Quishing
Quishing, or using QR codes to send malicious links, is the latest trend on the cybercriminal block.
I’ve talked about the risks of QR codes before, most recently in August and most thoroughly in March 2022. And now we’ve reached the point at which using QR codes in scams has become popular enough that it has its own term.
Malicious emails are called phishing, scam SMS/texts are called smishing, voice call scams are called vishing, and using QR codes to send malicious links is now called quishing.
In fact, last week I received the email below.
As you can see, this message claims to be a link to a voicemail. There are a few obvious red flags though.
- This is not how voicemails come to us at work: wrong sender, wrong message, and no attachment.
- It seems strange that a voicemail would come ‘on Microsoft Teams.’
- The word ‘recieved’ is misspelled.
- ‘Smart Phone’ is in parentheses for no reason.
- The subject line says ‘Dashboard.’
For someone who is rushing, however, those warnings could be missed. And we have been trained to pick up our cell phones when we see QR codes to get information.
That’s part of the danger with quishing. We switch from our typically protected computers to our often less protected mobile devices. And we rarely check to see what the QR code link is pointing to; we simply click on it.
Please stay alert for QR codes sent to you via email, and immediately stop yourself if you see one. Ask yourself why the sender wouldn’t have just included a clickable link. Remember to check for the usual warning signs in sender, subject, and urgency. And report any messages you are unsure of.
4 Scary Stats
1. Approximately 10,000 harvested credentials are put up for sale monthly on the dark web.
– Microsoft Digital Defense Report 2023
2. Targeted email campaigns that add phone calls (vishing) were 3X more effective than those that didn’t.
3. In a research project performed by IBM, a human-crafted scam email was only 3% more successful than the AI-generated one.
What’s more, the human-crafted one took 16 hours to make versus the AI taking about 5 minutes.
4. Senior citizens are being targeted and losing their life savings:
Between January and June 2023, 19,000 complaints related to tech support scams were submitted to the FBI Internet Crime Complaint Center (IC3), with estimated victim losses of over $542 million.
Almost 50% of the victims reported to IC3 were over 60 years old, comprising 66% of the total losses. As of August 2023, losses have already exceeded those in 2022 by 40%.
Global News Scam Reminder
The FBI put out a Public Service Announcement last week about charity frauds taking advantage of the Israel-Hamas conflict.
If you’ve been getting this security brief for a while, then you already know that headlines give scammers everything they need to prey on people’s emotions. And the bigger the news–especially a disaster–the larger the audience they can target.
We’ve talked about aid scams following hurricanes, ticket scams to events like the Olympics, donation scams related to the war in Ukraine, and far too many others. Now, the FBI is warning us all to be alert for fake humanitarian donation scams.
These schemes show up in emails, on social media, and in ads. They can use real agency names but direct to spoofed websites, or they can make everything up. Their goal is to separate you from your money by whatever means possible.
So please remember to verify independently any entity that you want to donate to and never give your personal banking information away to do so.
October was Cybersecurity Awareness Month
October 2023 marked the 20th anniversary of Cybersecurity Awareness Month.
Infinity was proud to champion this collaboration between the government and private industry again, aiming to empower everyone to protect their personal data from digital forms of crime. As we become more dependent on technology, it’s more important than ever to strengthen and adapt our cybersecurity habits.
This year’s focus was on 4 simple actions we can take as individuals and business owners to make our networks more secure.
- Create Strong Passwords and Use a Password Manager
- Turn on Multi-Factor Authentication (MFA)
- Recognize and Report Phishing
- Update Your Software
Consider this:
Only 33% of individuals create unique passwords for all accounts. (National Cybersecurity Alliance)
Imagine 2/3 of your team using their work password as their streaming services password, or for their social account, or their Amazon password. Now if any of those get breached, they’re all at risk.
No matter how many layers of protection you have in place on your business network, a non-unique password opens it right up.
This is why building employee awareness is so important and why Cybersecurity Awareness Month has been around for 20 years and continues to make an impact.