The Perils of Phishing, Smishing, and Quishing

By Catherine Powell

Image courtesy Pixabay

The ongoing war being wrought by hackers has been taken to a new level with a triad of tricks designed to make you cough up personal data, financial info, and credit card numbers.  Unlike many of the brute force techniques employed in the past, phishing, smishing, and quishing are meant to kill you with kindness by offering fantastic deals that are never delivered.  Some of them are so intricately crafted that you'll think you're working with a trusted entity only to find out after the fact that you've been had.  Before you fall for any of these false flag attacks, I'd like to take the time to educate you on the latest and greatest e-scams yet to have been invented.

Don't get hooked by these phishermen.

While phishing, AKA being sent bogus emails, isn't something new, this year's bumper crop of offers are tailored to make you think you're dealing with a trusted entity like Geek Squad, Microsoft, or the US government.  Should you fall for these ruses and click on the attached link, get ready to have malware delivered to your device that can harvest credentials and passwords or deliver ransomware that will hold your data for hostage.  Some of the latest lies include lures inviting you to profit from class action lawsuits, employee termination notices, holiday greetings, bank account notices, browser updates, fraud alerts, refunds, and more.  For a comprehensive list of the latest phishing scams, click on this link to the University of California New Phishing Threats page

How do you avoid falling for phishing lures? Phishermen spin you tales designed to make you think that:

1. There's a problem with your account or payment. ( Click or call & you'll be sorry.)
2. We've noticed suspicious activity.  (Never trust the provided number or any link.)
3. You owe money. (You certainly will if you respond to this lure.)
4. If you don't respond to this, you'll be arrested. (The only person that should be arrested is the sender.)
5. You've won!  (The only winners are the con artists who profit from these bogus jackpots.)
6. You're entitled to a rebate or refund. (You'll need a refund if you fall for this scam.)
7. You need to update your payment info.  (Do so only if you want to enrich a hacker.)

In short, never fall for an offer you receive via email.  If you aren't sure if an offer or notice is legitimate, call the customer service number of the entity directly.  Never call the number included with the message.  Also, you need to be aware that the police, FBI, & IRS will never send you an email if they wish to interface with you. 

Image courtesy Pexels

Smishing: The same old scam with a whole new look.

Just like phishing, smishing involves sending unsuspecting victims juicy but bogus offers via SMS text messages.  Short Message Service, better known as texting, was first sent over the Vodaphone GSM network in the UK in 1992.  The service became popular in the US just before the turn of the century.  By the year 2000, the average amount of texts per person was 35 per month.  By 2010, teenagers alone averaged more than 4,000 text messages per month.  By 2020, more than 500 billion texts were sent worldwide every month.  The huge popularity of texting has made it not only popular and convenient for consumers and business owners alike, it has also opened a huge stalking ground for tech-savvy con artists.

Almost as soon as texting was accepted by the public it became a useful tool to hackers.  Back in the mid-1990's the first cases of smishing were reported by some cellphone users who had their login credentials stolen by hackers who wanted to hijack their accounts.  Today smishing runs rampant on many SMS platforms and mobile-messaging apps.  In 2020, smishing attacks were reported by 61% of companies.  By 2021, that percentage had jumped to 74%.  

As with phishing, smishing starts with a message, a warning, or an offer that's meant to elicit a sense of urgency.  Many of the smishes will seem to come from a person you know or a business you use and trust.  If you make the mistake of replying to a smish or clicking on any link provided, you run the risk of giving sensitive data such as login credentials, passwords, credit card information, or social security number to criminals.  Download any attachments included with the message and you risk infecting your device with spyware, malware, or ransomware.

The problem is many smishing messages can look authentic.  Nowadays they're crafted using artificial intelligence that makes smishes messages sound all too compelling.  They're programmed to sift through mountains of social data to determine patterns and craft individualized texts.  No longer is it child's play to detect smishing due to misspellings and obvious grammar errors.  Today's smishes are AI-enhanced.

That doesn't mean you can't take measures to defend yourself.   Here are a few tips from the pros:

1. Never open an unsolicited text message.
2. Scrutinize the name and phone number of the sender.
3. Set up spam filters on your smartphone.
4. Beware of any messages that create a sense of urgency or pose a threat.
5. Be suspicious of messages that ask for personal or financial information.
6. Never fall for offers of prizes, rebates, or refunds.

Image courtesy Pexels

Have you ever been quished?

Quick response codes, otherwise known as QR codes were invented in 1994 by Japanese company Denso Wave to label automotive parts.  It wasn't until 2010 that these 2-dimensional matrix barcodes became a popular way to allow cellphone users to take a picture of one to receive an offer or open a webpage without having to enter a URL.  By 2021, 45% of smartphone users reported using QR codes to access marketing or promotional offers.  

Quishing is a type of online attack that uses a QR code to direct the user to malicious website or tricks them into downloading a virus-filled document.  Just like phishing and smishing, if you fall into the clutches of criminals employing quishing, you're in for a tough time.  Below are some recent samples of quishing scams:

1. A con artist puts a fake QR code on parking meters that tells the public to pay for parking by clicking on the QR code.  Should you fall for the bait, not only will this give the crooks your credit card information, but you'll probably wind up getting a ticket or being towed for failing to pay for parking.
2. You enter a restaurant or retail store and find a QR code that offers you a discount for downloading the establishment's app.  The problem is that a cybercriminal has placed a sticker containing a QR code over the real code.  This directs you to a bogus website that asks you a lot of personal questions, only to tell you to download an app that's loaded with malware.
3. Cryptocurrency or stock investment scams that promise to double or triple your money are popular quishing bait, as are romance scams that employ QR codes that purport to help you find romance.

To avoid being taken for a ride by scammers employing quishing, there are a few things you can do:

• Avoid QR codes altogether.  
• Check for tampering to make sure the code you click on hasn't been covered by a bogus one.
• Verify the URL address you're being sent to is the real deal.  
• Install QR code scanner apps that help you spot and avoid dangerous websites.

Catherine Powell is the owner of A Plus All Florida, Insurance in Orange Park, Florida.  To find out more about saving money on all your insurance needs, check out her website at http://aplusallfloridainsuranceinc.com