The recent increase in smishing and vishing schemes is prompting me to remind readers of schemes designed to trick users into providing credentials to perpetrate fraud. We have previously written on phishing, smishing, vishing, and QRishing schemes to increase awareness about these methods of intrusion.

HC3 recently warned the health care sector about vishing schemes designed to impersonate employees in order to access financial systems. See previous blog on this topic here.

The City of New York was recently forced to take its payroll system down for more than a week after a smishing scheme that was designed to steal employees’ pay. The attack targeted the city’s Automated Personnel System Employee Self Service users. The threat actor sent employees fake text messages posing as multi-factor authentication prompts, with a link to enter their self-service credentials, including usernames, passwords, and copies of driver’s licenses. The scheme was designed to steal that information so the payroll system could be accessed and payroll diverted to the threat actor’s account.

Phishing, vishing, smishing, and QRishing continue to be successful ways for threat actors to perpetrate fraud. Applying a healthy dose of paranoia whenever you receive any request for credentials, whether by email, phone, text, or through a QR code, is warranted and wise.

Phishing, Smishing, Vishing, and QRishing. All of these schemes continue to pose risks to organizations that need to be assessed and addressed.

Vishing made a strong debut during the pandemic [view related post], and continues to be a scheme that is surprisingly successful.

This week, Morgan Stanley Wealth Management (in the wake of another data breach that was recently settled), notified some of its customers that their accounts were compromised by threat actors impersonating Morgan Stanley employees. According to Morgan Stanley, on February 11, 2022, a threat actor called some of Morgan Stanley’s clients and tricked them into thinking the caller was a Morgan Stanley representative, obtained the customers’ online account information, and gained access to the accounts.

Once that was done, the “bad actor…initiated unauthorized Zelle payments.”

Morgan Stanley disabled the accounts of the customers that were affected by the vishing scheme and has confirmed that its systems remain secure. It also provided resources to customers on vishing attacks and how to prevent them.

We have previously alerted you to vishing and smishing schemes [view related post]. A new scheme, using QR codes, is called QRishing or quishing. According to security company Abnormal, between September 15 and October 13, 2021, it identified a new way for hackers to try to get around security measures put in place to keep users from clicking on malicious links or attachments. The phishing campaign they detected was designed to collect Microsoft credentials using QR codes.

According to Abnormal, the threat actors used compromised email accounts to send users QR codes that looked like a missed voice mail notification. Although the threat actors were unsuccessful in getting users to click on the QR code, or to take a picture of it and send it to their own email account in order to click on it, the point is that attackers are getting increasingly creative and are embedding malicious links behind QR codes, which became widely used by restaurants and other establishments during COVID. Many people had never heard of a QR code or used one until COVID hit, and no one seems particularly concerned about taking a picture of a QR code when instructed to do so.

The tip here is to be cautious of QR codes, especially in an email or text, and specifically if someone is asking you to click on it or it is linked to a missed voicemail message. An emailed QR code may not be detected by the email security system; that is exactly what the attacker designed it for, so that it is delivered to your inbox and you are given the chance to scan it and compromise your Outlook credentials. The new mantra is: don’t click on suspicious links, attachments, or QR codes.

New dictionary words have been formed to describe online scams. Phishing, the one that everyone knows by now, is when a scammer uses a pretext in an email to get someone to click on a link or attachment in the email in order to deploy malware or ransomware.

Social engineering is when criminals conduct online searches of individuals and companies, looking at Facebook and LinkedIn profiles and running Google searches, to find out as much as possible about a company and its employees and develop a dossier on the company before launching a phishing, vishing, or smishing scam.

Vishing can occur, for example, when a criminal buys a domain similar to a company’s domain and adds some security terms to make it look like it belongs to the company’s IT department. The criminal then calls an employee, tells them a story about how they need to update the VPN or add additional security measures, and sends the employee an email from the fake company email address. While still on the phone with the employee, the criminal convinces the employee to enter their user name and password into the pop-up, giving the criminal full access to the employee’s account.

And smishing (it’s so new that spell check doesn’t recognize it) is when the scammers use a text (SMS messaging) as the ruse instead of an email or a telephone call.

People tend to trust text messages more than emails. They also read them more frequently and faster than emails. Scammers are using old techniques with new technology to get people to click on embedded links, either to introduce malware onto individuals’ phones or to give up personal or corporate credentials. Now the scam is using text messages.

This should be concerning for IT professionals since so many employees use their personal phones for work. Even though the employees are being targeted on their personal phones, the smishing scams can be a threat to corporate security. IT professionals may wish to add smishing as a technique when providing security training to employees so they are aware of the latest techniques used by criminals.

When the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) get together to issue an alert to warn us about a security threat, you can bet that the threat is real, and that they have seen it used successfully at an alarming rate.

The joint advisory issued on August 20, 2020, “Cyber Criminals Take Advantage of Increased Telework Through Vishing Campaign,” warns companies of the increased use of vishing attacks by cyber criminals. The advisory defines “vishing” as “a form of criminal phone fraud, using social engineering over the telephone system to gain access to private personal and financial information for the purpose of financial reward” [see related Privacy Tip].

People are always amazed at how much time and effort cyber criminals take to get the big pay-off. I always say this is how they make their living. We go to work every day and get a lot of work done in a legal way, while they go to work every day to figure out how to steal from us. They are spending the same amount of time on strategy, development and implementation to work out the details of the crime as we are in making an honest living. What they are doing in cyber crime is no different than planning for a bank robbery. They have to plan carefully and then execute the crime. That’s what the cyber criminals have done with their vishing campaign.

The vishing campaign referred to in the advisory started with the criminals registering domains and creating phishing pages that duplicate a company’s internal VPN (virtual private network) login page, including the requirement for two-factor authentication or a security passcode. They then obtained SSL (Secure Sockets Layer) certificates for the registered domains, including support(victim company name), ticket(victim company name), employee(victim company name), or (victim company name)support. The point is that they are using the actual company name in combination with IT support terms to lure the victims and convince them that the domain is real. It certainly looks very real.

The criminals then do online research on potential company victims and, according to the alert, “compile dossiers” on employees of the companies “using mass scraping of public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research.” This is publicly available information about companies and their employees that the criminals use to implement the crime. They aggregate the publicly available information and then start calling the employees on their cell phones. When an employee answers, they engage them in conversation as if they know them (using the social engineering results—including name, address, and position in the company) to get them to believe they are from IT support. They advise the employee that the company has changed the VPN, that a link to the new login will be sent, which includes multi-factor authentication, and that the employee will need to log in to reset the VPN. During the call, they assist the employee in logging in to the VPN and in the process capture the employee’s login credentials, and now have access to the employee’s account.

Once in the employee’s account, the criminals have access to other potential victims in the company using the same tactics, and are able to “fraudulently obtain funds using varying methods dependent on the platform being accessed.”

The alert acknowledges that this old scam, previously used on telecommunications and internet service provider employees, has now expanded to all industries because of the transition from work at the office to work from home during the pandemic. Companies need to be aware of the campaign, alert their employees, and provide them with resources and tips to avoid falling victim to it.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) recently issued an alert warning the public about vishing campaigns [see related post]. Vishing is defined by the FBI as “a form of criminal phone fraud, using social engineering over the telephone system to gain access to private personal and financial information for the purpose of financial reward.”

Vishing basically means that cyber criminals gather publicly available information on companies and employees so they get to know a lot about them, and then call employees on their cell phones to try to convince them that they are from IT support and that a new VPN (virtual private network) is being used. They then assist the employee with activating the new VPN and in the process obtain the employee’s credentials, which they use to access the company’s system and look for new victims.

We all know not to give our credentials to strangers via email. We also know not to give our credentials or personal information to anyone over the telephone. That said, the joint alert makes it clear that people who are working from home are falling victim to this campaign as there is no face-to-face authentication, and the criminals have gathered so much information on the individual employee that the employee believes it is a co-worker calling to assist.

Beware of giving any information to anyone over the telephone (or via email for that matter).

The Alert gives the following “End-User Tips”:

  • Verify that web links do not have misspellings or contain the wrong domain.
  • Bookmark the correct corporate VPN URL and do not visit alternative URLs on the sole basis of an inbound phone call.
  • Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information. If possible, try to verify the caller’s identity directly with the company.
  • If you receive a vishing call, document the phone number of the caller as well as the domain that the actor tried to send you to and relay this information to law enforcement.
  • Limit the amount of personal information you post on social networking sites. The internet is a public resource; only post information you are comfortable with anyone seeing.
  • Evaluate your settings: sites may change their options periodically, so review your security and privacy settings regularly to make sure that your choices are still appropriate.

For more information on how to stay safe on social networking sites and avoid social engineering and phishing attacks, refer to the CISA Security Tips below.
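The first two tips (check the link’s domain, compare it to the bookmarked VPN URL) can be turned into a simple triage check that a help desk or a security awareness team can run over links employees report. The following is an added example written for this post; it is not a tool from the FBI/CISA advisory or from CISA. The company name `examplecorp.com`, the bookmarked VPN host `vpn.examplecorp.com`, and all sample links are constructed. It flags the patterns the advisory describes (the real company name glued onto an unrelated domain, such as support-company or company-support), simple misspellings of the company name, `user@host` tricks in the URL, and plain-HTTP links.

```python
from urllib.parse import urlsplit

# Constructed values for this example (not from the advisory): the organisation's
# real registered domain and the bookmarked VPN portal employees should use.
CORPORATE_DOMAIN = "examplecorp.com"
BOOKMARKED_VPN = "https://vpn.examplecorp.com/"


def registered_domain(host: str) -> str:
    """Return the last two DNS labels of a host.

    Naive public-suffix handling: a production check would consult the
    Public Suffix List so that e.g. example.co.uk is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, corporate_domain: str = CORPORATE_DOMAIN) -> str:
    """Classify a link an employee was sent relative to the corporate domain.

    Returns one of: corporate, insecure-scheme, userinfo-trick, lookalike,
    typosquat, unrelated, unparseable.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "unparseable"
    if parts.scheme == "http":
        # A real VPN portal is served over HTTPS; plain HTTP is a red flag.
        return "insecure-scheme"
    if parts.scheme != "https" or not parts.hostname:
        return "unparseable"
    if parts.username is not None:
        # https://vpn.examplecorp.com@evil.test/ shows the brand but goes elsewhere.
        return "userinfo-trick"

    host = parts.hostname
    corp_reg = registered_domain(corporate_domain)
    if registered_domain(host) == corp_reg:
        return "corporate"

    brand = corp_reg.split(".")[0]          # "examplecorp"
    if brand in host:
        # Brand name embedded in a domain the company does not own:
        # support-examplecorp.com, examplecorpsupport.net, examplecorp.com.evil.test
        return "lookalike"
    host_label = registered_domain(host).split(".")[0]
    if levenshtein(host_label, brand) <= 2:
        # exanplecorp.com, examp1ecorp.com: close enough to be a deliberate typo.
        return "typosquat"
    return "unrelated"


def matches_bookmark(url: str, bookmark: str = BOOKMARKED_VPN) -> bool:
    """Tip 2: only the bookmarked host is the real VPN portal."""
    try:
        return urlsplit(url.strip()).hostname == urlsplit(bookmark).hostname
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample links as an employee might forward them to the help desk.
    reported = [
        "https://vpn.examplecorp.com/",
        "https://support-examplecorp.com/login",
        "https://examplecorp.com.evil.test/vpn",
        "https://vpn.examplecorp.com@evil.test/",
        "https://exanplecorp.com/vpn",
        "http://vpn.examplecorp.com/",
        "https://www.example.org/",
    ]
    for link in reported:
        print(f"{classify_link(link):16} bookmark={matches_bookmark(link)!s:5} {link}")
```

The classifier is deliberately conservative in one direction: anything that is not the corporate registered domain is reported, and the category only explains why. In practice the allow-list should come from the organisation’s asset inventory, and the naive two-label `registered_domain` should be replaced with a Public Suffix List lookup before relying on it for country-code domains.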

We have educated our readers about phishing, smishing, QRishing, and vishing scams, and now we’re warning you about what we have dubbed “snailing.” Yes, believe it or not, threat actors have gone retro and are using snail mail to try to extort victims. TechRadar is reporting that, according to GuidePoint Security, an organization received several letters in the mail, allegedly from the BianLian cybercriminal gang, stating:

“I regret to inform you that we have gained access to [REDACTED] systems and over the past several weeks have exported thousands of data files, including customer order and contact information, employee information with IDs, SSNs, payroll reports, and other sensitive HR documents, company financial documents, legal documents, investor and shareholder information, invoices, and tax documents.”

The letter alleges that the recipient’s network “is insecure and we were able to gain access and intercept your network traffic, leverage your personal email address, passwords, online accounts and other information to social engineer our way into [REDACTED] systems via your home network with the help of another employee.” The threat actors then demand $250,000-$350,000 in Bitcoin within ten days. They even offer a QR code in the letter that directs the recipient to the Bitcoin wallet.

It’s comical that the letters have a return address of an actual Boston office building.

GuidePoint Security says the letters and attacks mentioned in them are fake and are inconsistent with BianLian’s ransom notes. Apparently, these days, even threat actors get impersonated. Now you know—don’t get scammed by a snailing incident.

CrowdStrike recently published its 2025 Global Threat Report, which among other conclusions, emphasized that social engineering tactics aimed to steal credentials grew an astounding 442% in the second half of 2024. Correspondingly, use of stolen credentials to attack systems increased.

Other observations in the report include:

  • Adversaries are operating with unprecedented speed and adaptability;
  • China expanded its cyber espionage enterprise;
  • Stolen credential use is increasing;
  • Social engineering tactics aim to steal credentials;
  • Generative AI drives new adversary risks;
  • Cloud-conscious actors continue to innovate; and
  • Adversaries are exploiting vulnerabilities to gain access.

The details behind these conclusions include that the time it takes an adversary to start moving laterally through a network (the “breakout time”) “reached an all-time low in the past year. The average fell to 48 minutes, and the fastest breakout time we observed dropped to a mere 51 seconds.” This means that threat actors are breaking in and swiftly moving within the system, making it difficult to detect, block, and tackle them.

Vishing “saw explosive growth—up 442% between the first and second half of 2024.”

CrowdStrike’s observations are instructive to plan and harden defenses against these risks. Crucial pieces of the defense are:

  • Continued education and training of employees (including how social engineering schemes work);
  • The importance of protecting credentials;
  • How credentials are used to enter into a system.

Although we have been repeatedly educating employees on these themes, the statistics and real-life experience show that the message is not getting through. Addressing these specific risks through your training program may help stem the tide of these successful social engineering campaigns.

I often get asked whether law enforcement is making any headway in catching cybercriminals. Although it is a challenging task, a recent example of a big win for law enforcement deserves celebration.

Authorities from 40 countries, territories, and regions came together to assist INTERPOL with a recent global cybercrime initiative known as Operation HAECHI-V. The initiative took place between July and November 2024, resulting in the arrest of 5,500 individuals and the seizure of over $400 million. The initiative culminated with “Korean and Beijing authorities jointly dismantl[ing] a widespread voice phishing syndicate responsible for financial losses totaling $1.1 billion and affecting over 1,900 victims.”

One scam outlined in an INTERPOL purple notice warns consumers:

[O]f an emerging cryptocurrency fraud practice called the USDT Token Approval Scam that allows bad actors to drain victims’ wallets by leveraging romance-themed baits to trick them into buying popular Tether stablecoins (USDT tokens) and investing them. Once the scammers have gained their trust, the victims are provided with a phishing link claiming to allow them to set up their investment account….In reality, by clicking they authorize full access to the scammers, who can then transfer funds out of their wallet without the victim’s knowledge.

We love wins for law enforcement, and this win was significant, but it also informs consumers about how these schemes work. Pay attention to the techniques. This one included both phishing and vishing. Those techniques continue to be tried and true for international cyber criminals.

Everyone thinks they can spot a phishing email. If true, we would not see so many security incidents, data breaches, and ransomware attacks. The statistics are overwhelming that phishing emails are a significant cause of data breaches.

If everyone was able to spot a phishing email, threat actors would stop using them. It wouldn’t be worth their time, and they would use other methods to attack victims. However, because of their effectiveness, phishing attacks actually surged 40% in 2023, according to research by Egress.

One theory about why this is true is because of the use of artificial intelligence (AI). Threat actors are using generative AI to draft phishing emails that look and sound like they are in the victim’s native language. There are no grammatical errors or misspellings in the message, which used to make detection easier. In addition, AI-generated deepfake videos or voiceovers are used by threat actors in phishing attacks to lure victims into believing that the threat actor is someone they know, trust, or love. Further, AI can assist threat actors with actually writing the malware code for the attack.

Threat actors are also hiring other attackers to carry out phishing campaigns, which is known as Phishing-as-a-Service (PhaaS). This allows threat actors to conduct more campaigns to a wider net of potential victims.

According to The Hacker News, “While AI and PHaaS have made phishing easier, businesses and individuals can still defend against these threats. By understanding the tactics used by threat actors and implementing effective security measures, the risk of falling victim to phishing attacks can be reduced.”

Recognize that phishing (and smishing, vishing, and QRishing) campaigns are increasing. Stay abreast of the new tactics used, and stay vigilant in identifying and protecting yourself against them.