Criminals are constantly innovating ways to enhance deliverability and increase the success of their campaigns. Email phishing remains one of the most significant threats to organizations, but a growing number of campaigns are first touching victims via non-traditional lures or through engagement on platforms where users are more susceptible to scams.
Understanding how online threats are evolving and where they live can be challenging for security teams. New tactics are often spawned as a result of a trending technique proven successful in other online attacks. Fortra recently hosted a Brand Threats Masterclass Q&A with Digital Risk Protection experts to better understand the top threats security teams should anticipate in 2024 and proven defense strategies to protect their brands. Below we discuss the threat of QR codes, hybrid vishing, and the application of AI in threats, and how to protect against them.
QR Codes Delivered via Email
QR code abuse in email is one example where criminals use a successful attack tactic and replicate it in another space. QR phishing emails trick unsuspecting victims into scanning the code presented in the email body, causing them to land on fraudulent websites or download malware onto their devices. QR phish have increased in popularity due to their ability to bypass many security controls and a general lack of security awareness around their associated risks.
Enterprises have faced obvious risks with QR phish delivered via SMS, as these types of attacks live outside the traditional corporate environment. However, emails containing QR codes are the opposite, targeting corporate inboxes specifically. These threats are still relatively difficult to block, with many email security systems lacking the ability to extract URLs from QR codes and inspect them for malicious content. As a result, these threats are not flagged the way a traditional phishing email containing a link or attachment would be.
[Image: Microsoft QR phish targeting a global non-profit]
The move to incorporate QR codes into email is a perfect example of combining two familiar tools to mislead users. Fortra’s email security expert Eric George spoke to this in Fortra’s recent Brand Threats Masterclass. “Email lures incorporating QR codes are the bridge between mobile and traditional email,” noted George. “Threat actors are taking advantage of how familiar the public has become with QR codes.”
“In [a recent large-scale phishing campaign detected by Fortra researchers], threat actors incorporated both QR codes and links in separate phishing emails to redirect victims to a phishing site, similar to A/B testing. Much to our surprise, the volume of phish detected using QR codes was more than three times greater than the phishing links.”
[Image: Docuphish containing a QR code]
Failing to recognize a QR scam and subsequently scanning the code can result in stolen credentials, stolen cash, or an infected device. To protect against these threats, security teams should focus on a combination of technology and employee reporting. One way to capture QR code threats is by implementing Optical Character Recognition (OCR). OCR is the process of detecting and extracting text from an image file, an image embedded within an electronic document, or a scan of a document, and it will fully inspect suspicious messages that make it into user inboxes. Additionally, employees should be trained to quickly report any suspicious emails.
Hybrid Vishing
Phishing emails containing phone numbers, also known as hybrid vishing, have seen exponential growth over the past year, with reports of email lures containing phone numbers nearly doubling over the course of 2022. These attacks often take the form of unexpected invoices, with telephone numbers as the primary point of contact.
Hybrid vishing attacks have continued to dominate response-based phishing reports in 2023, overtaking historical leader 419 scams, according to Fortra’s Suspicious Email Analysis. Most recently, hybrid vishing reports totaled nearly 40% of all response-based phish. In 2024, Fortra experts anticipate this tactic will only grow.
Much of the growth of hybrid vishing can be attributed to its ability to bypass email controls. “Phone numbers can be much harder to block,” stated George. “And as a result we’re seeing an increase in phone numbers coming in both enterprise and consumer email-targeted attacks.”
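The following triage sketch is an added example, not Fortra's code. It covers the two link-free lure types described above: a billing-themed message whose only point of contact is a phone number, and an image-only message that should be routed to image analysis for QR decoding (the decoding step itself is not included). The regexes, keyword list, verdict labels and sample messages are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage, Message

URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.I)
# Assumption: North American style numbers, e.g. +1 (800) 555-0142 or 800-555-0142
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
# Assumption: a small keyword list for unexpected-invoice themes
BILLING_RE = re.compile(
    r"\b(?:invoice|receipt|subscription|renewal|charged|refund)\b", re.I)

def triage(msg: Message) -> dict:
    """Count links, phone numbers and images, then pick a routing verdict."""
    text, images = [str(msg.get("Subject", ""))], 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            images += 1
        elif ctype in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            text.append(raw.decode(charset, "replace"))
    body = "\n".join(text)
    urls, phones = URL_RE.findall(body), PHONE_RE.findall(body)
    if not urls and phones and BILLING_RE.search(body):
        verdict = "hybrid-vishing-candidate"   # phone is the only call to action
    elif not urls and images:
        verdict = "qr-image-candidate"         # nothing for a URL scanner to see
    else:
        verdict = "standard-url-scan"
    return {"urls": len(urls), "phones": len(phones),
            "images": images, "verdict": verdict}

def sample(subject: str, body: str, image: bool = False) -> EmailMessage:
    """Build a constructed test message; the image bytes are a placeholder."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    if image:
        m.add_attachment(b"\x89PNG constructed placeholder",
                         maintype="image", subtype="png", filename="code.png")
    return m

if __name__ == "__main__":
    print(triage(sample("Your subscription renewal invoice",
        "You were charged $349.99. To cancel, call +1 (800) 555-0142.")))
    print(triage(sample("Re-authenticate your account",
        "Scan the code below with your mobile device.", image=True)))
```

Messages given either candidate verdict would otherwise pass a URL-only scanner untouched, which is why they are routed to a separate review or image-analysis queue here.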
The top three ways criminals attempt to monetize hybrid vishing attacks are:
- ID Theft
- Credit Card Fraud
- Malware Implant
The challenges associated with hybrid vishing should be met with strong security awareness training and reporting capabilities. AI-generated lures will only add confusion to the legitimacy of email-based threats, and education on how to identify these attacks should be prioritized.
Below are two examples of hybrid vishing attacks.
The Application of AI
AI continues to grow in sophistication, with government agencies issuing warnings about the ways in which deepfakes or AI-generated impersonation can be abused to target organizations. Disinformation campaigns are capable of occurring across a variety of channels, with both legitimate and illegitimate tools utilizing data science readily available to threat actors.
Fortra experts anticipate that in 2024 artificial intelligence will be increasingly weaponized in two spaces in particular: social media and email.
Social Media
In 2023, attacks impersonating executives on social media surpassed those that targeted brands for the first time since reporting on this data. Many of these attacks have identifiers indicative of artificial intelligence, and range from deepfakes to plagiarized images to AI-generated conversations. According to Omri Benhaim, Director of Social Media Threat Intelligence at Fortra, these attacks are increasingly sophisticated, with human-like traits that make them difficult for users and security controls to identify.
“It’s getting to a point now that it’s not going to be just prerecorded deep fake videos that they’re using, but actual AI chatbots where they’re having conversations with the people that they are trying to scam,” stated Benhaim during Fortra’s Brand Threats Masterclass. “And you can imagine how deep that can go in terms of what they could get victims to do.”
Social media is an especially desirable channel to launch AI-driven attacks, with 60% of the global population on at least one platform. Its role among online users is also being redefined, with younger subscribers using social spaces to communicate with and research brands.
Evidence pointing to AI application on social media includes visual patterns that repeat artistic styles, anomalies within images, and object size in comparison to humans.
Email
Generative AI will fuel more personalized email lures in the new year as bad actors increasingly use applications such as ChatGPT to produce grammatically correct text on demand, according to Fortra experts. Once again, Eric George voiced concerns around opportunistic threat actors, stressing how advanced AI application will only make attacks more compelling.
“It’s no secret that we as average consumers have some level of personal data that’s exposed on the internet, whether it’s credentials we put into a platform that became compromised, or data we put on social profiles,” said George. “Gone are the days you have an ‘inheritance from a distant prince’ type of scam and enter the days of personalized lures that are going to be much more effective overall.”
AI is also capable of creating polymorphic malware that evades security controls. Through “prompt engineering,” the process of modifying input to bypass content filters, ChatGPT can be used by even the most inexperienced actors to mutate code for advanced attacks. As large language models improve and consume more data, this has the potential to create AI threats only detectable by other AI models.
Looking Forward
QR code phishing, hybrid vishing, and the application of AI in social media and email are predicted to be the top threats of 2024. As AI-generated content and cross-channel threats become the norm, organizations should have a clear understanding of how these attacks manifest and how best to prevent compromise. Security teams should approach each threat type with a combination of broad detection, advanced technology such as Optical Character Recognition, and robust employee education.
Enhanced visibility through Digital Risk Protection solutions and a presence across channels such as social media are equally critical, as there are countless attack vectors and ways in which AI can be used to create believable content for malicious purposes.