[Typical Case of the Year]Can you receive subsidies by scanning the QR code? Notify social security to process online?Beware of phishing scam

As life becomes more and more digital, it has never been easier to complete various businesses and services. With just a tap of the mobile phone screen, people can do things quickly and conveniently. However, while people are enjoying the convenience brought by this digitalization, some criminals are also waiting for the opportunity in secret, using various means to create fraud scams and trying to make profits from it.

“Chain phishing” is an emerging trend of subsidy fraud emails. This attack method usually involves account theft. The attacker first steals the email account of someone within an organization through various means, and then uses this account to send fraudulent emails to other email addresses under the same domain name.

These emails appear to come from trusted sources within the organization, and employees are relatively less vigilant about emails from the same domain name, which makes “chain phishing” attacks particularly dangerous.

Your account*** anomaly alert!

The link in the email body points to the phishing website https://www.nametopx.com/

This kind of title can easily arouse people's attention and nervousness. In the nervousness and anxiety, people ignore the steps to verify the authenticity of the email, and then follow the instructions in the email, and finally fall into the trap set by the scammer.

After defrauding the user's email account and password, the attacker logged into the victim's email address and sent batches of financial fraud emails to users in the domain through the organization's address book, titled “2023 Third Quarter Personal Labor Subsidy Application Notice.” The attacker will also change the name of the stolen account to the Finance Department to enhance the credibility of the phishing email.

As shown in the case, scammers will pretend to be the company's finance department and induce employees or the public to perform so-called “scan code authentication collection” by sending emails with QR codes. However, these QR codes often link to malicious websites.The goal is to steal your personal and financial information。

Once you follow the instructions in the email and scan the QR code, you will enter the fake Ministry of Human Resources and Social Security website. Enter your bank card number, ID number, mobile phone number, name and SMS verification code. Your bank account is likely to be compromised. With illegal access, your hard-earned money may evaporate in an instant.

Nowadays, scammers are becoming more and more sophisticated. They do more than just send an email or a text message. Some have really worked hard to make the scam look more real, even pretending to be an official website, such as the website of the Ministry of Human Resources and Social Security.

Imagine you open a website that looks extremely official. The page design, font usage, and even the layout of each button are exactly the same. Then, suddenly, a bay window pops up, looking like an official notification to induce you to click in.

Once you click on the picture and click on the bay window, you can probably guess what happens next – the page will ask you to fill in some personal information, such as your name, ID number, bank account information, etc. At this time, you may still be thinking: “Wow, this official website is quite user-friendly. You can even apply for subsidies online.” However, stop for a moment and think about it. Really, official organizations would do this so easily. Are you asked to fill in such sensitive information online? Can you accept the risks hidden behind this?

1. Fraudulent techniques:

1. Email subject Re: Personal labor subsidy application notice for the third quarter of 2023

2. Attachment: Supplementary materials related to the third quarter personal labor subsidy registration statistics of the Ministry of Human Resources and Social Security in 2023.docx

3. Linked phishing – a new trend in subsidy fraud emails: usually combined with stolen accounts, sent to other mailboxes with the same domain name; guided through the QR code to enter the fake Ministry of Human Resources and Social Security website to defraud bank card information

2. Protection suggestions:

First of all, tools like Coremail Email Security Gateway already have powerful interception capabilities and can effectively identify and block subsidized phishing scam emails. The email security gateway's intra-domain email detection function can provide an additional layer of protection against fraudulent emails from within the same organization, which is particularly effective in preventing internal phishing attacks that use stolen accounts.

Secondly, account security can be greatly enhanced by implementing two-factor authentication and using client-specific passwords. These measures provide double protection for account security and can effectively prevent unauthorized access even when account information is stolen.

03. Improve security awareness

Finally, strengthening security awareness training is key to preventing phishing attacks. By regularly showing and explaining typical phishing email cases to employees, we can help employees establish basic security awareness. In addition, utilizing a threat intelligence subscription service like CACTER CAC2.0 can keep organizations and employees informed of the latest phishing attack techniques and prevention strategies, thereby better protecting themselves from online scams.

Typical cases of the year

The above cases are derived from the “2023 China Enterprise Email Security Research Report”. The report records 6 annual typical cases. For more annual typical cases, please go to the website to download the “2023 China Enterprise Email Security Research Report” to view.