Why do non-email phishing campaigns increase enterprise risk?

By NHI Mgmt Group Editorial Team Updated June 11, 2026 Domain: Threats, Abuse & Incident Response

They increase risk because they bypass the controls most organisations built around email, while still targeting the same identities and the same SSO-connected applications. That creates more entry paths, less visibility, and a wider blast radius when one account or session is compromised.

Why This Matters for Security Teams

Non-email phishing raises enterprise risk because it attacks the identities, sessions, and approval flows that now sit outside the classic inbox perimeter. Chat platforms, collaboration tools, SMS, QR codes, and social channels can all be used to lure users into granting access or approving actions that look routine. Security teams often overfit controls to email filtering and miss the broader problem: identity compromise is the objective, not the delivery channel.

The risk is amplified where SSO ties many applications to a single sign-in event. One successful lure can cascade into cloud consoles, ticketing systems, code repositories, and finance workflows. NHI Management Group has documented that identity risk is already widespread across non-human and machine-led estates, and the same visibility gap applies when human identities are targeted through non-email paths; see the Ultimate Guide to NHIs — Why NHI Security Matters Now. Current guidance from the NIST Cybersecurity Framework 2.0 supports broad identity and access resilience rather than channel-specific assumptions. In practice, many security teams encounter the abuse path only after a session token has already been reused across multiple apps, rather than through intentional detection of the lure itself.

How It Works in Practice

Non-email phishing works because users authenticate, approve, or share data in places where traditional email security is not operating. Attackers may send a malicious link in a chat message, a fake alert in a collaboration channel, a QR code on a poster or device label, or a text message that pushes the target to a spoofed login page. Once credentials, MFA tokens, or session cookies are captured, the attacker is no longer dependent on the original delivery method.

That changes the defence model. Security teams need controls that follow the identity and the session, not just the message transport. Practical measures include:

  • Phishing-resistant MFA for high-value identities, especially where SSO and privileged access are in play.
  • Conditional access based on device state, location, and risk signals at sign-in time.
  • Session monitoring and rapid revocation when anomalous token use appears.
  • Channel-aware awareness training for chat, SMS, QR, social, and voice lures.
  • Logging that correlates identity events across collaboration tools, IAM, PAM, and SaaS.

This is also where the NHI perspective matters. Attackers routinely pivot from a compromised human identity into API keys, service accounts, and automation workflows. The operational lesson is consistent with NHIMG research such as the Top 10 NHI Issues and the OWASP NHI Top 10: identity compromise rarely stays confined to the original account. These controls tend to break down when organisations treat chat, SMS, and QR channels as low-risk because those channels are not integrated into the same detection and response workflow as email.
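The session-monitoring and cross-tool logging controls listed above are easier to reason about with concrete telemetry in hand. The following Python script is an added illustration, not code from the original page or from NHIMG. It assumes a simplified key=value log format, that the IdP, the chat platform and the SaaS apps all record the same SSO session identifier, and that the first IdP sign-in is the trusted baseline for a session; the log lines themselves are constructed. It correlates events by session and flags a token that is reused from a different IP and client, raising severity when that reuse fans out across several SSO-connected apps within a short window, which is the cascade described in the text.

```python
"""Correlate identity events from several systems by SSO session identifier
and flag anomalous token reuse so the session can be revoked quickly.

Assumptions (this example's own, not from the page): each system emits one
key=value log line per event, all of them carry the same session identifier,
and the first IdP sign-in event is the trusted baseline for that session.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log lines (not real telemetry). Session sess-A1 is signed
# in from a browser, then replayed a few minutes later from a different IP and
# client against three SSO-connected apps; session sess-B7 stays consistent.
SAMPLE_LOG = """\
ts=2026-06-11T09:00:00 source=idp  user=alice session=sess-A1 app=sso           ip=203.0.113.10  ua=Chrome/125
ts=2026-06-11T09:02:00 source=chat user=alice session=sess-A1 app=chat          ip=203.0.113.10  ua=Chrome/125
ts=2026-06-11T09:05:00 source=idp  user=bob   session=sess-B7 app=sso           ip=203.0.113.22  ua=Safari/17
ts=2026-06-11T09:15:00 source=saas user=alice session=sess-A1 app=ticketing     ip=198.51.100.77 ua=python-requests/2.31
ts=2026-06-11T09:16:00 source=saas user=alice session=sess-A1 app=code-repo     ip=198.51.100.77 ua=python-requests/2.31
ts=2026-06-11T09:17:00 source=saas user=alice session=sess-A1 app=cloud-console ip=198.51.100.77 ua=python-requests/2.31
ts=2026-06-11T09:30:00 source=saas user=bob   session=sess-B7 app=finance       ip=203.0.113.22  ua=Safari/17
"""

Fingerprint = Tuple[str, str]  # (ip, user agent)


@dataclass(frozen=True)
class IdentityEvent:
    ts: datetime
    source: str
    user: str
    session: str
    app: str
    ip: str
    ua: str


@dataclass
class SessionAlert:
    user: str
    session: str
    baseline: Fingerprint   # fingerprint seen at the original sign-in
    observed: Fingerprint   # fingerprint of the anomalous reuse
    apps: List[str]         # distinct apps touched with the new fingerprint
    first_seen: datetime
    severity: str
    recommended_action: str = "revoke session and force re-authentication"


def parse_log(text: str) -> List[IdentityEvent]:
    """Parse key=value lines from any source into a time-ordered event list."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        events.append(IdentityEvent(
            ts=datetime.fromisoformat(kv["ts"]), source=kv["source"],
            user=kv["user"], session=kv["session"], app=kv["app"],
            ip=kv["ip"], ua=kv["ua"]))
    return sorted(events, key=lambda e: e.ts)


def detect_session_drift(events: List[IdentityEvent],
                         window: timedelta = timedelta(minutes=10),
                         min_apps: int = 2) -> List[SessionAlert]:
    """Flag sessions whose token is used from a fingerprint other than the
    sign-in fingerprint. Severity is 'high' when the drifted fingerprint
    reaches at least min_apps distinct apps inside the window."""
    by_session: Dict[str, List[IdentityEvent]] = defaultdict(list)
    for e in events:
        by_session[e.session].append(e)

    alerts = []
    for session, evs in by_session.items():
        baseline: Fingerprint = (evs[0].ip, evs[0].ua)
        drifted: Dict[Fingerprint, List[IdentityEvent]] = defaultdict(list)
        for e in evs[1:]:
            if (e.ip, e.ua) != baseline:
                drifted[(e.ip, e.ua)].append(e)
        for fp, fp_evs in drifted.items():
            first = fp_evs[0].ts
            apps = sorted({e.app for e in fp_evs if e.ts - first <= window})
            alerts.append(SessionAlert(
                user=fp_evs[0].user, session=session, baseline=baseline,
                observed=fp, apps=apps, first_seen=first,
                severity="high" if len(apps) >= min_apps else "medium"))
    return alerts


if __name__ == "__main__":
    for a in detect_session_drift(parse_log(SAMPLE_LOG)):
        print(f"[{a.severity}] {a.user} {a.session}: {a.baseline} -> {a.observed} "
              f"touched {a.apps} from {a.first_seen:%H:%M}; action: {a.recommended_action}")
```

The point of keying on the session identifier rather than on the message source is that the chat lure, the SMS lure and the QR lure all converge on the same sign-in event; once that event's fingerprint is the baseline, the detection does not care which channel delivered the lure. In a real deployment the baseline would come from the IdP's own sign-in record and the window and app threshold would be tuned against normal SSO fan-out.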

Common Variations and Edge Cases

Tighter anti-phishing controls often increase user friction and operational overhead, requiring organisations to balance stronger assurance against faster business workflows. That tradeoff is especially visible in environments with frequent external collaboration, frontline mobile work, or shared-device access, where static policies can block legitimate activity as often as they stop malicious activity.

Guidance is evolving on how much weight to place on each non-email channel. Best practice is not universal yet for consumer messaging apps, contractor portals, or voice-based social engineering, because telemetry and enforcement differ by platform. Some environments also face a separate problem: QR-based lures can bypass endpoint email controls entirely while still landing on managed devices, so the issue is not the medium but the resulting authentication event.

The most important edge case is when a single compromised identity can trigger high-trust downstream automation. In those settings, a phishing event may not look severe at first, but it can create persistent access through OAuth grants, delegated admin rights, or linked service accounts. Enterprises that rely on the identity plane should treat non-email phishing as an enterprise access problem, not a user-awareness problem. The general risk pattern is well described in the Ultimate Guide to NHIs — Key Challenges and Risks, where weak identity governance expands blast radius across connected systems.
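Because persistent access through OAuth grants is the edge case the paragraph above singles out, the following Python script shows one way a defender can score consent grants for that risk and tie them back to a suspected phishing sign-in. It is an added example, not code from the original page or from NHIMG. It assumes consent grants are available as records carrying user, client, scopes, timestamp and publisher-verification status, and that suspected sign-in times come from a separate session-anomaly detection; the scope names are generic placeholders rather than any vendor's, and the grant records are constructed.

```python
"""Score OAuth consent grants for persistence risk after a suspected phishing
sign-in, so that grants created in the aftermath are reviewed or revoked.

Assumptions (this example's own, not from the page): consent grants are
available as records with user, client, scopes, timestamp and publisher
verification status; suspected sign-in times come from a separate session
anomaly detection. Scope names are generic placeholders, not any vendor's.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List

PERSISTENCE_SCOPES = {"offline_access"}  # refresh token: access outlives the session
HIGH_PRIVILEGE_HINTS = ("admin", "readwrite.all", "directory", "full_access")


@dataclass(frozen=True)
class OAuthGrant:
    user: str
    client_id: str
    client_name: str
    scopes: FrozenSet[str]
    granted_at: datetime
    client_verified: bool  # publisher verified in the app registry


@dataclass
class GrantFinding:
    grant: OAuthGrant
    score: int
    reasons: List[str]
    recommended_action: str


# Constructed sample data (not real grants). alice had a suspected phishing
# sign-in at 09:15; six minutes later an unverified app obtained broad
# mailbox/file scopes plus a refresh token.
SUSPECT_SIGNINS: Dict[str, datetime] = {"alice": datetime(2026, 6, 11, 9, 15)}

SAMPLE_GRANTS = [
    OAuthGrant("alice", "app-111", "Calendar Helper", frozenset({"calendars.read"}),
               datetime(2026, 6, 11, 8, 0), True),
    OAuthGrant("alice", "app-999", "Mailbox Sync Tool",
               frozenset({"offline_access", "mail.readwrite.all", "files.readwrite.all"}),
               datetime(2026, 6, 11, 9, 21), False),
    OAuthGrant("bob", "app-222", "Notes", frozenset({"offline_access", "notes.read"}),
               datetime(2026, 6, 11, 10, 0), True),
]


def score_grant(grant: OAuthGrant, suspect_signins: Dict[str, datetime],
                window: timedelta = timedelta(hours=1)) -> GrantFinding:
    """Additive risk score: persistence, privilege, unverified publisher, and
    proximity to a suspected phishing sign-in each contribute."""
    score, reasons = 0, []
    if grant.scopes & PERSISTENCE_SCOPES:
        score += 2
        reasons.append("refresh token requested: access survives session revocation")
    privileged = sorted(s for s in grant.scopes
                        if any(h in s.lower() for h in HIGH_PRIVILEGE_HINTS))
    if privileged:
        score += 3
        reasons.append(f"high-privilege scopes: {privileged}")
    if not grant.client_verified:
        score += 2
        reasons.append("unverified publisher")
    t = suspect_signins.get(grant.user)
    if t is not None and timedelta(0) <= grant.granted_at - t <= window:
        score += 4
        reasons.append(f"granted {(grant.granted_at - t).seconds // 60} min "
                       "after suspected phishing sign-in")
    if score >= 6:
        action = "revoke grant and its refresh tokens, then re-verify the user"
    elif score >= 3:
        action = "review with application owner"
    else:
        action = "none"
    return GrantFinding(grant, score, reasons, action)


def audit_grants(grants: List[OAuthGrant],
                 suspect_signins: Dict[str, datetime]) -> List[GrantFinding]:
    """Score every grant and return findings ordered by descending risk."""
    return sorted((score_grant(g, suspect_signins) for g in grants),
                  key=lambda f: -f.score)


if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS, SUSPECT_SIGNINS):
        print(f"{f.grant.user} {f.grant.client_id} ({f.grant.client_name}) "
              f"score={f.score} action={f.recommended_action}")
        for r in f.reasons:
            print("   -", r)
```

Revoking the SSO session alone does not close this case: the refresh token issued to the unverified app keeps working until the grant itself is revoked, which is why the highest-scoring action names both. The weights are illustrative; what matters for the text's argument is that the grant's timing relative to the suspicious sign-in is a stronger signal than any single scope.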

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-1 | Non-email phishing succeeds by abusing identity assurance across channels.
OWASP Non-Human Identity Top 10 | NHI-01 | Compromised identities often lead to secret and token misuse after phishing.
NIST AI RMF | | Risk governance must account for cross-channel social engineering and downstream impact.

Map phishing-driven identity risk into AI and automation oversight, monitoring, and incident response.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org