A picture is worth a thousand words.
True more often than not, but it’s worth even more when it gets integrated into the latest phishing attacks. What criminals are doing is instead of trying to get you to open an attachment or click a link, they want you to click an image.
Just as with every attack of this sort, they direct you to a website that isn’t legitimate. It’s a scam site created to steal your credentials as you try to log in.
The image attacks can be absolutely anything. They just want to engage you to click it. Maybe the image looks like a sale of an item you want, or it’s a meme you laugh at, or dare I say it – they weaponize pictures of cute cats (or dogs if you’re a dog person).
A huge trend is to send a promotional image informing the recipient there is a special sale on an item, an invite to participate in a raffle, or that they have won a prize. Of course, the image links to a phishing site to steal their data.
Image-based attacks have been growing in number and recently a large number of image-based junk emails have been unleashed to email servers worldwide.
One prominent attack that has surfaced is the sending of a QR code in an email that looks like a Microsoft security authentication. Recipients fall victim when they scan the code, which sends them to a phishing site to harvest their Microsoft credentials.
How do you know if what you’re looking at is a legitimate email or a scam?
Here’s what to look out for in image-based phishing attacks:
Unexpected email
Were you expecting an email from the sender? Do you normally get emails from them?
If you got an email about a sale from a store you aren’t signed up to get marketing emails from is a good reason to be cautious. Even if it’s from somebody you know, does the email seem out of place?
I recently received an email from a friend of mine asking if I shop on Amazon. Nothing more, nothing less. Why would he be asking me that? Why isn’t there more information? I called him and sure enough, his email was hacked. While this wasn’t an image-based attack, that is the type of stuff you need to think about and look out for.
Too good to be true
The old adage applies here; that if something sounds too good to be true then it probably is.
If that email promises a grand vacation or the promise of free expensive items, then it’s probably a scam.
Grammatical mistakes
Even with image-based attacks there might be some text involved giving you some context. Always look at the grammar and spelling as a warning sign something may be off. Sure, we all make typos or auto-correct goes whacky on us, but too many errors that don’t seem to line up with the typical errors we see in messages daily should stand out.
No Words
Maybe there are no grammatical errors because there are no words! If there is literally no text accompanying the image, take note of that and suspect it is a scam. Also, make sure that text is actually real text and not an image itself.
One of the reasons the recent QR code scam going around has had some success is that it includes no text. All the text of the email is actually part of the image. Therefore, many threat scanners can’t analyze the text to determine it’s a threat. The recipients simply don’t notice there are no words, thinking that the words in the image are part of the email text, so they follow the image link.
Mismatched Logos or Branding
If the email claims to be from a known company but their logo or branding is slightly off, it’s probably a scam. This gets harder to tell the less familiar you are with the company being impersonated, but you can always double-check with external searches of your own to see what the current look of the company is.
Here’s how you protect your business from image-based phishing attacks:
The reason best practices become established is that they handle common and multiple issues. The same is true for these security practices. They should add safeguards against image-based attacks as well as others.
Educate your employees
As always, knowledge is power. The more your team is aware of threats, both specific and general, the more they will be on alert and catch them before they click on something they shouldn’t. We recommend periodic training that keeps security front of mind.
Turn off automatic image display
Most email programs automatically display attached images inside the body of the email. This is a convenience factor and improves the overall interface and experience. However, one of the reasons the QR code scam is having success is because people don’t notice there is no text included in the email. If the automatic image display setting is disabled, it would be obvious. Sure, you would need to click each email to display the images, but it’s a simple, single click whereas you can visually check every email for security purposes before you do.
Check your links
When you receive any link in an email, even those that are images, always hover over the link (or image) to display the destination URL. For most of these scams, this is a sure fire way to identify that they are not sending you to the brand website but instead to a fake site.
On mobile this might be a bit trickier. You can press and hold the link to have it pop up a display of the URL, but be careful not to accidentally tap it in this process or it will send you to the destination site. If in doubt, just wait until you can sit at a computer to check that link.
Alternate Confirmation
If you are questioning if an email is legitimate, see if you can confirm it outside of email. Sometimes picking up the phone is a fast and reliable way to confirm and circumvent typical attacks.
Check the sender’s email address
Many attacks spoof the sender’s domain because they have not set up appropriate security or have themselves been compromised. That you can’t check because it is technically legitimate.
However, many attacks mimic the domain with an alternate spelling to make it look legitimate if you only glance at it.
Carefully read the email address and see if it looks right. Are there any letters left out or added to the domain? Check for spelling tricks like R and N placed together to look like an M (“rn” vs “m”).
Keep software up to date
Keeping software up to date is considered normal maintenance for technology. Good developers will consistently improve performance and patch security holes that are found. You wouldn’t continue driving your car without maintenance like oil changes, so don’t do that with your technology.
Use strong passwords and a manager
Get a password manager. Seriously. They aren’t expensive and they will ensure your passwords are the most secure they can be. Long, complex passwords that are unique for every account are what will keep your data safe. A password manager handles all of that for you, and you just need to remember just one password.
Enable MFA
You should have multi-factor authentication on every account. Preferably the kind where you need to provide a one-time code from an authenticator app. This simple step will increase the security of your credentials exponentially.
Backup your data
Always have a good backup and disaster recovery plan. If disaster ever strikes (including cyber attacks) then you know all your data is recoverable.
Use Advanced Protection
Advanced Protection can monitor your network, workstations, servers, and all devices 24/7 to keep your data safe. This is “advanced” because it doesn’t rely on definitions like anti-virus does. It scans logs, watches traffic, and uses artificial intelligence, to identify threats and attacks. This is what modern businesses should have in place in the same way every business relied on antivirus 20 years ago.
Cyber criminals are getting creative and throw different attacks your way daily. Be vigilant and keep your team and data safe. If you have any questions or we could help with any of these solutions discussed, book a call with our live calendar.