Messaging platforms are now a major vector for phishing and other social engineering attacks, according to a new report from NCC Group’s Fox-IT.
What is phishing on messaging apps?
Phishing on messaging apps is a type of social engineering attack where cybercriminals use text messages, chat apps, or collaboration platforms to trick users into clicking malicious links, sharing credentials, downloading malware, or sending sensitive information. These attacks can happen over SMS, WhatsApp, Microsoft Teams, Slack, Telegram, Discord, and similar platforms.
“Messaging platforms are being leveraged as attack vectors by serving as initial access points, delivery channels, and coordination infrastructure within modern attack chains,” the researchers write.
“Threat actors have used these to deliver phishing links, malicious attachments, QR codes, and fake invitations that exploit legitimate platform features. Even encrypted messaging services are being used to distribute mobile malware and spyware, either through direct user interaction (such as opening files or links) or through feature abuse that enables silent account access.
“In parallel, platforms such as Telegram are being utilised to host phishing infrastructure, malware repositories, stolen data, and automated bot-based services that support large-scale fraud and intrusion campaigns.”
The researchers predict that these attacks will increase as more users adopt these technologies.
“The use of messaging platforms as an attack vector is expected to increase further as these services continue to expand in functionality and integrate with other digital ecosystems,” Fox-IT says. “Some messaging apps are increasingly converging with payments, cloud storage, authentication, and enterprise services. This creates new opportunities for abuse beyond simple message delivery.
“At the same time, attackers are refining their techniques that exploit platform-specific features and user behaviour rather than vulnerabilities in underlying encryption. As messaging platforms replace email and SMS as the primary mode of communication in many regions and organisations, threat actors are likely to treat them as a default vector for initial access, malware delivery, and campaign coordination.”
What is the difference between messaging app phishing and email phishing?
Phishing attacks no longer live only in the inbox. While email remains a major attack vector, threat actors are increasingly using SMS, chat, and collaboration tools to target employees where they are most responsive. Understanding the differences between email phishing and messaging app phishing helps organizations build stronger awareness training and reduce human risk across every communication channel.
| Category | Email Phishing | Messaging App Phishing |
|---|---|---|
| Primary channel | Email platforms such as Outlook and Gmail | SMS and messaging platforms such as WhatsApp, Microsoft Teams, Slack, Telegram, Signal, and Discord |
| How the attack is delivered | Fraudulent emails are sent to impersonate trusted brands, vendors, or internal contacts | Fraudulent messages are sent through chat or text to impersonate coworkers, executives, IT, recruiters, or service providers |
| Common lures | Password resets, invoice issues, shared documents, account alerts, payroll updates | Urgent IT requests, MFA reset prompts, package delivery issues, executive requests, fake support messages |
| Message style | Often more formal, detailed, and branded to resemble legitimate business communication | Usually shorter, more casual, and more urgent to encourage immediate action |
| User behavior context | Often reviewed in a work setting where users may be somewhat alert to phishing risks | Often viewed on mobile devices where users are more likely to respond quickly and with less scrutiny |
| Visible warning signs | Users may be able to inspect sender addresses, domains, formatting, and destination links | Warning signs are often less visible because mobile interfaces hide details and shortened links are common |
| Impersonation tactics | Brand spoofing, vendor spoofing, executive impersonation, fake internal emails | Executive impersonation, fake IT help desk messages, fake recruiter outreach, contact spoofing, or fake peer messages |
| Use of links and files | Commonly includes malicious links and attachments such as PDFs, Office files, or ZIPs | More likely to use shortened links, fake login pages, or app-install prompts, though files can also be used |
| Attack pace | Can create urgency, but often follows a familiar business-email format | Typically faster and more conversational, with pressure to act immediately |
| Interaction model | Often one-way unless the attacker is trying to continue the exchange | Frequently interactive, allowing attackers to respond in real time and build trust |
| Primary objectives | Credential theft, malware delivery, account takeover, wire fraud, and data theft | Credential theft, MFA bypass, account takeover, payment fraud, malware delivery, and social engineering escalation |
| Security coverage | Usually protected by mature email security controls such as filtering, link scanning, and authentication checks | Protection is often more fragmented and depends on platform controls, mobile security, reporting workflows, and user awareness |
| Why it can succeed | Exploits trust in brands and routine business communication | Exploits trust in personal, real-time communication and the speed of mobile behavior |
| Best prevention approach | Train users to inspect senders, avoid suspicious links and attachments, and report suspicious emails | Train users to verify identities, avoid tapping unknown links, question urgent requests, and confirm sensitive actions out of band |
| Best user response | Do not click, do not open attachments, report the message, and verify through a trusted channel | Do not tap links, do not share credentials, report the message, and verify the request through a separate trusted channel |
Fox-IT has the story.
