Digital thieves are nothing if not persistent and innovative.
They keep finding new ways to try to part you from your money.
Phishing — where thieves pose as trusted entities or send legitimate looking emails or messages to trick you into giving them access to your accounts — is a widespread method. And it is constantly evolving.
“We’ve seen phishing go through the roof,” said Eva Velasquez, the CEO of the Identity Theft Resource Center, a San Diego-based national nonprofit.
But knowledge is power. So here are three emerging phishing threats to look out for, according to internet safety experts. All three threats target key parts of people’s digital lives: email attachments that lead to fake login pages, multi-factor authentication trickery and deceptive calendar invites.
Spending a few minutes reading these pointers could help you avoid getting your ID or money stolen and save you countless hours of dealing with the fallout.
HTML attachments that open fake login pages
Imagine a busy professional who is in email action mode. In the past 30 minutes on a Saturday morning, he has filled out emailed liability waivers for his seven children’s summer camps, filed an expense report for work, answered a secure portal message from the veterinarian about his sick puppy’s prescription, skimmed 182 email subject lines and paid five bills from his email inbox, including a car insurance premium and his beloved cheese-of-the-month club.
Amid this flurry of inbound emails, ads, invoices and secure messages, he is working on autopilot: opening messages, skimming, clicking and signing in.
What a perfect opportunity.
Scammers are taking advantage of user distraction — and their trust — by sending emails with HTM or HTML attachments. When clicked, those open a browser file that looks like secure, familiar login page. These pages might look like secure invoice viewers, file-sharing services like DocuSign or Dropbox, or sign-in pages to platforms including Microsoft 365.
“Once the user enters their credentials, they are sent surreptitiously to the attacker’s server,” said Vlad Cristescu, the head of cybersecurity with ZeroBounce, a Florida company that helps businesses lower their rate of bounced marketing emails.
Why this method is especially insidious: “There isn’t a clickable link in the email, so standard email security filters (which scan for malicious URLs or attachments like PDFs and ZIPs) may not catch it,” Cristescu added.
To prevent this, he added, companies should “restrict HTML attachments unless essential, and users should treat unfamiliar HTML files the same way they’d treat a suspicious link — don’t open it unless you’re absolutely sure of the sender.”
If you do receive incoming communication with an HTML link or attachment, don’t engage, said Velasquez, with the ITRC.
“Don’t click on links, people. That’s the big, overarching message,” she said. Instead, go to the source: call the phone number on the back of your credit card, visit the bank in person.
Multifactor authentication tricks
If you are one of the many people who uses multifactor authentication, take note.
Multifactor authentication is still very helpful and should be used.
But Cristescu flagged one way that scammers are taking this tool — which is designed to make people’s online accounts more secure — and using it to slither in.
As a refresher, multifactor authentication is an added layer of protection that prevents data thieves from logging into your accounts if they have your username and password. It helps ensure that you’re the one who typed in your password when you log in, and not some scammer in the Philippines or Poughkeepsie.
To use multifactor authentication, you typically download an app, such as Google Authenticator or Microsoft Authenticator. You register your sensitive online accounts, such as Facebook, bank or email, with that app. Then, every time you log into a registered website, the authenticator app generates a new, random code that you enter after your password as a second layer of verification.
With the rise of this protection, a new threat has emerged: Scammers who have your username and password can send log-in requests to your authenticator app. Next, the scammer can pose as an IT expert from your workplace and ask you to approve the log-in request.
If you fall for it, then boom — the scammer is in.
This technique “exploits a user’s frustration and trust in IT. If you’re receiving multiple (authenticator) prompts you didn’t initiate, that’s not a glitch – it’s an attack,” Cristescu said. He recommends pausing, never approving these unexpected requests and flagging the interaction with IT.
Velasquez added that if you get an authenticator notification and you didn’t just log in yourself, “That is a huge red flag. Stop and address it. Don’t ignore it.”
Anytime you interact with IT, be sure you’re the one initiating that contact, she added. If someone from IT calls or emails you, disconnect and reach back out using a trusted method, such as the same phone number you always dial.
Fake calendar invites
A third technique data thieves are using is calendar invites.
“I just get really very angry about this one,” Velasquez said. “It is super hard to detect.”
Here’s what to look out for. If you use an online calendar like Google calendar or the native iPhone calendar app, you might receive an invitation to an event you didn’t see coming. Sometimes these meetings are legitimate. Sometimes, they are not.
Scammers “are now sending meeting requests with malicious links embedded in the invite or ‘join’ button. These invitations sync directly into calendars and often go unquestioned,” according to ZeroBounce.
Scammers use calendar invites because they have “built-in credibility – they’re not usually scrutinized like emails,” Cristescu said. Look for meeting requests from unknown senders and vague event names like “Sync” or “Project Review,” he added.
In some jobs or roles, meetings routinely get added to calendars by other people — clients, prospects, coworkers, bosses, peers.
“I have gotten these repeatedly,” said Velasquez, with the ITRC. “Depending on your lifestyle and your job and how you work, these are going to be particularly challenging. They are real calendar invites. The problem is they have malicious software embedded in them — so when you click on portions of them, ‘Click to join,’ it’s like opening an attachment (or) clicking on a suspicious link. It’s the same principle.”
Cristescu, with ZeroBounce, shared this tip: “Treat those just like a phishing email. Disable auto-accept where possible and review every invite manually before clicking anything.”
Never stop questioning what lands in your inbox or calendar, Cristescu added. “Always verify the sender’s email address, ensure that any link you click matches the legitimate domain, and look out for subtle red flags like spelling errors or unusual formatting.”
A big picture pointer
“All three of these (scams) are so common that it has probably happened to every single person reading the article — at least one of them. That’s how ubiquitous these are,” Velasquez said.
She shared this broader thought: It’s less important to know how to respond to each scenario and more important to pause, be skeptical, double check.
It’s important to be ever more skeptical, because AI makes it easier and easier for thieves to create convincing ruses, Cristescu and Velasquez both said.
AI “really helps with making these phishing offers look and sound so much more legitimate,” Velasquez said. “And with the amount of data that is out there from public sources and from data breaches, it’s very easy to see what relationships people have.” Where you bank, where you do business — that is all fodder for someone to create a copycat page designed to trick you into logging in.
Adopt an “investigator mindset,” Velasquez said. Use this helpful reminder: the acronym STAR, which stands for Stop. Think. Ask questions or ask for help. Reassess.
The ITRC nonprofit can answer questions, for free, through phone and live chat. Toll-free phone: 888-400-5530. Live chat staffed by people, not bots: https://www.idtheftcenter.org/victim-help-center/
