Microsoft, PayPal, DocuSign, and Geek Squad faked in callback phishing scams

Microsoft, DocuSign, Adobe, McAfee, NortonLifeLock, PayPal, and Best Buy’s Geek Squad are being impersonated online through malicious emails that contain fake telephone support numbers and dangerous QR codes that can ensnare victims into phishing scams.

The brands and their products are frequently relied upon for everyday administration, like sending emails, obtaining signatures, viewing documents, receiving payments, and even getting tech help, which underscores the threat these phishing campaigns pose to small business owners and their shops.

This latest suite of phishing attacks was observed by researchers at Cisco Talos, who discovered that, between May and June, the most impersonated brands for emails containing PDF attachments, in order, were:

  1. Microsoft
  2. NortonLifeLock
  3. PayPal
  4. DocuSign
  5. Geek Squad

The attacks involve a careful blend of technical evasion and social engineering to arrive in people’s inboxes and to send those people on a dangerous path—online or over the phone—into eventually handing over important login credentials or even downloading malware directly onto their computers.

The emails themselves, according to Talos researchers, often avoid phishing detection because the email bodies are blank. Without any text to review, phishing detection engines that rely strictly on text become somewhat useless.

But the cybercriminals in these attacks still have to trick targets with their emails, so they instead attach PDFs to those emails that are cleverly structured to automatically load when a person opens just the email, not the attachment. What the targets see, then, is nearly indistinguishable from a regular email: a convincing company logo, a paragraph or two about an urgent need, and a telephone number, link, or QR code that the reader can follow to “fix” the issue.
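For mail administrators, the pattern described above (an effectively blank body plus a PDF attachment) can be checked directly on the raw message. The following is an added example, not code from Cisco Talos or from this article; the function names, the sample message, and the 20-character threshold are assumptions, and a match is a reason to route the email for closer inspection rather than a verdict.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

MIN_BODY_CHARS = 20  # assumed threshold for "effectively blank"; tune on real mail

def build_sample(body_text):
    """Constructed test message with a placeholder PDF attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example.test"
    msg["To"] = "owner@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content(body_text)
    msg.add_attachment(b"%PDF-1.4\n% constructed placeholder\n",
                       maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    # Round-trip through bytes so the checks run on a parsed raw message.
    return message_from_bytes(msg.as_bytes(), policy=policy.default)

def visible_text(msg):
    """Text a body-only filter would see: non-attachment text parts, tags stripped."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        if part.get_content_disposition() == "attachment":
            continue
        text = part.get_content()
        if part.get_content_subtype() == "html":
            text = re.sub(r"<[^>]+>", " ", text)
        chunks.append(text)
    return " ".join(" ".join(chunks).split())

def pdf_attachments(msg):
    """Names of parts that are PDFs by MIME type, file name, or magic bytes."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if (part.get_content_type() == "application/pdf"
                or name.lower().endswith(".pdf")
                or data.startswith(b"%PDF-")):
            names.append(name or "(unnamed)")
    return names

def blank_body_with_pdf(msg):
    """True when the body carries almost no text but a PDF is attached."""
    return len(visible_text(msg)) < MIN_BODY_CHARS and bool(pdf_attachments(msg))
```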

One fraudulent email from “Microsoft” teased a potential raise with more information behind a QR code, another claimed to arrive from “Adobe” containing a file from “Human Resources,” two emails—one from “McAfee,” another from “PayPal”—included fake invoices for hundreds of dollars, and one falsely claimed that a target had a set of downloads to access through “Dropbox.”

As witnessed by the security researchers, many of the emails in these phishing campaigns are part of a broader type of attack called “telephone-oriented attack delivery” or, more simply, “callback phishing.” In these types of attacks, targets are tricked into taking their conversations to an entirely separate medium—the phone—where they can be preyed upon further, the researchers said.

“Victims are instructed to call a specific number in the PDF to resolve an issue or confirm a transaction. Once the victim calls, the attacker poses as a legitimate representative and attempts to manipulate them into disclosing confidential information or installing malicious software on their computer.”

Researchers also discovered emails that contained malicious QR codes that, if scanned by victims, would send them to a separate phishing website. The phishing sites themselves also impersonate brands: researchers found fake login pages for Microsoft and Dropbox.

How to stay safe from phishing

Though the callback phishing scams discovered by cybersecurity researchers involved clever techniques to make sure they reached people’s email inboxes, the rules of phishing detection still apply for everyday businesses. Here are the clear signs of a phishing scam (some of which were present in the callback phishing emails above):

  • The email invokes urgency, fear, or confusion. Scammers trick people into clicking on dangerous links or calling unknown numbers because a bigger (fake) problem needs to be addressed immediately. Slow down before taking action.
  • The email includes attachments. It is extraordinarily rare to receive an attachment in an email from a company that you merely do business with. Don’t trust any attachment from someone you don’t personally know.
  • The email comes from an unknown sender. Even if the email looks like it has arrived from a major company or a known contact, the email address itself can be spoofed—and sometimes through rather lazy attempts, like replacing letters with numbers or adding a period in the address that shouldn’t be there.
  • The email includes a QR code. QR codes can easily hide malicious links. Be wary around any you find inside emails.

It’s important to be able to detect phishing scams on your own, but mistakes happen everywhere, every day. That’s why the best protection requires an active antimalware solution with web protection.