In this likely AI-generated phishing attack, cybercriminals impersonate FedEx by sending an email from a spoofed address with the subject line "Action Required: Address Verification Needed for Package Delivery." The email falsely claims that the recipient must verify their delivery address and contact number by scanning a QR code in a PDF attachment. The message pressures recipients into urgent action by implying that failure to complete the verification will result in shipping delays. However, the QR code directs recipients to a phishing site designed to steal personal information. By mimicking FedEx branding and using a QR code to obscure the malicious link, the attackers attempt to bypass traditional security filters and manipulate recipients into divulging sensitive details.

Older, legacy email security tools struggle to accurately identify this email as an attack because the QR code hides the phishing link from link scanners, the message originates from a spoofed sender, and the body itself contains no suspicious links. Modern AI-powered email security solutions, by contrast, identify potentially malicious QR codes within attachments, recognize that the sender is unknown to the recipient, and detect a mismatch between the sender and reply-to addresses, allowing them to correctly identify the email as an attack.

To stay protected, recipients should avoid scanning QR codes in unsolicited emails and instead verify package updates directly through FedEx’s official website or tracking tools. Organizations can further mitigate risks by educating employees about phishing tactics and deploying advanced security measures to detect and block evolving threats.


Phishing attack posing as fake FedEx notification


Malicious QR code embedded in PDF attachment redirects targets to phishing site

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • QR Code Usage: The use of a QR code to direct recipients to a malicious site can bypass traditional link-scanning mechanisms used by legacy security tools.
  • Spoofed Email Address: The attacker spoofs a legitimate-sounding email address, bypassing basic email verification checks and adding perceived authenticity.
  • Lack of Links: The absence of links in the email body helps it avoid detection by legacy systems that typically rely on link scanning to identify phishing emails.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Attachment with QR Code: The presence of an attachment containing a QR code prompts Abnormal’s systems to scrutinize and flag the email for potential malicious activities, as this is not a common method used by legitimate internal communications.
  • Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established sender-recipient interaction patterns.
  • Reply-to Address Mismatch: The email includes a reply-to address that differs from the sender's address, further raising suspicion and prompting Abnormal's systems to analyze the email more deeply.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
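As an added illustration of the three indicators listed above (example code written for this page, not Abnormal's detection logic), the following Python scores a constructed message modelled on the page's description. The addresses, the communication history, the use of a PDF attachment as the trigger for QR scrutiny, and the three-indicator threshold are all assumptions.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)

# Constructed communication history: recipient -> addresses that have
# previously written to them (stands in for a platform's sender history).
KNOWN_SENDERS = {"recipient@victim.example": {"colleague@victim.example"}}


def build_sample() -> EmailMessage:
    """Constructed message modelled on the page: FedEx-branded display name,
    a Reply-To that differs from From, a PDF attachment, no links in body."""
    msg = EmailMessage()
    msg["From"] = "FedEx Delivery <notifications@fedex-delivery.example>"
    msg["Reply-To"] = "verify@collector.example"
    msg["To"] = "recipient@victim.example"
    msg["Subject"] = "Action Required: Address Verification Needed for Package Delivery"
    msg.set_content("Scan the QR code in the attached PDF to verify your address "
                    "and contact number, or your shipment may be delayed.")
    # Placeholder bytes, not a real PDF; only the MIME type matters here.
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="Address_Verification.pdf")
    return msg


def score_message(msg: EmailMessage, known_senders: dict) -> dict:
    """Return the indicators the page lists, each True when present."""
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    return {
        # Reply-To present and pointing somewhere other than the sender.
        "reply_to_mismatch": bool(reply_to) and reply_to != from_addr,
        # Sender has never written to this recipient before.
        "unknown_sender": from_addr not in known_senders.get(recipient, set()),
        # A PDF attachment is the trigger for QR scrutiny; decoding the QR itself
        # would require rendering the PDF and running an image QR decoder.
        "pdf_attachment": any(p.get_content_type() == "application/pdf"
                              for p in msg.iter_attachments()),
        # No URL in the body, so link scanning alone would see nothing.
        "no_links_in_body": not URL_RE.search(text),
    }


def is_suspicious(indicators: dict, threshold: int = 3) -> bool:
    """Assumed policy: flag when at least `threshold` indicators co-occur."""
    return sum(indicators.values()) >= threshold
```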

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Vector: Link-based
Goal: Credential Theft
Tactic: Masked Phishing Link; Branded Phishing Page; Mismatched Reply-To Address
Theme: Fake Shipping Notification
Impersonated Party: Brand
Impersonated Brands: FedEx
AI Generated: Likely
