Cybercriminals are now using a new and dangerous trick to fool people. They are sending fake PDF files that look like they come from well-known companies such as Microsoft, DocuSign, Dropbox, PayPal, and Adobe. These files are part of phishing attacks – a method used to steal login information, passwords, and even money.
What makes this threat more serious is that many people trust PDFs. They believe PDF files are safe because they are used in work and school every day. But hackers are taking advantage of that trust. They are hiding fake emails, invoices, and messages inside these PDFs to trick users into clicking dangerous links.
Once opened, these files often look very real. They might include company logos or urgent messages, or pretend to be from customer support. The goal is to make the user believe the file is genuine. Then, the victim is encouraged to click links or make a call – both of which can lead to stolen personal information or lost money.
Cisco Talos, a well-known cybersecurity group, has found that this type of attack is increasing fast. Between May 5 and June 5, 2025, attackers launched many such scams, mainly targeting people in the United States. They most frequently impersonated Microsoft and DocuSign in these attacks.
Hidden Tricks Inside PDF Files
The scammers are using advanced methods to hide their bad intentions. One common trick involves something called TOAD, which stands for “telephone-oriented attack delivery.” In this method, the PDF file includes fake invoices or warning messages that look urgent. These files ask the victim to call a number – which actually connects them to the scammer. The scammers use internet-based phone numbers (VoIP), which allows them to remain hidden and anonymous.
Another trick used in these attacks is embedding phishing emails inside the PDF file itself. This helps the scam bypass normal email security checks, which often scan the body of emails for harmful content. Since the real danger is inside the attached PDF, security software may not detect it right away.
Even more alarming is how hackers are using QR codes inside the PDFs. These QR codes are placed beside real-looking messages. When a victim scans the code with their phone, it sends them to a fake website. Some of these sites even include CAPTCHA pages – the kind that asks you to click on images or check a box – to make it seem more legitimate. Once the user goes through that step, they are asked to enter their login details, which go directly to the hackers.
In several PDF samples, attackers used smart hiding techniques. For example, they placed a visible link that looked trustworthy (like a link to Adobe’s own site), but hidden behind it was a dangerous link that led to the phishing page. This trick makes the file seem safe while still sending the victim to a fake site.
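The mismatch described above, between the link a PDF shows and the link it actually opens, can be checked when an attachment is triaged. The following Python is an added example, not code from Cisco Talos or from this article; the sample PDF, the `login.phish.example` host and all function names are constructed for illustration, and it assumes displayed URLs appear as plain text in raw or Flate-compressed streams.

```python
import re
import zlib
from urllib.parse import urlsplit

# Constructed sample: the page text shows an Adobe URL, while the clickable
# link annotation over it points to a different (placeholder) host.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"4 0 obj\n<< /Length 57 >>\nstream\n"
    b"BT /F1 12 Tf 72 700 Td (https://www.adobe.com/sign) Tj ET\n"
    b"endstream\nendobj\n"
    b"5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [72 695 300 715]\n"
    b"   /A << /S /URI /URI (https://login.phish.example/adobe) >> >>\nendobj\n"
    b"%%EOF\n"
)

URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
# A /URI key followed by a literal string; "/S /URI" (the action type) is skipped.
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\()])*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def link_targets(pdf: bytes) -> list[str]:
    """URLs stored in /URI actions, i.e. where a click actually goes."""
    return [re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")
            for raw in URI_ACTION_RE.findall(pdf)]


def displayed_hosts(pdf: bytes) -> set[str]:
    """Hosts of URLs drawn as page text, from raw or Flate-compressed streams."""
    hosts = set()
    for body in STREAM_RE.findall(pdf):
        try:
            body = zlib.decompress(body)
        except zlib.error:
            pass  # stream was not Flate-compressed; scan it as-is
        hosts.update(_host(u.decode("latin-1")) for u in URL_RE.findall(body))
    return hosts - {""}


def mismatched_links(pdf: bytes) -> list[str]:
    """Link targets whose host is not one the document visibly displays."""
    shown = displayed_hosts(pdf)
    return [url for url in link_targets(pdf) if _host(url) not in shown]
```

When a link sits under text such as "Click here", no URL is displayed, so every link target is returned for manual review.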
Fake E-Signatures and Global Spread
Scammers are even using Adobe’s own e-signature services to make their attacks more convincing. They create full fake documents and upload them through real Adobe systems. These documents are then shared with users, making it very hard to tell they’re fake.
This method shows just how clever these criminals have become. They are layering their attacks with fake brands, QR codes, phone numbers, and hidden URLs to catch users off guard. All of this is done inside simple PDF files that look completely normal at first glance.
These types of phishing attacks are not just local. They are happening around the world. But during the research period, most of the targets were in the United States. Cybercriminals also used brands like NortonLifeLock, PayPal, and Geek Squad from Best Buy in TOAD-related attacks.
People need to be extra careful with email attachments, especially PDFs. Even if the file appears to come from a trusted company, there is a chance it could be part of a scam. Always double-check links, avoid scanning unknown QR codes, and never call phone numbers from suspicious documents. This wave of PDF-based phishing shows how creative and dangerous cyber attackers have become.