Toro-Blog-listing

Phishing, Quishing, Smishing, and Vishing

Written by HQ | Nov 7, 2023 10:19:22 AM

Phishing, Quishing, Smishing, and Vishing – What do they mean and how can you protect yourself   

With cyber-attacks increasing daily, you may have heard about phishing, quishing, smishing, and vishing but what exactly are they? 

In our latest blog written by Gareth Stinton, Cyber Security Specialist, he explains what they each mean and shares some tips on how to protect yourself.  

Phishing (Email Phishing)

This age-old trick relies on tricking individuals through fraudulent emails, posing as trustworthy entities like banks, e-commerce sites, or even government agencies. The term “phishing” is derived from “fishing” as attackers cast their bait widely across the internet hoping to hook unsuspecting victims.   

These emails can be meticulously crafted to appear legitimate, often asking recipients to click on links that lead to counterfeit websites, or to download malicious attachments. 

Picture this scenario: you're sipping your morning coffee and decide to check your email. Amidst the many messages, you spot one claiming to be from a colleague, urgently asking you to review a document by clicking on a link and logging in to your account. You may not think twice and click, only to find out later that you have been maliciously attacked.  

So what can you do? 

  1. Always check the sender's email address, especially for unexpected or unsolicited emails. Legitimate organisations will use their official domains, and often scammers will use slightly altered or bogus email addresses. 
  2. If an email is asking you for something – whether it is information or action – like your credentials to login to your account, stop. Check it is legitimate before going any further.
  3. Refrain from clicking on any links or downloading attachments in emails unless you're certain of their legitimacy. If in doubt, it is safer to visit the organisation's website directly by typing the URL into your browser.
  4. Phishing emails frequently create a sense of urgency to prompt quick action. Take a moment to evaluate the situation.
  5. If you receive a phishing email, report it to your email provider or the appropriate authorities. This helps prevent others from falling victim to the same scam.

Quishing (QR Code Phishing)

Quishing, also known as QR code phishing, has massively increased in popularity as cyber criminals are taking advantage of the widespread use of QR codes in daily life.  

Quishing uses a QR code to carry out a phishing attack, usually either to trick people into revealing sensitive information or infecting devices with malware. Because QR codes obscure the destination of the link it creates a prime opportunity for scammers. QR codes have been around since 1994 when they were invented to track vehicles during manufacturing in Japan, but they didn’t really peak in popularity until Covid when businesses needed to find quick contactless solutions.  

We now use QR codes daily, out in restaurants, to sign up to events, to pay for parking or to view a website on an advert. With the increase in popularity, opportunities for Quishing attacks have massively expanded.  

Picture this scenario: you're in a hurry, late for an appointment, and you rush to pay for parking. You spot a QR code that promises to take you to the payment portal. You scan it, input your bank details, and think you've paid for parking. But in reality, your information has been handed over to a fraudulent third-party site. Another scenario is you are at an exhibition for work, and you see a poster about a networking event happening that evening, with a picture of QR code asking people to scan it to ‘sign up’ you scan that code and malware is downloaded onto your phone.  

QR codes sent via email also have less chance of being picked up by cyber security defences than links or attachments, so please be cautious if you receive an email with a QR code asking you to act.  

So, what can you do to protect yourself: 

  1. Only scan QR codes from trusted sources. Most of the time companies will also give tell you the web address so, if you're unsure, type that into your browser instead.
  2. Keep your mobile devices up to date.
  3. Verify that the website's name matches the business you're dealing with.
  4. Trust your instincts. If something doesn't feel right, report it to the authorities.

Vishing (Voice Phishing)

Vishing, or voice phishing, is basically the modern take on traditional telephone scams. Scammers use urgent or alarming phone calls to trick individuals into sharing personal information or transferring money. The attackers might pose as representatives from banks, and government agencies, or even claim that you've won a prize to try and trick you. 

Picture this scenario, you get a phone call when you are late for the school run, it is someone from your bank telling you that there has been a suspicious transaction on your account, they ask you to verify your bank details so they can resolve the issue. You panic and hand over your details.  

How can you protect yourself: 

  1. Verify unexpected phone requests in ways that aren’t connected to the incoming phone call. For example, call the company’s official telephone number and ask to speak with the caller who is making the request. 
  2. Never share your personal details over the phone unless you’re certain you know who you’re speaking to. 
  3. Never share passwords or multi-factor authentication codes with any caller. 
  4. Don’t answer calls from numbers you don’t know. Let the call go to voicemail and assess it from there. 
  5. Don’t respond to emails or social media messages asking for your phone number unless you know the sender. 
  6. Companies won’t call you to request that you change passwords, network settings, or move your money to a different account. Any caller who makes this type of request is probably a scammer.

Smishing (SMS Phishing)

Smishing, short for SMS phishing, creates fake mobile text messages to try and trick people into downloading malware, sharing sensitive information, or transferring money to cybercriminals.  

Much like their email-based counterparts, smishing messages often mimic trusted sources and employ social engineering tactics to trick the recipient into responding or clicking on the link.   

Even though 3.5 billion smartphones worldwide can receive text messages from any number across the globe, users still tend to place a higher level of trust in text messages, which makes smishing attacks an enticing prospect for cybercriminals, 

Smishers employ a variety of tactics to extract confidential information from their victims. For instance, they might gather basic details about their targets, such as names and addresses, from readily available online sources. Armed with this information, smishers craft messages that appear to come from trusted sources, addressing the recipient by name and even mentioning their location, creating a convincing and compelling narrative. Within these messages, a concealed link points to a server controlled by the attacker, potentially leading to a malicious website designed to harvest credentials or deliver malware capable of compromising the recipient's smartphone. Once the malware infiltrates the device, smishers gain access to sensitive data or silently siphon it to their own servers, leaving victims vulnerable to a host of potential threats.  

Picture this scenario: you receive a text message saying that your streaming subscription service is about to be cancelled due to a payment issue. You are asked to click on a link to “resolve” the issue, you click on the link, and you are sent to a fraudulent website. 

Other types of common smishing attacks claim to be related to tech support, tax claims, your bank, account verification and prize or lottery scams. 

So, what can you do?  

  1. Treat links in texts the same as links in emails. If in doubt, it is safer to visit the organisation's website directly by typing the URL into your browser. 
  2. If you are ever pressured to make payments or share sensitive information, stop, and take a moment to verify the legitimacy and trustworthiness of the source.  
  3. Never engage with texts from unknown or suspicious numbers, even if it's to ask them to stop.  
  4. Keep your phone's operating system up to date 
  5. Maintain a healthy scepticism towards texts requesting personal information, especially if they claim to represent reputable organisations.   

Most attackers use either urgency, curiosity, or fear to trick you into giving away your information. It’s important as you go about your day-to-day life that you take a pause before you act. If something doesn't feel right, then it probably isn't. It’s really important that you trust your instincts and, if in doubt, it’s better to be overly cautious!   

Phishing, Quishing, Smishing, and Vishing are ever-present threats in our digital lives but by understanding how these attacks work and following best practices for online safety, you can significantly reduce your risk of becoming a victim.   

If you are victim of a scam or see something that you suspect could be an attempt at phishing, smishing, quishing or vishing then please report it. Reporting a scam is free and only takes a minute but if everyone acted, we could help prevent future people from becoming victims.  

To report scams please visit https://www.ncsc.gov.uk/collection/phishing-scams  

If you suspect your business has been hacked, please get in touch with Toro today.