Researchers at INKY Technology Corp. today detailed a new image-based phishing scam that uses brand impersonation to encourage a victim to contact those behind the scam by phone rather than click on a link or download a file.
INKY researchers have observed attackers adopting a technique called image-based phishing in phone scams. The phishers draft the lure as they would any other phishing email, render the whole thing as a single image and send only that image to their victims, so the message itself never appears as text in the email.
Because most email clients render the image inline rather than showing an empty message with a file attached, recipients have no visual cue that they are looking at a screenshot rather than an HTML message with text. And because there are no links to click or attachments to open, the email feels safe. Delivering the lure as an image is an evasion tactic: anti-spam and email security filters that inspect message text have no text to inspect, so a plain image typically passes through unexamined.
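The defensive flip side of that evasion is that an image-only message has a recognizable shape: an inline image and little or no real text. The following is an added example for this article, not INKY's code or anything from the report, showing a minimal gateway-style heuristic that surfaces that shape. The two sample messages, the 40-character threshold and the placeholder image bytes are constructed for the example.

```python
"""Heuristic check for image-only phishing emails.

Added example, not INKY's code. Flags a message whose visible body is little
more than an inline image. Samples and the text threshold are constructed.
"""
import email
import re
from dataclasses import dataclass
from email import policy
from email.message import EmailMessage

# Constructed stand-in for an image payload; the detector never decodes it.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64


@dataclass
class Verdict:
    image_only: bool      # inline image present and almost no real text
    text_chars: int       # visible characters across text/plain and text/html parts
    inline_images: int    # image parts a client would render in the body
    links: int            # URLs in plain text plus href= attributes in HTML


def analyze(raw: bytes, min_text_chars: int = 40) -> Verdict:
    """Parse one RFC 5322 message and score it (threshold is an assumed default)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text_chars = inline_images = links = 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_maintype() == "image":
            # A missing Content-Disposition is rendered inline by most clients.
            if (part.get_content_disposition() or "inline") == "inline":
                inline_images += 1
        elif part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_content()
            if part.get_content_subtype() == "html":
                links += len(re.findall(r"href\s*=", body, re.I))
                body = re.sub(r"<[^>]+>", " ", body)  # crude tag strip, enough here
            else:
                links += len(re.findall(r"https?://", body, re.I))
            text_chars += len(re.sub(r"\s+", " ", body).strip())
    return Verdict(
        image_only=inline_images > 0 and text_chars < min_text_chars,
        text_chars=text_chars,
        inline_images=inline_images,
        links=links,
    )


def build_image_only_sample() -> bytes:
    """Constructed phish: HTML body is just an <img>, the 'invoice' is a picture."""
    msg = EmailMessage()
    msg["Subject"] = "Your annual plan has been renewed"
    msg["From"] = "billing@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg.set_content('<html><body><img src="cid:invoice"></body></html>',
                    subtype="html")
    msg.add_related(FAKE_PNG, maintype="image", subtype="png",
                    cid="<invoice>", filename="invoice.png",
                    disposition="inline")
    return bytes(msg)


def build_newsletter_sample() -> bytes:
    """Constructed legitimate mail: real text plus a decorative inline image."""
    msg = EmailMessage()
    msg["Subject"] = "October product update"
    msg["From"] = "news@example.invalid"
    msg["To"] = "reader@example.invalid"
    msg.set_content(
        "Hi there,\n\n"
        "This month we shipped hardware-key login and a new audit log.\n"
        "Read the notes at https://example.invalid/notes\n"
    )
    msg.add_attachment(FAKE_PNG, maintype="image", subtype="png",
                       filename="banner.png", disposition="inline")
    return bytes(msg)


if __name__ == "__main__":
    for label, raw in (("phish", build_image_only_sample()),
                       ("newsletter", build_newsletter_sample())):
        print(label, analyze(raw))
```

The check only sees the shape of the message, not its content: the phone number and the renewal story live inside the pixels, so reading them would take OCR, which this example deliberately leaves out. In practice the flag is a routing signal (quarantine, OCR, or a banner for the recipient) rather than a verdict, since marketing mail with a large banner and a short caption will trip the same threshold.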
In one example, the researchers observed bad actors impersonating Geek Squad (pictured) with potential victims receiving an email that their subscription with Geek Squad had been renewed for a year and a significant amount of money would be debited from their accounts within 24 hours.
Recipients who call the phone number shown in the email are offered ways to stop the payment, which include installing remote access tools on their computers so the "support agent" can resolve the issue. Victims who comply are then directed to a malicious site that requests their banking information, and are told to buy gift cards in order to be reimbursed for the Geek Squad charges.
The technique’s effectiveness relies on causing victims to panic that they’re about to be charged for goods or services they did not purchase. By generating an emotional reaction, those behind the scam are hoping that it will impair the judgment of victims and cause them to take the bait.
“The natural response is to get right on the phone and try to back out of the order, or, barring that, find a way to obtain a refund,” the researchers explain. “The phishers take advantage of this disrupted emotional state to extract personal or financial information before the victim realizes that something is off.”
Beyond awareness, the researchers offer little in the way of technical countermeasures against such scams. They note that trusted brands will never contact people asking for personal information or payments related to support issues unless the customer has previously engaged them directly. Nor should anyone call a phone number found in an unsolicited email; anyone wanting to reach a company should use the number on the firm's official site.