack. Pause, don’t approve, and escalate it immediately.”

Attackers are also embedding malicious payloads within simple HTML attachments that mimic legitimate login screens when opened in a browser. These can appear as invoices, shared documents, or secure notifications.

“Users think, ‘It’s just an HTML file, what harm could it do?’” Cristescu noted. “But one click can open a cloned login page that captures your credentials instantly. Companies should restrict HTML attachments unless essential, and users should treat unfamiliar HTML files the same way they’d treat a suspicious link – don’t open it unless you’re absolutely sure of the sender.”
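
The following Python example, added here and not taken from the FBI report or ZeroBounce, shows one way a mail filter could apply that advice: it finds HTML attachments in a raw message and flags those that contain a password field. The sample message, addresses, file name and verdict labels are constructed assumptions.

```python
from email import message_from_string
from email.message import EmailMessage
from html.parser import HTMLParser

class LoginFormFinder(HTMLParser):
    """Records signs of a credential-capture page: password fields and form targets."""
    def __init__(self):
        super().__init__()
        self.password_fields = 0
        self.form_actions = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "input" and (attr.get("type") or "").lower() == "password":
            self.password_fields += 1
        elif tag == "form":
            self.form_actions.append(attr.get("action") or "")

def triage_html_attachments(raw_message):
    """Return one finding per HTML attachment in a raw RFC 5322 message."""
    findings = []
    for part in message_from_string(raw_message).walk():
        name = part.get_filename() or ""
        is_html = (part.get_content_type() == "text/html"
                   or name.lower().endswith((".html", ".htm")))
        if not is_html or part.get_content_disposition() != "attachment":
            continue  # inline HTML bodies are ordinary mail, not attachments
        body = (part.get_payload(decode=True) or b"").decode(
            part.get_content_charset() or "utf-8", errors="replace")
        finder = LoginFormFinder()
        finder.feed(body)
        findings.append({
            "filename": name,
            "password_fields": finder.password_fields,
            "form_actions": finder.form_actions,
            # Assumed policy: hold every HTML attachment, quarantine login-like ones.
            "verdict": "quarantine" if finder.password_fields else "hold_for_review",
        })
    return findings

def build_sample_message():
    """Constructed sample: an 'invoice' mail carrying an HTML file with a login form."""
    page = (b'<html><body><form action="https://portal.example.invalid/submit">'
            b'<input type="text" name="user"><input type="password" name="pw">'
            b'</form></body></html>')
    msg = EmailMessage()
    msg["From"], msg["To"] = "billing@example.invalid", "user@example.invalid"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(page, maintype="text", subtype="html", filename="Invoice_4471.html")
    return msg.as_string()
```

Because the attachment is decoded before parsing, the check also covers base64-encoded HTML files, which is how the constructed sample is stored.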

Phishing attempts are now extending to calendar invitations. Malicious links can be embedded in meeting invites or “Join” buttons, which often sync directly into users’ calendars and are less scrutinized than emails.

“Calendar invites carry this built-in credibility – they’re not usually scrutinized like emails,” Cristescu said. “But if you’re getting meeting requests from unknown senders, or vague event titles like ‘Sync’ or ‘Project Review,’ treat those just like a phishing email. Disable auto-accept where possible and review every invite manually before clicking anything.”

Cristescu emphasized that modern phishing is strategic, relying on a sense of “business as usual” to succeed.

“The biggest risk today is overconfidence,” Cristescu warned. “No matter how experienced you are, if you stop questioning what lands in your inbox – or your calendar – you’re vulnerable. Awareness must evolve as fast as the threats do. Always verify the sender’s email address, ensure that any link you click matches the legitimate domain, and look out for subtle red flags like spelling errors or unusual formatting. These small checks can make the difference between staying secure and falling for a well-crafted scam.”
