By now, you’ve probably heard the term “Phishing”: nefarious online actors use social engineering to get you to enter personal or financial information. This typically takes the form of carefully crafted emails made to look like legitimate messages from your bank, your gym, even Microsoft. These emails contain links to third-party websites where your data is stolen and used against you in some form.
What is the next thing? Enter “Quishing”!
Quishing is based on those simple, innocuous QR Codes that are everywhere these days. The popularity of QR Codes erupted during COVID when “touchless” menus and other information became readily accessible via your mobile phone. Instead of typing in a long URL, isn’t it SO much easier to just scan a little picture with your phone camera and have the menu pop up? Well, that’s the problem. A QR Code is nothing more than a web address (or other text) drawn as a picture; scanning it makes your phone open that address exactly as if you had clicked a link, except that you never saw the link first. It’s that easy for the online bad guys to weaponize that simplicity and send you to a page that steals your credentials or pushes a malicious download to your device.
We have seen an uptick in cases where users are being sent typical phishing emails loaded with a QR Code instead of a link. The bad guys hope that the user will read the email on their computer, scan the QR Code with their phone, and end up on the attacker’s website on the phone. This works in their favour twice over: because the address is hidden inside an image, email link filters and the “hover over the link” check never see it, and the phone is often outside the protections that apply to a work computer.
How can YOU help fight Phishing and Quishing?
A term we like to use in cyber-security: “Trust Nothing”! This applies to everything you do online, but most importantly to what is sent to you via email. If it looks suspect, it probably is. Things to look for that indicate an email is suspect:
- Sudden urgency – such as “your password expires today” or “your account will be locked NOW”. Urgency is there to stop you thinking
- Shoddy graphics and poor layout – the bad guys don’t always have the best graphic designers on staff. Be aware, though, that a clean, professional-looking email is not proof that it is genuine
- Missing legitimate details – scroll to the bottom of the email and look for contact details, unsubscribe links, a phone number and other data that a real sender includes. The bad guys often leave these out. Just remember that these details can also be copied from a real email, so their presence alone proves nothing
- Links – hover over the links in the email (WITHOUT clicking on them; on a phone, press and hold the link) and see where they actually go. If the link takes you to your bank’s own website, then the email MAY not be phishing. Read the address carefully: a raw IP address, or a look-alike such as your bank’s name buried inside some other domain, is a red flag. If the link goes to a random website URL that you’ve never seen – don’t click on it
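The link check above can be applied automatically to an email body. The script below is an added example written for this page (it is not part of the original post or any product): it parses the HTML of an email with Python’s standard library, compares the website each link *displays* with the website it actually *points to*, flags raw IP addresses and look-alike hosts, and lists inline images, which is where a QR Code would hide its address. The email body, the bank name `examplebank.com` and the hostnames in it are constructed for the example. The “registrable domain” helper is deliberately simplistic (last two labels) and a real tool should use the public suffix list.

```python
"""Flag suspect links in an HTML email body (stdlib only).

Added example: automates the manual "hover over the link" check.
For every <a> in the HTML, compare the host the visible text shows
with the host the href really goes to, and flag mismatches, raw IP
addresses and look-alike hosts. Inline images are listed because a
QR Code's address is invisible to any link parser until it is scanned.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure: urgency, a disguised link, a look-alike host,
# one genuine link and a QR Code image. Hostnames are fictional.
SAMPLE_HTML = """
<html><body>
<p>Your password expires <b>today</b>. Sign in now to keep access.</p>
<p><a href="http://203.0.113.5/login">https://www.examplebank.com/login</a></p>
<p><a href="https://examplebank.com.account-verify.example/reset">Reset password</a></p>
<p><a href="https://www.examplebank.com/help">Help centre</a></p>
<p>Can't click? Scan this code with your phone:</p>
<img src="cid:qr-code-image">
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs and inline image sources."""

    def __init__(self):
        super().__init__()
        self.links = []     # list of [href, visible text]
        self.images = []    # image sources (a QR Code hides its URL in here)
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and "href" in attrs:
            self._current = [attrs["href"], ""]
            self.links.append(self._current)
        elif tag == "img":
            self.images.append(attrs.get("src", ""))

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def host_of(url_or_text):
    """Lowercase hostname from a URL, or from link text that looks like one."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def is_ip(host):
    """True if the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable(host):
    """Simplistic registrable domain: last two labels (use the PSL for real)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def assess_link(href, text, trusted_domain):
    """Return the reasons a link is suspicious; an empty list means none found.

    `text` may be "" for a URL that was decoded from a QR Code, where there
    is no visible link text to compare against.
    """
    reasons = []
    actual = host_of(href)
    looks_like_url = "." in text and " " not in text.strip()
    shown = host_of(text) if looks_like_url else ""
    if is_ip(actual):
        reasons.append("destination is a raw IP address")
    if shown and registrable(shown) != registrable(actual):
        reasons.append(f"text shows {shown} but link goes to {actual}")
    if trusted_domain in actual and registrable(actual) != trusted_domain:
        reasons.append(f"look-alike host: {actual} is not under {trusted_domain}")
    return reasons


def analyse_email(html, trusted_domain):
    """Map each href to its list of findings, plus the inline image sources."""
    parser = LinkCollector()
    parser.feed(html)
    findings = {href: assess_link(href, text, trusted_domain)
                for href, text in parser.links}
    return findings, parser.images


if __name__ == "__main__":
    results, images = analyse_email(SAMPLE_HTML, "examplebank.com")
    for href, reasons in results.items():
        print(("SUSPECT " if reasons else "ok      ") + href, reasons)
    print("inline images (possible QR Codes, address not visible):", images)
```

Note what the parser cannot do: the QR Code is just `cid:qr-code-image` to it, so the attacker’s address never appears in the link list. Only once a phone camera decodes the image does the address exist as text, at which point the same `assess_link(decoded_url, "", "examplebank.com")` check applies to it.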
The golden rule is this: if you get an email from what you think is your bank (or anyone else) asking you to change your password or enter personal data – DON’T click on any links in the email. Instead, open a browser on your computer or phone and head directly to the website and log in. The same rule applies to QR Codes: there is no good reason for an email to make you scan a picture instead of clicking a link, so treat a QR Code in an email as a link you cannot see. If you do scan one, read the address your phone’s camera shows you before you tap it, and apply the same checks you would to a link.