Multichannel phishing is social engineering delivered across email, chat, social media, SMS, or collaboration tools instead of one inbox. The attacker uses whatever channel feels most familiar to the victim, which makes the request harder to scrutinise and increases the chance of credential theft, approval abuse, or fraudulent payment.
Expanded Definition
Multichannel phishing is not a separate technical exploit so much as a coordination tactic that spreads the same fraudulent intent across multiple communication surfaces. Rather than relying on one inbox, the attacker chooses the channel most likely to lower scepticism, such as a work email followed by a chat message, a text message, or a social platform direct message. The purpose is to create familiarity, urgency, and continuity, so the target experiences the request as routine even when the content is malicious. In practice, this sits at the intersection of social engineering, identity impersonation, and workflow abuse, which is why it is especially effective in environments that depend on rapid approvals and distributed collaboration. The NIST Cybersecurity Framework 2.0 is useful here because it frames governance, awareness, and protective controls around real operating conditions rather than a single delivery mechanism. Industry usage is still evolving, and some vendors treat “multichannel” as an umbrella for omnichannel delivery, while others reserve it for attacks that deliberately switch channels after initial contact. The most common misapplication is assuming a message is safe because it arrived in a trusted business app, which occurs when users verify the channel but not the sender or the requested action.
Examples and Use Cases
Implementing defences against multichannel phishing rigorously often introduces friction in everyday communications, requiring organisations to weigh faster collaboration against stronger verification.
- A finance attacker sends a convincing invoice by email, then follows up in a chat tool pretending to be the same supplier and asking for an urgent payment change.
- A help desk target receives a password reset lure by SMS after first seeing a spoofed login alert in email, increasing the chance of credential theft.
- An executive assistant gets a calendar invite, then a direct message requesting a gift card purchase or wire transfer approval, using channel switching to reinforce legitimacy.
- A contractor sees a file-share notification in a collaboration platform and is then prompted in a separate message to re-authenticate through a fake portal that captures secrets and session tokens.
- A security team uses guidance from OWASP and awareness content aligned to CISA phishing guidance to train staff on cross-channel verification before approving requests.
These scenarios are most damaging when the attacker can mimic existing workflows and exploit legitimate urgency, such as vendor payment changes, account recovery, or executive support requests. The challenge is not only message content but also the sequence of interactions across tools, which can make the request appear corroborated.
Why It Matters for Security Teams
Multichannel phishing matters because defenders often harden one channel while leaving adjacent channels under-governed. That creates gaps between email security, collaboration platform controls, mobile device protections, and identity verification steps. For security teams, the operational issue is that trust is usually transferred across channels faster than it is validated, so a message that starts in one medium can be reinforced in another before anyone checks the request against policy. This is where identity security becomes central: if a request can trigger password resets, MFA prompts, payment approvals, or access changes, then phishing becomes an identity abuse problem as much as a messaging problem. Controls should therefore focus on verification procedures, privileged request handling, and user reporting paths, not just detection. The NIST Cybersecurity Framework 2.0 supports that view by tying awareness and protective measures to governance and response outcomes, while ISO/IEC 27001 reinforces the need for consistent control design across channels. Organisations typically encounter the full impact only after a payment diversion, account takeover, or help desk compromise, at which point multichannel phishing becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AT | Awareness and training reduce success of cross-channel social engineering. |
| NIST SP 800-53 Rev 5 | IA-2 | Authentication controls help block stolen credentials from phishing flows. |
| NIST SP 800-63 | IAL2 | Identity proofing supports higher assurance for recovery and change requests. |
Train users to verify requests across channels before acting on sensitive changes.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org