Don’t fall for it: Phishing, smishing, and quishing

If you’ve ever gotten an email from a “Nigerian prince” asking for money, you’ve been a target for a phishing attack. These emails are designed to trick recipients into clicking on dangerous links and are nothing new. You’ve probably already seen hundreds if not thousands of obvious, deceptive emails. As email filters and user awareness have improved though, phishing attacks have gotten subtler and more convincing – and cybercriminals have developed new avenues of attack too. Now it’s not just about phishing emails: it’s about “smishing” and “quishing” too.

New names, familiar tactics
Smishing, a mash-up of “SMS” and “phishing,” involves sending fraudulent text messages to trick recipients into clicking malicious, spyware-laden links or providing personal information directly. It’s become a favored tactic, as people are more likely to trust text messages.

Similarly, vishing (think “voice” plus “phishing”) targets individuals through phone calls. Attackers impersonate trusted entities such as banks, agencies, or well-known retailers  to manipulate victims into revealing sensitive information or performing actions like transferring funds or “confirming” a credit card number. These voice-based attacks rely on social engineering techniques to exploit human psychology and bypass traditional security measures. A voice call from someone an employee believes is within the same organization is easy to trust. 

Another vector of attack is known as “quishing” – which means that a QR code included in an email, a PDF, or even a physical document leads to a malicious page. QR codes by their nature are convenient but not human-readable, and clever landing page design means that the victim may not realize the destination is suspicious until well after they’ve scanned the code and clicked through. 

Why it matters for IT security
These attacks are versatile and often unexpected, which makes them effective even against users who are vigilant about security in other contexts. And while filters are increasingly good at spotting fraudulent emails, these related attacks can all land directly on users’ smartphone screens or their phone calls — contexts in which their suspicions are often lower.

The targets are not just the individuals these attacks are intended to trick.  Remember: a single compromised device can provide attackers with a foothold into an organization’s network, leading to data breaches, financial losses, and reputational damage.

How to thwart the -ishing attacks

Individuals (and in organizations, that means employees) must continue to be wary of phishing attacks but also of these newer variants. Variations on common anti-phishing tactics are even more important now: 

– View with caution all messages from outside the expected channels such as a corporate email address or known number and trusted contact. 

– Confirm requests (in person, by voice, or through another trusted channel), particularly ones for financial data, passwords, or other sensitive information.

– Refrain from clicking on QR codes when you’re unsure about the source; look-alike sites are easy for attackers to construct on the fly.

– Report suspicious activity to your security team so they can be aware of these attacks, and warn other users. This goes double if you realized you’ve clicked through to a suspect site.

Technology can help fight these threats too. Multi-factor authentication, endpoint security solutions, network segmentation, and even AI pattern analysis can reduce the likelihood that an attack succeeds and mitigate its effect if it does. An IT infrastructure which keeps devices isolated from attacks is vital to strive for, no matter what. But in the end, human awareness is the key, because misplaced trust is what these attacks rely on.

Stay vigilant, stay informed, and stay secure.

Eagle Eye Networks

Since 2012, Eagle Eye Networks has provided smart cloud surveillance solutions, leveraging AI to drive natural language search, automation, and more. Eagle Eye’s camera-agnostic approach heightens security while saving money, time, and resources.