Phishing on Messaging Apps: How Attackers Use WhatsApp, Teams, Slack, and SMS

KnowBe4 Team | Mar 5, 2026

Messaging platforms are now a major vector for phishing and other social engineering attacks, according to a new report from NCC Group’s Fox-IT.

What is phishing on messaging apps?

Phishing on messaging apps is a type of social engineering attack where cybercriminals use text messages, chat apps, or collaboration platforms to trick users into clicking malicious links, sharing credentials, downloading malware, or sending sensitive information. These attacks can happen over SMS, WhatsApp, Microsoft Teams, Slack, Telegram, Discord, and similar platforms.

“Messaging platforms are being leveraged as attack vectors by serving as initial access points, delivery channels, and coordination infrastructure within modern attack chains,” the researchers write.

“Threat actors have used these to deliver phishing links, malicious attachments, QR codes, and fake invitations that exploit legitimate platform features. Even encrypted messaging services are being used to distribute mobile malware and spyware, either through direct user interaction (such as opening files or links) or through feature abuse that enables silent account access.

“In parallel, platforms such as Telegram are being utilised to host phishing infrastructure, malware repositories, stolen data, and automated bot-based services that support large-scale fraud and intrusion campaigns.”

The researchers predict that these attacks will increase as more users adopt these technologies.

“The use of messaging platforms as an attack vector is expected to increase further as these services continue to expand in functionality and integrate with other digital ecosystems,” Fox-IT says. “Some messaging apps are increasingly converging with payments, cloud storage, authentication, and enterprise services. This creates new opportunities for abuse beyond simple message delivery.

“At the same time, attackers are refining their techniques that exploit platform-specific features and user behaviour rather than vulnerabilities in underlying encryption. As messaging platforms replace email and SMS as the primary mode of communication in many regions and organisations, threat actors are likely to treat them as a default vector for initial access, malware delivery, and campaign coordination.”

What is the difference between messaging app phishing and email phishing?

Phishing attacks no longer live only in the inbox. While email remains a major attack vector, threat actors are increasingly using SMS, chat, and collaboration tools to target employees where they are most responsive. Understanding the differences between email phishing and messaging app phishing helps organizations build stronger awareness training and reduce human risk across every communication channel.

| Category | Email Phishing | Messaging App Phishing |
|---|---|---|
| Primary channel | Email platforms such as Outlook and Gmail | SMS and messaging platforms such as WhatsApp, Microsoft Teams, Slack, Telegram, Signal, and Discord |
| How the attack is delivered | Fraudulent emails are sent to impersonate trusted brands, vendors, or internal contacts | Fraudulent messages are sent through chat or text to impersonate coworkers, executives, IT, recruiters, or service providers |
| Common lures | Password resets, invoice issues, shared documents, account alerts, payroll updates | Urgent IT requests, MFA reset prompts, package delivery issues, executive requests, fake support messages |
| Message style | Often more formal, detailed, and branded to resemble legitimate business communication | Usually shorter, more casual, and more urgent to encourage immediate action |
| User behavior context | Often reviewed in a work setting where users may be somewhat alert to phishing risks | Often viewed on mobile devices where users are more likely to respond quickly and with less scrutiny |
| Visible warning signs | Users may be able to inspect sender addresses, domains, formatting, and destination links | Warning signs are often less visible because mobile interfaces hide details and shortened links are common |
| Impersonation tactics | Brand spoofing, vendor spoofing, executive impersonation, fake internal emails | Executive impersonation, fake IT help desk messages, fake recruiter outreach, contact spoofing, or fake peer messages |
| Use of links and files | Commonly includes malicious links and attachments such as PDFs, Office files, or ZIPs | More likely to use shortened links, fake login pages, or app-install prompts, though files can also be used |
| Attack pace | Can create urgency, but often follows a familiar business-email format | Typically faster and more conversational, with pressure to act immediately |
| Interaction model | Often one-way unless the attacker is trying to continue the exchange | Frequently interactive, allowing attackers to respond in real time and build trust |
| Primary objectives | Credential theft, malware delivery, account takeover, wire fraud, and data theft | Credential theft, MFA bypass, account takeover, payment fraud, malware delivery, and social engineering escalation |
| Security coverage | Usually protected by mature email security controls such as filtering, link scanning, and authentication checks | Protection is often more fragmented and depends on platform controls, mobile security, reporting workflows, and user awareness |
| Why it can succeed | Exploits trust in brands and routine business communication | Exploits trust in personal, real-time communication and the speed of mobile behavior |
| Best prevention approach | Train users to inspect senders, avoid suspicious links and attachments, and report suspicious emails | Train users to verify identities, avoid tapping unknown links, question urgent requests, and confirm sensitive actions out of band |
| Best user response | Do not click, do not open attachments, report the message, and verify through a trusted channel | Do not tap links, do not share credentials, report the message, and verify the request through a separate trusted channel |

Fox-IT has the story.

Frequently Asked Questions About Phishing on Messaging Apps

Which messaging platforms are commonly used in phishing attacks?

Attackers commonly abuse SMS, WhatsApp, Microsoft Teams, Slack, Telegram, Signal, and Discord. Any platform that allows direct messaging, file sharing, or link sharing can be used in a phishing attack if users are not trained to recognize suspicious behavior.

Why are messaging apps attractive to threat actors?

Messaging apps are attractive because they feel personal, immediate, and informal. Users often let their guard down in chat environments, especially on mobile devices. Attackers take advantage of that trust and urgency to push victims into acting before they stop to verify the request.

What does a messaging app phishing attack usually look like?

A messaging app phishing attack often looks like a short urgent message from a trusted source. It may claim there is a login issue, a payroll problem, a package delivery failure, or an executive request that needs immediate action. The message usually includes a malicious link, a request for credentials, or instructions to continue the conversation.

Can phishing happen on internal collaboration tools like Teams or Slack?

Yes. Internal collaboration tools such as Microsoft Teams and Slack can be used in phishing attacks, especially when attackers compromise an account or impersonate an employee, contractor, or IT administrator. Because these tools are used for day-to-day work, suspicious messages may appear more legitimate.

What are the warning signs of phishing on messaging apps?

Common warning signs include unexpected urgent requests, unknown or suspicious links, requests for passwords or MFA codes, unusual tone or grammar, pressure to act quickly, and messages that ask users to bypass normal processes. Any request involving money, credentials, or sensitive data should be verified through a separate trusted channel.
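
The warning signs listed above, turned into a small triage check for reported chat messages. This is an added example, not KnowBe4's or Fox-IT's code; the domain lists, regex patterns and sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed values for illustration; replace with your organization's own lists.
ORG_DOMAINS = {"example.com"}                      # hypothetical trusted domains
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
TEXT_SIGNS = {
    "urgency": r"\b(urgent(ly)?|immediately|right now|asap|within \d+ (minutes?|hours?))\b",
    "credential_request": r"\b(password|passcode|mfa code|verification code|one[- ]time code)\b",
    "process_bypass": r"\b(bypass|skip the|don'?t (tell|involve|loop in)|keep this between us)\b",
    "money_request": r"\b(gift cards?|wire transfer|bank details)\b",
}

def link_signs(text):
    """Classify each URL's host: shortener, trusted org domain, or unknown."""
    signs = set()
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower().rstrip(".")
        if host in SHORTENERS:
            signs.add("shortened_link")
        # Match on a dot boundary so example.com.sso-check.test is not trusted.
        elif not any(host == d or host.endswith("." + d) for d in ORG_DOMAINS):
            signs.add("unknown_link_domain")
    return signs

def triage(text):
    """Return the sorted warning signs found in one reported chat message."""
    signs = link_signs(text)
    for name, pattern in TEXT_SIGNS.items():
        if re.search(pattern, text, re.I):
            signs.add(name)
    return sorted(signs)

def verify_out_of_band(signs):
    """Money or credential asks always need verification; so do 2+ signs."""
    return bool({"credential_request", "money_request"} & set(signs)) or len(signs) >= 2

# Constructed sample messages, not taken from any real incident.
SAMPLES = [
    "IT here: your account is locked. Send me the MFA code right now.",
    "Payroll problem, fix it immediately: https://bit.ly/xxxx",
    "Notes from standup are at https://wiki.example.com/standup",
    "Reset your password at https://example.com.sso-check.test/login",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(verify_out_of_band(triage(msg)), triage(msg), "|", msg)
```

Keyword matching like this only prioritizes reports for an analyst; a message with no matches still needs the out-of-band verification the answer above describes when it asks for money, credentials, or sensitive data.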

Is messaging app phishing the same as smishing?

Not exactly. Smishing specifically refers to phishing delivered through SMS text messages. Messaging app phishing is broader and includes attacks delivered through chat and collaboration platforms such as WhatsApp, Teams, Slack, Telegram, and Discord, in addition to SMS.

What should employees do if they receive a suspicious message?

Employees should avoid clicking links, downloading files, or replying with sensitive information. The message should be reported according to the organization’s security process, and the request should be verified through a separate trusted channel such as a known phone number, official help desk process, or direct conversation with the supposed sender.

How can organizations prevent phishing on messaging apps?

Organizations can reduce risk by combining security awareness training, clear reporting processes, identity verification practices, mobile security controls, and policies for handling sensitive requests. Training should cover phishing beyond email so employees can recognize suspicious behavior across messaging and collaboration platforms.

Can security awareness training help stop messaging app phishing?

Yes. Security awareness training helps employees recognize the tactics used in messaging app phishing, including urgency, impersonation, and malicious links. When training reflects real-world communication channels, employees are better prepared to spot and report suspicious messages before damage occurs.

Why is phishing on messaging apps becoming more common?

As employees rely more on mobile devices, chat tools, and collaboration platforms, attackers are following that behavior. Messaging apps offer a fast, direct way to reach users in environments where they may be less cautious than they are in email, making them an increasingly effective channel for social engineering.
