The recent increase in smishing and vishing schemes is prompting me to remind readers of schemes designed to trick users into providing credentials to perpetrate fraud. We have previously written on phishing, smishing, vishing, and QRishing schemes to increase awareness about these methods of intrusion.

HC3 recently warned the health care sector about vishing schemes designed to impersonate employees in order to access financial systems. See previous blog on this topic here.

The City of New York was recently forced to take its payroll system down for more than a week after a smishing scheme that was designed to steal employees’ pay. The attack targeted the city’s Automated Personnel System Employee Self Service users. The threat actor sent fake text messages with multi-factor authentication to employees with a link to insert their self-service credentials, including usernames, passwords, and copies of driver’s licenses. The scheme was designed to steal the information so the payroll system could be accessed in order to divert payroll to the threat actor’s account. 

Phishing, vishing, smishing, and QRishing continue to be successful ways for threat actors to perpetrate fraud. Applying a healthy dose of paranoia whenever you receive any request for credentials, whether by email, phone, text or through a QR code is warranted and wise.

Everyone thinks they can spot a phishing email. If true, we would not see so many security incidents, data breaches, and ransomware attacks. The statistics are overwhelming that phishing emails are a significant cause of data breaches.

If everyone was able to spot a phishing email, threat actors would stop using them. It wouldn’t be worth their time, and they would use other methods to attack victims. However, because of their effectiveness, phishing attacks actually surged 40% in 2023, according to research by Egress.

One theory about why this is true is because of the use of artificial intelligence (AI). Threat actors are using generative AI to draft phishing emails that look and sound like they are in the victim’s native language. There are no grammatical errors or misspellings in the message, which used to make detection easier. In addition, AI-generated deepfake videos or voiceovers are used by threat actors in phishing attacks to lure victims into believing that the threat actor is someone they know, trust, or love. Further, AI can assist threat actors with actually writing the malware code for the attack.

Threat actors are also hiring other attackers to carry out phishing campaigns, which is known as Phishing-as-a-Service (PhaaS). This allows threat actors to conduct more campaigns to a wider net of potential victims.

According to The Hacker News, “While AI and PHaaS have made phishing easier, businesses and individuals can still defend against these threats. By understanding the tactics used by threat actors and implementing effective security measures, the risk of falling victim to phishing attacks can be reduced.”

Recognize that phishing (and smishing, vishing, and qrishing) campaigns are increasing. Stay abreast of the new tactics used, and stay vigilant in identifying and protecting yourself against them.

Phishing, Smishing, Vishing, and QRishing. All of these schemes continue to pose risk to organizations that needs to be assessed and addressed.

Vishing made a strong debut during the pandemic [view related post], and continues to be a scheme that is surprisingly successful.

This week, Morgan Stanley Wealth Management (in the wake of another data breach that was recently settled), notified some of its customers that their accounts were compromised by threat actors impersonating Morgan Stanley employees. According to Morgan Stanley, on February 11, 2022, a threat actor called some of Morgan Stanley’s clients and tricked them into thinking the caller was a Morgan Stanley representative, obtained the customers’ online account information, and gained access to the accounts.

Once that was done, the “bad actor…initiated unauthorized Zelle payments.”

Morgan Stanley disabled the accounts of the customers that were affected by the Vishing scheme and has confirmed that its systems remain secure. It also provided resources to customers on Vishing attacks and how to prevent them.

We have previously alerted you to vishing and smishing schemes [view related post]. A new scheme, using QR codes, is called QRishing or quishing. According to security company Abnormal, between September 15 and October 13, 2021, it identified a new way for hackers to try to get around security measures put in place to keep users from clicking on malicious links or attachments. The phishing campaign they detected was designed to collect Microsoft credentials using QR codes.

According to Abnormal, the threat actors used compromised email accounts to send QR codes that looked like a missed voice mail to users.  Although the threat actors were unsuccessful in getting users to click on the QR code or take a picture of it and send it to their email account in order to click on it, the point is that attackers are getting increasingly more creative and embedding malicious code behind QR codes, which became widely used by restaurants and other establishments during COVID. Many people had never heard of a QR code or used one until COVID hit, and no one seems particularly concerned about taking a picture of a QR code when instructed to do so.

The tip here is to be cautious of QR codes, especially in an email or text, and specifically if someone is asking you to click on it or it is linked to a missed voicemail message. If QR codes are emailed, they might not be detected by the email security system, which is exactly what the attacker has designed it to do so it is delivered to your email box, giving you the chance to click on it and compromise your Outlook credentials. The new mantra is don’t click on suspicious links, attachments, or QR codes.

Impersonation schemes are on the rise, and artificial intelligence (including deep fakes and voice cloning) will only make these schemes more difficult to detect.

Threat actors are emboldened, evidenced by the fact that the Cybersecurity and Infrastructure Security Agency (CISA) recently published an alert that threat actors are impersonating CISA employees in vishing attacks in order to obtain money. (View our previous related posts here.)

Threat actors impersonate government employees to try to scare individuals into providing information and financial payment, including the IRS and the FTC. The FTC has provided numerous Scam Alerts on this subject matter, which can be accessed at www.ftc.gov

CISA reminds us that “CISA staff will never contact you with a request to wire money, cash, cryptocurrency, or use gift cards and will never instruct you to keep the discussion secret.”

Remember that scammers are bold and unscrupulous. Heed the recommendations of CISA and FTC on how to detect and mitigate against impersonation voice calls.

The FBI’s Internet Crime Complaint Center (IC3) recently issued a warning alerting consumers that scammers are using malicious QR Codes to reroute unsuspecting customers to malicious sites to try to steal their data.

Also known as QRishing, [view related post] criminals are taking advantage of our familiarity with QR codes after using them at restaurants and other establishments during the pandemic, to use them to commit crimes. The criminals embed malicious codes into QR codes to redirect a user to a malicious site and then attempt to get the user to provide personal information, financial information or other data that the criminals can use to perpetrate fraud or identity theft.

Embedding malicious code into a QR code is no different than embedding it into a link or attachment to a phishing email or a smishing text. Consumers are not as alert to question QR codes as we are to spot malicious emails and texts.

Hence, the alert from IC3. IC3 is warning consumers to check and re-check any URL generated by a QR code and to be cautious about using them for any form of payment.

QR codes should be viewed as suspiciously as emails and texts. Be cautious when asked to scan a QR code, and refuse to provide any type of personal information or financial information after scanning one.

2021 is behind us. Whether that is positive or negative for you, in my world, it was another record year. A record year of data breaches.

According to The Identity Theft Research Center (ITRC), data breaches in 2021 surpassed the previous record year of 2020 by 17 percent. The incidents ranged from the theft of cryptocurrency (Livecoin went out of business following an attack) to ransomware attacks (Colonial Pipeline), to zero-day vulnerabilities against Microsoft Exchange Server, and finally, the big one: Log4j.

There is speculation that the Log4j vulnerability will last for years. The Log4j vulnerability is so concerning that the FTC issued a warning this week to companies declaring that if companies don’t mitigate the vulnerability, they could be subject to an enforcement action [view related posts here and here].

What does this all mean to us as consumers? Many of us roll our eyes and say “All of our information is out there anyway, so why bother trying to protect it?” I say, don’t give up. Here are a few tips that are still important for protecting your data and your privacy:

  • If your information is compromised, sign up for credit monitoring or a credit freeze if offered.
  • Continue to check your credit report, which you can get for free once a year, to help determine whether any fraudulent accounts have been opened in your name.
  • Protect your Social Security number and driver’s license number. Don’t just give them when asked or fill them in on a form.
  • Mind your cookies.
  • Check the privacy settings on your phone and update them frequently.
  • Opt-in to “do not track” options.
  • Use DuckDuckGo as your browser.
  • Consider the Jumbo privacy app.
  • Read the privacy policies of apps and devices before you download or activate them.
  • Be aware of phishing, vishing, smishing, and qrishing.
  • Understand what IoT devices you have and activate unique passwords for them.
  • Change the default passwords on your home router and wi-fi.
  • Update the software on your devices as soon as you can.

And there are so many more! Check out all of our privacy tips at www.dataprivacyandsecurityinsider.com and don’t give up! Even though 2022 looks to be another whopper year for data breaches, if we don’t try to protect our privacy, then who will?