Threat Actors are Using Image-Based Phishing Emails to Lure Victims



Attackers are increasingly using images in phishing emails to evade text-based security filters, according to researchers at INKY.

“Secure Email Gateways (SEGs) and similar security systems are designed to detect basic textual clues that signal phishing,” the researchers write. “One way around that is to design an email without text. In this case, the examples…actually contain no text. That’s right, no text. Instead, the text is embedded in an image and attached to the phishing email. This works because most email clients automatically display the image file directly to the recipient rather than delivering a blank email with an image attached. As a result, recipients don’t know that they are looking at a screenshot of text instead of HTML code with text and since there are no links or attachments to open, the email feels safe.”

The researchers observed a phishing campaign that used QR codes instead of text-based links.

“INKY decoded a malicious QR code to see where it was taking recipients,” the researchers write. “As predicted, victims scanning the QR code are unknowingly taken to a phishing site so that their credentials can be stolen. They’re quickly made to feel comfortable because malicious links embedded in QR codes contain the recipient’s email address as a URL parameter to prefill personal data once the phishing site loads. In short, things feel familiar.”

INKY offers the following recommendations to help users avoid falling for these attacks:

  • “Recipients should use a different means of communication to confirm whenever they are requested to complete a new task.
  • “Carefully inspect the sender’s email address. In these cases, emails claim to come from Microsoft and the recipient’s employer but the sender’s domain has no relation to these entities.
  • “Don’t scan QR codes from unknown sources. Websites reached by QR codes might host malicious code that exploits vulnerabilities or steals sensitive data.
  • “Be cautious when entering financial and personal information on a site reached with a QR code.”

New-school security awareness training can help your employees stay ahead of new social engineering tactics.

INKY has the story.


Free QR Code Phishing Security Test

Did you know dynamic QR code scans increased 433% globally from 2021 to 2022? Try our free QR Code Phishing Security Test to identify users that are most susceptible to these types of attacks so you can train them to think twice before scanning QR codes and build a stronger security culture.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to a person)
  • Select from 35 languages and choose one of 3 templates
  • Choose from a “red flags missed” or a “404 error” landing page
  • Get a PDF emailed to you in 24 hours with your Phish-prone Percentage

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/qr-code-phishing-security-test
