In the fast-paced, digitally-driven world of today, individuals who are well-versed in cybersecurity principles still find themselves vulnerable to online threats. A crucial yet often overlooked aspect is the impact of stress and distraction on one’s ability to recognise and respond to cyber threats, particularly phishing emails. Even those who have undergone comprehensive security awareness training are not immune to this phenomenon.
Read moreChatbot Scams On The Horizon
Chatbot scams are likely possibilities in the near future as language models (LMs) become more integrated into our daily lives, the National Cyber Security Centre has claimed. Due to previous security concerns regarding data protection, LMs have already been banned by many companies and educational institutions, doing little to impact popularity, as they have undeniably useful qualities.
Growing numbers of companies are using them to deal with user queries, and people are becoming more accustomed to entrusting chatbots with personal information.
Read moreData Breach Leaves PSNI Officers ‘Incredibly Vulnerable’
The Irish News has reported that a major data breach has exposed every serving officer’s personal data online. Almost 10,000 officers and staff members have been affected.
For almost three hours, several types of personal metadata were available for the general public to see. Authorities believe undercover officers could have been exposed, and may be unable to continue their work. In general, a rise in the risk of terrorist attacks against serving officers is feared to have increased.
The data breach happened after a freedom of information request led to an unfortunate, self-inflicted error. No foul play has been suspected, but the damage is major and widespread.
In all workplaces, the importance of data protection cannot be overstated. We all handle vast amounts of sensitive information on a daily basis. Steps can be taken to safeguard and protect information, but human error remains a significant vulnerability that can lead to data breaches.
Read moreHow to Spot a Phishing Email (5 Useful Tips)
Why Learning How to Spot a Phish Is Important
Despite constant improvements in cyber-security, the manipulation of users who fail to spot a phishing email remains the criminals’ best option for infiltration.
Unwary users risk financial peril and shut-down of the company. These threats are worsening as we continue to become a digital society.
That’s why we recommend employers use tailored simulated phishing tests and training to help keep users on alert. They need to stay wary as the criminals only need one click to hold a company to ransom.
Read moreThreat Alert: QR Code Scams
What are QR Codes?
QR codes are digital images that when scanned by a smart phone app, allow rapid access to a certain document or website. They are often used for restaurant menus, business cards, links to videos in adverts, access to sporting events etc. They are fast becoming the norm as they help facilitate the move to contactless communications.
QR codes however are quickly becoming another way cybercriminals can trick users into accessing a website or document as it can be more difficult for a user to verify (in advance) the website address, the QR code will take them to.
Cyber attackers however can interfere with QR Codes and lead victims to malicious websites where their financial and personal information is stolen.
QR Code Scams
Some criminals have begun sticking fake QR Codes to parking meters enticing unwitting drivers to scan the code, and hand over their credit/debit card information in the belief they were paying for parking when they the money went straight to the criminals. Earlier this year the FBI published an advisory to warn people.
Many paid and free sites exist that will allow one to create their own QR code allowing bad actors to come up with elaborate attacks or techniques.
This QR Code we generated above allows someone to quickly and easily connect to a Wi-Fi connection. While this is convenient in a shop/restaurant/café, or to provide guests access to your wireless network, it could be very easily abused and used to entice users into connecting to a malicious network.
There are many other types of QR codes and all of these are relatively simple to repurpose for malicious activities.
A recently reported phishing email utilises a QR code while posing as DHL. The criminals behind this scam are exploiting QR codes in a unique way to avoid detection.
A fake DHL themed email begins the attack and although the sender’s address in this scam has nothing to do with the courier service’s name, the message body has a corporate logo, an order number and the purported date of package arrival, all of which are very convincing.
The reported scam notes: An order has arrived at a nearby post office, and the courier was unable to deliver it personally. Normally a link to “resolve the issue” would be included, but this time there is a QR code for the user to scan.
Albeit this scam email below is directed at companies with Spanish employees, the same scam could apply no matter the language or country.
The attackers are counting on the victim using their smartphone to read the QR code. This will cause the malicious website to load on a small screen where the URL is not fully visible and other phishing scam signs are more difficult to identify.
How to thwart an attack?
The best ways to help thwart such attacks is to:
- Always Stop, Look and Think. Are you expecting the email? Does the context indicate an unexpected or unforeseen problem has suddenly arose? Does the email infer a sense of urgency or a negative consequence if not actioned?
- Verify an emails sender address to ensure it is genuine.
- If you need to use a QR Code scanning app, use one that offers a preview where a QR code will take you before it takes you there. If this is not possible or if in doubt, don’t scan the QR Code. It is best practice to instead visit the genuine website via a web browser.
- If you’re expecting a shipment, be sure to make a note of the tracking code and check the status of the shipment on the official website.
- Where possible, save genuine links to work and personal cloud-based services (including courier services) in your PC and phones bookmarks. Access these sites via your bookmarks and avoid clicking links to these services in an email.
If in doubt, before you take any action, understand and follow your company approved policy/procedures for reporting suspicious email activity. The sooner an incident is reported, the sooner measures can be put in place to prevent a breach.
More info:
QR Codes in the Time of Cybercrime (knowbe4.com)
Criminals steal payment details of DHL customers | Kaspersky official blog