
At The Identity Organisation, we're here to help!


    Threat Actors are Using Image-Based Phishing Emails to Lure Victims

    Attackers are increasingly using images in phishing to evade text-based security filters, according to researchers at INKY.

    “Secure Email Gateways (SEGs) and similar security systems are designed to detect basic textual clues that signal phishing,” the researchers write. “One way around that is to design an email without text. In this case, the examples…actually contain no text. That’s right, no text. Instead, the text is embedded in an image and attached to the phishing email. This works because most email clients automatically display the image file directly to the recipient rather than delivering a blank email with an image attached. As a result, recipients don’t know that they are looking at a screenshot of text instead of HTML code with text and since there are no links or attachments to open, the email feels safe.”

    The researchers observed a phishing campaign that used QR codes instead of text-based links.

    “INKY decoded a malicious QR code to see where it was taking recipients,” the researchers write. “As predicted, victims scanning the QR code are unknowingly taken to a phishing site so that their credentials can be stolen. They’re quickly made to feel comfortable because malicious links embedded in QR codes contain the recipient’s email address as a URL parameter to prefill personal data once the phishing site loads. In short, things feel familiar.”
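A triage check for the two traits described above, written as an added example that is not from INKY or the original article: it flags a message that carries an image but almost no machine-readable text, and flags a URL (for instance one already decoded from a QR code by a separate tool) that embeds the recipient's address. The threshold, function names and sample addresses are assumptions made for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlsplit, unquote

MIN_TEXT_CHARS = 20  # assumed threshold: below this the body counts as "no text"

def visible_text(msg):
    """Join text/plain and tag-stripped text/html content from non-attachment parts."""
    chunks = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            continue
        ctype = part.get_content_type()
        if ctype == "text/plain":
            chunks.append(part.get_content())
        elif ctype == "text/html":
            chunks.append(re.sub(r"<[^>]+>", " ", part.get_content()))
    return " ".join(" ".join(chunks).split())

def is_image_only(raw):
    """True when the message has at least one image part and almost no readable text."""
    msg = message_from_bytes(raw, policy=policy.default)
    has_image = any(p.get_content_maintype() == "image" for p in msg.walk())
    return has_image and len(visible_text(msg)) < MIN_TEXT_CHARS

def url_carries_recipient(url, recipient):
    """True when the URL's query string or fragment contains the recipient's address."""
    parts = urlsplit(url)
    decoded = unquote(parts.query) + " " + unquote(parts.fragment)
    return recipient.lower() in decoded.lower()

def build_sample(body_html):
    """Constructed sample message; the PNG bytes are a placeholder, not a real image."""
    m = EmailMessage()
    m["From"] = "it-support@sender.example"
    m["To"] = "user@corp.example"
    m["Subject"] = "Action required"
    m.set_content(body_html, subtype="html")
    m.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
                     maintype="image", subtype="png", filename="notice.png")
    return m.as_bytes()

if __name__ == "__main__":
    print(is_image_only(build_sample('<html><body><img src="cid:notice"></body></html>')))
    print(url_carries_recipient("https://login.site.example/a?e=user%40corp.example",
                                "user@corp.example"))
```

A hit on either check is a reason to route the message for closer review, not a verdict on its own, since legitimate mail can also be image-heavy.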

    INKY offers the following recommendations to help users avoid falling for these attacks:

    • “Recipients should use a different means of communication to confirm whenever they are requested to complete a new task.
    • “Carefully inspect the sender’s email address. In these cases, emails claim to come from Microsoft and the recipient’s employer but the sender’s domain has no relation to these entities.
    • “Don’t scan QR codes from unknown sources. Websites reached by QR codes might host malicious code that exploits vulnerabilities or steals sensitive data.
    • “Be cautious when entering financial and personal information on a site reached with a QR code.”

    New-school security awareness training can help your employees stay ahead of new social engineering tactics.

    INKY has the story.
