• Phishing emails carrying PDF attachments are on the rise, report warns
• Check Point highlights how hackers love PDFs for customization
• Social engineering attacks using PDFs are also on the rise

At least one in every five phishing emails carries a .PDF attachment, researchers are saying, warning that the popular file format is being increasingly used in social engineering attacks.

A new report from Check Point Research claims PDF-based attacks now account for 22% of all malicious email attachments, making them particularly concerning for businesses sharing large quantities of these files every day.

In earlier years, many of the attacks relied on JavaScript or other dynamic content being embedded within the files. While this approach is still seen in the wild, it has become less common, since JavaScript-based attacks tend to be “noisy” and easier to detect by security solutions.

Email remains one of the most popular attack vectors out there, with more than two-thirds (68%) of cyberattacks beginning this way.

Monitor your credit score with TransUnion starting at $29.95/month

TransUnion is a credit monitoring service that helps you stay on top of your financial health. With real-time alerts, credit score tracking, and identity theft protection, it ensures you never miss important changes. You’ll benefit from a customizable online interface with clear insights into your credit profile. Businesses also benefit from TransUnion’s advanced risk assessment tools.

Preferred partner (What does this mean?)

View Deal

Customizing the link

Today, cybercriminals are pivoting towards a simpler, more effective approach, Check Point says – social engineering.

Generally speaking, the attacks don’t differ much from your usual phishing email. The PDF attachment would serve as a launch pad, often carrying a link that would redirect a person to a malicious landing page or a website hosting malware.

That way, the malicious links are hidden from security filters, making sure the files are received straight to the inbox.

Furthermore, placing the link in a PDF gives the attackers full control – they can change the text, the image, or any other aspect of the link, making it more trustworthy.

The files are often designed to mimic trusted brands like Amazon, DocuSign, or Acrobat Reader.

“Even though these attacks involve human interaction (the victim must click the link), this is often an advantage for attackers, as sandboxes and automated detection systems struggle with tasks that require human decision-making,” Check Point concluded.

You might also like

• Private API keys and passwords found in AI training dataset – nearly 12,000 details leaked
• We’ve rounded up the best password managers
• Take a look at our guide to the best authenticator app