Physical mail phishing is a newer form of social engineering that goes beyond traditional email and text message phishing. Companies send physical letters every day, and now cybercriminals are too. Using QR code phishing and other tactics, attackers can turn a trip to your mailbox into a cyberattack. In this blog, we’ll dive into the rise of physical mail phishing and how it differs from typical social engineering scams.
What is Physical Mail Phishing?
Phishing is a technique for attempting to acquire sensitive data where a criminal pretends to be a legitimate business or reputable person. Phishing is a form of social engineering, or an attack using human interaction to obtain or compromise sensitive information.
We most often see phishing through email, text messages, fake ads, and social media platforms. Phishing is the most common type of cyberattack, with an estimated 3.4 billion phishing emails sent each day.
Physical mail phishing is similar to email or text message phishing except it uses physical mail and lands in your mailbox. These attacks are significantly rarer in number than traditional email phishing. Yet physical mail phishing attacks are continuing to rise, and we’re seeing more reports of them each year. This year we saw a physical mail phishing attack targeting users of well-known cryptocurrency hardware wallets.
The letter impersonated real companies and asked the recipient to complete an authentication check by scanning a QR code on the paper. This is known as QR code phishing, or the use of a QR code for phishing. If users scanned the code, they would be directed to a fake website to steal their credentials.
[Image: Physical mail phishing example. Photo by BleepingComputer]
Similarities and Differences from Online Phishing
Physical mail phishing and traditional online phishing share many similarities, but they also differ in important ways. These are the similarities and differences we have found:
Similarities:
- Both rely on social engineering tactics such as urgency, authority, and fear
- The goal is typically credential theft, financial fraud, or malware installation
- Impersonation of trusted entities
- Often attempt to redirect victims to fake login portals
Differences:
- Delivery Method: Physical mail phishing arrives through postal services, while online phishing is delivered via email, text, or messaging platforms.
- Security Bypass: Physical mail bypasses the security controls that email must pass through, such as spam filters, secure gateways, and endpoint detection tools.
- QR Code Phishing Component: These attacks often use QR codes to move the victim from a physical letter to a malicious site.
- Perceived Legitimacy: People are increasingly aware of online phishing scams, but physical mail phishing is still unfamiliar to most individuals.
While the delivery method may differ, the underlying manipulation remains the same. Whether it arrives in an inbox or a mailbox, phishing depends on social engineering to trick individuals into acting.
Understanding these similarities and differences is only the first step. The next critical step is knowing how to recognize the warning signs before damage occurs.
How to Spot Social Engineering Scams
There are several ways to identify social engineering scams. We recommend using the Sender, Links, Attachments, and Message (SLAM) method when dealing with any kind of phishing attack. Here’s how you can use the SLAM method if you ever receive a direct mail phishing letter:
- Sender: Verify the sender’s identity by checking return addresses, contact details, and any inconsistencies before engaging.
- Links: Avoid typing in links or scanning QR codes without confirming they lead to a legitimate and expected destination.
- Attachments: Do not open, plug in, or submit any enclosed documents or devices unless they have been independently verified.
- Message: Be cautious of urgent, threatening, or confidential language that pressures you to act quickly or bypass normal procedures.
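The "Links" step above is the one that matters most for QR code phishing: the letter gives you no visible URL, so the destination has to be checked after the code is decoded and before anyone follows it. The following Python script is an added example, not code from the original post or from Kirkham IronTech; it assumes a hypothetical allowlist (`example-wallet.com`) standing in for the brand the letter claims to come from, and flags the common ways a decoded URL fails the "legitimate and expected destination" test.

```python
"""Check a URL decoded from a QR code against the domain the letter claims to be from."""
from urllib.parse import urlparse
import ipaddress

# Constructed allowlist for illustration: the real domain of the brand named on the letter.
EXPECTED_DOMAINS = {"example-wallet.com"}  # hypothetical legitimate domain

# Shorteners hide the final destination, so a decoded QR URL pointing here cannot be verified.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}


def _is_ip(host: str) -> bool:
    """True if the host is a literal IP address rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_qr_url(url: str, expected=EXPECTED_DOMAINS) -> list:
    """Return a list of warnings; an empty list means the URL is on an expected domain over https."""
    warnings = []
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https"):
        warnings.append(f"unexpected scheme '{parsed.scheme}'")
    elif parsed.scheme == "http":
        warnings.append("plain http, not https")
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        warnings.append("no hostname")
        return warnings
    if "@" in parsed.netloc:
        warnings.append("userinfo before host (text before '@' is not the real destination)")
    if _is_ip(host):
        warnings.append("raw IP address instead of a domain")
    if "xn--" in host or not host.isascii():
        warnings.append("internationalized/punycode host (possible lookalike characters)")
    if host in KNOWN_SHORTENERS:
        warnings.append("URL shortener hides the final destination")
    # Accept the expected domain itself or any of its subdomains, nothing else.
    matched = any(host == d or host.endswith("." + d) for d in expected)
    if not matched:
        brand_tokens = {d.split(".")[0] for d in expected}
        if any(tok in host for tok in brand_tokens):
            warnings.append(f"brand name appears inside unexpected domain '{host}'")
        else:
            warnings.append(f"host '{host}' is not an expected domain")
    return warnings
```

Run it on the decoded string from any QR reader; a non-empty result means the letter fails the SLAM "Links" check and should be verified through the company's published contact channels instead.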
Recognizing these warning signs is critical, but awareness must be paired with action. As physical mail phishing and QR code phishing continue to evolve, organizations need a proactive approach to defending against social engineering.
Strengthening Defenses Against Social Engineering
Physical mail phishing has already targeted businesses. A report from the FBI last year warned executives of physical mail threatening to leak sensitive or corporate data. A former agent of the FBI said that physical mail adds a different layer of intimidation, makes the recipient feel more vulnerable, and bypasses traditional cybersecurity defenses.
The addition of QR code phishing makes these attacks even more dangerous, quickly moving victims from a trusted-looking letter to a malicious website designed to steal sensitive data. Organizations can no longer assume phishing only exists in inboxes or online.
A security-first organization anticipates threats before they can cause damage. If your business has not evaluated its exposure to evolving threats like physical mail phishing and QR code phishing, now is the time. Strengthen your security strategy with Kirkham IronTech, and ensure your organization is prepared to defend against cyberattacks like social engineering.
Tom Kirkham brings more than three decades of software design, network administration, and cybersecurity knowledge to organizations around the country. During his career, Tom has received multiple software design awards and founded other acclaimed technology businesses.