Email Security Blog

Dually Deceptive: Two New Phishing Scams Swimming by Your SEG

There is a lot of truth to the old saying, “there are plenty of fish in the sea”, especially when it comes to phishing threats. New and unique phishing scams arise constantly. In fact, APWG, a U.S.-based international cybercrime coalition, counted 139,685 unique phishing threats in 1Q20 alone.1 Sadly, these cyberattacks are more sophisticated, targeted, and illusive than ever before.

Whether you’re a business owner, IT manager, or company CEO, it’s always a good idea to understand the complexity of the latest phishing scams so that you can assess the threat level and ensure you have the necessary email security solutions in place to protect your organization.

One of the latest in a series of phishing super-threats involve invisible characters—also commonly referred to as Zero Font or Hidden Text. So, what’s the problem with thee invisible characters? The hidden text embedded into an email displays text to the end user, while simultaneously fooling Secure Email Gateways (SEGs) into thinking it’s a legitimate email…which is why the phish gets delivered straight to your inbox!

While INKY is always catching hidden text phishing emails, we recently blocked a threat that’s in a class of its own. You see, while most attackers use HTML and CSS tricks to make their text invisible to SEGs searching for anything that seems suspicious, this latest threat was dually deceptive. On top of the HTML/CSS trickery, this hacker embedded a second level of deceit using Unicode Soft Hyphens.

Given the fact that the majority of the world doesn’t speak in programming language, let’s take a moment to understand what this means.


HTML (Hypertext Markup Language) and CSS (Cascading Style Sheets) are two of the core technologies for building Web pages and Web Applications. HTML is the language that provides the structure of the page, while CSS is the language that describes the layout of the page, including colors, fonts, and page displays. Unicode, in the IT world, is the standard language used by programmers worldwide. With Unicode, a unique number is assigned to every character, symbol, or letter so that regardless of what language you speak or what platform you use, the wording comes out the same.

That said, let’s break it down again. When the recipient can see in this email is clear, however what went on behind the scenes got complicated! Layer one of this new phishing deception used HTML and CSS styles to hide the phrase Office 365, which is a term most SEGs will flag as potential phishing. This alone is pretty sophisticated programming, and is what you might expect from a phishing attempt. However, the bad guy in this case really piled it on. Layer two of the deception used Unicode’s Soft Hyphen symbol. The Soft Hyphen symbol is what Unicode uses to break words across lines by inserting visible hyphens. Behind the scenes it’s being read as a legitimate character, however the hacker can use soft hyphens to hide words that word normally sound an alarm – words like Password and Expiring.


Complicated? Yes.

It’s rare to see this sort of dually deceptive phishing scam.

Dangerous? Yes.

Cybercrimes like this were responsible for $3.5 billion in losses in 2019.2

Preventable? Yes.

If there is one thing that any organization that is in the business of fighting cybercrime will tell you, today’s level of phishing threats clearly call for prevention and protection, not remediation. INKY® is a cloud-based email security service designed to catch everything, including spam, malware, phishing threats, and certainly hidden text. INKY® uses intelligent machine learning algorithms to catch abnormalities in emails that SEGs can’t detect, even if the threat has never been seen before. INKY is compatible with every email platform and installs in no time.

Learn more about this dually deceptive phishing threat by reading INKY’s latest eGuide: Understanding Phishing: Invisible Characters and scheduling a free demonstration.


INKY® is the emerging hero in the war against phishing. An award-winning cloud-based email security solution, INKY® prevents the most complex phishing threats from disrupting or even immobilizing your company’s day-to-day business operations. Using computer vision, artificial intelligence, and machine learning, INKY® is the smartest investment you can make in the security of your organization. INKY® is a proud winner of the NYCx Cybersecurity Moonshot Challenge and finalist in the 2020 RSAC Innovation Sandbox Competition. Learn more about INKY® or request an online demonstration today.