Phishing emails now often contain no links or attachments and have become more strategic in attacks
Email users have been issued a warning over easy-to-miss calendar invites. A specialist says they could be a gateway for cybercriminals to access your private information.
The alert follows the government’s latest cyber security breaches survey, which showed more than four in ten businesses reported falling prey to some form of cyber security breach or attack in the 2024/25 period. The survey pinpointed phishing attacks as the most common type, accounting for 85% of the cyber attacks businesses faced.
Phishing is a cybercrime where an email or another fraudulent communication is sent impersonating someone else. It’s done to swipe sensitive data such as passwords and banking details.
READ MORE: Urgent recall of paracetamol pills due to contamination concernREAD MORE: Waitrose makes major change to popular perk with loyalty card
Vlad Cristescu, Head of Cybersecurity at ZeroBounce, cautioned against complacency. He said: “The biggest risk today is overconfidence,” he warns. “No matter how experienced you are, if you stop questioning what lands in your inbox – or your calendar – you’re vulnerable. Awareness must evolve as fast as the threats do.
“Always verify the sender’s email address, ensure that any link you click matches the legitimate domain, and look out for subtle red flags like spelling errors or unusual formatting. These small checks can make the difference between staying secure and falling for a well-crafted scam.”
Cybersecurity experts at ZeroBounce have identified five lesser-known tactics employed by criminals that can often slip under the radar of even the most clued-up users. Here are the key threats and how professionals can stay one step ahead.
Calendar invites
Attackers are now sending meeting requests with malicious links embedded in the invite or ‘Join’ button. These invitations sync directly into calendars and often go unquestioned.
“Calendar invites carry this built-in credibility – they’re not usually scrutinised like emails,” Cristescu explains. “But if you’re getting meeting requests from unknown senders, or vague event titles like ‘Sync’ or ‘Project Review,’ treat those just like a phishing email.
Disable auto-accept where possible and review every invite. ” Vlad warns that modern phishing is strategic and the more it appears like business as usual, the more dangerous it becomes.
Rise of linkless phishing
Phishing emails now frequently contain no links or attachments, instead featuring brief messages such as “Are you free for a quick call?” or “Can you help me with this task?” These are designed to completely bypass filtering systems and initiate real-time scams via phone or response.
“People are trained to spot suspicious links, but attackers have adapted by removing them altogether,” says Vlad.. “Once you reply, they continue the impersonation, usually posing as a colleague or executive. If something feels off, don’t respond directly. Verify through another channel before engaging.”
Fraudulent log-in requests
After obtaining log-in details, scammers send multiple multi-factor authentication (MFA) push notifications, then email posing as IT support, persuading victims to ‘just approve one’ notification to stop the incessant alerts.
“This is more about psychological warfare than technical trickery,” explains Cristescu. “It exploits a user’s frustration and trust in IT. If you’re receiving multiple MFA prompts you didn’t initiate, that’s not a glitch – it’s an attack. Don’t approve, pause and escalate it immediately.”
Dodgy HTML attachments
Phishing emails are now hiding their payloads within simple HTML attachments that open in your browser and mimic a login screen. These can be especially deceptive as they look like invoices, shared documents, or secure notifications.
“Users think, ‘It’s just an HTML file, what harm could it do?'”, Vlad points out. “But one click can open a cloned login page that captures your credentials instantly. Companies should restrict HTML attachments unless necessary, and users should treat unfamiliar HTML files the same way they’d treat a suspicious link – don’t open it unless you’re absolutely sure of the sender.”