From Phishing to Smishing and More…

What is Social Engineering?

Socially engineered scams are ones where a scammer undertakes a false identity and uses that disguise to trick victims. Oftentimes social engineering scams focus on tricking a victim into downloading malware, sharing sensitive or privileged information or sending money to malicious groups.

What kinds of socially engineered scams are out there?

Smishing (or SMS phishing) is when a scammer utilizes text messaging that seems to be sent from a legitimate source, in an attempt to convince their victim to share sensitive information.

Common smishing scams:

• Scammers remotely taking control of the SIM card in your cell phone (or physically swapping the SIM card out), giving them access to any account information stored on the device

• Another common scam is when a scammer mimics a “One Time Password (OTP)” or “Password Reset” bot. Operating under the guise of an automated bot allows the scammer to send fraudulent Password Reset or 2-Factor Authentication messages to a victim. Once the message has been received, recipients are fooled into providing real authentication codes received from the organization scammer impersonating, allowing scammers to reset your password and lock you out of your accounts.

Vishing (or voice phishing) is when a scammer uses pre-recorded or a computer-generated voice to call potential victims and trick them into providing personal information. The strategy behind most vishing voicemails is to cause panic for the victim, leading them to act so quickly they don’t have time to realize how suspicious the situation or request might be until it’s too late.
Common vishing scams:

• Receiving a phone call from a fake utility company, saying your bill must be paid within a few minutes to avoid shutdown.

• Using AI to clone the voice of a family member or friend, allowing scammers to then make requests of victims from what seems like a trusted source

• Using auto-calling voiceovers to pose as a message from a reputable institution (like a bank) demanding immediate action or sensitive information to avoid account closure.

Quishing (or QR phishing) is when a scammer utilizes the quick nature of scanning a QR code with a smartphone camera to fool victims into opening dangerous webpages or downloading malware without realizing until it’s too late to stop. The strategy behind most Quishing scams is to act quickly enough that victims have little to no time to react after scanning the code and authorizing the page to open, exposing them to the threats of the opened page without room to pause.

Common quishing scams:

• Scammers create a fraudulent digital or physical flier that they distribute, requesting that readers scan the QR code on the page to learn more. That QR code often leads to a fraudulent webpage or starts a malware download on the smartphone used, before the victim has a chance to realize what has happened.

• Scammers physically pasting a fraudulent QR code over an existing one, leading victims to scan the fake code while believing they’re scanning something presented to them from a trusted source

How can I avoid falling victim to social engineering?

Take a step back, slow down and listen to your gut:

1. Never answer a call, text or email that feels suspicious and requests personal information.

2. Look out for typos in a message claiming to come from a legitimate institution.

3. When in doubt, give a direct call to the verified customer support line of the company and confirm whether the message is legitimate.

4. The FBI recommends against downloading applications or making payments directly on sites linked to QR codes since they could potentially be malicious. Instead, navigate to the URL manually so that a payment can be made confidently on a trusted, known website, the agency recommends.

Remember: Most companies will NEVER ask you to verify sensitive information over the phone, such as usernames, passwords, PIN or account numbers. If you receive a message requesting that information, it should be an immediate red flag that a scam could be taking place.