
What should organisations do when phishing moves beyond email into texts and social media?

By NHI Mgmt Group Editorial Team Updated June 11, 2026 Domain: Threats, Abuse & Incident Response

They should expand detection, training, and reporting to the channels people actually use for shopping and delivery updates. SMS, direct messages, and sponsored social posts need the same scrutiny as email, because users often trust them more than they should. Channel-aware controls are now part of identity defence.

Why This Matters for Security Teams

Phishing has moved from a single-channel email problem to a broader identity and trust problem. SMS, direct messages, collaboration apps, and sponsored social posts can all deliver credential theft, token capture, or malicious links that look more legitimate than inbox spam. That means security teams need channel-aware controls, not just mail filters and awareness slides. Current guidance from NIST SP 800-63 Digital Identity Guidelines reinforces that identity assurance depends on context, proofing, and authentication strength, not on the channel a message arrives through.

For practitioners, the real risk is that employees often trust messages based on immediacy and familiarity, especially when the content references shipping, payroll, account recovery, or executive requests. That creates a path around traditional email security layers and into identity workflows, where a single compromised session can become a wider account takeover. NHIMG’s research on the New York Times breach shows how identity compromise can spread once attackers gain a foothold, while the DeepSeek breach underscores how exposed secrets and poor control boundaries can amplify the blast radius. In practice, many security teams encounter channel-based phishing only after users have already approved the request, not through proactive detection of the lure itself.

How It Works in Practice

The practical response is to treat phishing as a multi-channel social engineering campaign and to align controls with the places users actually interact. That starts with expanding reporting paths, detections, and user guidance beyond email. If an organisation only monitors mailbox events, it will miss the first contact in SMS, WhatsApp, LinkedIn, X, or consumer messaging apps. A stronger model ties awareness, verification, and incident response to the message source, the requested action, and the identity being targeted.

Teams should build simple verification steps for high-risk requests: confirm payment changes out of band, inspect shortened links before opening them, and require step-up authentication when a message pushes a login, reset, or approval flow. Security operations should also ingest reports from mobile devices and social platforms into the same queue used for email phishing, then correlate them with domain spoofing, impersonation, and account takeover signals. Where possible, integrate detection with identity telemetry so a suspicious text or DM can trigger password resets, token revocation, or session review.

  • Expand reporting channels to include SMS, chat apps, and social media.
  • Use policy-based verification for payments, credential resets, and executive requests.
  • Monitor for impersonation patterns, not just malicious URLs.
  • Link user reports to identity response actions such as token revocation.

For background on how identity compromise compounds across systems, NHIMG’s New York Times breach analysis is useful, and the DeepSeek breach illustrates how quickly exposed access can become operationally damaging. These controls tend to break down in organisations that lack mobile device management, shared reporting workflows, or clear ownership for non-email channels, because attackers simply shift to the least governed route.
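As an added illustration of the shared-queue model described above (example code written for this FAQ, not an NHIMG tool or product): three constructed reports from email, SMS and a LinkedIn DM are normalised into one schema, flagged for shortened links, lookalike domains and wording that pushes a login, reset or approval flow, and correlated by targeted identity so a person hit through several channels surfaces for session review or token revocation. The organisation's domain list, the shortener list and the keyword set are assumptions.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample reports, shaped roughly as each channel would deliver them (not real data).
RAW_REPORTS = [
    {"channel": "email", "reporter": "Alice@example.com",
     "body": "Your payslip is ready, log in at https://examp1e-hr.com/login to view it."},
    {"channel": "sms", "reporter": "alice@example.com",
     "body": "Parcel held at depot. Confirm delivery: https://bit.ly/3abcXYZ"},
    {"channel": "linkedin_dm", "reporter": "bob@example.com",
     "body": "Hi Bob, please approve the MFA prompt we just sent so we can finish your reset."},
]
LEGIT_DOMAINS = {"example.com"}                 # assumed: the organisation's own domains
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}  # assumed: links to expand before acting on them
# Wording that pushes a login, reset or approval flow: the step-up / identity-response trigger.
IDENTITY_FLOW = re.compile(r"\b(log ?in|password|reset|approve|mfa|verify)\b", re.I)

@dataclass
class PhishReport:
    channel: str
    target: str          # identity being targeted; the correlation key across channels
    body: str
    flags: list = field(default_factory=list)
    actions: list = field(default_factory=list)

def looks_like_impersonation(host: str) -> bool:
    # Cheap lookalike test: fold common digit substitutions, then look for a legitimate brand label.
    folded = host.lower().translate(str.maketrans("10", "lo"))
    return host not in LEGIT_DOMAINS and any(d.split(".")[0] in folded for d in LEGIT_DOMAINS)

def triage(raw: dict) -> PhishReport:
    """Normalise one report from any channel into the shared queue schema and flag it."""
    r = PhishReport(raw["channel"], raw["reporter"].lower(), raw["body"])
    for url in re.findall(r"https?://\S+", r.body):
        host = urlparse(url).hostname or ""
        if host in SHORTENERS:
            r.flags.append("shortened-link:" + host)
        elif looks_like_impersonation(host):
            r.flags.append("impersonation:" + host)
    if IDENTITY_FLOW.search(r.body):
        # The lure targets an identity workflow, so the response is identity-layer, not just URL blocking.
        r.flags.append("identity-flow-lure")
        r.actions += ["session-review", "token-revocation"]
    return r

def correlate(reports: list) -> dict:
    """Map each identity reported as targeted through more than one channel to those channels."""
    hits = {}
    for r in reports:
        hits.setdefault(r.target, set()).add(r.channel)
    return {t: sorted(c) for t, c in hits.items() if len(c) > 1}
```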

Common Variations and Edge Cases

Tighter channel controls often increase friction for users and service desks, so organisations must balance convenience against the risk of fast-moving impersonation. There is no universal standard for how much friction to add on consumer messaging platforms, but current guidance suggests that the highest-risk actions should be verified, even if the initial message appears routine.

Some environments need different handling. In customer-facing organisations, social media impersonation may be more common than SMS fraud, so monitoring should emphasise brand abuse, fake support handles, and replayed scam language. In bring-your-own-device environments, endpoint visibility may be limited, so the focus should shift to user reporting, mobile-aware controls, and identity-layer alerts rather than device inspection. In regulated settings, archiving and legal hold requirements can also affect how message evidence is collected and retained.

Security teams should avoid assuming that one training campaign will cover all channels equally. Email, text, and social media each use different urgency cues, and attackers exploit that difference. Best practice is evolving toward channel-specific playbooks, because a suspicious DM on a social platform is handled differently from a spoofed payroll email, even when the underlying goal is the same: getting the user to approve something they should not.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AT | Phishing across channels depends on user training and reporting.
NIST AI RMF | | Risk governance must cover identity abuse through non-email channels.
OWASP Non-Human Identity Top 10 | NHI-01 | Account takeover from phishing often starts with credential or token theft.

Extend awareness training and phishing reporting to SMS, DMs, and social platforms.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org