What are smishing, vishing, and quishing scams?

Security challenges

All social engineering attacks use deception to trick someone into doing something. This is usually transferring over money or giving up sensitive credentials that can be used to further exploit the victim. What differs is their vector of attack.

Email phishing is still the most popular social engineering scam going (if you’re not up to speed on email phishing, check out our content hub) but what about some of the lesser covered attacks like smishing, vishing – and even quishing? Here’s everything you need to know.

What is smishing?

Smishing scams are sent via text (SMS) messages to mobile phones. Like with email phishing, you’ll receive a message that looks like it came from a trusted source such as a bank or government department. Display names can be spoofed to make the texts appear authentic. Common scams include telling people they’ve won a prize, have been locked out of their bank account, or need to reschedule a delivery.

How does smishing work?

Just like phishing, the goal of the scammer is to get the recipient to give up some information or click on a link. This will of course lead to their personal information being compromised or malware being downloaded onto their mobile device.

The first message may even be benign and simply be used to alert the scammer as to whether the number is active and the recipient is a good target for further messages. Fake SMS messages related to Covid-19 have exploded too – usually about booking vaccines or contact tracing.

Businesses and consumers under attack

Smishing has taken a while to get near the heights of phishing, but it’s now a threat to millions of consumers and businesses. According to the FBI, smishing cost Americans over $50m in 2020 – and they’re expecting that number to have risen sharply throughout 2021. This year alone has seen a seven-fold increase in smishing attacks on UK consumers.

You’ve probably seen a few smishes on your own phone. It’s not just a problem for consumers though, as smishing attacks can just as easily target corporate devices. And with the popularity of BYOD (bring your own devices), personal mobiles can provide valuable routes into corporate networks for attackers.

How to stop smishing?

These messages can be hard to block. Awareness is the best place to start. All employees should know that banks and delivery services will never ask for personal information via text. And with links, it’s always better to stay on the side of caution – especially when a text seems unusually urgent. It’s much harder to verify links on mobiles than on a desktop computer as you can’t hover with a cursor to see where they’re taking you.

Smishing attacks are designed to make you panic and act quickly, so slowing down and thinking is always the best call.

What is vishing?

Vishing (or voice phishing) is phishing via a phone call. Someone may call impersonating a trusted source, such as a bank employee or the police. It can also be in the form of an automated message leaving instructions or telling the victim to call a number belonging to a hacker.

Caller IDs will either be kept private or spoofed to look like a legitimate one. They can hide their identity in convincing ways too. VoIP (the method used to make calls over the internet) makes it easy to create fake numbers and even realistic spoofs of a local number or a police, government, or hospital department.

How does vishing work?

Like phishing and smishing, the goal is to trick someone into giving up valuable information. For example, asking you to ‘verify’ certain private details that cybercriminals will then use to commit identity fraud. They might also make voice calls in combination with another scam, like encouraging you to click on a link in a phishing email or smishing text.

The criminal gangs behind vishing don’t just call random numbers. They’ll research victims and may even ‘warm them up’ with phishing emails or smishing texts to see which people respond. If someone seems responsive and pliable over text or email, they’re probably a good target for a voice scam too. From there, their details will be used for further scams.

Vishers may target vulnerable people with persuasive of threatening language to try and convince them to take action. They’ll usually attempt to persuade the victim they’re doing them a favor or helping them in some way – for example, we need this information now or you’ll be arrested/your bank account will be closed.

A real-life vishing case

Unlike phishing and smishing it can be harder to impersonate someone via vishing – as they can obviously hear your voice. For example, a call from your CEO would be less effective than a phishing email if you know the voice is wrong. However, cybercriminals have found a way around this too. In some cases, a voice can be deepfaked.

A high-profile case from 2019 offers a prime example. AI was used to mimic the voice of a German conglomerate’s CEO and trick an employee at another business into transferring funds to the wrong bank account. Cybercriminals managed to steal almost $250,000 from a U.K. based energy company with the scam. The victim said it sounded just like the CEO, even down to his accent.

How to stop vishing

Never give out personal information over the phone. Be wary of threatening or urgent requests, or unusual language. Most phones have the option to block private numbers. You can also add yourself to a do not call registry, which legitimate companies should respect. However, remember criminals can create fake or spoofed display names – and they can look very convincing.

Watch out for email phishing too – sometimes they use an email to get your phone number or as the ‘warm-up’ part of the scam.

Example of a vishing attack

What is quishing?

QR or ‘quick response’ codes have made something of a comeback since the start of the pandemic, thanks to them offering a touch-free way of accessing information without having to type in a web address. Unfortunately, cybercriminals have spotted an opportunity too.

By linking to a scam website via QR codes, they can bypass traditional defences such as secure email gateways (SEGs) that scan for malicious links and attachments. These attacks have been given the name of (you guessed it) quishing.

How does quishing work?

Quishing scams first need the QR code itself to be delivered to the victims (usually via email). A common tactic is to invite people to access an encrypted voice message via a QR code. The victim then uses their camera to access the QR code and open up their browser, which takes them to a phishing website.

At this point a site pop-up might ask the victim for their login credentials that can be harvested and used to launch further attacks. New scam QR codes can be made quickly, meaning it’s unlikely they’ll be reused, recognized and caught by a SEG’s blocklist. They’re zero-day attacks that need intelligent email security in order to be detected and caught.

Example of a quishing attack email

Detecting quishing attacks

Quishing is used in combination with email phishing. The QR codes are useless without a delivery mechanism. This means quishing needs to be stopped by detecting the emails themselves. Only intelligent anti-phishing solutions such as Egress Defend can understand that an account may be compromised and that a sender is suspicious. It analyses both the content and context of emails, rather than relying on known signals.

Social engineering signs to watch out for

While the method of attack differ, there are certain things to watch out for when it comes to phishing, smishing, vishing, and quishing. These scams can be sophisticated, so vigilance is required to detect the most advanced threats:

  • Urgency: A scammer usually wants something done immediately, as the longer you have to think, the more you may question whether it’s a legitimate request. They want you to take action fast, whether that’s following a link, downloading something, or sharing personal information.
  • Plausibility: Modern attacks will often be based on real-life mundane scenarios. If the scam request is close to something an employee does every day, they’re more likely to miss the signs of phishing and do it in autopilot. They might also try to align with current events. For example, lots of scams have arisen in relation to Covid-19 and vaccinations.
  • Familiarity: There’s been a marked rise in impersonation scams, where the attack is at least partially tailored to an individual – often claiming to be from an authority figure, such as a CEO, or a trusted source like your bank or a government department.
  • Confidentiality: The action required is specific to you and needs to be done by you alone, as getting someone else involved increases the chances of the scam being spotted.

You can find more advice on dealing with phishing here. Or if you’d like to protect yourself against the most advanced threats today, you can learn more about Egress Defend or claim your free trial here.