Vishing, Quishing, and Smishing

Some of the new forms of social engineering have interesting names and each has different ways of fooling users. Several of the most significant cybersecurity events of 2023 started with social engineering compromises. In 2022, social engineering techniques accounted for 20% of all compromises. The following information is being provided to continue training you in the basics of social engineering while also keeping you informed on the new tricks that the bad guys/gals are increasingly using.

Vishing – Voice/Phone call phishing - making phone calls or leaving voice messages to trick individuals to reveal personal information, such as bank details and credit card numbers. Often the people who fall prey to vishing are not tech-savvy. Many of our member fraud cases stem from vishing.

Did you know the recent 2023 MGM compromise started with phone calls to the MGM help desk and cost as much as $8.4 million per day in revenues. The event reportedly started with a vishing social engineering attack. Specifically, the hackers found an employee’s information on LinkedIn and impersonated them in a call to MGMs help desk to obtain credentials. The implication is that the help desk didn’t have sufficient training or tools to definitively identify the end user.

Four common Vishing methods are Bank impersonation, Tech support scams, Medicare or Social Security scams, and IRS impersonation.

So, in your reading you see the bad guys/gals can make calls to the credit union and to you personally.

What can you do?
o Never give out private information to someone contacting you from a text message or voice call. A legitimate institution will give the main number to call so that you can verify it’s an official call.
o Identify pressure and scare tactics. Scammers will pressure targeted users into sending money immediately, either using credit cards, bank transfers, or even gift cards. For instance, a common way to get users to fall for the IRS scam is to threaten jail time if money is not sent immediately.
o Ignore calls from unknown numbers. If you do not recognize the number, let the caller go to voicemail.
o Be skeptical of any caller that wants sensitive information. Never give any caller sensitive information regardless of where the caller claims to work.

Quishing - QR Code phishing – The word is a combination of the words “QR code” and “phishing,” and it means scamming people with a QR code. Cyber criminals can hide malicious URLs in QR codes. QR codes are not directly readable by users and many email security scans do not evaluate them.

What can you do?
o When you scan a QR code on your phone, a preview of the URL will pop up. Don’t click on any unfamiliar or shortened links, and look for slight misspellings in familiar names, e.g. mall.com instead of mail.com.
o If the QR code takes you to a page that asks for your login credentials, never enter them there. If you think there might be a legitimate concern with a purchase, delivery, or online account, visit the company’s website directly in your browser or call the business by phone.

Smishing is the term used to describe phishing via the use of SMS text messages. Scammers purchase spoofed phone numbers and blast out messages containing malicious links. According to Proofpoint’s 2023 State of the Phish report, 76 percent of organizations experienced smishing attacks in 2022. 
Last June, the Federal Trade Commission reported a nearly twentyfold increase in texts impersonating banks in scams that have a median consumer loss of $3,000.

What can you do?
o Never Click Suspicious Links: If you receive an unexpected or suspicious text, refrain from clicking on any links or downloading attachments.
o Verify Independently: If a text claims to be from a specific organization or individual, contact that entity directly using known contact information, not the details provided in the text.
o Use Phone Security Features: Take advantage of built-in security features, like biometric authentication and regular software updates, to keep personal data secure.
o Stay Updated: Be aware of current smishing tactics and threats. Awareness can be your first line of defense.
o Don’t Share Personal Information: Never share personal, sensitive, or financial information via text unless you initiated the conversation and are certain about the recipient’s identity.
o Check for Official Communication: Official organizations, especially banks and government agencies, typically don’t ask for personal information via text. If in doubt, call the organization directly.

Technological Solutions:
o SMS Filtering: Many smartphones and carriers now provide SMS filtering options to identify and block or flag suspicious texts.
o Multifactor Authentication (MFA): Even if attackers obtain some credentials through smishing, using MFA is an additional protective layer.
o Anti-phishing Tools: Some security applications for mobile devices can help identify phishing links in text messages and prevent users from accessing malicious sites.

Whether it is vishing, quishing, or smishing, be wary of the various types of phishing attacks and to recognize that they come in many forms.