New email scam uses hidden characters to bypass filters
Cybercriminals continue to find new angles to get your attention, and email remains one of their favorite tools. Over the years, you’ve probably seen everything from fake messaging ads to AI-generated scams that look surprisingly refined. Filters have improved, but attackers have learned to adapt. The latest technique targets something you rarely think about: the subject line itself. Researchers have found a method that hides small, invisible characters within the subject line so that automated systems fail to flag the message. It sounds subtle, but it is quickly becoming a serious problem.

Cybercriminals use invisible Unicode characters to disguise the subject lines of phishing emails, allowing dangerous scams to escape filters. (Photo by Donato Fasano/Getty Images)
How the new trick works
Researchers recently discovered phishing campaigns that insert soft hyphens between each letter of an email subject. These are invisible Unicode characters that typically help with text formatting. They don’t appear in your inbox, but they defeat keyword-based filters entirely. Attackers use the MIME encoded-word format to insert these characters into the subject. By encoding it in UTF-8 and Base64, they can weave these hidden characters throughout the sentence.
One email analyzed decoded to “Your password is about to expire” with a soft hyphen between each character. It looks normal to you. To a security filter, it looks scrambled, with no clear keyword to match. Attackers then use the same trick on the body of the email, so both layers go unnoticed. The link leads to a fake login page hosted on a compromised domain, designed to harvest your credentials.
If you’ve ever spotted a phishing email, this one follows the usual script. It creates urgency, states that something is about to expire, and directs you to a login page. The difference is how well it avoids the filters you trust.
Why this phishing technique is super dangerous
Most phishing filters are based on pattern recognition. They look for suspicious words, common phrases and structures. They also scan for known malicious domains. By separating each character with invisible symbols, attackers break these patterns. The text stays readable to you but becomes unreadable to automated systems. This creates a silent loophole where old phishing templates suddenly become effective again.
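The normalization a filter needs before keyword matching, shown as an added example (not code from the article or the researchers it cites): it decodes the MIME encoded-word subject described under "How the new trick works", removes Unicode format characters such as the soft hyphen (U+00AD), and only then matches keywords. The keyword list, the 0.2 ratio threshold and the sample header are assumptions constructed for illustration.

```python
import base64
import unicodedata
from email.header import decode_header, make_header

# Assumed keyword list; a real filter would use its own rules.
KEYWORDS = ("password", "expire", "verify your account")
# Assumed threshold: share of invisible characters that marks a subject as suspicious.
INVISIBLE_RATIO_LIMIT = 0.2

# Constructed sample: the subject quoted in the article with U+00AD between
# characters, wrapped as a MIME encoded-word (UTF-8, Base64).
_obfuscated = "\u00ad".join("Your password is about to expire")
SAMPLE_SUBJECT = (
    "=?UTF-8?B?" + base64.b64encode(_obfuscated.encode("utf-8")).decode("ascii") + "?="
)


def decode_subject(raw: str) -> str:
    """Decode RFC 2047 encoded-words into the text a mail client would render."""
    return str(make_header(decode_header(raw)))


def strip_invisible(text: str) -> tuple[str, int]:
    """Drop Unicode format characters (category Cf: soft hyphen, zero-width
    space/joiner, BOM, ...) and report how many were removed."""
    kept = [ch for ch in text if unicodedata.category(ch) != "Cf"]
    return "".join(kept), len(text) - len(kept)


def inspect_subject(raw: str) -> dict:
    decoded = decode_subject(raw)
    # What a filter sees if it matches on the decoded text without normalizing.
    naive_hits = [k for k in KEYWORDS if k in decoded.casefold()]
    # NFKC folds look-alike compatibility forms; Cf stripping removes the padding.
    cleaned, removed = strip_invisible(unicodedata.normalize("NFKC", decoded))
    hits = [k for k in KEYWORDS if k in cleaned.casefold()]
    return {
        "cleaned": cleaned,
        "invisible_count": removed,
        "naive_hits": naive_hits,
        "normalized_hits": hits,
        # A high share of invisible characters is a signal on its own; a ratio
        # is used because a few joiners are normal in emoji sequences.
        "suspicious": removed / max(len(decoded), 1) > INVISIBLE_RATIO_LIMIT,
    }


if __name__ == "__main__":
    print(inspect_subject(SAMPLE_SUBJECT))
```

The same normalization applies to body text, since the article notes the trick is used there as well.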
The worrying thing is how easy it is to copy this method. The tools necessary to encode these messages are widely available. Attackers can automate the process and generate massive campaigns with little additional effort. Since the characters are invisible in most email clients, even tech-savvy users won’t notice anything strange at first glance.
Security researchers note that this method has appeared in email bodies for years, but using it in the subject line is less common. That makes it harder for existing filters to detect. Subject lines also play a key role in shaping your first impression. If the subject seems familiar and urgent, you are more likely to open the email, giving the attacker an advantage.
How to spot a phishing email before you click
Phishing emails often look legitimate, but the links they contain tell a different story. Scammers hide dangerous URLs behind familiar-looking text, hoping you’ll click without verifying. A safe way to preview a link is to use a private email service that displays the actual destination before the browser loads it.
Our top-rated private email provider recommendation includes malicious link protection that reveals full URLs before opening them. This gives you a clear view of where a link leads before anything can damage your device. It also offers strong privacy features like no ads, no tracking, encrypted messages, and unlimited disposable aliases.
For recommendations on private and secure email providers, visit Cyberguy.com

A new phishing method hides soft hyphens within subject lines, making it difficult to detect keywords and appearing normal to users. (Photo by Silas Stein/Picture Alliance via Getty Images)
9 steps you can take to protect yourself from this phishing scam
You don’t need to become a security expert to stay safe. A few habits, combined with the right tools, can stop most phishing attempts before they have a chance to work.
1) Use a password manager
A password manager helps you create strong, unique passwords for each account. Even if a phishing email tricks you, the attacker can’t use your password anywhere else because each one is different. Most password managers also warn you when a site looks suspicious.
Next, check to see if your email has been exposed in previous breaches. Our number one password manager (see Cyberguy.com) includes a built-in breach scanner that checks to see if your email address or passwords have appeared in known breaches. If you discover a match, immediately change any reused passwords and protect those accounts with new, unique credentials.
Check out the best expert-reviewed password managers of 2025 at Cyberguy.com.
2) Enable two-factor authentication
Enabling 2FA adds a second step to your login process. Even if someone steals your password, you’ll still need the verification code on your phone. This prevents most phishing attempts from going forward.
3) Install reliable antivirus software
Powerful antivirus software does more than scan for malware. Many can flag unsafe pages, block suspicious redirects, and warn you before entering your details on a fake login page. It’s a simple layer of protection that helps a lot when an email gets past filters.
The best way to protect yourself from malicious links that install malware and potentially access your private information is to have powerful antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.
Get my picks for the best antivirus protection winners of 2025 for your Windows, Mac, Android, and iOS devices at Cyberguy.com.
4) Limit your personal data online
Attackers often personalize phishing messages using information they find about you. Reducing your digital footprint makes it harder for them to write compelling emails. You can use personal data removal services to clean up exposed details and leaks from old databases.
While no service can guarantee complete removal of your data from the Internet, a data deletion service is truly a smart choice. They are not cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically deleting your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to delete your personal data from the Internet. By limiting the information available, you reduce the risk of scammers cross-referencing leak data with information they can find on the dark web, making it harder for them to target you.

Researchers warn that attackers are bypassing email defenses by manipulating subject lines encoded with invisible characters. (Photo by Lisa Forster/Picture Alliance via Getty Images)
Check out my top picks for data removal services and get a free scan to find out if your personal information is already available on the web by visiting Cyberguy.com.
5) Check the sender details carefully
Don’t rely on the display name. Always check the full email address. Attackers often modify domain names with a single letter or symbol. If something looks off, open the site manually instead of clicking any link within the email.
6) Never reset passwords via email links
If you receive an email stating that your password will expire, do not click the link. Go to the website directly and check your account settings. Phishing emails rely on urgency. Slowing down and confirming the problem yourself takes that pressure off.
7) Keep your software and browser updated
Updates typically include security fixes that help block malicious scripts and unsafe redirects. Attackers take advantage of older systems because they are easier to fool. Staying up to date keeps you ahead of known weaknesses.
8) Activate advanced spam filtering or “strict” filtering
Many email providers (Gmail, Outlook, Yahoo) allow you to adjust spam filtering settings. This won’t catch all soft-hyphen scams, but it improves your chances and reduces risky emails overall.
9) Use a browser with anti-phishing protection
Chrome, Safari, Firefox, Brave, and Edge all include anti-phishing checks. This adds another safety net if you accidentally click on the wrong link.
Kurt’s Key Takeaway
Phishing attacks are changing rapidly, and tricks like invisible characters show how creative attackers are becoming. It’s safe to say that filters and scanners are getting better, too, but they can’t catch everything, especially when the text they see isn’t the same as what you see. Staying safe comes down to a combination of good habits, the right tools, and a little skepticism every time an email pressures you to act quickly. If you slow down, double-check the details, and follow the steps that strengthen your accounts, it will be much harder for someone to scam you.
Do you trust your email filters, or do you check suspicious messages yourself? Let us know by writing to us at Cyberguy.com.
Copyright 2025 CyberGuy.com. All rights reserved.
Kurt “CyberGuy” Knutsson is an award-winning technology journalist with a deep love for technology, gear and gadgets that improve lives with his contributions to News and News Business since mornings on “News & Friends.” Do you have any technical questions? Get Kurt’s free CyberGuy newsletter, share your voice, a story idea or comment on CyberGuy.com.


