A Guide to Advanced Phishing and QR Code Scam Prevention
For every step IT security takes, cybercriminals are making moves, too. Threats continue to grow in complexity and ingenuity, and among them phishing remains the predominant tactic, one that tricks even the most cautious individuals. Keeping up with the latest phishing techniques is one of the surest ways for you and your organization to protect sensitive information.
Understanding phishing
Phishing is a cyberattack that uses disguised email or deceptive links as its weapon. The goal is to trick the email recipient or link clicker into believing that the message is something they want or need — a request from their bank, for instance, or a note from someone in their company — so that they click the link or download an attachment. But just how common is this criminal tactic? According to a 2021 FBI report, nearly 22% of all data breaches occur through phishing attacks, making it one of the most prevalent cybercrimes known today.
What’s new in phishing? This year’s advanced scam tactics
In 2023 and looking into the new year, classic phishing scams are continuing to evolve. Cybercriminals are now employing more sophisticated methods to deceive users and bypass security measures. So, let’s dive into some of the most sophisticated phishing techniques that you and your colleagues should look out for.
1. Spear phishing
Unlike traditional phishing attacks, which are sent to a large number of individuals, spear phishing is highly targeted. Attackers often do extensive research on their victims to make the attack more personal and convincing. For instance, they might use information from social media profiles to create a false sense of familiarity or urgency—making their deceptive tactics feel all the more real.
Stats from Norton reveal that nearly 88% of organizations experience spear phishing attacks every year. You may well have encountered an attempt yourself. Let’s have a look at some common scenarios that are popping up for businesses today:
A criminal pretending to be your CEO and requesting sensitive info from finance
Fake invoices sent from so-called customers to your accounts payable department
Requests for passwords or login credentials seemingly sent by the IT team
2. Whaling
Whaling attacks specifically target senior executives and other high-profile targets within your organization. These attacks are more sophisticated and involve crafting a highly authoritative and legitimate-looking email that appears to come from a reliable source.
What makes whaling so threatening in 2023? According to the National Cyber Security Centre in the UK, cybercriminals are now sending highly targeted whaling emails to senior executives and following up with a phone call. This extra step can dispel the victim’s doubts, since a real-world interaction such as a phone call tends to make us less wary.
3. Business email compromise (BEC)
A more advanced form of phishing, BEC targets companies that conduct wire transfers and have suppliers abroad. Attackers pretend to be company executives or vendors to request transfers to fraudulent accounts. Because of the rise of remote work, BEC attacks are increasing in prevalence and sophistication—there were nearly 20,000 complaints to the FBI last year, and this is in the United States alone.
Some common types of BEC attacks to look out for include:
Lawyer or vendor impersonation — If a hacker can gain access to your lawyer’s email account, they’ll send false invoices or a link to pay online.
CEO fraud — By hacking into a senior executive’s account, they can make legitimate-looking requests for other staff members to make a wire transfer or purchase gift cards.
The tricky thing with these scams is that they almost always seem legitimate because the email source is valid. When in doubt, scope it out—give your vendor or coworker a call.
4. QR code scams (quishing)
There’s a new rising threat that many overlook: QR code scams, otherwise known as “quishing.” QR codes have gained immense popularity, especially in the wake of the pandemic, for their contactless convenience. However, this convenience also brings new opportunities for scammers.
How QR code scams work
Malicious QR Codes: Scammers embed malicious links in QR codes. When scanned, these QR codes can lead to phishing websites or automatically download malware onto the user's device.
Physical Tampering: Scammers can place their own QR code stickers over legitimate ones in public places, like on parking meters, menus, or advertisements.
Fake Promotions: Scammers create QR codes that lead to fake websites offering non-existent deals or contests, tricking users into providing sensitive information.
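The three tactics above all come down to what the scanned code actually contains. The following Python is an added example (not code from the article or from any vendor it mentions) that triages a QR payload after the phone’s scanner has already decoded it to a string. The allowlist, the shortener set and the sample payloads are constructed for illustration; the checks mirror the tactics listed: a link that is not what it appears to be, a destination hidden behind a redirect, and a direct malware download.

```python
"""Triage of a decoded QR-code payload (added example, not from the article).

The scanner app has already turned the image into a string; this decides
whether that string is safe to act on. The allowlist and shortener set are
constructed sample values, not a real policy.
"""
import ipaddress
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"pay.example.com", "menu.example.com"}   # hypothetical allowlist
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}             # sample shortener hosts
# Payload schemes that make the phone do something other than open a web page.
ACTION_SCHEMES = {"wifi", "tel", "sms", "smsto", "mailto", "geo", "market", "intent"}
DOWNLOAD_SUFFIXES = (".apk", ".exe", ".dmg", ".msi", ".scr")


def _is_ip_literal(host: str) -> bool:
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_qr_payload(payload: str) -> dict:
    """Return scheme, host, (severity, reason) flags and an overall verdict."""
    parts = urlsplit(payload.strip())
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    flags = []
    if scheme in ACTION_SCHEMES:
        flags.append(("review", f"{scheme}: triggers a device action, not a web page"))
    elif scheme not in ("http", "https"):
        flags.append(("review", "no web scheme: plain text, do not open as a link"))
    else:
        if scheme == "http":
            flags.append(("review", "http: unencrypted, page can be altered in transit"))
        if parts.username is not None:
            # "https://pay.example.com@evil.example/" shows a decoy before the '@'
            flags.append(("block", f"text before '@' is userinfo; real host is {host}"))
        if host.startswith("xn--") or ".xn--" in host:
            flags.append(("block", "punycode host: possible look-alike domain"))
        if _is_ip_literal(host):
            flags.append(("block", "IP-literal host: no domain name to verify"))
        if host in SHORTENERS:
            flags.append(("review", "URL shortener: final destination hidden"))
        if parts.path.lower().endswith(DOWNLOAD_SUFFIXES):
            flags.append(("block", "direct download of an executable"))
        if host not in TRUSTED_HOSTS and host not in SHORTENERS:
            flags.append(("review", "host not on the organisation allowlist"))
    severities = {s for s, _ in flags}
    verdict = "block" if "block" in severities else "review" if severities else "allow"
    return {"scheme": scheme, "host": host, "flags": flags, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample payloads, one per tactic described in the article.
    for p in ("https://pay.example.com/invoice/123",
              "https://pay.example.com@evil.example/login",
              "http://bit.ly/abc",
              "WIFI:S:FreeWifi;P:secret;;",
              "https://203.0.113.5/update.apk"):
        r = triage_qr_payload(p)
        print(f"{r['verdict']:6} {p}")
        for sev, why in r["flags"]:
            print(f"        [{sev}] {why}")
```

The design choice worth noting is that an unknown but well-formed HTTPS host only gets "review", while structural tricks that hide the true destination (userinfo before `@`, punycode, an IP literal, an executable download) get "block" regardless of how trustworthy the rest of the link looks, because those are the cases where a user reading the link cannot verify it by eye.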
In October 2023, up to 22% of phishing attacks involved QR codes [Hoxhunt]. So what signs can you look out for that might indicate you should be concerned?
Signs of a QR code scam
Unknown Source: Be cautious if a QR code appears in a suspicious location or context, or if it's provided by an unknown source.
Unusual Requests: Be wary if, after scanning a QR code, you're asked to provide personal information, login credentials, or financial details.
Pressure Tactics: Scammers often use urgency or fear to prompt immediate action. If you feel pressured after scanning a QR code, it's a red flag.
How to protect yourself from phishing scams
After reading some of these statistics, it may seem like phishing is ominous and ever-present. The fact is that even trained professionals can fall for phishing scams from time to time. But when you follow these safety measures, you’ll be far less likely to take the bait.
Be Skeptical: Always verify the source of the email. Check email addresses for slight alterations that make them look legitimate at a glance.
Don’t Click on Unverified Links: Hover over any links in the email to see where they lead. Be wary of clicking on unsolicited links.
Use Multi-Factor Authentication (MFA): MFA adds an additional layer of security to your accounts. This can be fairly simple to set up across your organization but can make all the difference in preventing attackers from getting in.
Educate and Train Employees: Regular training can help employees recognize and avoid phishing attempts. Research shows that 84% of US-based organizations believe conducting regular security awareness training has helped reduce the rate at which employees fall prey to phishing.
Keep Systems Updated: Ensure that your software, including antivirus and email filters, is up to date. This includes regularly installing operating system updates, and maintaining reliable backups so you can recover if a data breach does occur.
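The first two measures, checking the sender address for slight alterations and looking at where a link really leads, can be automated in a mail gateway or a triage script. The Python below is an added example (not code from the article or from any product it mentions) that does both: it compares the sender’s domain against a hypothetical trusted list after undoing common look-alike substitutions, and it parses an HTML body for links whose visible text names one host while the `href` points at another. The trusted domains, the confusable-character table and the sample message are constructed for illustration.

```python
"""Sender look-alike and link-mismatch checks (added example, not from the article).

TRUSTED_DOMAINS, CONFUSABLES and SAMPLE_HTML are constructed sample values.
"""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"example.com", "examplebank.com"}   # hypothetical allowlist
# Substitutions that make one domain look like another at a glance.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def normalise(domain: str) -> str:
    """Collapse look-alike character sequences so 'examp1e.com' reads 'example.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character alterations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_verdict(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a From: header as trusted, look-alike, display-name spoof or unknown."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    for t in sorted(trusted):
        if domain == t or domain.endswith("." + t):
            return "trusted"
    for t in sorted(trusted):
        if normalise(domain) == t or edit_distance(domain, t) <= 2:
            return f"lookalike of {t}"
        if t in name.lower():   # trusted name appears only in the display name
            return f"display name claims {t}, address is {domain}"
    return "unknown"


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_mismatches(html: str) -> list:
    """Return links whose visible text names a host different from the real target."""
    parser = LinkCollector()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        actual = (urlsplit(href).hostname or "").lower()
        m = HOST_IN_TEXT.search(text)
        if m and m.group(1).lower() != actual:
            out.append({"shown": m.group(1).lower(), "actual": actual})
    return out


# Constructed sample message body: the first link's text and target disagree.
SAMPLE_HTML = (
    '<p>Your account is locked. Visit '
    '<a href="https://examplebank.com.evil.example/login">www.examplebank.com/login</a> '
    'to restore access, or <a href="https://examplebank.com/help">contact support</a>.</p>'
)

if __name__ == "__main__":
    for hdr in ("Example Bank <alerts@examplebank.com>",
                "Example Bank <alerts@examp1ebank.com>",
                "IT Support example.com <helpdesk@gmail.com>"):
        print(f"{hdr!r}: {sender_verdict(hdr)}")
    print(link_mismatches(SAMPLE_HTML))
```

Two points worth noting: a subdomain of a trusted domain is accepted as trusted, but `examplebank.com.evil.example` is not, because the check is on the registrable suffix rather than on a substring; and the link check only fires when the visible text itself looks like a host name, which is exactly the case where a reader would otherwise believe they know the destination.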
As phishing techniques become more advanced, staying informed and vigilant is the best defense. Regular training, robust security measures, and a culture of cybersecurity awareness are key to protecting sensitive information.
While cybersecurity can seem daunting, it’s a necessary investment in today’s business landscape. Luckily, you don’t have to go it alone. With a Managed IT Services partner, you can stay focused on running your business while we handle the day-to-day maintenance and monitoring that protects your organization. And that peace of mind? It’s priceless.