by Jon Lober | NOC Technology
Over time, fish learn to avoid common artificial lures. If a fisherman continues to use the same bait in the same hole season after season, the fish get wise and stop taking the bait. As a result, dedicated fishing enthusiasts never stop seeking the perfect bait. Every year, new lures trickle into their tackle boxes, each with an innovation designed to convince a wary fish to bite.
As it turns out, anglers seeking Pisces in ponds are not the only ones who understand this principle. Phishers and scammers are constantly tweaking their methods and lures in ways that could convince savvy users to click. Every now and then, they invent a completely new category of bait. Today we are going to take a look at one of those examples.
If you need a refresher on phishing—what it is and why it matters—read our first Phishing Report before you continue.
QR codes (short for “Quick Response codes”) have become nearly ubiquitous shortcuts into the virtual world. These black and white 2D patterns can encode up to 4,296 alphanumeric characters, which can be used to store serial numbers, passwords, URLs, email addresses, and more. Although they were invented nearly 30 years ago, QR codes only rose to their current popularity when smartphones took up residence in every pocket and purse.
Since QR codes can send users to virtually any website, they should be regarded with the same level of suspicion as any other link. Microsoft recently reported that scammers have been taking advantage of our familiarity with QR codes in a variety of contexts.
A fellow managed service provider (MSP) recently alerted us to a new quishing attack that we consider to be particularly dangerous for businesses of any size. The phishing email posed as an internal email requesting the user to release “Held” messages by scanning a QR code.
Unprepared users could easily scan the QR code, sign in, and continue on with their day without realizing that they had just given away the login information to their business accounts. Successful scammers could fool their victims into giving them access to an entire business network without anyone being the wiser.
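Because a QR code is just another link, its decoded text can be vetted like one before anyone signs in. The sketch below is an added example, not part of the original post: it assumes the QR image has already been decoded to text, and the trusted host names and sample payloads are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the exact hosts where this organization's users really sign in.
TRUSTED_SIGNIN_HOSTS = frozenset({"login.example.com", "mail.example.com"})


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_qr_payload(payload, trusted=TRUSTED_SIGNIN_HOSTS):
    """Return (verdict, reasons) for text already decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return "suspicious", ["malformed URL"]
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # QR codes also carry serial numbers, plain text, email addresses...
        return "not-a-web-link", []
    host = (parts.hostname or "").lower().rstrip(".")
    reasons = []
    if scheme != "https":
        reasons.append("not HTTPS")
    if "@" in parts.netloc:
        reasons.append("text before '@' is not the host")
    if is_ip_literal(host):
        reasons.append("raw IP address as host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label, possible look-alike name")
    if host not in trusted:  # exact match only: no suffix or substring tricks
        reasons.append(f"host {host!r} is not a trusted sign-in host")
    return ("suspicious" if reasons else "trusted"), reasons


# Constructed sample payloads, not taken from the email discussed above.
SAMPLES = [
    "https://login.example.com/held",
    "https://login.example.com.held-mail.example.net/release",
    "http://login.example.com@203.0.113.7/owa",
    "SN-00412-A",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", triage_qr_payload(sample))
```

The second sample shows why the host is compared exactly: a trusted name placed at the front of a longer host name does not make the destination trusted.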
Unlike our Geek Squad, PayPal, and Dick's Sporting Goods phishing analyses, this quishing attack is directly targeted at business users. This attack is refined, uses some very effective social engineering methods, and is likely causing significant damage to a number of businesses.
This is a well-executed attack, but it is not perfect. It contains several errors and tip-offs that should still alert a well-trained user.
The warning signs above should be enough to warn you to not scan the QR code. If you do happen to scan the code, ensure that the link does not download anything to your PC. If you are taken to a page requesting personal or payment information, leave the page immediately.
If you encounter an email like our example above, take the following steps.
If you would like more information on how to report a phishing email or what to do if you clicked, called, or scanned something suspicious, read our "How to report phishing emails" blog post for more comprehensive instructions.
If you do not know where to start, we want to help. We offer free, no-commitment, one-time consultations with our SMB tech experts to small business owners and IT personnel. Just let us know what your concerns are, and we can explain some of your options. Even if you just want to run an idea by us, we are here to help. Just click the button below to schedule a slot in our team's calendar.