What Is Quishing? | Managed Cyber Security | Neuways – Technologist
The National Cyber Security Centre (NCSC) of Ireland has recently issued a critical warning about a growing trend in WhatsApp verification code scams targeting users across the country. This type of scam is not entirely new and has been referred to as Quishing. However, the frequency and sophistication of these attacks have notably increased, prompting the NCSC to advise heightened vigilance among WhatsApp users. Read below to find out more about the WhatsApp scam and help spread awareness of what quishing is and why all employees need to be aware of potential scams.
How the Scam Works – What is Quishing?
The scam begins when cyber criminals obtain a victim’s phone number, often through social engineering tactics or by purchasing data from illicit sources. With this information, the attackers enter the victim’s phone number into WhatsApp’s login screen. As part of its security protocol, WhatsApp then sends a verification code via SMS to the phone number associated with the account.
Here’s where the scam becomes particularly devious: instead of using complex hacking methods, the scammers rely on human psychology. They contact the victim directly through WhatsApp, posing as a friend, family member, or trusted contact. The impersonation is often convincing because the attacker has already compromised another account from the victim’s contact list using the same scam. By pretending to be someone the victim knows, the attacker requests the verification code under various pretexts, such as “I accidentally sent my code to your number; can you please send it back to me?”
The NCSC emphasises that this tactic is highly effective because it exploits trust and the natural inclination to help friends and family. “The victim, believing they are helping a friend or family member, may share the code without questioning the request. If distracted or caught off guard, the victim is more likely to comply,” stated the NCSC in its advisory.
The Dangerous Implications of Quishing
Sharing a WhatsApp verification code may seem harmless but can have severe consequences. By obtaining this code, the attacker can access the victim’s WhatsApp account. Once inside, they can continue the scam by targeting the victim’s contacts and posing as the victim to gain further access to sensitive information or financial accounts.
The dangers extend beyond just unauthorised access to WhatsApp. Threat actors can use the compromised account to launch more sophisticated phishing attacks against the victim’s contacts. For instance, they could impersonate the victim to request sensitive information such as passwords, credit card details, or login credentials for other online services. Given people’s trust in their contacts, these phishing attempts are more likely to succeed.
Moreover, with control of a WhatsApp account, attackers can monitor private conversations, steal personal information, and manipulate communications to create further social engineering opportunities. This level of access can be devastating, leading to potential identity theft, financial loss, and breaches of privacy.
Protecting Yourself from WhatsApp Scams
In response to the increasing Quishing threat, the NCSC has outlined several critical steps users can take to protect themselves from falling victim to these scams:
- Keep Your Verification Code Private: Your WhatsApp verification code is as sensitive as your password. It should never be shared with anyone, not even with someone claiming to be from WhatsApp or a trusted contact. WhatsApp will never ask for this code directly.
- Activate Two-Step Verification: Enhance your account security by enabling two-step verification. This feature adds an extra layer of protection by requiring a PIN and a verification code when accessing your account. Go to WhatsApp settings under Account > Two-step verification to enable this feature. This additional security measure can prevent unauthorised access even if the verification code is compromised.
- Be Cautious of Urgent Requests: Even if a message appears to be from someone you know, be wary of any urgent requests, particularly those involving money or sensitive information. Scammers often create a sense of urgency to pressure victims into making hasty decisions. If you receive such a request, take a moment to verify the sender’s identity by calling them or using another trusted method.
- Report and Block Suspicious Activity: If you receive suspicious messages or notice any unusual activity on your WhatsApp account, report it immediately. WhatsApp provides in-app tools for reporting and blocking suspicious accounts, helping to protect you and other users from potential scams.
The Bigger Picture: Growing Sophistication in Cyber Scams
The rise of WhatsApp verification code scams is part of a broader trend in cybercrime, where attackers increasingly leverage social engineering tactics to bypass traditional security measures. As digital communication tools become more integral to our daily lives, the risks associated with these platforms also grow.
While technological defences like two-step verification are essential, the human element remains a critical vulnerability. Scammers will continue to exploit trust and familiarity to manipulate victims. Therefore, education and awareness are key to combating these threats.
Be Proactive with Cyber Security
By staying informed and adopting proactive cyber security practices, users can significantly reduce their risk of falling victim to these scams. The NCSC’s warning serves as a timely reminder that in the digital age, vigilance is essential—not just in securing our devices but also in scrutinising the communications we receive, even from those we trust.