While email, SMS, and phone calls dominate the phishing landscape, cybercriminals have adapted their tactics to use less common mediums, exploiting any channel where communication takes place. These unconventional phishing methods, such as phishing through fax, support chat, and even in-app messaging, may not be as widespread, but they can be just as dangerous because they target channels that users and organizations often overlook.
It might seem surprising in the digital age, but fax machines are still used by many businesses, especially in industries like healthcare, law, and finance. Attackers have adapted to this by sending fake faxes that appear to come from trusted entities. A phishing fax might contain an urgent request for payment, a fraudulent invoice, or instructions to visit a malicious website by typing a URL into a browser.
Fax phishing works because many people assume that a fax is inherently more trustworthy than email. Faxes often bypass modern security tools like spam filters, making it easier for phishing faxes to go unnoticed until it’s too late. Additionally, businesses with older infrastructure may rely heavily on fax communications, making them more susceptible to this form of attack.
With the rise of online customer support through chat services, attackers have found new opportunities to target users. Many companies now offer live chat support on their websites, and cybercriminals have begun impersonating support agents to steal information.
For example, an attacker might use social engineering to convince a customer to share login details, account numbers, or personal information under the guise of helping them resolve an issue. In some cases, attackers may even intercept legitimate support chat conversations or hijack live chats by injecting themselves into the communication.
Because support chat is typically trusted as a secure way to resolve issues, users may be more likely to follow instructions without questioning the authenticity of the interaction. Attackers take advantage of this by creating fake support chat portals or using social engineering techniques to gain access to sensitive data.
Many apps, especially financial, e-commerce, and social media platforms, include in-app messaging systems where users can communicate with customer support or receive updates. Attackers exploit these systems by sending fraudulent messages that appear to be official notifications from the app.
For example, a user might receive an in-app message claiming their account has been compromised and prompting them to click a link to “verify” their information. These messages often mimic the look and feel of legitimate communications from the app, making them difficult to spot. Because users trust the security of their apps, they are more likely to fall for phishing attempts delivered through in-app messaging systems.
As QR codes have become more popular, especially for contactless transactions and sharing information, attackers have started using them in phishing scams. In QR code phishing, cybercriminals send malicious QR codes via email, text, or even physical mail. Scanning the code directs the victim to a phishing site or initiates the download of malicious software.
QR code phishing can be particularly deceptive because users often don’t know where the code will take them until they scan it. Attackers might send a QR code disguised as a discount coupon, a bank promotion, or a link to claim a prize. Once scanned, the victim’s device may be compromised, or they may be prompted to enter personal information on a fake website.
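One way to see where a scanned code leads before anything is opened, as an added example that is not part of the original article. The function name `inspect_qr_payload`, the shortener list and the file-extension list are illustrative assumptions, and the sample payloads are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Illustrative lists (assumptions); extend them for your environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
DOWNLOAD_EXTS = (".apk", ".exe", ".msi", ".dmg", ".zip")

def inspect_qr_payload(payload: str) -> dict:
    """Show where decoded QR text leads and flag traits worth a second look."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower()
    except ValueError:
        return {"host": None, "flags": ["unparseable"]}
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # Plain text, or a scheme that triggers a device action (tel:, sms:, WIFI:).
        return {"host": None, "flags": ["non-web-payload"]}
    flags = []
    if scheme == "http":
        flags.append("no-tls")
    if parts.username or parts.password:
        flags.append("userinfo-in-url")  # text before '@' can mimic a trusted name
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass  # host is a name, not an IP address
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")  # may render as a look-alike domain
    if host in SHORTENERS:
        flags.append("shortener-hides-destination")
    if parts.path.lower().endswith(DOWNLOAD_EXTS):
        flags.append("direct-download")
    return {"host": host, "flags": flags}

# Constructed payloads, as a QR decoder would return them.
if __name__ == "__main__":
    for sample in ("https://bit.ly/3xAmPle", "http://user@203.0.113.7/login",
                   "https://example.com/coupon.apk", "WIFI:S:guest;T:WPA;P:x;;"):
        print(sample, "->", inspect_qr_payload(sample))
```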
Cybercriminals have also turned to voicemail as a phishing medium. In this tactic, known as vishing voicemail or voicemail phishing, attackers leave a pre-recorded message claiming to be from a trusted source—such as a bank, government agency, or tech support team. The voicemail might warn the victim of suspicious activity on their account and instruct them to call back a specific number.
When the victim calls back, they are connected to an attacker who pretends to be a legitimate representative and proceeds to gather sensitive information. Voicemail phishing is especially effective because people tend to trust voicemails, particularly when they sound professional or urgent.
Attackers have begun to target professional networking and collaboration platforms like LinkedIn, Slack, and Microsoft Teams. By impersonating colleagues, recruiters, or company representatives, cybercriminals send phishing messages directly within these platforms, asking for sensitive information or encouraging victims to click on malicious links.
On LinkedIn, attackers might pose as potential employers offering lucrative job opportunities, prompting the victim to fill out fake job applications that capture personal data. On Slack or Teams, attackers may impersonate company administrators, asking employees to reset their passwords or provide sensitive information under the guise of internal policy updates.
In businesses that use fax-to-email services, phishing messages can take advantage of the seamless integration between fax and email. An attacker may send a fraudulent email that looks like a legitimate fax notification, tricking the recipient into opening an attachment or clicking on a malicious link.
Because the fax-to-email system is automated, users may trust the email as a legitimate business communication. This makes them less cautious about verifying the message’s authenticity or recognizing the signs of phishing.
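A mail-side check for messages that present themselves as fax notifications, as an added example that is not part of the original article. The gateway domain, the expected attachment types and the function name `triage_fax_notification` are assumptions for illustration, and the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (not from the article): the organisation's fax-to-email gateway
# sends from this domain and delivers pages only as PDF or TIFF attachments.
FAX_GATEWAY_DOMAINS = {"fax.example.com"}
EXPECTED_TYPES = {"application/pdf", "image/tiff"}
URL_HOST = re.compile(r"https?://([^/\s:\"'<>]+)", re.I)

def triage_fax_notification(raw: str) -> list:
    """Return reasons a message presented as a fax notification should not be trusted."""
    msg = message_from_string(raw)
    if "fax" not in msg.get("Subject", "").lower():
        return []  # not presented as a fax notification; out of scope here
    reasons = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain not in FAX_GATEWAY_DOMAINS:
        reasons.append("sender-not-gateway:" + domain)
    for part in msg.walk():
        ctype = part.get_content_type()
        if part.get_content_disposition() == "attachment":
            if ctype not in EXPECTED_TYPES:
                reasons.append("unexpected-attachment:" + ctype)
        elif part.get_content_maintype() == "text":
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            for host in URL_HOST.findall(body):
                if host.lower() not in FAX_GATEWAY_DOMAINS:
                    reasons.append("off-gateway-link:" + host.lower())
    return reasons

# Constructed sample message (not real traffic).
SPOOFED = """\
From: "Fax Service" <noreply@fax-delivery.example.net>
Subject: New fax received (2 pages)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

View your fax: http://fax-view.example.net/doc
--b1
Content-Type: text/html
Content-Disposition: attachment; filename="fax_0001.html"

<html><body>Sign in to view</body></html>
--b1--
"""
```

The `From` header can be forged, so an empty result is not proof of authenticity; pair this check with the SPF, DKIM and DMARC results your mail gateway records.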
These less common phishing mediums may not be as familiar as traditional email or SMS attacks, but they highlight the evolving nature of phishing tactics. Attackers will exploit any communication method to reach their targets, often finding success in underused channels where users may be less vigilant. To defend against these attacks, it’s crucial for individuals and organizations to treat all forms of communication with a healthy dose of skepticism and verify the legitimacy of any unusual or unsolicited requests, no matter the medium.