Phishing by post

We’ve talked about phishing emails several times before; phishing by post is an interesting variant.

Instead of sending an email (which costs virtually nothing for the sender), people in Switzerland have received phishing letters—yes, by post.

But how can phishing by post even work, you ask?

The letters were designed to resemble a letter from a government agency—so they looked official—and contained a request to scan a QR code, allegedly to download an app. In this particular case, the QR code didn’t go to an official app store, and the app contained malware.

Obviously the cost of sending a letter has gone up a lot recently, so it is thought that this must be a highly targeted campaign aimed only at high-value individuals. Otherwise the return on investment for the scammer would be very poor.

Of course, this kind of attack could also be used against senior people in your organisation—those with access to sensitive and valuable business data. Perhaps a letter ‘from HMRC’ would work, inviting them to check their pensions.

We suggest making staff aware of this kind of attack, and recommending that they only download apps from the official app stores, whether using their business mobiles or their personal ones. Also, if your staff are using their phone to scan a QR code, they should check that the link it goes to looks legitimate before opening it. This is, of course, good advice anyway, but this example might just catch people’s attention—so why not share it in one of your regular team meetings?

How can we help? Contact the Click and Protect team to talk about your cyber security needs.