Digital thieves are nothing if not sustainable and innovative.
They will continue to find new ways to try to break up with you from your money.
Phishing is a wide range of ways that allow burglars to poss as trustworthy entities or send legitimately-looking emails and messages to allow them to access their accounts. And it’s constantly evolving.
“We’ve seen fishing go through the roof,” said Eva Velasquez, CEO of Identity Theft Resource Center, a national nonprofit based in San Diego.
But knowledge is power. According to internet safety experts, here are three emerging phishing threats to watch out for. All three threats cover important parts of people’s digital live performances. Fake login pages, multi-factor authentication tricks, and attachments that lead to invitations for deceived calendars.
Spending a few minutes reading these pointers will save you countless hours of time dealing with fallout, avoiding your ID or money being stolen.
HTML attachment to open fake login page
Imagine a busy professional in email action mode. Over the past 30 minutes on Saturday morning, he sent emails to the summer camp of seven children, submitted expenses reports for work, responded to a safe portal message from the vet about prescriptions for sick puppies, skimmed 182 email subjects, and paid five bills from his email inbox.
Amid a surge in inbound emails, ads, bills and secure messages, he is working on AutoPilot: Open Message, Skimming, Click, Sign In.
What a great opportunity.
Scammers take advantage of user distractions and their trust by sending emails with HTML or HTML attachments. Click to open a browser file that looks like a secure and familiar login page. These pages may look like secure invoice viewers, file sharing services like Docusign or Dropbox, or sign-in pages to platforms that include Microsoft 365.
“When a user enters their credentials, it’s secretly sent to the attacker’s server,” says Vlad Cristescu, head of cybersecurity, ZeroBounce, head of Florida company ZeroBounce, who helps businesses lower the rate of marketing emails that have bounced back.
Why this method is particularly insidious: “Sometimes the standard email security filter (scans malicious URLs and attachments such as PDFs and ZIPs) may not catch because there are no clickable links in emails,” added Cristescu.
To prevent this, companies should “restrict HTML attachments unless they are essential, and users should deal with unfamiliar HTML files just like they would with suspicious links.”
If you receive an incoming communication with an HTML link or attachment, don’t get involved, Velasquez said ITRC.
“Don’t click on the link. That’s a big, comprehensive message,” she said. Instead, call the phone number on the back of your source: credit card to access your bank directly.
Multi-factor authentication trick
If you are one of many people using multifactor authentication, be careful.
Multifactor authentication is still very useful and needs to be used.
However, Cristescu has flagged one way scammers use this tool (designed to make people’s online accounts more secure) and use it to slither.
In a review, multifactor authentication is an additional layer of protection to prevent data burglars from logging in to their account if they have a username and password. It will help you to make sure you are the person who entered your password when logging in and is not a Philippine or Poughkeepsie con man.
To use multifactor authentication, you typically download apps such as Google Authenticator or Microsoft Authenticator. Register confidential online accounts such as Facebook, banks, emails, and more with the app. Then, every time you log into a registered website, the Authenticator app generates a new random code you enter after the password as the second verification layer.
With this increase in protection, new threats have emerged. Scammers with a username and password can send login requests to the Authenticator app. The scammer can then poss as an IT professional in your workplace and ask for approval of the login request.
If you fall into it, the boom-con man is in it.
The technique “exploits user complaints and trust. If you’re receiving multiple (certifier) prompts, it’s not a glitch. It’s an attack,” says Cristescu. He recommends pause, accepting these unexpected requests and not flagging interactions with them.
Not only did Velazquez get a certified notification and log in herself, but added, “It’s a giant red flag. Stop it and deal with it. Don’t ignore it.”
Whenever you interact with it, make sure you are beginning that contact, she added. If someone calls or emails you from there, use a reliable method to disconnect and reach for you, such as the same phone number you always dial.
A fake calendar is invited
The third technique data used by burglars is the calendar invitation.
“I’m really, very angry about this,” Velazquez said. “It’s very difficult to detect.”
What is this looking for? If you use an online calendar, such as Google Calendar or the native iPhone Calendar app, you may receive an invitation to an event that is not visible. Sometimes these meetings are legal. Sometimes it’s not.
The scammer is sending a meeting request that contains a malicious link embedded in an invitation or ‘Merge’ button. These invitations are synced directly to the calendar and are often unquestionable,” according to Zerobounce.
Scammers use calendar invitations because “it’s built-in trust, so they’re not usually scrutinized like email.” Look for meeting requests from unknown senders and look for vague event names such as “Synchronization” or “Project Review.”
In some jobs and roles, meetings are regularly added to the calendar by others, such as clients, prospects, colleagues, bosses, peers, etc.
“I’ve got these things over and over,” Velazquez said, ITRC. “These get especially challenging depending on your lifestyle and your work and how you work. They are real calendar invitations. The problem is that there are malicious software that has some of them embedded. So when you click “click” it’s like clicking (or clicking) a suspicious link. That’s the same principle. ”
Cristescu shared this tip using Zerobounce.
Cristescu should not stop questioning the lands of your inbox and calendar. “Always check the sender’s email address, make sure the link you click matches your legitimate domain, and look for subtle red flags such as spelling errors and unusual formatting.”
Big picture pointer
“All three of these (scams) are so common that it’s probably happened to everyone reading the article, at least one.
She shared this broader idea. Knowing how to respond to each scenario is not so important, it’s more important to pause, be skeptical, double checking.
It’s important to be more skeptical, as AI makes it easier and easier to create compelling looses, Cristescu and Velasquez both said.
AI “really helps in making these fishing offers look and sound,” Velazquez said. “And it’s very easy to see how people have relationships with each other, with the amount of data there from the source of publication and the amount of data there from the data breaches.” In the case of a bank, where you’re doing business – that’s all the feed for someone to create a copycat page designed to trick you into logging in.
Velazquez said it would adopt “an investigator’s mindset.” Use this helpful reminder. think. Ask a question or ask for help. Reevaluation.
ITRC nonprofits can answer questions for free via telephone or live chat. Free phone: 888-400-5530. Live chat staffed by people rather than bots: https://www.idththeftcenter.org/victim-help-center/
Original issue: June 6, 2025, 1:27pm
