Phishing remains the most common cybercrime type in the US – that’s not even news, to be fair. But what’s new is a shift in tactics, cybersecurity experts who have analyzed the latest Internet Crime Report from the Federal Bureau of Investigation say.
According to the FBI, the agency received over 193,000 complaints about phishing attacks last year alone. Americans report phishing or spoofing attacks much more often than, say, personal data breaches or incidents of identity theft.
Phishing, of course, has been a feature of cybercrime for ages. However, cybersecurity experts at Zero Bounce, an email verification platform, say that the criminals are now shifting their tactics – today’s attacks are cleaner, more convincing, and designed to fly under the radar.
ZeroBounce has flagged four little-known tactics that even experienced users often miss and thus endanger their digital security:
First, the phenomenon of linkless phishing is on the rise. Indeed, some phishing emails have no links or attachments – just a short, seemingly harmless message like “Are you free for a quick call?” or “Can you help me with this task?”
These messages are designed to bypass filters and start a real-time conversation with a targeted user via phone or reply.
“People are trained to spot suspicious links, but attackers have adapted by removing them altogether,” says Vlad Cristescu, head of cybersecurity at ZeroBounce.
“Once you reply, they continue the impersonation, usually posing as a colleague or executive. If something feels off, don’t respond directly. Verify through another channel before engaging.”
Attackers are also exploiting multi-factor authentication (MFA) – they flood users with push notifications after stealing login credentials and follow up with an email pretending to be IT support, urging them to “just approve one” to stop the alerts.
“This is psychological warfare more than technical trickery,” explains Cristescu. “It exploits a user's frustration and trust in IT. If you're receiving multiple MFA prompts you didn’t initiate, that’s not a glitch – it’s an attack. Pause, don’t approve, and escalate it immediately.”
What’s more, some phishing emails are now hiding their payloads inside a simple HTML attachment that opens in your browser and mimics a login screen. These are particularly deceptive because they look like invoices, shared documents, or secure notifications.
“Users think, ‘It’s just an HTML file, what harm could it do?’ But one click can open a cloned login page that captures your credentials instantly,” Cristescu notes.
“Companies should restrict HTML attachments unless essential, and users should treat unfamiliar HTML files the same way they’d treat a suspicious link – don’t open it unless you’re absolutely sure of the sender.”
Finally, attackers are now sending meeting requests with malicious links embedded in the “Invite” or “Join” button. These invitations sync directly into calendars and often go unquestioned.
“Calendar invites carry this built-in credibility – they’re not usually scrutinized like emails,” Cristescu explains.
“But if you’re getting meeting requests from unknown senders, or vague event titles like ‘Sync’ or ‘Project Review,’ treat those just like a phishing email. Disable auto-accept where possible and review every invite manually before clicking anything.”
In general, the expert sums up, modern phishing is strategic: the more it looks like business as usual, the more dangerous it becomes.
“The biggest risk today is overconfidence. No matter how experienced you are, if you stop questioning what lands in your inbox – or your calendar – you’re vulnerable. Awareness must evolve as fast as the threats do,” warns Cristescu.
“Always verify the sender’s email address, ensure that any link you click matches the legitimate domain, and look out for subtle red flags like spelling errors or unusual formatting. These small checks can make the difference between staying secure and falling for a well-crafted scam.”
Cybercrooks who are involved in phishing attacks are getting more brazen. Just this week, the FBI warned of a new spear phishing campaign where cybercriminals are using AI-generated voice and text messages to impersonate US senior officials.
Your email address will not be published. Required fields are markedmarked