Phishing, Quishing, Vishing, and Smishing
Just when you thought it was safe to go back in the water…
Most people are familiar with the term “phishing,” which describes emails sent by malicious hackers to coax the email recipient (the victim) into clicking on a link that asks them to divulge personal information or login credentials. Sometimes, the victim’s computer is infected with malware that could damage files, steal data from the device, or intercept secure communications (such as with their bank, credit card company, or investment firm).
What are the common elements of phishing?
Phishing is a form of social engineering designed to make the target take an action without giving it much thought. The malicious email contains “bait” that the attacker hopes the victim will click on. Typical phishing attacks use variations on several themes:
- An email that threatens severe legal or financial penalties if an action is not taken right away. Sometimes, a phony invoice is attached, demanding payment immediately.
- An email purporting to be from a familiar brand (bank, retail store, software company) that advises the victim that their account has been compromised. Ironically, taking the link and entering your credentials will actually compromise your account.
- The promise of a valuable prize, “Take the link to register to win!”
By instilling a sense of urgency, the victim rarely gives themselves time to look for signs of malicious intent. Once the victim takes the link, they are presented with a webpage that appears to be from a legitimate firm. They are then asked to enter their login information. Alternatively, the link might trigger the victim’s device to download malware (ransomware, man-in-the-middle, spyware, etc.) in the background. Once installed, malware can be used by the hacker to access features of the infected device, such as data storage, network connections, location information, lists of contacts, or access to the device’s camera and microphone.
Phishing variations
Many companies have instituted email screening programs to protect employees by identifying and removing suspicious phishing emails. Of course, that only leads to bad actors finding alternative methods to get what they want.
So now, in addition to phishing, we have quishing, vishing, and smishing!
Quishing
Quick Response (QR) codes have been around since the 1990s. QR codes are two-dimensional digital barcodes that can carry a wealth of information. During the COVID-19 pandemic, many businesses used QR codes as a contactless way to convey information to their customers. For example, many restaurants use QR codes to send customers to their online menu. The customer scans the QR code with a mobile phone, which takes them to a URL that displays the restaurant’s menu.
“Quishing” is a form of phishing attack in which an email is sent to the target with the same threats or enticements and the same sense of urgency as a phishing email, but a QR code, rather than a text link, is used to send the victim to the hacker’s URL. Because the malicious link is an image (the QR code) rather than a text string (the URL), it is harder for email filters to identify a possible attack. Once the victim follows the link in the QR code, they are “hooked.”
Quishing is difficult to prevent in the workplace because QR codes are often scanned with BYOD devices (Bring Your Own Device: personal mobile phones and tablets) that are typically unprotected, unmanaged, and often not even connected to corporate networks.
Bad actors also place QR codes in public places, for example, on restaurant napkin holders, masquerading as a link sponsored by the restaurant. If an unsuspecting customer scans the code and follows the link, they are taken to a malicious site.
Vishing
“Vishing” uses the same tactics as phishing but uses voice via telephone calls to socially engineer the victim into divulging their personal information – account numbers, social security numbers, birth dates, etc. Vishing attacks might use a live person, a computer-generated voice, or a combination.
Smishing
In another variant, “smishing” uses SMS text messages to fool victims into taking a link and surrendering their information. Common smishing messages impersonate bosses, CEOs, and managers, urgently asking you to call back or engage. Be cautious, especially if they are asking for login information to a system. Another common tactic is a fake delivery notification where “something has gone wrong” and they need your info immediately.
Protecting yourself
In all these attacks, the common theme is to get the victim to take a link or divulge personal information, usually using a scare tactic. The best way to protect yourself is to remain vigilant:
- Be aware of social engineering tactics. Savvy hackers will research their victims, scanning LinkedIn and Facebook profiles, looking for connections, phone numbers, subscriptions – anything to give their communication a sense of legitimacy by knowing your personal information.
- Verify the links are genuine. The sender’s email address can be easily spoofed using software, so it is not a reliable way to verify the sender. In addition, the visible text of a hyperlink might show the address of a bona fide website, but take a moment to hover over the link without clicking on it to see the actual URL. Often, in a phishing attack, it will be a different URL. Many times, phishing websites are replicas of legitimate sites. Look to see if subtle differences in the names might fool your eye. For example, the combination of lower-case R and N can be mistaken for a lower-case M (‘rn’ vs ‘m’), or a .com might be changed to a .org. In addition, legitimate sites will indicate they are secure with a URL containing “HTTPS://” instead of just “HTTP://” and an icon of a lock to the left of the URL.
- Don’t always trust the calling number, either. Phone numbers can be easily masked, making voice calls and text messages appear to come from different originating numbers.
- Look for misspellings and odd phrasing. Legitimate businesses proofread their communications. They will not send out a poorly worded message with multiple misspellings.
- Be on the lookout for a false sense of urgency. Be suspicious if the message (email, phone call, text message) wants you to act “right now” or “immediately” or dire consequences will occur. Phishing works best if they can get you to act first and think later. This is true in business as well as personal life.
- Beware of attachments. Don’t open files you are not expecting, particularly from unknown senders. If you’re unsure, call the individual first to see if they sent you the file.
- Don’t reuse the same username and password for multiple accounts. If an attacker successfully steals your username and password for one account, they can access multiple accounts using the same credentials.
- Be careful using public WiFi. Public WiFi in stores, restaurants, hotels, and airports often provides unsecured access without passwords. Cybercriminals can snoop on network traffic and intercept your communications (Man-in-the-Middle attack). It is more secure to use your phone (or other device) as a personal WiFi hotspot or set up a Virtual Private Network (VPN).
- Never give your login credentials to anyone…ever! If somebody, even someone you trust, needs to log into a system, tell them to contact the administrator to grant them access.
- Use 2FA when available. While not perfect, two-factor authentication (2FA) can be an effective deterrent to a cyberattack. 2FA will challenge you to enter a separate credential after you log in, such as sending you a code via text message or email. Even if the cybercriminal gets your login credentials, they will also need access to your phone or email before they can hack into your account.
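As an added illustration of the link checks described above (this is not code from the original article), here is a small Python function that applies them to a hyperlink’s visible text and its real target: hover mismatch, missing HTTPS, the ‘rn’ vs ‘m’ look-alike, and a swapped .com/.org suffix. The trusted-domain list and sample links are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed list of domains this reader actually does business with (assumption).
TRUSTED_DOMAINS = {"examplebank.com", "archerpoint.com"}


def hostname(text: str) -> str:
    """Lower-case host of a URL or bare domain; '' for text that is not a link."""
    if "://" not in text:
        if not re.match(r"^[\w-]+(\.[\w-]+)+(/.*)?$", text):
            return ""  # e.g. the words "Click here" are not an address
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def _name_and_suffix(host: str):
    """Crude split of 'login.examplebank.com' into ('examplebank', 'com').
    Deliberately simple: multi-part suffixes such as co.uk are not handled."""
    parts = host.split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (host, "")


def check_link(visible_text: str, actual_href: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return warnings for one hyperlink (an empty list means nothing looked off)."""
    warnings = []
    shown, real = hostname(visible_text), hostname(actual_href)

    # 1. Hover check: the address you see is not where the link really goes.
    if shown and real and shown != real:
        warnings.append(f"displayed host '{shown}' differs from real host '{real}'")

    # 2. The article notes legitimate sites use HTTPS. The converse is not true:
    #    a padlock does not prove legitimacy, since phishing sites use TLS too.
    if urlparse(actual_href).scheme.lower() != "https":
        warnings.append("link is not HTTPS")

    if any(real == t or real.endswith("." + t) for t in trusted):
        return warnings  # a known host, or a subdomain of one

    fold = lambda h: h.replace("rn", "m")  # 'rn' is easily misread as 'm'
    for t in trusted:
        if fold(real) == fold(t):
            warnings.append(f"'{real}' mimics '{t}' (rn/m look-alike)")
        n_real, s_real = _name_and_suffix(real)
        n_t, s_t = _name_and_suffix(t)
        if n_real == n_t and s_real != s_t:
            warnings.append(f"'{real}' swaps '.{s_t}' of '{t}' for '.{s_real}'")
    warnings.append(f"'{real}' is not a trusted host")
    return warnings
```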
If you are ever in doubt about the legitimacy of a message, call the company or agency (for example, your bank, the electric company, IRS, Social Security) directly. Never use the contact numbers contained in the email itself.
The best way to avoid falling victim to a phishing, quishing, vishing, or smishing attack is to remain vigilant and practice safe cyber hygiene.
October is Cybersecurity Awareness Month. Check out more security blogs from ArcherPoint.