
Phishing is no longer just an email problem. Reports state that 40% of phishing campaigns now span channels beyond email, hitting collaboration tools like Slack and Teams, as well as SMS and social media platforms. Voice phishing (“vishing”) in particular is on the rise: 30% of surveyed organizations reported at least one instance of attackers using spoofed or AI-cloned calls to steal credentials in the past year. QR-code phishing (“quishing”) has also surged, growing 25% year-over-year as threat actors embed malicious codes in posters, invoices, and product packaging to redirect victims to fake login pages or malware downloads.
One of the many factors enabling this increase is the lowered barrier to entry. The number of off-the-shelf phishing kits on the dark web has increased dramatically, empowering cybercriminals of any skill level to launch high-quality, multi-vector campaigns.
These figures leave no doubt. We must guard every front: email, voice, text, QR codes, and beyond. Otherwise, we risk being outflanked by cybercriminals who can exploit whichever channel their victims trust most.
Smishing (SMS Phishing)
Smishing is phishing via text messages, a social-engineering attack that uses fake mobile texts to trick people into downloading malware, divulging sensitive data, or sending money. These attacks can be surprisingly effective; people generally trust SMS far more than email, and mobile links get much higher click rates (often 9–14% in texts versus 2% in emails).
Attackers play on that trust and a sense of urgency. A typical smishing message arrives looking like a delivery notice, invoice, or alert regarding a missed package, unpaid fee, or account problem, and asks the victim to click a link or call a number to resolve the issue.
For example, scammers impersonating toll-road and shipping companies commonly text victims about an outstanding toll or undeliverable parcel, directing them to realistic-looking websites where card data is harvested. Other common lures include fake bank alerts, tax notices, or lottery messages, all urging the recipient to act immediately. More sophisticated frauds even spoof internal contacts, such as an IT or HR text asking a person to reset a password or update payroll info.
Smishing rings can be massive. One notorious group dubbed the ‘Smishing Triad’ now spams millions of scam texts per month. According to security researchers, this syndicate has impersonated legitimate brands and services in at least 120 countries, setting up tens of thousands of fake domains and thousands of SMS accounts to stage global SMS-banking and parcel scams.
Virtually any alert you get by text, from a bank, delivery service, government agency, or colleague, could be a smishing attempt. Most phones lack the advanced phishing filters of desktop email, meaning users must be extremely cautious with any unsolicited link or code in a message.
Vishing (Voice Phishing)
Vishing is phishing carried out over voice calls or voicemail. It’s a classic social-engineering tactic where attackers “cold call” or leave convincing messages to manipulate victims. Hearing a real human voice can create a false sense of trust, making people more likely to comply than with a faceless email.
Modern vishers often use technology to sound legitimate. Spoofed caller IDs (via inexpensive VoIP services) make it appear they are calling from your bank, the IRS, IT department, or even a senior manager. For a less refined but no less effective approach, they’ll use robocall systems to initiate thousands of calls, where often only one victim needs to respond to make the strategy effective.
AI is accelerating vishing. News reports describe attackers using AI voice cloning to impersonate executives or officials on the phone. In one high-profile case, criminals cloned a CEO’s voice in a video call (complete with a deepfake face) to trick an employee into wiring $25 million to a fraudulent recipient.
Even without AI, simple recorded audio or convincing impersonations can fool an unsuspecting victim. Voice calls can bypass email defenses entirely, so organizations must instruct staff to verify any unexpected request, such as calling back on a known number, and treat unsolicited calls with skepticism.
Quishing (QR Code Phishing)
Quishing uses malicious QR codes to lure victims into compromising themselves. It works like phishing but via QR images: a scammer convinces you to scan a QR code (on a poster, email, website, or app), and the code directs your device to a harmful site. It can be difficult to verify a QR code before scanning it, and many people have become used to scanning them without a second thought, thanks to their increased prevalence post-pandemic.
QR codes embed the URL invisibly, so traditional email and web filters often can’t detect the malicious link: decoding a QR requires expensive image/OCR analysis, which isn’t commonly performed by security tools. Furthermore, quishing focuses the attacks on phones or tablets, rather than more secure computer environments.
Quishing attacks can come where you least expect, as criminals have been found to put fake QR codes on legitimate products or posters, enticing people with messages such as “register your product”, or tampered signs that lead to phishing sites. Last year, over half a million phishing emails used QR codes embedded in PDFs. QR-based campaigns have targeted dozens of companies (including a U.S. energy firm) by planting malicious QR codes in emails and advertisements.
Another danger is “QRLJacking”, which exploits the increased prevalence of QR codes being used in place of logins. In these attacks, a person scans the fraudulent QR code and unknowingly logs into a phishing site.
The increasing prevalence of quishing means we should be wary of scanning any unsolicited QR code.
Multi-Layered Defenses
No single control can stop every phishing attack. The answer is a layered defense combining user vigilance with technology and process controls.
Training & Awareness
Regular phishing awareness training is essential. Teach staff to question odd requests, verify sender identities, and report anything suspicious. Employees must know that phishing can come through multiple channels and always think twice before clicking a link or scanning a code.
MFA and Account Security
Strong multi-factor authentication (MFA) must be enforced on every sensitive account. This means using phishing-resistant factors (such as hardware keys or secure app-based authenticators) instead of simple SMS/email codes. When properly done, MFA ensures that even if a password is stolen, attackers can’t easily log in and access sensitive data.
Email & Message Filtering
Deploying advanced email security with sender authentication to block phishing emails is essential. These protections can sometimes be extended to other channels, like scanning links in any corporate messaging apps or PDF attachments. Keep all endpoints patched and anti-malware systems up to date to catch any malicious payloads.
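The link scanning described above can apply the same checks to text from any channel: an SMS body, a chat message, or an already-decoded QR payload. The following is an added example, not code from the original article or from any product; the brand allowlist, the `.example` domains, the reason labels, and the sample messages are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed allowlist (constructed): brand keyword -> domains verified as genuine.
BRAND_DOMAINS = {
    "examplebank": {"examplebank.example"},
    "exampleparcel": {"exampleparcel.example"},
}
SHORTENERS = {"bit.ly", "tinyurl.com", "short.example"}  # short.example is constructed
URGENCY = re.compile(r"\b(immediately|urgent|final notice|suspended|unpaid|overdue)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def triage_url(url):
    """Return the reasons (possibly none) a URL should go to analyst review."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["unparseable"]
    reasons = [] if parts.scheme.lower() == "https" else ["not-https"]
    try:
        ipaddress.ip_address(host)
        reasons.append("ip-literal-host")
    except ValueError:
        pass  # a normal DNS name
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode-host")
    if host in SHORTENERS:
        reasons.append("url-shortener")  # real destination is hidden
    for brand, domains in BRAND_DOMAINS.items():
        genuine = any(host == d or host.endswith("." + d) for d in domains)
        if brand in host.replace("-", "") and not genuine:
            reasons.append("brand-lookalike:" + brand)
    return reasons

def triage_message(text):
    """Triage text from any channel: SMS body, chat message, decoded QR payload."""
    urls = {u: triage_url(u) for u in (m.rstrip(".,;)") for m in URL_RE.findall(text))}
    suspicious = any(urls.values())
    urgent = bool(URGENCY.search(text))
    priority = "high" if suspicious and urgent else "review" if suspicious else "none"
    return {"urls": urls, "urgent_language": urgent, "priority": priority}

# Constructed samples: a parcel-fee lure and a benign bank notice.
SAMPLES = [
    "ExampleParcel: parcel undeliverable. Pay the unpaid fee immediately: http://exampleparcel-redelivery.example/pay",
    "ExampleBank: your statement is ready at https://online.examplebank.example/statements.",
]
```

A hit means "send to review", not "confirmed malicious"; a shortener or a brand name in a hostname is a triage signal that still needs the destination checked.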
Mobile Device Management
Mobile devices with access to your corporate networks must be secured with robust mobile device management (MDM). This includes device encryption, strong passwords/biometrics, and timely updates. An MDM solution can also enforce mobile antivirus and block risky apps, shrinking the attack surface for smishing and quishing on employee phones.
If a device is lost or compromised, then that device needs to be swiftly blocked from accessing any networks, files, or data.
Incident Response
The scale of the threat of phishing means that organizations should treat an attack with the same priority as all other cybersecurity initiatives. A phishing incident plan should accompany all other incident response documentation. This should instruct employees how to report suspected phishing, and ensure that the IT/security team can quickly isolate affected accounts by revoking credentials or pushing out new certificates.
Vendor and customer notification procedures should also be included if sensitive data might have been exposed. Everyone must know their role in responding to a phish, from recognizing it to activating the breach plan.
Conclusion
Phishing has evolved into a multi-headed menace. As the attack vectors of phishing expand, we must remain vigilant, proactive, and comprehensive in our cybersecurity.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Fortra.