Ask Jack: What Do I Need To Know About Malware Delivery Beyond Phishing?

By Jack McCalmon, The McCalmon Group, Inc.

We spend a lot of time and money training employees on how to spot phishing. Are there other potential threats that we need to address?


There are many ways criminals deliver malware.

One is when the malware is built into a new peripheral or loaded onto a used peripheral, like a memory device or a camera. You plug in the peripheral, and it delivers a load of malware.

Another is via adware, where malware is triggered when a user selects an ad on a website. Malware delivered through social media posts is also very common.

Obviously, phishing and other social engineering techniques are how criminals deliver a lot of malware. Training on phishing is important, but you want to make certain your trainees do not leave a session believing email or text phishing is the only risk.

A lady in Singapore is reported to have been a victim of malware that stole money from her bank account while she slept after she downloaded a survey using a QR code in a store. The 60-year-old saw an advertisement for a free drink if she downloaded the survey, so she took a shot of the QR code with her camera and took the survey. Then, in the middle of the night, her phone lit up and she was locked out of her device. The scammers took $20,000 from her bank account. Here is how they did it according to the source:

…when the victim scans the QR code, he is prompted to download an app containing malware and is made to grant access to the phone's microphone and camera.

He is also asked to enable Android Accessibility Service, an app intended to assist users with disabilities, which allows the scammer to view and control the victim's screen.

The scammer waits for the victim to use his mobile banking app and notes his login credentials and password. The scammer can also disable the facial recognition function, so the victim has to physically key in his details to log into his account, allowing the crook to record the information.

The scammer then accesses the camera to monitor the victim's activity, waiting for the right moment to strike.

At night, when the victim is sleeping, the scammer takes control of the phone through the malware.

He logs into the victim's mobile banking app and transfers money out of his bank account.

The final takeaway is that you should train your employees to treat their devices as a fortress. As with the Trojan Horse, the only way for criminals to get in (unless the malware is pre-loaded) is if employees let them into their fortress.
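For administrators who manage Android phones, the two conditions in the account above (an app that did not come from an app store, with Accessibility Service enabled for it) can be checked over adb. The Python script below is an added example, not part of the original column or its source; the sample command output, the package names and the trusted-installer list are constructed assumptions.

```python
import re

TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Google Play only

# Constructed output: adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.passwords/.AutofillA11yService:"
               "com.example.freedrink.survey/.HelperService")
# Constructed output: adb shell pm list packages -i
SAMPLE_INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=null
package:com.example.passwords  installer=com.android.vending
package:com.example.freedrink.survey  installer=null
"""
# Constructed output: adb shell pm list packages -s  (preinstalled system apps)
SAMPLE_SYSTEM = "package:com.google.android.marvin.talkback\n"

def parse_installers(pm_output):
    """Map package -> installer package, or None when no installer is recorded."""
    found = re.findall(r"^package:(\S+)\s+installer=(\S+)", pm_output, re.M)
    return {pkg: (None if inst == "null" else inst) for pkg, inst in found}

def parse_system(pm_output):
    """Set of preinstalled package names."""
    return set(re.findall(r"^package:(\S+)", pm_output, re.M))

def parse_a11y(setting_value):
    """Split the colon-separated 'package/class' list; empty or 'null' means none."""
    value = setting_value.strip()
    if value in ("", "null"):
        return []
    return [tuple(c.split("/", 1)) for c in value.split(":") if "/" in c]

def flag_services(a11y_value, installers_out, system_out):
    """Return enabled accessibility services that are neither preinstalled
    nor installed by a trusted store."""
    installers = parse_installers(installers_out)
    system = parse_system(system_out)
    findings = []
    for pkg, cls in parse_a11y(a11y_value):
        if pkg in system or installers.get(pkg) in TRUSTED_INSTALLERS:
            continue
        findings.append((pkg, cls, installers.get(pkg) or "no installer recorded"))
    return findings

if __name__ == "__main__":
    for pkg, cls, inst in flag_services(SAMPLE_A11Y, SAMPLE_INSTALLERS, SAMPLE_SYSTEM):
        print(f"REVIEW {pkg} service={cls} installer={inst}")
```

On a real device, replace the three sample strings with the output of the adb commands named in the comments. A flagged entry is a prompt to ask the user what the app is and why it has screen access, not proof of malware.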

Jack McCalmon, Leslie Zieren, and Emily Brodzinski are attorneys with more than 50 years combined experience assisting employers in lowering their risk, including answering questions, like the one above, through the McCalmon Group's Best Practices Help Line. The Best Practice Help Line is a service of The McCalmon Group, Inc. Your organization may have access to The Best Practice Help Line or a similar service from another provider at no cost to you or at a discount. For questions about The Best Practice Help Line or what similar services are available to you via this Platform, call 888.712.7667.

If you have a question that you would like Jack McCalmon, Leslie Zieren, or Emily Brodzinski to consider for this column, please submit it to Please note that The McCalmon Group cannot guarantee that your question will be answered. Answers are based on generally accepted risk management best practices. They are not, and should not be considered, legal advice. If you need an answer immediately or desire legal advice, please call your local legal counsel.









