The Rise of Non-Email-Based Phishing Attacks
- janna7555
When most people hear the word “phishing”, they picture an email. A message from what looks to be a trusted company, urging them to click on a link, reset a password, or pay an overdue invoice. While email phishing remains one of the most common and damaging cyber threats to businesses, it’s no longer the only form of phishing that businesses need to be aware of. In recent years, criminals have been expanding their tactics, targeting businesses through other methods of communication in an attempt to trick staff when their defences are lower and their guard is down.

The South East Cyber Resilience Centre (SECRC) is seeing more and more reports of variations on the same core idea: tricking someone into revealing sensitive information, banking details, or taking actions that benefit the attacker. The only difference is how the message is delivered.
Here are the most common variations of phishing attacks that we see affecting businesses in the South East:
Smishing: Phishing via SMS or Messaging Apps

“Smishing” (SMS phishing) uses text messages or messaging apps like WhatsApp or Facebook Messenger. The message might claim to be from a parcel delivery service, your bank, or even HMRC, and will most likely convey a sense of urgency and include a link to click. For example:
“Your package is being held – pay for redelivery.”
“Unusual login detected. Verify your account now.”
These short yet direct messages aim to catch people off guard. Text messages feel more personal and immediate than emails, so we are more likely to trust them and act on impulse. When they arrive on our mobile phones, devices we use for everything from banking to shopping, the potential damage increases. To make matters worse, attackers can now spoof phone numbers and contact names to make their messages even more convincing.
Vishing: Phishing via Phone Calls
Vishing refers to voice phishing and happens over the phone. Criminals pretend to be from trusted organisations such as your bank, the police, or a government department. They might tell you there’s been suspicious activity on your account or pressure you into transferring money to a “safe” account.
These calls often sound convincing because criminals use stolen personal information, caller ID spoofing, and even AI-generated voices to sound authentic. Some use pre-recorded messages or fake call centre scripts. A growing concern is the use of AI voice cloning where criminals can replicate someone’s voice using short clips from social media or online videos from the legitimate company. Imagine receiving a call that sounds exactly like your boss asking for urgent help – it’s easy to see how people are caught out!
Quishing: Phishing via QR Codes

Perhaps one of the most recent trends in phishing is “quishing”, or QR code phishing. Criminals embed malicious QR codes into things such as parking meters, restaurant tables, or advertising posters. When scanned, these codes lead to fake websites that steal credentials or install malware onto your device. QR codes have become extremely common, especially since the COVID-19 pandemic, used for menus, payments, and event check-ins. We rarely stop to question them, yet they can direct you to anywhere online within seconds, so we should be just as wary of them as we are of links in emails.
One recent scam we’ve seen involves fake parking tickets placed on cars, instructing drivers to “pay now” using a QR code. The link led to a convincing payment page that stole the driver’s banking information.
Why do these attacks work?
The success of non-email phishing lies in trust and timing. Criminals exploit routine. A text from a delivery company, a call from the bank, a QR code to pay at your local café: these are all everyday occurrences that don’t require critical thinking.
Unlike email, where many businesses now have filters and security tools in place, mobile messaging, phone calls, and QR codes often lack built-in protection.
How can you stay protected?
Do not act on impulse. If a message, call or QR code demands urgent action, then pause before you act. Criminals thrive on panic.
Verify. Do not use contact details or links provided in the message to verify. Visit the company’s official website or call them directly on their verified number.
Be cautious with QR codes. What seems to be the easiest way to sign up or make a payment could end up costing you or your business. If a code looks tampered with or appears in an unexpected place, do not scan it. Use official apps or websites whenever possible.
Educate your staff. Businesses should include other methods of phishing in their cyber training sessions. Realistic examples help staff spot suspicious behaviour. Our fully funded Security Awareness Training sessions cover all aspects of phishing scams, giving your staff the confidence they need to recognise and report.
Report it. Forward suspicious texts to 7726 (a free reporting service) and report scams to Action Fraud at www.actionfraud.police.uk.
Final thoughts
Criminals are evolving, and so should we. Non-email-based phishing is a reminder that cyber resilience isn’t just about having the strongest firewalls and spam filters on email domains; it’s about educating your people to stay vigilant across every communication channel available.
We help businesses across the South East region become fully cyber resilient. By joining us, you’ll gain access to free guidance, helpful resources, and fully funded cyber security services such as Security Awareness Training and much more. We can support you in protecting your organisation from evolving cyber threats.
Stay alert, stay informed, and think before you click, scan, or answer.



