With Cybersecurity Awareness Month in full swing, you’ll no doubt see many blogs about phishing attacks. Cybercriminals frequently use such attacks as the first step in compromising unsuspecting victims by sending them a malicious link via a text message or email message. Everyone knows that feeling of having an endless sea of spam emails, annoying phone calls and bothersome text messages from strangers, but the threat actors behind all of this activity are becoming more aggressive each year.
Phishing continues to be one of the leading types of cybercrime, according to the Federal Bureau of Investigation (FBI). Among the major players behind these attacks are organized threat actor groups that phish unsuspecting users to steal their private information or infect their devices with malware. For this reason, learning how to spot phishing attempts, and other related attacks, is still one of the best ways to stay safe.
What’s the Difference Between Phishing, Vishing and Quishing?
Many people are already aware of what phishing is: the act of sending email messages in an attempt to trick people into providing private information like usernames and passwords or extracting money via ransomware. Vishing is similar in its attempts to obtain information but relies on phone calls. Many mobile phones now come with built-in spam-call flagging software to try to help combat this threat, but there are still many ways to bypass it.
Quishing, which is a newer trend, uses QR codes to phish. With the rise in QR code use during the pandemic in places like restaurants, the Department of Motor Vehicles (DMV) and other organizations, along with two-factor authentication (2FA), it has become a normal habit for people to scan such codes without second-guessing them. That acceptance now makes QR codes an easy vector for threat actors to abuse.
Phishing has evolved over recent decades to be very tricky to spot. There are a few key things to look out for when reviewing emails, texts and other forms of communication to make spotting those phishing attempts much easier.
First, always check who sent the email. If the email is from someone you do not know, someone from a place you would not receive emails from, or appears to be from someone/place you expect but has a lot of typos or doesn’t sound like something they’d usually send, that is a big red flag that it may be a phishing email.
- Unknown Senders: Lumi@domain[.]com
- Unknown Company: Rena@CakeMaker[.]com
- Typos: Kathy@amazon[.]com vs Kaithy@amaz0n[.]com
Be careful, as cybercriminals have gotten extremely clever at disguising email addresses and domain names to look like those of legitimate businesses by using confusingly similar names and characters.
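As a defender-side illustration of the sender check described above, here is a small Python example (added here, not part of the original article) that classifies a sender address against a constructed allowlist of domains the recipient expects mail from. The allowlist, the digit-to-letter substitution table and the 0.9 similarity threshold are assumptions made for the example; the addresses are the article's own, written with the `[.]` defanging convention.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed allowlist: domains this recipient legitimately receives mail from.
TRUSTED_DOMAINS = {"amazon.com"}

# Digit look-alikes commonly swapped into a domain to disguise it (e.g. amaz0n).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "8": "b", "9": "g"})

# Assumed threshold: domains at least this similar to a trusted one are flagged.
SIMILARITY_THRESHOLD = 0.9


def refang(address: str) -> str:
    """Undo the [.] defanging used in the article's examples and lower-case it."""
    return address.replace("[.]", ".").strip().lower()


def normalize_domain(domain: str) -> str:
    """Fold accented/Unicode characters to ASCII and map digit look-alikes to letters."""
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    return folded.translate(HOMOGLYPHS)


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the sender's domain.

    'lookalike' means the domain is not trusted but, after homoglyph folding,
    equals or nearly equals a trusted domain: the red flag the article describes.
    """
    address = refang(address)
    if "@" not in address:
        return "unknown"
    domain = address.rsplit("@", 1)[1]
    for good in trusted:
        if domain == good or domain.endswith("." + good):
            return "trusted"
    norm = normalize_domain(domain)
    for good in trusted:
        if norm == good:
            return "lookalike"  # amaz0n.com -> amazon.com after digit folding
        if SequenceMatcher(None, norm, good).ratio() >= SIMILARITY_THRESHOLD:
            return "lookalike"  # one or two edited characters (amazom.com)
    return "unknown"
```

An address that comes back as `unknown` is not necessarily malicious; it simply is not one the recipient expects, which is exactly the case where the rest of the checks in this article apply.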
Emails often have attachments as well. Always be mindful of opening any files or links in emails as they could contain malware, especially if they come from a questionable source. If you weren’t expecting an attachment, if it has an odd name, or if it has an odd extension, don’t download and open the file.
Questions to Ask:
- Was I expecting this file?
- Does the title of the file relate to the email and/or what I am expecting?
  - For example, if the email is about a new boutique launching, you wouldn’t expect to get an invoice with it.
- Does the file have an unusual extension, like .AWG?
- Does the file title have typos?
If you are expecting a message from someone and are unsure, it is always best to reach out to that person by other means to confirm their identity. This can be done by calling them or, if you know them locally, speaking to them face to face. Make sure to confirm the email address and the intent of the message. However, if there is any doubt, always report the message through your email software and delete it.
Threat actors will attempt to use the same types of tactics as mentioned earlier for phishing, but verbally, typically over the phone. This is known as vishing. These threat actors do everything from spoofing credible phone numbers to threatening people pretending to be the police or other government agencies.
Questions to consider:
- Was I expecting a call from this person/company?
- Does this person/business typically make contact by phone call?
  - For example: the IRS will not call you about your taxes, Social Security or other sensitive information.
- Should I be sharing my personal information over the phone?
- Should I be paying for this over the phone?
- Am I sharing too many details?
For example, a few years ago, I was visiting my parents, who still use a landline. The phone rang as we were sitting on the couch, so I went to check the Caller ID on the base of the phone. The call was from the same number as our home phone, and the Caller ID showed my dad’s name. I answered the call knowing what was happening, but I was still curious. The person on the other end attempted to convince me that I had a $500 Amazon package on the way. I hung up, knowing there was no such thing. Safe to say, my dad was standing right next to me and was not working for Amazon.
If you are ever concerned about any payments, packages or other related issues, always follow up directly with the company through its own website and main phone number, not a website or number given to you over the phone by a questionable source. Credible support can always direct you to the right person to help you.
With new technology and processes on the rise, phishing has evolved, too. There is now a trend for threat actors to use QR codes to phish people. QR codes are machine-readable codes made up of a grid of black and white squares. They are typically used to store URLs or other information for smartphones to read through the camera app. While QR codes are quick and easy to use, they pose a lot of threats to those who scan them: they allow some security controls to be bypassed, make URL validation difficult (the destination is not visible until the code has been scanned), are an easy way to deploy an attack and place convenience over security.
Many have become comfortable scanning these codes for 2FA, package tracking, DMV line status and even restaurant menus. As QR codes become more and more commonplace, with devices more easily supporting the technology, it gives threat actors new means to try to trick you and obtain your personal information.
Always be mindful:
- Is the QR in a credible location?
- Does the QR look printed onto a wall/banner/menu rather than a sticker or a flier (which could be fake)?
- Can I avoid using the QR code by gaining access to the information in another way?
It is always important to keep in mind that QR codes can be programmed to take you to whatever URL the attacker wants. If a QR sticker is placed near a government building indicating a sign-in form, it could collect your Personally Identifiable Information (PII) by pretending to be whoever owns that building. These codes can even direct you to malware, which can then be downloaded to your mobile device. Always treat QR codes with caution and never scan randomly placed codes.
As phishing has grown, it has evolved into new forms built on new technology, such as vishing and quishing, to try to get people to reveal personal information or send money. By being aware of such tricks and scams, you can avoid becoming a victim of cybercriminals. Organizations can also use endpoint detection and response to help monitor for phishing and other similar attacks.
Always know who you are talking to and what types of information are included, and do not provide personal information to those who do not require it. It is always safer to double-check who you are communicating with rather than assuming a person is who they claim to be.