
Most Popular Phishing Scams Posing as Human Resources and Information Technology Departments

Attackers continue to rely on phishing emails, and their most successful campaigns are the ones that imitate internal correspondence.

Most Frequently Opened Phishing Scams Masquerade as Human Resources and IT Departments

In the digital age, phishing remains a significant concern for organizations worldwide. Cybercriminals continue to target businesses with attempted or actual payments fraud, often using business email compromise and spoofed internal communications as their tactics of choice [1].

A recent study by KnowBe4 revealed that approximately 60% of phishing failures involved emails referencing internal teams, with nearly half specifically mentioning HR [2]. This underscores the importance of employee education as a critical component of an organization's fraud defenses.

The Association for Financial Professionals reported that an alarming 79% of organizations experienced attempted or actual payments fraud over the past year [1]. As the threat landscape evolves, it is increasingly incumbent upon organizations to adapt their defenses to stay ahead of this growing problem.

One such evolution is the use of QR codes in phishing attacks, also known as "quishing." These attacks can be particularly effective: the message often looks professional, and because the malicious URL is encoded in an image rather than written as a text link, traditional security filters that inspect only the text of an email may not see it. Organizations must, therefore, adopt a multi-pronged approach to combat these novel phishing methods [3].

Employee Training and Awareness

Training employees to recognise QR code phishing and phishing attempts disguised as internal communications is crucial. Regular simulated phishing and QR code phishing tests can increase vigilance, while clear policies restricting the scanning of QR codes from unsolicited emails or documents, especially PDFs, can help reduce risk [2]. Establishing easy reporting procedures for suspicious QR codes or unexpected internal-looking communications is also essential [2].

Technical and Security Controls

Deploying AI-based email filtering capable of analysing the full content of PDFs and attachments can help detect embedded malicious QR codes or spoofed internal messages. Endpoint protection that monitors user behaviour after a QR code scan or email interaction can help detect suspicious activity. URL filtering, phishing detection tools, and browser developer tools can analyse redirect chains triggered by QR code scans [1][2]. Restricting access to login portals via geo-fencing and device fingerprinting can reduce the risk from compromised credentials. Implementing Mobile Device Management (MDM) to monitor and control corporate mobile endpoints is also advisable [1][2].
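As an added illustration of the spoofed-internal-message checks described above (example code written for this article, not from KnowBe4, SANS or any other cited source), the following Python script parses constructed sample emails with the standard library and flags the patterns a mail filter would look for: a display name claiming to be HR or IT while the sender domain is external, a Reply-To pointing at a different domain, a sender domain that borrows the organisation's own name, and an external message that pairs a PDF attachment with a request to scan a QR code. The internal domain corp.example, the three sample messages and the keyword lists are all assumptions.

```python
"""Triage rules for mail that impersonates internal HR/IT teams.

Added example, not from the article. Parses raw messages with the standard
library and flags the patterns the article describes. corp.example is an
assumed internal domain; every message below is a constructed sample.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"corp.example"}   # assumption: the organisation's own mail domains
TEAM_RE = re.compile(r"\b(hr|human resources|it|helpdesk|help desk|payroll|benefits)\b")
QR_RE = re.compile(r"\b(scan|qr code)\b")


def sender_parts(header_value):
    """Split 'Name <user@domain>' into lowercase (name, address, domain)."""
    name, addr = parseaddr(header_value or "")
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.lower(), addr.lower(), domain


def is_internal(domain):
    return domain in INTERNAL_DOMAINS or domain.endswith(tuple("." + d for d in INTERNAL_DOMAINS))


def imitates_internal(domain):
    """Crude lookalike check: an external domain that embeds the organisation's
    own brand label (e.g. 'corp' inside corp-example-support.test)."""
    if not domain or is_internal(domain):
        return False
    brand_labels = {d.split(".")[0] for d in INTERNAL_DOMAINS}
    squashed = re.sub(r"[^a-z0-9]", "", domain)
    return any(label in squashed for label in brand_labels)


def body_text(msg):
    """Concatenate all text/plain parts, lowercased, for keyword matching."""
    chunks = [part.get_payload(decode=True).decode("utf-8", "replace")
              for part in msg.walk() if part.get_content_type() == "text/plain"]
    return " ".join(chunks).lower()


def has_pdf_attachment(msg):
    return any((part.get_filename() or "").lower().endswith(".pdf") for part in msg.walk())


def triage(raw_message):
    """Return a list of human-readable findings; an empty list means no rule fired."""
    msg = message_from_string(raw_message)
    findings = []
    name, _addr, domain = sender_parts(msg["From"])
    external = not is_internal(domain)
    if external and TEAM_RE.search(name):
        findings.append("display name claims an internal team but sender is external")
    if imitates_internal(domain):
        findings.append("sender domain imitates an internal domain")
    _, reply_addr, reply_domain = sender_parts(msg["Reply-To"])
    if reply_addr and reply_domain != domain:
        findings.append("Reply-To domain differs from sender domain")
    if external and has_pdf_attachment(msg):
        findings.append("external sender attached a PDF")
    if external and QR_RE.search(body_text(msg)):
        findings.append("message asks the recipient to scan a QR code")
    return findings


# Constructed samples (not real mail). The PDF payload is just "%PDF-1.4".
SAMPLE_LEGIT = """From: HR Team <hr@corp.example>
To: alice@corp.example
Subject: Updated holiday calendar
Content-Type: text/plain

The 2025 holiday calendar is now on the intranet.
"""

SAMPLE_SPOOFED = """From: Human Resources <hr-notices@mail-updates.test>
Reply-To: hr-portal@secure-docs.test
To: alice@corp.example
Subject: Action required: review your benefits enrolment
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Open the attached PDF and scan the QR code to confirm your enrolment.
--b1
Content-Type: application/pdf; name="enrolment.pdf"
Content-Disposition: attachment; filename="enrolment.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

SAMPLE_LOOKALIKE = """From: IT Helpdesk <helpdesk@corp-example-support.test>
To: alice@corp.example
Subject: Password expiry notice
Content-Type: text/plain

Your password expires today. Scan the QR code to reset it.
"""

if __name__ == "__main__":
    for label, raw in (("legit", SAMPLE_LEGIT), ("spoofed", SAMPLE_SPOOFED),
                       ("lookalike", SAMPLE_LOOKALIKE)):
        print(label, "->", triage(raw) or ["no findings"])
```

The rules are deliberately independent so that a single finding (for example, a Reply-To mismatch on an otherwise internal-looking message) can be routed to a reviewer or used to add a warning banner, while several findings together justify quarantining the message. The lookalike heuristic is crude by design; a production filter would compare against the organisation's registered domains and known typosquats rather than a brand label.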

QR Code Governance and Usage Policies

Auditing internal QR code generation and usage can ensure only secure, branded, and traceable QR codes are used for official communications. Regularly verifying that legitimate QR codes have not been tampered with or replaced by malicious ones is also important [2].

Incident Response Preparation

Developing clear response procedures for suspected or confirmed phishing/quishing incidents is essential. These procedures should instruct users to disconnect from networks, change passwords, scan for malware, and notify IT/security teams promptly [2].

Additional User-Level Guidance

Encouraging users to verify URLs before entering credentials after scanning QR codes, avoiding scanning QR codes in unexpected packages or unsolicited PDFs, using password managers that autofill only on known legitimate domains, and keeping operating systems and security software up to date can further strengthen an organization's defenses [1][2][4].
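To make the "verify the URL" and "autofill only on known domains" advice concrete, here is an added Python example (not from the article or any of its cited sources) that follows the redirect chain a scanned QR code would trigger and then applies the strict whole-hostname match a password manager uses before filling credentials. Network requests are replaced by a constructed redirect table so the code runs offline; the portal hostnames login.corp.example and sso.corp.example, and every URL in the table, are assumptions.

```python
"""Check where a QR-code URL actually lands before trusting it.

Added example, not from the article. Shows two of the user-level checks
the article recommends: following the redirect chain behind a scanned URL,
and the strict "known hostname" rule a password manager applies before
auto-filling. REDIRECTS is a constructed table standing in for HTTP 3xx
responses so that no network access is needed.
"""
from urllib.parse import urlsplit

KNOWN_LOGIN_HOSTS = {"login.corp.example", "sso.corp.example"}   # assumption

# Constructed redirect table: scanned URL -> next hop. Nothing here is real.
REDIRECTS = {
    "https://qr.link-shortener.test/a1b2": "https://track.ads-network.test/r?u=1",
    "https://track.ads-network.test/r?u=1": "https://login.corp.example.account-verify.test/",
    "https://qr.link-shortener.test/ok": "https://login.corp.example/",
    "https://loop.test/a": "https://loop.test/b",
    "https://loop.test/b": "https://loop.test/a",
}


def resolve_chain(url, max_hops=10):
    """Return every URL visited, ending at the landing page, at max_hops,
    or at the first repeated URL when the chain loops."""
    chain = [url]
    while url in REDIRECTS and len(chain) <= max_hops:
        url = REDIRECTS[url]
        chain.append(url)
        if chain.count(url) > 1:   # loop: stop after recording the repeat
            break
    return chain


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_known_host(url):
    """Password-manager rule: the whole hostname must match an allowlisted
    portal. 'login.corp.example.account-verify.test' begins with the real
    portal name but is a different host, so it does not qualify."""
    return host_of(url) in KNOWN_LOGIN_HOSTS


def assess(scanned_url):
    """Resolve the chain and report whether credentials may be auto-filled,
    together with warnings a user should see before proceeding."""
    chain = resolve_chain(scanned_url)
    final = chain[-1]
    warnings = []
    hops = len(chain) - 1
    if hops > 1:
        warnings.append(f"{hops} redirects before landing page")
    if host_of(final) != host_of(scanned_url):
        warnings.append("landing host differs from scanned host")
    if len(set(chain)) < len(chain):
        warnings.append("redirect loop detected")
    if not is_known_host(final):
        warnings.append("landing host is not a known login portal")
    return {"chain": chain, "autofill_allowed": is_known_host(final), "warnings": warnings}


if __name__ == "__main__":
    for u in ("https://login.corp.example/", "https://qr.link-shortener.test/ok",
              "https://qr.link-shortener.test/a1b2", "https://loop.test/a"):
        r = assess(u)
        print(u, "->", r["chain"][-1], "| autofill:", r["autofill_allowed"], "|", r["warnings"])
```

The important design choice is that `autofill_allowed` depends only on the final hostname and uses exact set membership, never a prefix or substring test; this is what stops a lookalike such as login.corp.example.account-verify.test from receiving credentials. The warnings are kept separate so that a legitimate shortener link that does land on the real portal still prompts the user to look at the chain it took.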

The increasing use of QR codes in business communications, especially post-pandemic, has made quishing a growing attack vector. Ongoing vigilance and adaptation of defenses to these novel phishing methods are, therefore, essential [3].

Social engineering, in combination with convincing emails, has proven particularly effective for cybercriminals. Employees must be conditioned to question every communication to minimise the risk of falling victim to these tactics [2].

A recent breach at the U.S. Office of the Comptroller of the Currency serves as a stark reminder of the potential consequences of a single compromised account. Criminals gained access to thousands of highly sensitive emails for over a year, underscoring the importance of robust cybersecurity measures [1].

Organizations that combine proactive training, advanced detection technologies, strict QR code policies, and incident readiness are best positioned to mitigate this rising threat [3].

Sources:

[1] KnowBe4 (2021) [Available at: https://www.knowbe4.com/]

[2] SANS Institute (2021) [Available at: https://www.sans.org/]

[3] Cybersecurity Dive (2021) [Available at: https://www.cybersecuritydive.com/]

[4] TechRadar (2021) [Available at: https://www.techradar.com/]

  1. Given the recent surge in QR code usage in business communications, it is imperative for organizations to educate their employees on recognizing QR code phishing attempts and internal communications that may be spoofed.
  2. In the face of evolving phishing tactics like "quishing," where QR codes are used maliciously, it is essential for businesses to incorporate multi-pronged measures such as technical controls, user guidance, and incident response preparedness in their cybersecurity strategy.
