Phishing has long been associated with deceptive emails, but attackers are now widening their reach. Malicious links are increasingly being delivered through social media, instant messaging platforms, text messages, and even search engine ads. This shift is reshaping the way organisations must think about defence.
From the inbox to every app
Work used to be confined to company networks and email inboxes, which made security controls easier to enforce. Today’s workplace is spread across cloud platforms, SaaS tools, and dozens of communication channels. Employees are accessible through multiple apps, and each one creates new openings for attackers.
Links no longer arrive only in email. Adversaries exploit WhatsApp, LinkedIn, Signal, SMS, and even in-app messaging, often using legitimate SaaS accounts to bypass email filters. With enterprises relying on hundreds of apps with varying security settings, the attack surface has grown dramatically.
Why detection lags behind
Phishing that occurs outside email is rarely reported because most industry data comes from email security vendors. If the email layer is bypassed, companies must rely heavily on user reports. Web proxies offer limited coverage, but advanced phishing kits now use obfuscation techniques, such as altering webpage code or hiding scripts to disguise what the browser is actually displaying.
Even when spotted, non-email phishing is harder to contain. A malicious post on social media cannot be recalled or blocked for all employees like an email. Attackers also rotate domains quickly, rendering URL blocks ineffective.
Personal and corporate boundaries blur
Another challenge is the overlap of personal and professional accounts. Staff routinely log into LinkedIn, X, WhatsApp, or Reddit on work devices. Malicious ads placed on search engines also appear credible to employees browsing for company resources.
This overlap makes corporate compromise more likely. Stolen credentials from personal accounts can provide access to business systems. In one high-profile incident in 2023, an employee’s personal Google profile synced credentials from a work device. When the personal device was breached, it exposed a support account linked to more than a hundred customers.
Real-world campaigns
Recent campaigns illustrate the trend. On LinkedIn, attackers used compromised executive accounts to promote fake investment opportunities, luring targets through legitimate services like Google Sites before leading them to phishing pages designed to steal Google Workspace credentials.
In another case, malicious Google ads appeared above genuine login pages. Victims were tricked into entering details on counterfeit sites hosted on convincing subdomains, later tied to a campaign by the Scattered Spider group.
The bigger impact of one breach
A compromised account grants far more than access to email. With single sign-on integrations, attackers can reach multiple connected applications, from collaboration tools to customer databases. This enables lateral movement within organisations, escalating a single breach into a widespread incident.
Traditional email filters are no longer enough. Security teams need solutions that monitor browser behaviour directly, detect attempts to steal credentials in real time, and block attacks regardless of where the link originates. In addition, enforcing multi-factor authentication, reducing unnecessary syncing across devices, and educating employees about phishing outside of email remain critical steps.
Phishing today is about targeting identity, not just inboxes. Organisations that continue to see it as an email-only problem risk being left unprepared against attackers who have already moved on.
