Kingston Police warn of ‘blank image phishing’ scams

Many email providers include security filters which check emails for malicious links or attachments. Kingston Police have issued a release outlining a new way cybercriminals are bypassing these filters called “blank image phishing.”

“The scam starts with a fake email that appears to be from DocuSign,” Kingston Police explained. “The email asks you to review and sign a document as soon as possible and contains an HTML attachment. Instead of an important document, the attachment is a blank SVG [Scalable Vector Graphic – essentially an image file] with malicious code. Because this code is hidden inside the attachment, the email can bypass security filters.”

According to police, when a user downloads the attachment, the code will redirect to a malicious website that will prompt the user to enter sensitive information. “If you enter this information, cybercriminals can use it for their own purposes,” police said.

Kingston Police provided the following tips to help everyone stay safe from similar scams:

• Always think before you download an attachment. This type of cyberattack is designed to trick you into downloading attachments impulsively.
• Never click a link or download an attachment in an email that you aren’t expecting. While this attack targets DocuSign users, this scam could be used with any organization that manages electronic agreements.
• Enable multi-factor authentication (MFA) on your accounts when it is available. MFA adds an extra layer of security and lowers the chance of cybercriminals logging in to your account.