Nate Kharrl
Co-Founder & CEO

#18: QR Code Scams on the Rise, Sophisticated Gmail Phishing Attack, Citigroup's Latest Legal Battle

This week, we’re diving into the rise of QR code scams, a sophisticated phishing attack targeting Gmail users, and Citigroup’s latest legal battle over fraud reimbursements. As fraud tactics evolve, financial institutions, tech platforms, and consumers are all feeling the pressure to adapt. Let’s break it down.

NATE'S TAKE - JANUARY 28, 2025

Top Three This Week

  1. QR Code Scams Are on the Rise; Scan With Caution
  2. Phishing Scam Uses Phone Calls and Real Google Security Prompts to Hijack Gmail Accounts
  3. Citigroup Faces Legal Action Over Alleged Fraud Protection Failures

1. QR Code Scams Are on the Rise; Scan With Caution


QR codes are everywhere—from restaurant menus to parking meters—but scammers are taking full advantage of this convenience. A new report warns of an increasing wave of malicious QR code scams, where fraudsters replace legitimate QR codes with ones that redirect users to phishing sites, install malware, or steal login credentials.

Unlike email phishing, these attacks bypass email filters and domain monitoring entirely: the malicious link is decoded on the victim's own phone rather than delivered through a channel that scans it. Fraudsters have been seen pasting fake QR code stickers over official ones in high-traffic areas such as parking stations, transit hubs, and even ATMs. Once scanned, victims unknowingly enter payment or login details into fraudulent websites or install apps that hand the attacker access to the device.

The practical defence is to treat the decoded link with the same suspicion as a link in an unexpected email. Most phone cameras preview the URL before opening it: read the domain carefully, be wary of link shorteners (which hide the real destination) and of any code that leads to a payment or login form, and prefer the provider's app or a typed official address for anything involving money. Check whether a sticker has been pasted over the original code, and avoid scanning codes from untrusted sources. Businesses must also monitor their public-facing QR codes, for example by periodically scanning each deployed code and confirming it still resolves to the printed destination, so that swapped codes are caught quickly.
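As an added example (not code from Spec or from the report summarised above), the script below shows what "double-check the URL" looks like when written down as a check. It takes the string a phone camera would decode (image decoding is out of scope) and lists every reason it should not be opened blindly: non-web payloads, plain http, a trusted name hidden in front of an `@`, IP-literal or punycode hosts, link shorteners, and hosts that merely embed an expected brand as a subdomain of some other domain. A second function covers the business side of the advice by comparing the latest scan of each deployed code against the URL that was printed. The `EXPECTED_HOSTS` allowlist, the `SHORTENERS` list and the sample payloads are constructed for illustration.

```python
"""Triage the payload decoded from a QR code before anyone taps it.

Added example for this issue; not code from Spec or from the report
discussed above. Input is the string a phone camera decodes. The
allowlist, shortener list and sample payloads are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed allowlist: where a business's own printed codes should point.
EXPECTED_HOSTS = {"pay.example-parking.com", "menu.example-cafe.com"}

# Constructed list of link shorteners, which hide the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}


@dataclass
class Verdict:
    payload: str
    risky: bool
    reasons: list[str] = field(default_factory=list)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _registered(host: str) -> str:
    # Last two labels; public suffixes such as co.uk are ignored for brevity.
    return ".".join(host.split(".")[-2:])


def assess_qr_payload(payload: str, expected_hosts: set[str] = EXPECTED_HOSTS) -> Verdict:
    """Collect every reason the decoded payload should not be opened blindly."""
    reasons: list[str] = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()

    # WIFI:, tel:, mailto: and bare text trigger actions instead of opening a page.
    if scheme not in ("http", "https"):
        reasons.append(f"non-web payload (scheme {scheme!r}): review before acting")
        return Verdict(payload, True, reasons)
    if scheme == "http":
        reasons.append("plain http: anything typed in is sent unencrypted")

    # 'https://bank.example@evil.example/' shows the trusted name first.
    if "@" in parts.netloc:
        reasons.append("userinfo before '@' hides the real host")

    host = (parts.hostname or "").lower()
    if not host:
        reasons.append("no host in URL")
        return Verdict(payload, True, reasons)
    if _is_ip_literal(host):
        reasons.append("host is an IP literal, not a named site")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label: possible lookalike domain")
    if host in SHORTENERS:
        reasons.append("link shortener: destination cannot be checked before opening")
    try:
        port = parts.port
    except ValueError:
        port = None
        reasons.append("malformed port")
    if port not in (None, 80, 443):
        reasons.append(f"unusual port {port}")

    if host not in expected_hosts:
        if _registered(host) in {_registered(h) for h in expected_hosts}:
            reasons.append(f"expected domain but unexpected host {host!r}")
        else:
            # 'pay.example-parking.com.secure-login.example' embeds the real
            # brand as a subdomain of an attacker-controlled domain.
            if any(h in host for h in expected_hosts):
                reasons.append("expected brand appears as a subdomain of another domain")
            reasons.append(f"host {host!r} is not an expected destination")

    return Verdict(payload, bool(reasons), reasons)


def audit_deployed_codes(printed: dict[str, str], scanned: dict[str, str]) -> list[str]:
    """Business-side check: ids of deployed codes whose latest scan no longer
    matches the printed URL (a sticker pasted over the code shows up here)."""
    return sorted(cid for cid, url in printed.items()
                  if cid in scanned and scanned[cid].strip() != url)


if __name__ == "__main__":
    for sample in (
        "https://pay.example-parking.com/pay?lot=12",
        "https://pay.example-parking.com@evil.example/login",
        "https://bit.ly/3abc",
        "https://pay.example-parking.com.secure-login.example/",
        "WIFI:T:WPA;S:lobby;P:hunter2;;",
    ):
        v = assess_qr_payload(sample)
        print("RISKY" if v.risky else "ok   ", sample)
        for r in v.reasons:
            print("      -", r)
```

The registered-domain comparison deliberately stays simple; a production version would use a public-suffix list so that `example.co.uk` is handled correctly, and would resolve shortened links server-side before deciding.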

2. Phishing Scam Uses Phone Calls and Real Google Security Prompts to Hijack Gmail Accounts


A new phishing attack is targeting Gmail users by combining phone calls and legitimate Google security prompts to bypass user skepticism and take over accounts. Unlike traditional phishing scams that rely on fake login pages, this scheme leverages real Google services, making it far harder to detect.

The attack begins with a phone call from someone impersonating Google support, warning the victim of suspicious activity on their account. The scammer instructs them to check their Gmail for a real security alert from Google, which contains a link to regain access to their now "blocked" account. Because the email is genuinely sent by Google from a g.co address, the usual sender checks pass, and the victim is pressured into completing the flow.

Because every prompt the victim is walked through is a genuine Google flow, the attacker never has to forge a page or defeat a security check; the victim completes the recovery on the attacker's behalf. From there the attacker resets the password, reads mail, and pivots to any other account that uses the Gmail address for recovery, putting financial and personal data at risk.

The tell is not in the email but in who started the process. An unsolicited call about your account security is itself the red flag, and a recovery or device-approval email is only safe to act on if you initiated it yourself. Hang up on unsolicited "support" calls and never complete a reset flow you did not start.

For a full breakdown of how this attack works, read the original GitHub Gist.

3. Citigroup Faces Legal Action Over Alleged Fraud Protection Failures


Citigroup is currently embroiled in a lawsuit filed by New York Attorney General Letitia James, alleging that the bank failed to protect customers from online scammers and refused to reimburse victims. The lawsuit claims that Citibank's inadequate security measures allowed fraudsters to exploit customer accounts, resulting in significant financial losses.  

Citigroup has denied any wrongdoing, stating that it follows all applicable laws regarding fraud detection and reimbursement. The bank argues that customers must take responsibility for authorized transactions, suggesting that victims were tricked into approving payments rather than experiencing unauthorized fraud.

This legal action reflects a broader trend of increased scrutiny on financial institutions' roles in fraud prevention and reimbursement. Similar issues have been observed with platforms like Zelle (FIF14) and Cash App (FIF17), where banks and fintech companies face criticism for not adequately safeguarding users against scams.

With this in mind, financial institutions may need to enhance their fraud detection systems and reconsider their policies on customer reimbursement to maintain trust and comply with evolving regulatory expectations.

===

That’s all for this week! For more insights, follow us on LinkedIn or X, and if you want to learn more about what we do, visit www.specprotected.com.

Nate Kharrl, CEO and co-founder at Spec, has built leading solutions for application security and fraud challenges since the early days of the cloud era. Drawing from his cyber experience at Akamai, ThreatMetrix, and eBay, Nate helped found Spec to focus on the needs of businesses operating in a landscape of increasing AI risks. Under Nate’s leadership, Spec grew from its mid-pandemic founding to raise $30M in venture-backed funding to build solutions used by Fortune 500 companies transacting billions in online commerce. Spec’s service offerings today include protective measures for websites and APIs that specialize in defending against attacks designed to bypass bot defenses and risk assessment platforms.
