Phishing Attempt in the Mailbox – An Old Scam in a New Disguise

Cyber criminals have discovered a new means of attack: postal delivery. Customers of a Swiss bank recently fell victim to a fraud attempt in which a fake letter was waiting in their letterbox. Fraudsters used a QR code on the fake letter to try to gain access to the recipient's accounts. This so-called “quishing” — a combination of phishing and QR code — is not an isolated case. Customers of a German bank also recently fell victim to a similar scam by post. We show you what makes “quishing” so dangerous and what security measures you can take against it.

What’s Behind the Fake Bank Letters?

The Zurich cantonal police warn of a fake letter purporting to come from a bank. The recipients are asked to change their PhotoTAN login, a security procedure in online banking. But behind the letter are cyber criminals. Anyone who scans the QR code on the letter ends up on a fake website. This phishing page imitates the appearance of the bank, including its logo and hotline number. Victims are asked to enter their personal access data and to take a photo of the bank's genuine activation letter issued when the account was opened. Anyone who follows this request inadvertently gives the fraudsters full access to their bank account.

A similar approach was used in a phishing attempt on customers of the German bank previously mentioned. Here too, deceptively genuine-looking letters with a QR code were sent out, leading victims to a fake website where they were asked to enter their bank account details.

Why Does "Quishing" Work?

Phishing attempts in the letterbox are unusual. While we are often more cautious with e-mails, letter post is considered a secure communication channel. Until now, banks have focused their warnings on digital channels such as email, SMS or WhatsApp and largely ignored the potential threat posed by phishing letters. 

“Quishing” cleverly exploits this security gap. It is a form of social engineering in which recipients are put under pressure to act quickly and rashly due to an apparent sense of urgency. 


How Can You Better Protect Your Portals and Customers?

Banks and other providers of digital services and portals have a responsibility to make their customers aware of potential scams. However, they can also take a number of technical steps to prevent such fraud attempts from being successful. We have put together three recommendations for you:

Recommendation 1: Single-use Activation Codes

The attempted phishing via letter post and QR code has exposed a vulnerability in the authentication process. The attack aims to exploit the QR code of the existing, reusable activation letter. Such reusable activation codes are a security risk, because an attacker who obtains a copy can use the code to register their own device as a second factor. An authentication procedure that does not rely on reusable activation codes is therefore more secure.

For security reasons, Airlock 2FA does not use activation codes that can be used multiple times. This prevents attackers from registering their own devices as a second factor and linking them to another person's eBanking account. A similar attack would therefore not be possible with Airlock 2FA. To activate new devices, we recommend sending new activation codes via an independent and secure channel.

Recommendation 2: Warn and Delay

Bank customers should be informed immediately of security-relevant events, such as access from a new device. This can be done via various channels such as SMS, email or push messages.

Delayed activation of new devices has proven effective in preventing fraud attempts in some regions, particularly in Asia. In Singapore, for example, the regulator stipulates that a newly registered mobile device may only be used for security-critical actions after at least 12 hours. This time delay gives the account holder sufficient opportunity to respond to the notification and take appropriate action in the event of unauthorized access.

Airlock IAM supports these security measures by enabling notifications about security-relevant events on various channels. In addition, the activation of new mobile devices can be delayed if necessary. 
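The following is an added example, not code from Airlock or from this article, that models the two mechanisms described in Recommendations 1 and 2: activation codes that are consumed on first use and expire, a notification on every device registration, and a 12-hour hold before a newly enrolled device may authorise security-critical actions. The code lifetime of 15 minutes and the event names are assumptions.

```python
import secrets
from dataclasses import dataclass, field

ACTIVATION_CODE_TTL = 15 * 60    # assumed: a code is valid for 15 minutes
NEW_DEVICE_HOLD = 12 * 60 * 60   # 12 h cooling-off period, as cited for Singapore


@dataclass
class Device:
    device_id: str
    registered_at: float


@dataclass
class Account:
    account_id: str
    devices: dict = field(default_factory=dict)        # device_id -> Device
    pending_codes: dict = field(default_factory=dict)  # code -> expiry time
    notifications: list = field(default_factory=list)  # (event, device_id)

    def issue_activation_code(self, now: float) -> str:
        """Mint a fresh, random, short-lived code; it is delivered out of band."""
        code = secrets.token_urlsafe(16)
        self.pending_codes[code] = now + ACTIVATION_CODE_TTL
        return code

    def register_device(self, code: str, device_id: str, now: float) -> bool:
        """Recommendation 1: the code is consumed on first use, so a copy of
        the letter (or a replayed code) cannot enrol a second device."""
        expiry = self.pending_codes.pop(code, None)  # removed whether or not it is valid
        if expiry is None or now > expiry:
            self.notifications.append(("device_registration_rejected", device_id))
            return False
        self.devices[device_id] = Device(device_id, now)
        # Recommendation 2: notify the customer immediately on a separate channel
        self.notifications.append(("new_device_registered", device_id))
        return True

    def may_perform_critical_action(self, device_id: str, now: float) -> bool:
        """Recommendation 2: a newly enrolled device is held back for
        NEW_DEVICE_HOLD before it may authorise security-critical actions."""
        dev = self.devices.get(device_id)
        return dev is not None and now - dev.registered_at >= NEW_DEVICE_HOLD

    def revoke_device(self, device_id: str) -> None:
        """What the customer does when the notification was not expected."""
        if self.devices.pop(device_id, None) is not None:
            self.notifications.append(("device_revoked", device_id))
```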

Recommendation 3: Secure Login Procedures Against Phishing

FIDO2 is currently the only login procedure that can consistently prevent phishing attacks in the browser, because the credential is cryptographically bound to the origin of the site that registered it and cannot be used on a lookalike domain. Apple, Google, and Microsoft have high hopes for the further development of this standard under the name “Passkeys”. These access keys could replace the unpopular passwords in the long term.

However, there are still some challenges for financial institutions that cannot be fully resolved with FIDO2 alone. These include the question of whether passkeys meet the requirements of the PSD2/3 regulations with regard to strong customer authentication (SCA). In addition, the confirmation of sensitive transactions with FIDO2 is only possible to a limited extent. 

Airlock IAM supports both FIDO2 and passkeys as well as other passwordless login methods. FIDO2 support is continuously adapted to developments in operating systems and browsers to ensure an optimal balance between user experience and security.
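To show why FIDO2 logins resist the kind of fake website used in the letters above, here is an added example (not Airlock's code) of the origin, challenge and rpIdHash checks a relying party performs on a WebAuthn assertion; signature verification is left out, and the relying-party id `bank.example` and the helper functions that build test inputs are assumptions.

```python
import base64
import hashlib
import json

RP_ID = "bank.example"                       # assumed relying-party id
ALLOWED_ORIGINS = {"https://bank.example"}   # the only origin this RP accepts


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def check_assertion(client_data_b64: str, auth_data: bytes, expected_challenge: str):
    """Origin, challenge and rpIdHash checks from the WebAuthn relying-party
    verification procedure (signature verification is out of scope here).
    Returns (ok, reason)."""
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    # The browser writes the origin into clientDataJSON and it is covered by the
    # signature; a lookalike phishing site therefore produces a different origin.
    origin = cd.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin!r} not allowed"
    # The authenticator scopes the credential to the rpId the browser derived
    # from the origin; the first 32 bytes of authenticatorData carry its hash.
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def make_client_data(origin: str, challenge: str) -> str:
    """Constructed stand-in for what a browser would produce."""
    cd = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return base64.urlsafe_b64encode(json.dumps(cd).encode()).decode().rstrip("=")


def make_auth_data(rp_id: str) -> bytes:
    """Constructed authenticatorData: rpIdHash || flags || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
```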

Conclusion: No Simple Remedy

The FIDO2 standard, passkeys and the resulting user experience are constantly evolving. For this reason, we are continuously adapting Airlock to the latest technical possibilities and the specific needs of our customers. Which login method is most suitable for your company and whether a combination of different methods makes sense depends on your individual requirements. 

We are happy to help you find the right balance between a user-friendly experience and the highest security standards. With over 250 active banking customers in more than 20 countries, we know the needs and challenges of the financial sector inside out. 

Our final recommendation is therefore: let us advise you. We look forward to hearing from you. 
