How to Stay Ahead of Creative Phishing Tactics

How to Stay Ahead of Creative Phishing Tactics

Creative phishing tactics are on the rise. Cybercriminals are constantly updating their tricks, techniques and procedures to bypass various security measures. Since up to 90% of data breaches begin with phishing, here’s what’s new out there and how you can stay ahead.


 A recently discovered and currently active attempt targeting Microsoft email users is just the latest example of how persistent the threat is. In some cases, business emails of executives have been compromised and their addresses were then used to send more phishing emails. This ongoing phishing attack can even bypass multi-factor authentication (MFA).

Speaking of MFA, be aware of a tactic called “prompt bombing”. This can take the form of receiving repeated notifications on your phone to confirm a sign-in. The goal is to annoy you and wear you down so you approve the sign-in, allowing the bad guys to break through the MFA. If you didn’t initiate a sign-in, deny any notification asking you to allow it.

Another new approach is pairing a phishing email with a follow-up phone call. According to a new IBM report, a standard email-only attack yielded a 17.8% click rate from its target audience. When cybercriminals paired the same email attack with a matching phone call campaign, the click rate increased to 53.2%. That’s three times the email-only click rate! By combining different tactics, cybercriminals can make their messages seem more credible and urgent. Don’t be fooled.


  • Don’t open attachments or click on links in emails from unknown or untrusted sources. Also look for the other email red flags.
  • To double-check links, simply drag the email from your Inbox to your Junk Email and open it there. Links are exposed and disabled in Junk Email.
  • If an unexpected email, text or phone request has anything to do with money, ALWAYS verify it before taking action. (Don’t reply to the email, instead confirm with a phone call.)
  • If it’s clearly a phishing attempt:
    • Delete it (and empty your Deleted Items folder frequently).
    • Block Sender so future emails from that address will go directly to your Junk Mail.
      • Here’s how: right-click on the email, select “Junk”, select “Block Sender”.
    • Create a Rule so future emails from that address will go directly to your Deleted Items.
      • Here’s how: right-click on the email, select “Rules”, select “Always Move Messages From:”, when the Rules and Alerts box pops up, select “Deleted Items” and click OK.
    • Avoid unsubscribing unless you can verify that the sender’s address is legitimate. Even the unsubscribe link could be malicious.
    • Marketing email software often tracks if you open an email. Here’s a trick: move an unwanted marketing email to Junk *before* you open it. That way, it should report as unopened and eventually the sender may drop you from their list.
    • Clean out your email folders in accordance with your company policy. A stuffed Inbox, Sent Items, and other folders can be a treasure trove for a hacker. If your email is compromised, the more emails you have, the greater the risk.

Reminder: If you *clicked* on an email that turns out to be malicious, report it to your IT provider immediately. Don’t delay – it only takes minutes to cause serious damage.

On the bright side, all unwanted email isn’t malicious. It may just be an offer for something you don’t want. Use these tips to keep those emails out of your Inbox, too.

The tools you use (spam filters, password managers, email multi-factor authentication, etc.) along with your ability to identify potentially dangerous emails, phone calls (and texts) will continue to help you stay ahead of creative phishing tactics.

To learn how CRU Solutions can help keep your business more secure, contact us.