By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: ProofpointPublished August 29, 2025

TL;DR: Phishing is spreading beyond email into Teams, Slack, Zoom, LinkedIn, WhatsApp, and other collaboration channels, increasing account takeover and business email compromise risk, according to Proofpoint, which also cites Verizon, its own human factor research, and observed targeting of 99% of monitored organisations. Human awareness now has to cover identity abuse across every channel, not just inbox defence.


At a glance

What this is: The article argues that modern phishing and account takeover campaigns now operate across multiple communication channels, not just email, and that human behaviour remains central to the attack path.

Why it matters: This matters because IAM, PAM, fraud, and security awareness programmes now have to govern trust and verification across accounts, devices, and collaboration channels where identity is the control plane.

By the numbers:

👉 Read Proofpoint's analysis of multichannel phishing, supplier fraud, and account takeover


Context

Phishing has moved beyond the inbox and now exploits the trust users place in collaboration platforms, messaging apps, and social channels. That shift turns identity into the main battleground, because the attacker does not need to break the platform first if they can persuade a user to approve, forward, pay, or sign in.

For IAM and fraud teams, the governance gap is not simply message filtering. It is the lack of consistent verification controls across communication channels, coupled with weak user signalling around supplier impersonation, business email compromise, and account takeover. The article’s starting position is typical: attackers follow the channel where trust is easiest to manipulate.


Key questions

Q: How should security teams stop phishing that moves from email into chat apps and social channels?

A: Treat collaboration and messaging tools as first-class phishing surfaces. Apply link inspection, message reporting, and sender verification consistently across email, Teams, Slack, Zoom, and mobile channels. The goal is to reduce trust in the channel alone and require a second signal before users act on urgent or unusual requests.

Q: Why do account takeovers become so damaging once an attacker gets into a user’s mailbox or chat account?

A: Because the attacker inherits the user’s authority, context, and established trust relationships. That allows them to approve requests, impersonate colleagues, and move laterally through normal workflows without triggering obvious technical alarms. Strong authentication helps, but step-up checks for sensitive actions are what limit the blast radius.

Q: What do organisations get wrong about email-based fraud?

A: Organisations often treat email fraud as a messaging problem when it is really a trust and workflow problem. The attacker is exploiting how people and systems authorise change, not just how messages are delivered. Strong filtering helps, but it cannot replace validation at the point of decision.

Q: How do security and fraud teams measure whether awareness training is actually reducing social engineering risk?

A: Look for fewer successful impersonation-led approvals, faster reporting of suspicious messages, and lower completion rates for unsafe actions under simulated pressure. Behaviour change is only credible when it shows up in workflow outcomes, not just training completion metrics or quiz scores.


Technical breakdown

How multichannel phishing bypasses email-centric controls

Multichannel phishing uses the same social engineering playbook across email, chat, voice, and file-sharing tools. The attacker benefits from context switching: a request that looks suspicious in email can feel routine inside Teams or Slack, especially when it references an existing project, supplier, or invoice. Traditional secure email gateways help at the perimeter, but they do not cover every trust boundary where users decide whether to click, approve, or disclose. Once the conversation moves to another channel, the message is often treated as internal or familiar, which lowers scrutiny and increases success rates.

Practical implication: Extend anti-phishing controls and user reporting workflows to collaboration and messaging platforms, not just email.

How account takeover turns a social engineering event into identity abuse

Account takeover is the point where the social engineering campaign becomes an identity problem. If attackers obtain credentials, session tokens, or a user’s ability to approve transactions, they can impersonate the account holder and operate inside normal business workflows. That makes detection harder because the activity may look legitimate at the protocol level. The risk rises further when the compromised identity has access to supplier records, finance approvals, or shared mailboxes. In identity terms, the issue is not only authentication weakness, but the absence of strong step-up checks when account behaviour deviates from normal patterns.

Practical implication: Require step-up verification and transaction validation for high-risk actions even when the request appears to come from a trusted account.

Why supplier impersonation succeeds in business workflows

Supplier fraud works because organisations often treat external business relationships as pre-validated trust. Attackers exploit that assumption by changing bank details, requesting urgent payments, or inserting themselves into existing threads. The control failure is not just user inattentiveness. It is a missing verification process for third-party communications that bypasses inbox suspicion and relies on human memory. In practice, the attacker is abusing both identity and process, because the organisation has not separated message authenticity from workflow approval. That is why partner-facing channels need their own identity verification checkpoints.

Practical implication: Add out-of-band confirmation for any payment change, bank detail update, or sensitive supplier request.


Threat narrative

Attacker objective: The attacker wants to convert trust in a communication channel into control over an account, a payment flow, or sensitive data.

  1. Entry occurs through a believable message delivered over email, chat, or another collaboration channel that the recipient already trusts.
  2. Escalation happens when the victim follows the prompt, reveals credentials, approves a request, or transfers the conversation into an attacker-controlled interaction.
  3. Impact follows as the attacker uses the compromised account for business email compromise, data theft, financial fraud, or further account takeover activity.

NHI Mgmt Group analysis

Multichannel phishing is now an identity governance problem, not just a messaging problem. The article is right to move beyond email, because the trust boundary has shifted into collaboration apps, supplier threads, and mobile messaging. That means verification, not just detection, has to be extended across every channel where a user can be manipulated into taking action. Practitioners should treat channel trust as a control surface, not a communication convenience.

Account takeover is the governance failure that turns awareness gaps into security incidents. Once an attacker has the account, they inherit the user’s authority and business context. That is why identity lifecycle controls, session protection, and transaction-level verification need to be tied together rather than managed as separate programmes. The lesson aligns with the NHI and human identity overlap: any identity, human or non-human, becomes dangerous when trust survives after compromise.

Supplier verification gap: organisations often verify the sender but not the change request. The article’s supplier fraud examples show that process integrity matters as much as message authenticity. A request can come from a valid mailbox or chat account and still be fraudulent if the workflow allows bank detail changes or payment approvals without independent validation. Practitioners should design controls around the transaction, not just the identity that submitted it.

Security awareness only works when it is operationalised into decision points. The article’s emphasis on user education is directionally correct, but awareness alone is not a control. Users need clear escalation paths, easy reporting, and forced verification for high-risk actions. Otherwise, the organisation is asking people to detect sophisticated social engineering without giving them a reliable way to stop it.

Multichannel fraud will keep expanding until organisations align identity controls with business process controls. The fastest-growing attack path is the one that blends impersonation, account compromise, and workflow abuse. Teams that separate IAM, fraud, and collaboration security will keep seeing the same incident from different angles. Practitioners should converge those programmes around shared verification and response signals.

What this signals

Multichannel trust will become a formal control objective. Security programmes that still treat collaboration apps as secondary channels will struggle to contain phishing-led compromise. Teams should expect identity verification, fraud prevention, and awareness workflows to converge around shared approval checkpoints and reporting signals.

The practical shift is toward transaction-based verification. Instead of asking whether a message looked legitimate, practitioners will ask whether the request was independently validated before money moved, access changed, or data left the organisation.

Supplier impersonation is the clearest sign that trust boundaries have moved into workflow automation. As collaboration platforms become default business infrastructure, attackers will keep targeting the place where urgency overrides scrutiny. Identity teams should align human verification, privileged approvals, and case escalation paths before that pattern becomes routine.


For practitioners

  • Expand phishing controls beyond email Apply URL rewriting, attachment analysis, and user reporting to Teams, Slack, Zoom, WhatsApp, and other collaboration channels where social engineering now lands. Do not assume email security covers the full attack surface.
  • Add step-up verification for risky account actions Require secondary validation before fund transfers, supplier record changes, mailbox delegation, or access to confidential data, even when the request comes from a familiar account.
  • Create a supplier callback process Verify bank detail changes and urgent payment requests through a known contact path outside the original message thread, and log the confirmation as part of the approval record.
  • Integrate identity and fraud signals Correlate suspicious login events, unusual messaging behaviour, and finance workflow anomalies so a single compromise does not stay siloed in one team’s queue.

Key takeaways

  • Phishing now exploits trust across collaboration and social channels, so email-only defences leave a material gap.
  • Account takeover turns social engineering into identity abuse, which is why step-up verification and workflow validation matter.
  • Supplier fraud succeeds when organisations verify the sender but not the transaction, so callback confirmation is a control, not an option.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
MITRE ATT&CKTA0006 , Credential Access; TA0008 , Lateral MovementThe article describes account takeover and follow-on abuse through trusted channels.
NIST CSF 2.0PR.AC-1Identity and access controls are central to resisting account takeover and impersonation.
NIST SP 800-53 Rev 5IA-2The article depends on trustworthy authentication at the point of user access and approval.
CIS Controls v8CIS-14 , Security Awareness and Skills TrainingThe piece is explicitly about user awareness and human resilience against social engineering.

Map multichannel phishing to credential access and lateral movement, then harden approval and reporting paths.


Key terms

  • Account Takeover: Account takeover is unauthorized use of a legitimate account after an attacker obtains valid access through stolen credentials, tokens, or trusted integrations. The key security problem is that the resulting activity often looks normal to logs and controls, which makes containment and attribution harder than in a forced-entry breach.
  • Business email compromise: A form of social engineering where an attacker impersonates a trusted person or domain to manipulate payment, change banking details, or extract sensitive information. It often succeeds without malware because the attacker targets process trust and human judgement instead of technical controls.
  • Multichannel Phishing: Multichannel phishing is social engineering delivered across email, chat, social media, SMS, or collaboration tools instead of one inbox. The attacker uses whatever channel feels most familiar to the victim, which makes the request harder to scrutinise and increases the chance of credential theft, approval abuse, or fraudulent payment.
  • Supplier Impersonation: Supplier impersonation is a fraud technique where an attacker poses as a vendor, partner, or contractor to change payment details, request urgent transfers, or extract sensitive information. It succeeds when organisations trust the relationship more than they verify the transaction through an independent channel.

What's in the full article

Proofpoint's full article covers the operational detail this post intentionally leaves for the source:

  • Practical guidance for recognising multichannel phishing across email, chat, social, and text-based workflows.
  • Examples of supplier impersonation and business email compromise patterns that show how fraud unfolds in real environments.
  • The 2025 Cybersecurity Awareness Kit structure and how teams can use it to reinforce training across the year.
  • Proofpoint's framing of people, process, and technology together in reducing account takeover risk.

👉 Proofpoint's full article covers the awareness kit, threat patterns, and user guidance in more operational detail.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management in a way that supports broader identity programmes. It helps practitioners connect identity control design to the risks that emerge when trust is abused across modern digital channels.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org