Cybersecurity Awareness: All things -ishing
Phishing, smishing and vishing are social engineering tactics in which cybercriminals pose as a legitimate business or a reputable person in an attempt to obtain personal or sensitive data, such as bank account numbers or account login credentials.
- Phishing is an attempt via email.
- Smishing is an attempt via text message or instant messenger chat.
- Vishing is an attempt via phone call or voice message.
Quishing, the latest of these tactics, uses quick response (QR) codes to send the victim to a website designed to harvest personal data. A QR code is a two-dimensional matrix bar code: a pattern of black squares arranged within a square grid on a white background, which a phone camera decodes into text, most often a URL.
QR code phishing is on the rise. Here's why:
- QR codes are harder for detection and blocking tools to catch, because the malicious URL is encoded in an image rather than written out as a link, so filters that scan message text and links have nothing to match.
- QR codes are often legitimate, so blocking them altogether is not feasible.
- Most users scan QR codes with a smartphone camera and tap through without noticing the suspicious URL they are being sent to.
Phishing, along with smishing, vishing and quishing, can be spotted by taking a moment to review and recognize these key indicators of suspicious activity:
- Urgency: Any email or message that creates a tremendous sense of urgency, trying to rush you into making a mistake. An example would be a notice claiming that your Microsoft two-factor authentication has expired and must be renewed immediately.
- Pressure: Any email or message that pressures an employee to ignore or bypass company policies and procedures.
- Curiosity: Any email or message that generates a tremendous amount of curiosity or seems too good to be true, such as an unexpected notice of an undelivered UPS package or Amazon refund.
- Tone: An email or message that appears to be coming from a co-worker or leader, but with wording that doesn't sound like them, or with a tone or signature that seems wrong.
- Generic: An email coming from a trusted organization or person, but using a generic salutation such as "Dear Customer." If FedEx or Apple has a package for you, they should know your name.
- Personal Email Address: Any email that appears to come from a legitimate organization, vendor or co-worker, but with a personal email address like @gmail.com.
- Preview the QR code link. Most built-in camera apps show a preview of the URL when you scan a QR code; if your scanner app opens links immediately, switch to one that shows the destination first. Make sure the URL seems legitimate and that it isn't a misspelling of a real URL (for example, "Microsaft.com" instead of "Microsoft.com"), and check the part just before the first "/" carefully, since that is the site you will actually be sent to.
- Check for tampering. If you're scanning a QR code in a public place, like a restaurant or a parking meter, make sure a sticker hasn't been placed over the original code by a scammer.
- When in doubt, contact the company. If you receive an unusual email or letter in the mail from a business with a QR code, contact the business using a phone number or website you already know, not contact details printed in the message, to determine whether it is legitimate.
- Don't scan or open QR codes from strangers. Whether you're approached online or in the street, don't scan QR codes from people that you don't know. Be on the lookout for "too good to be true" messages, like a stranger offering you money or free products if you scan their QR code.
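The "preview the link" advice above is easier to apply with a checklist, and the same checks can be run automatically once a QR code has been decoded. The following is an added example, not code from the original post; it assumes the QR code has already been decoded to its text payload (decoding the image itself is a separate step, typically done with a barcode library) and uses a small constructed allow-list of trusted brand domains and URL shorteners. It flags the signs discussed above: lookalike spellings such as "microsaft.com", a trusted brand name buried in a longer hostname, credentials before an "@" that hide the real host, raw IP addresses, plain http, punycode hostnames, shorteners and non-web schemes.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed allow-list for the example; a real deployment would use its own.
TRUSTED_DOMAINS = {"microsoft.com", "apple.com", "fedex.com", "ups.com", "amazon.com"}
# Assumed list of common URL shorteners: they hide the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Naive 'last two labels' approximation; production code would use the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyze_qr_payload(payload, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable warnings for a decoded QR payload (empty list = nothing suspicious)."""
    findings = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        findings.append(f"non-web scheme '{scheme or '(none)'}'")
        return findings
    if scheme == "http":
        findings.append("plain http (no TLS)")
    if parts.username is not None or parts.password is not None:
        findings.append("credentials before '@' in URL: the real host is the part after the '@'")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        findings.append("no host in URL")
        return findings
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain name")
        return findings
    except ValueError:
        pass  # not an IP literal, continue with domain checks
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (IDN) label: possible homoglyph domain")
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        findings.append(f"URL shortener {reg}: destination hidden")
    if reg in trusted:
        return findings  # the registrable domain really is the trusted brand
    for brand in trusted:
        # Brand appears as a subdomain label (microsoft.com.login-verify.net) but is not the real domain
        if brand in host:
            findings.append(f"'{brand}' appears in host but the registrable domain is {reg}")
        d = edit_distance(reg, brand)
        if 0 < d <= 2:
            findings.append(f"{reg} is {d} edit(s) from trusted {brand}")
    return findings


if __name__ == "__main__":
    # Constructed sample payloads, as a phone would decode them from a QR code.
    for sample in [
        "https://www.microsoft.com/account",
        "https://microsaft.com/login",
        "https://microsoft.com.login-verify.net/",
        "https://microsoft.com@evil.net/",
        "http://bit.ly/abc",
        "https://192.168.1.10/login",
        "javascript:alert(1)",
    ]:
        print(sample, "->", analyze_qr_payload(sample) or ["looks ok"])
```

The checks are heuristics, not proof: a clean result only means none of the listed red flags was present, and a legitimate site can trip the edit-distance rule if its name happens to be close to a brand in the allow-list. The useful part for a practitioner is the ordering: scheme, then userinfo, then the real host, then spelling, which is the same order in which to read the URL preview on a phone.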
For business emails, follow company policies and standards.
For personal emails and text messages, refer to the websites listed below for additional information.
If the email came to your personal email address, don't do what it says. Do not click on any links – even the unsubscribe link – or reply back to the email. Just use that delete button. Remember, DON'T CLICK ON LINKS, JUST DELETE.
You can take your protection a step further and block the sending address from your email program.
Here's how to…