First came phishing. Now, consumers and cyberdefenders need to guard against “quishing.”
As the Financial Times (FT) reported Sunday (Oct. 27), banks and regulators are warning against the rise of this type of phishing scam, which involves QR codes.
Banks such as Santander and HSBC have joined the UK National Cyber Security Centre and Federal Trade Commission (FTC) in sounding the alarm about this threat, the report added.
In a quishing scam, criminals will send a QR code in a PDF attached to an email, a strategy that experts say lets them avoid corporate cybersecurity defenses.
“The appeal for criminals is that it’s bypassing all of the [cyber security] training and it’s also bypassing our products,” Chester Wisniewski, a senior adviser at security software company Sophos, told the FT.
As the report noted, most smartphones display a short preview of the URL contained in a scanned QR code, though researchers say this pop-up generally can’t help users determine if a link is fraudulent.
“These attacks take advantage of the fact that QR codes, by nature, are difficult to interpret visually, so victims often don’t know where they are being directed to until it’s too late,” said Amir Sadon, director of research at cybersecurity consultancy Sygnia.
The report added that researchers and fraud managers can’t easily estimate the costs of “quishing” because cybersecurity firms and banks do not typically record the format of malicious links, and because such emails may be just one piece of a larger cyberattack.
However, IBM research has shown that “phishing” attacks — in which scammers send targeted emails with malicious links — are costing businesses more and more, with the global average cost of a data breach climbing nearly 10% to $4.9 million this year.
The rise of quishing attacks comes as cyberthreats plague businesses of all sizes, as PYMNTS wrote last week. At the same time, security is hardly a one-size-fits-all effort and depends largely on how solutions are implemented.
“Boards [of directors] have an increased responsibility for providing effective oversight of cybersecurity and technology risks,” Alicja Cade, director of financial services in the Office of the CISO at Google Cloud, told PYMNTS, saying this is especially true in financial services, where the regulatory environment is becoming more stringent.
Cade said she believes cybersecurity must be “baked into the DNA” of the business. It cannot be siloed within the IT department but must be integrated into every part of the organization, from business processes to leadership decision-making.