New email scam uses hidden characters to slip past filters

Cybercriminals support uncovering caller angles to get your attention, and email remains 1 of their favourite tools. Over the years, you person astir apt seen everything from fake courier notices to AI-generated scams that consciousness amazingly polished. Filters person improved, but attackers person learned to adapt. The latest method takes purpose astatine thing you seldom deliberation about: the taxable enactment itself. Researchers person recovered a method that hides tiny, invisible characters wrong the taxable truthful automated systems neglect to emblem the message. It sounds subtle, but it is rapidly becoming a superior problem.

Sign up for my FREE CyberGuy Report
Get my champion tech tips, urgent information alerts, and exclusive deals delivered consecutive to your inbox. Plus, you’ll get instant entree to my Ultimate Scam Survival Guide - escaped erstwhile you articulation my CYBERGUY.COM newsletter.

NEW SCAM SENDS FAKE MICROSOFT 365 LOGIN PAGES

Cybercriminals are utilizing invisible Unicode characters to disguise phishing email taxable lines, allowing unsafe scams to gaffe past filters. (Photo by Donato Fasano/Getty Images)

How the caller instrumentality works

Researchers precocious uncovered phishing campaigns that embed brushed hyphens betwixt each missive of an email subject. These are invisible Unicode characters that usually assistance with substance formatting. They bash not amusement up successful your inbox, but they wholly propulsion disconnected keyword-based filters. Attackers usage MIME encoded-word formatting to gaffe these characters into the subject. By encoding it successful UTF-8 and Base64, they tin weave these hidden characters done the full phrase.

One analyzed email decoded to "Your Password is About to Expire" with a brushed hyphen tucked betwixt each character. To you, it looks normal. To a information filter, it looks scrambled, with nary wide keyword to match. The attackers past usage the aforesaid instrumentality successful the assemblage of the email, truthful some layers descent done detection. The nexus leads to a fake login leafage sitting connected a compromised domain, designed to harvest your credentials.

If you person ever tried spotting a phishing email, this 1 inactive follows the accustomed script. It builds urgency, claims thing is astir to expire and points you to a login page. The quality is successful however neatly it dodges the filters you trust.

Why this phishing method is ace dangerous

Most phishing filters trust connected signifier recognition. They look for suspicious words, communal phrases and structure. They besides scan for known malicious domains. By splitting each quality with invisible symbols, attackers interruption up these patterns. The substance becomes readable for you but unreadable for automated systems. This creates a quiescent loophole wherever aged phishing templates abruptly go effectual again.

The worrying portion is however casual this method is to copy. The tools needed to encode these messages are wide available. Attackers tin automate the process and churn retired bulk campaigns with small other effort. Since the characters are invisible successful astir email clients, adjacent tech-savvy users bash not announcement thing unusual astatine archetypal glance.

Security researchers constituent retired that this method has appeared successful email bodies for years, but utilizing it successful the taxable enactment is little common. That makes it harder for existing filters to catch. Subject lines besides play a cardinal relation successful shaping your archetypal impression. If the taxable looks acquainted and urgent, you are much apt to unfastened the email, which gives the attacker a caput start.

How to spot a phishing email earlier you click

Phishing emails often look legitimate, but the links wrong them archer a antithetic story. Scammers fell unsafe URLs down familiar-looking text, hoping you volition click without checking. One harmless mode to preview a nexus is by utilizing a backstage email work that shows the existent destination earlier your browser loads it.

Our top-rated backstage email supplier proposal includes malicious nexus extortion that reveals afloat URLs earlier opening them. This gives you a wide presumption of wherever a nexus leads earlier thing tin harm your device. It besides offers beardown privateness features similar nary ads, nary tracking, encrypted messages and unlimited disposable aliases.

For recommendations connected backstage and unafraid email providers, visit Cyberguy.com

PAYROLL SCAM HITS US UNIVERSITIES AS PHISHING WAVE TRICKS STAFF

A caller phishing method hides brushed hyphens wrong taxable lines, scrambling keyword detection portion appearing mean to users. (Photo by Silas Stein/picture confederation via Getty Images)

9 steps you tin instrumentality to support yourself from this phishing scam

You bash not request to go a information adept to enactment safe. A fewer habits, paired with the close tools, tin unopen down astir phishing attempts earlier they person a accidental to work.

1) Use a password manager

A password manager helps you make strong, unsocial passwords for each account. Even if a phishing email fools you, the attacker cannot usage your password elsewhere due to the fact that each 1 is different. Most password managers besides pass you erstwhile a tract looks suspicious.

Next, spot if your email has been exposed successful past breaches. Our #1 password manager (see Cyberguy.com) prime includes a built-in breach scanner that checks whether your email code oregon passwords person appeared successful known leaks. If you observe a match, instantly alteration immoderate reused passwords and unafraid those accounts with new, unsocial credentials. 

Check retired the champion expert-reviewed password managers of 2025 at Cyberguy.com.

2) Enable two-factor authentication

Turning connected 2FA adds a 2nd measurement to your login process. Even if idiosyncratic steals your password, they inactive request the verification codification connected your phone. This stops astir phishing attempts from going immoderate further.

3) Install a reliable antivirus software

Strong antivirus bundle does much than scan for malware. Many tin emblem unsafe pages, artifact suspicious redirects and pass you earlier you participate your details connected a fake login page. It is simply a elemental furniture of extortion that helps a batch erstwhile an email slips past filters.

The champion mode to safeguard yourself from malicious links that instal malware, perchance accessing your backstage information, is to person beardown antivirus bundle installed connected each your devices. This extortion tin besides alert you to phishing emails and ransomware scams, keeping your idiosyncratic accusation and integer assets safe.

Get my picks for the champion 2025 antivirus extortion winners for your Windows, Mac, Android & iOS devices at Cyberguy.com.

4) Limit your idiosyncratic information online

Attackers often tailor phishing messages utilizing accusation they find astir you. Reducing your integer footprint makes it harder for them to trade emails that consciousness convincing. You tin usage idiosyncratic information removal services to cleanable up exposed details and aged database leaks.

While nary work tin warrant the implicit removal of your information from the internet, a information removal work is truly a astute choice. They aren't cheap, and neither is your privacy. These services bash each the enactment for you by actively monitoring and systematically erasing your idiosyncratic accusation from hundreds of websites. It's what gives maine bid of caput and has proven to beryllium the astir effectual mode to erase your idiosyncratic information from the internet. By limiting the accusation available, you trim the hazard of scammers cross-referencing information from breaches with accusation they mightiness find connected the acheronian web, making it harder for them to people you.

AI FLAW LEAKED GMAIL DATA BEFORE OPENAI PATCH

Researchers pass that attackers are bypassing email defenses by manipulating encoded taxable lines with unseen characters. (Photo by Lisa Forster/picture confederation via Getty Images)

Check retired my apical picks for information removal services and get a escaped scan to find retired if your idiosyncratic accusation is already retired connected the web by visiting Cyberguy.com.

Get a escaped scan to find retired if your idiosyncratic accusation is already retired connected the web: Cyberguy.com

5) Check sender details carefully

Do not trust connected the show name. Always cheque the afloat email address. Attackers often tweak domain names by a azygous missive oregon symbol. If thing feels off, unfastened the tract manually alternatively of clicking immoderate nexus wrong the email.

6) Never reset passwords done email links

If you get an email claiming your password volition expire, bash not click the link. Go to the website straight and cheque your relationship settings. Phishing emails trust connected urgency. Slowing down and confirming the contented yourself removes that pressure.

7) Keep your bundle and browser updated

Updates often see information fixes that assistance artifact malicious scripts and unsafe redirects. Attackers instrumentality vantage of older systems due to the fact that they are easier to trick. Staying updated keeps you up of known weaknesses.

8) Turn connected precocious spam filtering oregon "strict" filtering

Many email providers (Gmail, Outlook, Yahoo) let you to tighten spam filtering settings. This won't drawback each soft-hyphen scam, but it improves your likelihood and reduces risky emails overall.

9) Use a browser with anti-phishing protection

Chrome, Safari, Firefox, Brave, and Edge each see anti-phishing checks. This adds different information nett if you accidentally click a atrocious link.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Kurt's cardinal takeaway

Phishing attacks are changing fast, and tricks similar invisible characters amusement however originative attackers are getting. It's harmless to accidental filters and scanners are besides improving, but they cannot drawback everything, particularly erstwhile the substance they spot is not the aforesaid arsenic what you see. Staying harmless comes down to a premix of bully habits, the close tools, and a small skepticism whenever an email pushes you to enactment quickly. If you dilatory down, double-check the details, and travel the steps that fortify your accounts, you marque it overmuch harder for anyone to fool you.

Do you spot your email filters, oregon bash you double-check suspicious messages yourself? Let america cognize by penning to america at Cyberguy.com.

Sign up for my FREE CyberGuy Report
Get my champion tech tips, urgent information alerts, and exclusive deals delivered consecutive to your inbox. Plus, you’ll get instant entree to my Ultimate Scam Survival Guide - escaped erstwhile you articulation my CYBERGUY.COM newsletter.

Copyright 2025 CyberGuy.com.  All rights reserved.