Phishing attacks are not limited to email

by Mar 1, 2023Insights

Phishing attacks are some of the oldest known cyber threats, which means they have evolved into sophisticated methods of social engineering. When people think of phishing, they assume it’s a spam email or one that contains a malicious link. However, modern threats now come through other attack vectors, such as open source websites, fake apps and malvertising.

The best method to mitigate phishing attacks is user awareness training. This is the process of training employees in the effective identification of fake emails, malicious links and suspect websites. Employees are the main line of defence in cyber security; if emails and attachments can pass firewalls, then employees become the major checkpoint.

4C Group has partnered with KnowBe4 – a leader in user awareness training and cyber security education for employees. Through this partnership, we offer a highly effective way to minimise the risks of social engineering attempts by empowering employees with knowledge and increased cyber security awareness.

2D illustration of man sitting at computer with a criminal holding a fishing rod in front of his face.

Phishing through other attack vectors

The evolution of phishing has made it more difficult to detect an attack, but there are still some tell-tale signs that can help you identify them more easily. Phishing can be carried out in many ways, including phone calls, text messages, malicious coding and fake apps.

In addition, phishing is not limited to a particular industry or technology. Scams have been perpetrated against employees of small businesses and large corporations alike. They can also be used by anyone with access to an internet connection and an email account (which is just about everyone).

1. Malvertising – This is a form of malicious advertising. It’s an attack vector that involves placing malicious code into legitimate ads that appear on websites and apps. The ad then connects with the user’s browser, which can result in them being infected with malware or ransomware.

Malvertising is often used by cybercriminals because it allows them to target large groups of people at once. Malicious actors can use several different methods for delivering these ads, including:

  • Injecting malicious code into websites that display advertisements through third-party services, such as Google AdSense.
  • Embedding malicious scripts within banner images.
  • Using exploit kits (EKs) to deliver malware through fake Flash updates or Java apps.

2. Open source coding – Open source code is a wonderful thing. It allows for the collaborative development of software, where developers can share their work and build upon each other’s contributions. This helps make the internet a safer place by making it easier for people to find vulnerabilities in programs that could otherwise be exploited by hackers.

However, open source code also has its drawbacks. Anyone can view this information and use it however they wish, so malicious actors have taken advantage of this opportunity in order to create backdoors into systems or otherwise exploit vulnerabilities in commonly used programs.

Someone in need of fraud protection because their device is being hacked

3. Fake apps – Everybody downloads and uses apps on their smartphones and computers. While the vast majority of apps are legitimate, some have been created by cyber criminals. On the surface, these apps look legitimate but once installed, they can give the hacker access to your data. For example, a recent report found that one popular cryptocurrency wallet app was vulnerable to attacks.

Luckily, major app stores from Apple, Android and Google keep an eye on fake apps and delete them before users can download them. However, the odd ones may slip through the cracks. When downloading apps, be sure to get them from a reputable app store, not a random website. Also, be sure to read the reviews and any additional policies attached to the apps.

4. Phone calls and text messages – These methods work the same. A malicious person will pose as someone with authority, like a head of a department within your company or a person from a government department. They will either phone you or send you a text message saying that they need an urgent payment, electronic funds transfer or vital task to be completed.

Since the person is in a position of assumed authority, the receiver is likely to follow the instructions to avoid getting into trouble or incurring more penalties. These are the most brazen phishing attacks as they speak to you directly, but they are also some of the most effective methods.

Graphic illustration of smartphone with orange padlock on the screen and a masked robber running away from the phone

Hackers love simplicity

Hackers are generally lazy; they want to find the easiest, most common methods of attack available. If you’ve patched your software, they will move on to something else that is more likely to succeed.

If you install a new security patch and it hasn’t been tested yet by hackers or researchers, then it’s possible for them to use this as an opportunity for their own gain – even if only temporarily, until the patch is fixed and everyone else knows how it works. Keep an eye on the resources you use and how they are used.

Phishing attacks are not only limited to email. You can be phished in many ways and you should always be vigilant when it comes to protecting yourself from these attacks. User awareness training is vital for all employees, even IT managers, heads of departments and CEOs – nobody is 100% safe from advanced social engineering methods. For more information about our user awareness training services, please contact us today.


At 4C Group of Companies, we strive to effect operational changes and cost savings for customers through our iNSight product and associated services. This product’s main function is to re-purpose and deliver business-critical information to a variety of systems and stakeholders. 

We specialise in information assurance, business assurance, fintech solutions and a variety of cyber security services. For more insights into our products and services, check out our blog page or follow us on Facebook, LinkedIn and Twitter.

You may also like…