Phishing Emails Now Study Your Phone Before They Attack You

A new wave of scam emails quietly profiles your device — your operating system, location, and screen size — then delivers malware tailored specifically to your setup.

ThreatVectr Newsdesk· 3 min read
Extreme close-up of a glowing laptop screen in a dim office, displaying a realistic login page, with a faint ghostly reflection of the same page morphing into a
Share

Key points

  • Cofense, an anti-phishing security company, published research in 2025 showing that phishing campaigns now fingerprint victims' devices before delivering malicious software.
  • Criminals use freely available browser data — called a "user-agent string" — to detect whether a target runs Windows, macOS, Android, or another operating system.
  • One documented campaign delivered FleetDeck malware to macOS users and Tiflux RAT — remote access software repurposed by criminals to spy on victims — to Windows users, automatically.
  • Criminals are increasingly routing stolen data through Telegram, the messaging app, to receive harvested passwords and device information in real time.
  • Security researcher Max Gannon of Cofense told Dark Reading that employees who notice something unexpected are often more valuable than automated scanners at catching these attacks.

A phishing email — a fake message designed to trick you into clicking a harmful link — used to be a clumsy, scattershot thing. Bad spelling, generic subject lines, one malicious attachment sent to a million people at once. That era is ending.

Research published this week by Cofense, a company that specialises in detecting phishing attacks, describes something more surgical. When you click a link in one of these newer scam emails, the page you land on quietly reads data your browser sends automatically. Every browser — Chrome, Safari, Firefox — announces itself to every website it visits. That announcement, called a user-agent string, reveals your operating system, your browser type, your device, your language, and more. You cannot turn it off.

Criminals are now using that data as a targeting system.

How do criminals use your browser's data against you?

They use it to decide which malicious software to send you. If your browser says you are on a Mac, you receive one piece of malware. If it says Windows, you receive another. The Cofense research documented exactly this: a single phishing page that delivered FleetDeck to macOS users and Tiflux RAT — a remote-access tool hijacked by criminals to take control of a victim's computer — to Windows users, with no human decision required.

This matters because it closes a gap attackers used to lose money on. If a criminal built a Windows-only attack and you happened to be on a Mac, the click was wasted. Now it is not.

The deception layer adapts too. The same landing page may show you a fake Google login, a fake Microsoft Teams download screen, or a fake Adobe prompt — whichever your device profile suggests will look most convincing.

Criminals are also routing the stolen data through Telegram rather than traditional servers, making the theft harder to trace.

The underlying economics are simple. One email campaign, one piece of infrastructure, multiple platforms covered, higher profit per click.

For ordinary people, the practical advice has not changed much. Be suspicious of any unexpected email asking you to download something or log in somewhere, even if the page looks exactly like Google or Adobe. If your employer offers security awareness training, take it seriously — Gannon's core finding is that a trained employee who notices an unexpected tool running on their computer will catch what automated defences miss.

Organisations should also monitor Windows, Mac, and mobile devices together rather than separately, so unusual activity across platforms registers as one connected campaign rather than isolated noise.

© 2026 Threat Vectr