Criminals are using this stupidly simple tactic to send malicious links - and it's working

A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
(Image credit: weerapatkiatdumrong / Getty Images)

Criminals are using a remarkably straightforward tactic to try and direct victims to phishing links - but the bad news is that it appears to be working.

Usually, hackers would draft this elaborate email trying to convince the victims to click on a link found at the bottom of the message. These emails would either tell the recipients they urgently needed to download an antivirus or cancel a pending transaction that will leave them broke, or something similar.

However, cybersecurity researchers from Check Point Harmony Email have uncovered that some hackers are replacing all of that with a simple image. Instead of typing out a long email and risking being found out by typos or bad grammar, these attackers simply generate a promotional image - a flyer informing the recipients they’ve won a prize or are invited to participate in a some kind of competition.

Obvious scam

The picture would then be hyperlinked and would direct the victims to a phishing page where they’d give away sensitive information. Sometimes it’s just an email address, and sometimes it’s passwords, personally identifiable data that can be used in identity theft, and more.

Recipients with a keen eye would be able to quickly see through the fraud: all it takes is a hover of the mouse over the image for the hyperlink to appear. These links have nothing to do with the brands impersonated in the images, which is a clear red flag that a scam is afoot.

However, the researchers are saying the trick is working and that many people - instead of deleting the phishing email - end up clicking the image and falling prey to the attackers. 

Furthermore, by not displaying a link at all, hackers are succeeding in bypassing URL filters, one of the more popular methods of safeguarding inboxes.

To defend against such attacks, the researchers say IT teams should implement security that looks at all URLs and emulates the page behind it. They should also leverage URL protection that uses phishing techniques as an indicator of an attack, and deploy AI-based anti-phishing software capable of blocking such content across the entirety of the productivity suite.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.