
All the “Ishings” Trying to Scam You

Scammers gonna scam.
The concept of phishing has spawned a variety of "ishing" terms. They represent different ways scammers try to achieve a common goal: to scam you. I'll review what they all mean.
Question: I get phishing, but what’s quishing or vishing?

Gotta love technology, where not a day goes by that we don’t make up a brand new word.

What matters most is that you understand the technique each word represents, since they are all attempts to fool you into giving up your accounts, your identity, and/or your money.

Let’s define the “ishings”.


TL;DR:

The many ways of scammers

Phishing, smishing, vishing, quishing — they’re all sneaky scams trying to trick you into giving up personal information, money, or account access. Whether it’s by email, text, phone, or QR code, the key to staying safe is to remain skeptical and double-check before you click or reply.

Phishing

This is probably the one you’re most familiar with.

A phishing attempt tries to fool you into clicking a link that takes you to a malicious website. It typically includes several characteristics.

  • It appears to be from a reputable source, like your bank, a shipping company, the government, or some other official entity you recognize.
  • The message almost always includes a sense of urgency: you need to take some kind of action soon or risk some kind of loss.
  • That action usually involves clicking on a link provided in the message.
  • That link takes you to a malicious, fake website designed to look like the official site you expect.
  • That fake website instructs you to fill in some kind of sensitive information. It could be as simple as looking like you’re signing into a service you already use, or it could be a payment page or something else. Because it’s all fake, you’re handing sensitive information to a scammer.

Phishing refers to scam attempts via email.

Spear phishing

In general, phishing is a game of numbers. The scammer casts a wide net and captures anyone who falls for the scam. There’s no effort to choose who gets scammed.

Spear phishing uses the same techniques but targets a specific individual or group of individuals.

This is more common in corporate or similar environments. Spear phishing allows the message to be highly personalized to help fool the intended recipient. It’s one of the ways data breaches happen. An unsuspecting employee falls for the bait, and the scammer gains access to corporate resources.

Smishing

Smishing is SMS[1]-based phishing. In other words, it uses text messages to fool you.

Once again, the goal is typically to get you to click or tap a link taking you to a malicious website. On mobile devices, it can also be an attempt to get you to download and install malware.

The single most effective approach to dealing with smishing is to ignore any text from someone you don’t know. This also protects you from a variety of other text-based scams.

Quishing

Quishing is QR-code-based phishing.

For example, if there’s a QR code posted in a public place — perhaps to get more information about an upcoming event — scammers can print their own QR codes on stickers and paste them over the original. The replacement QR code leads you to a malicious fake website that collects data from you.

A more specific example I heard of recently is on-street parking. Some parking lots have you scan a QR code on the parking meter to download the associated app, which you then use to pay. Scammers replace that code with one of their own, which behaves exactly the same way… except they take the money, and you get a ticket for not having paid for your parking.

Unfortunately, quishing can be difficult to detect and avoid.

Vishing

Vishing is voice-based phishing.

You get a call from someone claiming to be from a trusted authority. The goal, like any of the “ishing” attacks, is to get your personal information, including credit card information, and steal your money or worse.

The so-called “tech support scam” is a great example of vishing. You get a call from someone claiming to be from your ISP or Microsoft or some other computer-related company, telling you that your computer is causing problems. They trick you into giving them access to your computer, at which point they harvest all the personal and account information they can.

Do this

The single best way to avoid getting “ished” is to remain skeptical at all times and take nothing at face value. Ignore calls and texts from people you don’t know, and be extra cautious when dealing with email notifications of any sort.


Footnotes & References

1: Short Message Service

6 comments on “All the “Ishings” Trying to Scam You”

  1. I’ve clicked on QR codes. When I do, I look at the URL it links to. Most QR code readers don’t open the link. It gives you the link to click on. So, if you have no choice, check the URL carefully. Unfortunately, the quishers might have created a website with a URL that appears to be the one you expect.

    Phishing: How to Know It When You See It

    Quishing is similar to phishing in this aspect.

    If your QR code reader opens the link, find one that doesn’t.

  2. Regarding quishing, the best way I can think of to avoid this fishing variant may be to never scan any publicly displayed QR codes. If you need to access an app for any public service, such as to pay for parking, navigate to the appropriate website to download the app directly or do an internet search about how to get the app/perform the required action, and follow the instructions in the search results. This is what I do.

    Ernie

  3. Thank you, Leo, for the useful advice.

    I have a related, but different problem. Some of my legitimate billers (or their accounts payable contractors) send official e-mail messages that look just like phishing attempts. I have asked them to provide some identifying information (I suggested “your visit of April 19th”), but they ignore my suggestions.

    Is there a way to wake legitimate companies to this issue?

    • I WISH. Last I checked even PayPal was sending legit “please click on this link” emails. (Their argument may be that the customer service cost of NOT including links or including that additional information is higher than the cost of compromise. Not saying it makes sense or is right, but …)

      Sadly all we can do is protect ourselves and hope that the companies get the message.

    • Bank of America sends me legitimate links. I ignore them and click on the bookmark on my browser’s bookmark toolbar, or I type bofa.com. I know it’s legit, but maybe one time it won’t be. They use multi-factor authorization, so the risk is small, but I still don’t click. It creates bad habits.
