Experts warn of PDFs used as bait in phishing emails
PDF has been a frequently used document format for reports, quotes and invoices for many years, as it can be read on almost any device. However, the team of experts at Cisco Talos warns in a recent blog post that cyber criminals are increasingly using PDFs for brand impersonation in advanced phishing emails.

In recent months, the phenomenon of hackers imitating well-known brands has become particularly widespread. They use this social engineering technique to trick email recipients into divulging confidential information. Experts from Cisco Talos are once again warning against this.
Phishing via the telephone
One dangerous trend is TOAD (Telephone-Oriented Attack Delivery), also known as "callback phishing". In this scenario, the victim receives an email with a PDF file containing a telephone number. When calling this number, the victim is connected to a person who pretends to be a representative of a bank, a technology company or a security department, for example. They try to persuade the victim to disclose data or install malware.
Criminals often use VoIP, as it is much more difficult to trace a VoIP number back to a specific person or physical location. Cisco Talos has discovered cases where the same numbers have been used for several consecutive days. The reuse of phone numbers offers certain logistical advantages to fraudsters. It enables constant contact in multi-stage social engineering attacks, allows callbacks to be scheduled and thus makes the impersonated brand appear legitimate to the victims. It also reduces costs, especially if the VoIP service is paid for.
QR codes, annotations and other forms of PDF data
QR phishing (or quishing) is another growing fraud method: criminals place a QR code in a PDF file which, when scanned, directs the victim to a phishing website. These websites often use CAPTCHA security features to avoid automatic analysis by cybersecurity tools. In addition, the entire email content is often only in the attachment and is displayed to the victim immediately after opening the message. This makes it difficult for email filtering systems to detect the cyber threat. In such cases, detection mechanisms based on text analysis are ineffective. Only OCR (Optical Character Recognition) technology can detect the cyberattack. However, this is associated with high costs and a certain risk of error.
Not only can text and images be integrated into PDFs, but comments, annotations and forms can also be created. These hidden elements are sometimes used by hackers to embed links to malicious websites. Shortened links are often used here, which are more difficult to check. Documents can also contain hidden information to fool anti-spam systems.
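As an added illustration (not code from Cisco Talos or from the original article), the following Python sketch shows how a mail-filtering step could list the link targets stored in PDF annotations and flag shortened links. It also inflates Flate-compressed streams, because a plain byte scan misses annotations stored there. The shortener list, the function names and the sample document are assumptions constructed for this example.

```python
import re
import zlib
from urllib.parse import urlsplit

# Assumed, non-exhaustive shortener hosts; maintain your own list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# /URI (literal string) in a link action; hex strings <...> are not handled.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\()])*)\)")

def inflate_streams(pdf: bytes) -> bytes:
    """Return the raw file plus every stream zlib can inflate (FlateDecode)."""
    parts = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # other filter, image data or encrypted content
    return b"\n".join(parts)

def extract_uris(pdf: bytes) -> list[str]:
    """Unique /URI targets, including those inside compressed object streams."""
    hits = URI_RE.finditer(inflate_streams(pdf))
    found = (re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1") for m in hits)
    return list(dict.fromkeys(found))  # de-duplicate, keep first-seen order

def triage(pdf: bytes) -> list[tuple[str, bool]]:
    """Pair each URI with True when its host is a listed shortener."""
    results = []
    for uri in extract_uris(pdf):
        try:
            host = (urlsplit(uri).hostname or "").lower()
        except ValueError:  # malformed authority, e.g. a broken IPv6 literal
            host = ""
        results.append((uri, host in SHORTENERS))
    return results

# Constructed sample: one visible link annotation, one hidden in an object stream.
_HIDDEN = b"<< /Subtype /Link /A << /S /URI /URI (https://bit.ly/EXAMPLE) >> >>"
SAMPLE_PDF = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://www.example.com/invoice) >> >>\nendobj\n"
    b"2 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(_HIDDEN) + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for uri, shortened in triage(SAMPLE_PDF):
        print("SHORTENED" if shortened else "direct   ", uri)
```

A flagged shortener is only a triage signal: the final destination still has to be resolved and checked in a sandboxed fetcher, and encrypted PDFs need a full parser.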
The most frequently counterfeited brands
Using the Brand Impersonation Detection Engine included in the Cisco Secure Email Threat Defense solution, Cisco Talos has determined the following results: Between May 5 and June 5, 2025, Microsoft and PayPal were among the most impersonated brands in phishing emails with PDF attachments. The most frequently spoofed brands in TOAD emails with PDF attachments were NortonLifeLock, Docusign and Geek Squad. The origin of the corresponding attacks was distributed worldwide during this period, from the USA and Europe to Asia and the Pacific region.
Protection against brand impersonation
"Brand impersonation is a common social engineering technique and is constantly used by attackers for various types of email threats," explains Thorsten Rosendahl, Technical Leader at Cisco Talos. "Therefore, a brand impersonation detection engine plays a crucial role in the defense against cyber attacks."
Cisco Talos uses a wide range of AI-based solutions to detect this type of threat to digital networks and protect customers. They range from rule-based engines to advanced machine learning systems. As phishing methods become more sophisticated, user awareness and advanced detection technologies are becoming increasingly important.