In 1995, the first phishing email was sent to a user’s inbox.
Today, nearly 30 years later, phishing scams are still a major threat to individuals and organizations worldwide.
In the worst-case scenario, scam emails, text messages, or phone calls are a stepping stone to damaging attacks such as ransomware — or expensive data breaches.
For individuals who mistakenly reveal their sensitive information to criminals, phishing can even lead to identity fraud.
Almost three decades after the first phishing email, we have more advanced technology and more capable security tooling that can detect such attacks.
So why is phishing still such a common threat?
In short, scammers exploit human biases. They impersonate people of authority or someone a person trusts. As a result, the victim often doesn’t question when such a person demands passwords or money transfers.
Another reason is that bad actors have been developing more and more advanced scams to target unsuspecting victims. Some of them can even fool cybersecurity experts.
There has also been an increase in the number of social engineering scams and the number of overall phishing sites.
What are cybercriminals doing to bypass email filters and cybersecurity defenses?
Here, we dive into two of the latest sophisticated phishing scams and how to protect yourself against them.
QR Codes Embedded in the Image of an Email
Email filters have gotten better at detecting spam URLs or malware-infected attachments and analyzing text. That’s why scammers are replacing these with QR codes embedded in images.
Here is how it works.
The recipient is told to reset an expiring password or to complete a two-factor authentication step, and the instructions point to a QR code rather than a link.
After victims scan the QR code with their phone, they land on a site that looks legitimate. It is a phishing site built to capture credentials as soon as the target enters a username and password. Scanning also moves the session from a managed workstation to a personal phone, which is usually outside the company's web filtering and endpoint controls.
This scam is difficult to detect because the email often appears to come from a genuine address, for example one belonging to the targeted company. A common campaign abusing QR codes asks the recipient to sign in to a Microsoft account.
Most of these emails are image-based. The body contains little or no text for an email security solution to scan and use to route the message to spam, which is how the campaign slips past text-based filters.
To the recipient, a picture of a message looks the same as HTML text, so nothing appears unusual.
How to Detect a Suspicious Email Containing a QR Code
Companies are adding this type of scam to their phishing awareness training.
What should you look for?
Major companies such as Microsoft are often impersonated in email scams. Check whether an email that asks you to reveal sensitive data really comes from the company it claims to represent.
Campaigns that rely on malicious QR codes send generic emails to as many recipients as possible. Look for clues that the email is a scam, such as poor grammar and a sense of urgency (a deadline to take action). A QR code is only an encoded URL: most phone camera apps show the destination before opening it, so read the domain first, and treat an unexpected QR code the way you would treat an unexpected link.
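The image-only pattern described in the section above, together with the urgency and sender checks just listed, can be turned into a mail-filter triage check. The following is an added example written for this article, not code from the original page or from any vendor: it parses a raw MIME message with Python's standard library, measures how much scannable text the message carries against how many inline images it contains, and flags messages whose entire visible content is an image. The QR decoder itself is assumed to run separately (for example with zbar); its decoded URL is passed in so the destination host can be compared with the sender's domain. The thresholds, urgency phrases and both sample messages are constructed for the example.

```python
"""Triage heuristics for image-only ("quishing") emails.

Added example for this article; not code from the original page.
Standard library only. The QR decoder (e.g. zbar) is assumed to run
elsewhere and hand its output in as decoded_qr_url.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed thresholds and phrases, chosen for illustration, not tuned on real mail.
MIN_TEXT_CHARS = 40
URGENCY_PHRASES = ("action required", "expires today", "immediately",
                   "within 24 hours", "account suspended", "verify now")


def analyze(raw: bytes, decoded_qr_url: str = "") -> dict:
    """Return the signals a filter would combine for an image-based phish."""
    msg = message_from_bytes(raw, policy=policy.default)
    text_chars, image_parts, texts = 0, 0, []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "text/plain":
            body = part.get_content()
        elif ctype == "text/html":
            body = re.sub(r"<[^>]+>", " ", part.get_content())  # drop tags, keep words
        elif ctype.startswith("image/"):
            image_parts += 1
            continue
        else:
            continue
        texts.append(body)
        text_chars += len(re.sub(r"\s+", "", body))  # count only scannable characters

    _, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    qr_host = (urlparse(decoded_qr_url).hostname or "").lower() if decoded_qr_url else ""
    haystack = (str(msg.get("Subject", "")) + " " + " ".join(texts)).lower()

    signals = {
        "text_chars": text_chars,
        "image_parts": image_parts,
        # The pattern from the article: the visible message is an image, not text.
        "image_only": image_parts > 0 and text_chars < MIN_TEXT_CHARS,
        "urgent": any(p in haystack for p in URGENCY_PHRASES),
        "sender_domain": sender_domain,
        "qr_host": qr_host,
        # QR destination does not belong to the domain the mail claims to come from.
        "domain_mismatch": bool(qr_host and sender_domain
                                and not (qr_host == sender_domain
                                         or qr_host.endswith("." + sender_domain))),
    }
    score = sum(signals[k] for k in ("image_only", "urgent", "domain_mismatch"))
    signals["verdict"] = "quarantine" if score >= 2 else "review" if score == 1 else "deliver"
    return signals


def build_quishing_sample() -> bytes:
    """Constructed message: an HTML shell whose only content is an inline image."""
    msg = EmailMessage()
    msg["From"] = "IT Helpdesk <helpdesk@contoso.example>"
    msg["To"] = "employee@contoso.example"
    msg["Subject"] = "ACTION REQUIRED: your password expires today"
    msg.set_content('<html><body><img src="cid:qr@contoso.example"></body></html>',
                    subtype="html")
    # Placeholder bytes standing in for the PNG of the QR code (constructed, not a real image).
    msg.add_related(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64, maintype="image",
                    subtype="png", cid="<qr@contoso.example>")
    return msg.as_bytes()


def build_benign_sample() -> bytes:
    """Constructed message: ordinary text mail with no image."""
    msg = EmailMessage()
    msg["From"] = "Dana <dana@contoso.example>"
    msg["To"] = "employee@contoso.example"
    msg["Subject"] = "Lunch on Thursday?"
    msg.set_content("Hi, are you free for lunch on Thursday around noon?\n"
                    "The new place by the office has a decent menu.\n")
    return msg.as_bytes()


if __name__ == "__main__":
    # Hypothetical decoded QR destination, constructed for the example.
    print(analyze(build_quishing_sample(), "https://login-microsoft-verify.example/auth"))
    print(analyze(build_benign_sample()))
```

The host comparison is deliberately strict: a subdomain of the sender's own domain passes, anything else is a mismatch, so a lookalike such as a Microsoft-themed host sent from a company address scores as suspicious even when the image itself carries no scannable text.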
AI-voice Scam Calls From Family Members
With as little as a 10-second sample of someone's voice, criminals can use AI to clone and mimic that person. They can then use the cloned voice to extract sensitive information by convincing family members that the person is in danger.
Using the voice of someone you trust or who has authority over you (e.g. your boss), the scammer can request money transfers, credentials, or social security numbers.
In January 2023, a mother from Phoenix received a call that appeared to come from her daughter, claiming to have been kidnapped. Scammers mimicked the daughter's voice telling her she was in danger and demanded $1 million in ransom. A 911 call and a subsequent call with her daughter revealed that the kidnapping was a hoax built with AI voice cloning.
A couple from Canada was not lucky enough to discover the fraud in time. A phone call impersonating their son, who claimed he needed money for a lawyer, scammed the couple out of $21,000.
Many people get fooled. A more experienced threat actor will also spoof the caller ID, so the name or number of the person "in danger" appears on the phone during the call.
Vishing, or voice phishing, is nothing new. Phone call scams by someone posing as tech support, a government representative, or a service provider who wants to "confirm" the victim's identity have been commonplace for years.
AI just helps scammers to impersonate people who you care about the most.
How to Prevent AI-Powered Phishing Scams
A few things that you can do to protect yourself from AI vishing include:
- Agreeing on a safe word with your closest ones, a family password to confirm someone's identity
- Hanging up and calling the person back on a number you already have before acting on any request
- Taking note of unusual requests and unfamiliar phone numbers
- Sharing less personal information on social media, such as vacation destinations
- If you do receive a suspicious call, calling 911 when someone may be in immediate danger and reporting the scam to the FBI (in the US, through IC3 at ic3.gov)
Phishing Threats Persevere
Phishing remains a major problem for organizations and individuals alike.
Advanced phishing schemes feel more personal. A scammer takes time to get to know the victim via social media, finds sound bites of their voice, and uses them to scam their family.
They also exploit technology the general population doesn't know can be used for scamming, such as QR codes. Most employees who pass phishing training are wary of links and email attachments, not of QR codes.
Social engineering is the blind spot of both companies and individuals. Today, we’re up against AI voice scams and QR code phishing. Tomorrow, bad actors will find new ways to exploit human trust.
The most a company can do is set up strong email and endpoint security, require phishing-resistant multi-factor authentication so that a harvested password is not enough on its own, keep awareness training current with the newer lures, and restrict user access to limit the damage of a breach.
The most individuals can do is keep learning about the new types of phishing to build awareness and recognize scams.