Phishing isn't "just another annoying email." In 2024 the FBI's Internet Crime Complaint Center (IC3) logged 859,532 complaints and $16.6 billion in reported losses, both records. Phishing/spoofing was the most frequently reported complaint type (source: FBI IC3 2024 Internet Crime Report).
The new phishing landscape (what's changed since last year)
- QR-code phishing ("quishing"): posters, emails, even package slips that urge you to scan. The code typically opens a look-alike login page, or drops malware outright, with no visible URL to hover over. Regulators such as the FTC say to treat unexpected QR codes as suspicious.
- OAuth/consent phishing: instead of stealing your password, attackers trick you into granting an untrusted app permission to read your mail or files. Once granted, that access survives a password change until the grant is revoked. Proofpoint has reported ongoing Microsoft-impersonating OAuth campaigns into 2025.
- MFA fatigue / "push bombing": repeated push prompts at odd hours until you tap Approve just to make them stop. Microsoft's advice: move to phishing-resistant MFA (passkeys/FIDO2) and harden push prompts (for example, number matching instead of a bare Approve button).
Use the P.A.U.S.E. method for any unexpected message
P — Pause: Breathe. Scammers make money from urgency ("pay today," "approve within 10 minutes").
A — Address: Expand the sender's address and read the domain from the right. The registrable domain is the last two labels (or three for suffixes like co.uk), so company.com.secure-verify[.]info belongs to secure-verify[.]info, not company.com.
U — Unmask the link: Hover on desktop before clicking; long-press on mobile to preview the destination. For a QR code, preview the decoded link first, and don't scan codes on flyers or in emails you weren't expecting.
S — Separate channel: Don't reply to the message. If "your bank" called, dial the number on the back of your card or type in the address of the site you already know.
E — Escalate/report: At work, use the "Report Phishing" button. In the U.S. you can also file a report with the FBI's IC3.
Red flags you can spot in under a minute
- "From" display name and "From" domain don't match (the brand name looks right, the domain doesn't).
- Look-alike domains: micr0soft.com, microsoft-secure-account.net.
- Link text doesn't match the URL (the hover preview differs from the visible text).
- Unexpected QR codes or shortened links (especially for shipping, payroll, or password resets).
- Unsolicited app-access prompts ("Authorize this application to access your email"). If you didn't start the flow, deny and report it; this is the classic consent-phishing pattern.
- Repeated MFA prompts you didn't initiate (often late night or early morning).
How to verify a suspicious message (step by step)
- Quarantine it: don't download, click, or reply.
- Check the sender: expand the header and confirm the domain actually belongs to the company.
- Inspect every link and QR code: if the destination is unfamiliar or misspelled, don't click.
- Verify through a safe channel: call your bank using the number on your card; contact IT through your usual corporate app; or reach the site by typing its address yourself.
- If you're prompted for consent: cancel, then review your connected apps and revoke anything you don't recognize. Proofpoint's research identifies malicious OAuth apps as a recurring technique.
If you clicked or approved, do this right now
- Disconnect the device from risky networks (public Wi-Fi).
- Change the password for the affected account from a different device.
- Enable phishing-resistant MFA (passkeys/FIDO2) wherever possible. Microsoft's 2024 guidance puts this at the top of the list.
- Revoke app access and tokens (Google/Microsoft account settings, or through your administrator). A password change alone does not cancel an OAuth grant.
- Report it: use your phishing report button or your SOC process. U.S. consumers can file at IC3; organizations can consult CISA's guidance on recognizing and reporting phishing.
For businesses: quick wins you can apply within 30 days
- Add one-click reporting in the mail client and route the reports to a monitored mailbox or the SIEM. CISA's guidance emphasizes clear reporting paths and ongoing awareness.
- Lock down app consent: allow only pre-approved OAuth applications and alert on new enterprise app registrations. This shuts down consent phishing at the source.
- Go phishing-resistant on MFA: prioritize passkeys/FIDO2 for admins and high-risk roles, and reduce push-based prompts to limit MFA fatigue.
- Detect today's lures: add detections and policies for QR codes, link shorteners, and newly registered domains in email and chat. (Pair this with user training so legitimate business use of QR codes has a safe path.)
- Practice the "oops" playbook: write a short runbook for clicked link / authorized app / entered credentials. Include who to contact, what to capture (headers, URLs), and how to reset and revoke quickly. CISA provides practical templates you can adapt.
Common examples (and how to dismantle them)
"Payroll changes are needed today"
- Why it's risky: urgent tone, an unfamiliar sender domain, and a link preview that doesn't match your HR portal.
- How to handle it: report it, then confirm with HR through your usual channel before changing anything.
"Package undeliverable, scan to confirm"
- Why it's risky: a QR code embedded in an email or a printed notice, plus the surprise-delivery theme.
- How to handle it: don't scan; check your real account with the carrier or use the carrier's own app. The FTC specifically warns about QR-based lures.
"Microsoft would like access to your email"
- Why it's risky: a consent screen for an application you didn't initiate.
- How to handle it: deny, then review and remove suspicious apps; tell IT. Proofpoint has tracked an active wave of OAuth impersonation.
A checklist you can print (stick it by your monitor)
- Unexpected request involving passwords, money, payroll, or packages
- Urgency or threats ("today," "final notice")
- Sender domain doesn't match the brand or company
- Link/QR leads to an unknown domain
- Request to authorize an app you didn't start
- MFA prompts you didn't trigger
- If you feel anxious or rushed: P.A.U.S.E. and confirm through a known channel
Bottom line
Phishing targets your speed and your stress. Slow down, P.A.U.S.E., and verify outside the message itself. If you do slip, act immediately: reset credentials, revoke app access, and report it. The data shows the problem is widespread and expensive, but a few simple habits plus phishing-resistant MFA stop most of these attacks before they start.
Further reading: IC3's 2024 figures (scale), the FTC's QR-code warnings (new lures), Proofpoint's OAuth research (consent phishing), and Microsoft/CISA guidance on phishing-resistant MFA and user reporting.