
Cybercriminals are constantly evolving their methods, moving well beyond traditional email scams to exploit newer technologies and social engineering tactics. In previous editions, we explored wire fraud and common phishing emails. This quarter, we focus on two growing threats—voice phishing (Vishing) and QR code phishing (Quishing). These scams are increasingly sophisticated and harder to detect, even for the most cautious and diligent of users.
Understanding Advanced Phishing
Advanced phishing goes beyond suspicious links in emails. Today’s fraudsters target victims through multiple channels – calls, texts, and even printed QR codes – counting on urgency, trust, and convenience to catch people off guard.
Voice Phishing (Vishing)
Vishing occurs when scammers pose as representatives from trusted institutions – like banks, government agencies, or tech support – to pressure individuals into giving up sensitive information.
According to Keepnet Labs, in 2021 approximately 59 million Americans – 23% of adults – lost money to vishing scams. That number has climbed steadily from 43 million in 2019. Nearly 70% of these scam calls used spoofed phone numbers, making them appear to come from trusted contacts (Vishing Statistics 2025: Unmasking the Voice Phishing Threat, 2025).
How Vishing Works
•Impersonation: Callers sound professional and claim to be from known entities.
•Urgency: The scammer insists there’s a pressing issue – like fraudulent charges or locked accounts.
•Data Requests: Victims are pressured to share personal or financial information such as Social Security numbers, passwords, or account details.
An Example of Vishing
You receive a call from someone claiming to be your bank’s fraud department. They say unusual charges were detected and ask you to verify your identity. Wanting to act quickly, you provide your account information – only to realize later it was a scam.
QR Code Phishing (Quishing)
Quishing attacks involve malicious QR codes that redirect users to fraudulent websites or install malware. These codes may appear in public spaces – flyers, restaurant menus, or business cards – or in seemingly legitimate emails and messages.
Hoxhunt reports that quishing attacks have increased by 25% year-over-year, highlighting their growing popularity among scammers (Baker & Cartier, 2025).
How Quishing Works
•Placement: Fake QR codes are placed on posters or included in phishing emails.
•False Promises: They may claim to offer discounts, contest entries, or policy updates.
•Redirects: Scanning the code opens a fake site that can steal login credentials or install malware.
An Example of Quishing
While shopping, you see a flyer offering a store discount via QR code. You scan it, land on a familiar-looking page, and enter your credentials – unknowingly handing them to scammers.
Multi-Channel Attacks: A Dangerous Trend
Fraudsters now combine techniques – email, QR codes, and voice calls – to increase success rates. Here’s how a layered phishing attack might unfold against a bank customer or employee:
Step 1: The Initial Lure (Email): The target receives a highly convincing email that appears to come from a legitimate source such as their bank, vendor, or IT department. It includes personal details like their name or references to recent events to build credibility. The email warns of a problem, such as a needed software update, locked account, or urgent policy change, and asks them to take immediate action.
Step 2: The Mobile Bridge (QR Code / Quishing): Rather than including a suspicious link, the email contains a QR code and encourages the recipient to scan it with their smartphone to “securely” access a portal or document. This step:
•Shifts the victim to a mobile device, often with fewer security tools than a work computer.
•Evades traditional email security filters that don’t inspect QR code images.
•Leverages trust in mobile convenience to reduce scrutiny.
Step 3: The Deceptive Destination: The QR code leads to a fake login page or a form requesting personal information, such as a name and phone number. The page may mimic the layout of the recipient’s bank, employer, or internal system. It might also attempt to download malware disguised as a policy document.
Step 4: The Follow-Up Call (Vishing): Within minutes, the target receives a call from someone claiming to be the support agent referenced on the site. The scammer, now armed with the victim’s name and device information, sounds credible and references the “security update” to establish trust. They ask for:
•Multi-factor authentication (MFA) codes
•Account credentials or passwords
•Remote access to the device
Each step appears plausible on its own, but when layered together, they form a highly effective and convincing attack.
Protecting Yourself Against Advanced Phishing
1. Verify Caller Identity: Hang up and call back using a phone number from an official source – never the one provided in a suspicious message.
2. Pause Before Acting: If a request feels rushed or threatening, stop and think. Scammers want you to react without verifying.
3. Be Cautious with QR Codes: Only scan QR codes you receive from trusted individuals or businesses. If something feels off, go directly to the website by typing the address.
4. Use Secure Scanning Tools: Most modern smartphones preview a URL before opening it – always review the link and don’t proceed if it looks suspicious.
5. Stay Informed: Threats evolve. Keep learning about new scam tactics and encourage others to do the same.
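Added example (not part of the original article and not GreenStone tooling): tip 4 says to review the previewed link before opening it, and this Python sketch shows what that review checks when applied to the text decoded from a QR code. The trusted domain examplebank.com and all sample URLs are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the domains your institution really uses (placeholder value).
TRUSTED_DOMAINS = {"examplebank.com"}

def qr_url_warnings(decoded, trusted=TRUSTED_DOMAINS):
    """Return the reasons a QR-decoded URL deserves suspicion ([] = none found)."""
    try:
        parts = urlsplit(decoded.strip())
    except ValueError:
        return ["unparseable URL"]
    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append("not https")
    # "https://bank.com@evil.example/" shows the bank's name, but the real
    # host is whatever follows the "@".
    if parts.username is not None or parts.password is not None:
        warnings.append("userinfo before host")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return warnings + ["no host"]
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address")
    except ValueError:
        pass  # a normal DNS name
    # Punycode labels can render as look-alike characters in a preview.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label")
    # The trusted name must be the END of the host, not merely appear in it.
    if not any(host == d or host.endswith("." + d) for d in trusted):
        warnings.append("host not under a trusted domain")
    return warnings

# Constructed sample values, as a phone's QR preview might show them.
SAMPLES = [
    "https://online.examplebank.com/login",
    "https://examplebank.com@login-verify.example.net/secure",
    "https://examplebank.com.account-update.example/login",
    "http://203.0.113.10/portal",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", qr_url_warnings(url) or "no warnings")
```

An empty result only means none of these specific tricks were found; typing the institution's address yourself, as tip 3 advises, remains the safer path.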
GreenStone’s Commitment to Your Security
At GreenStone, protecting your financial and personal information is one of our top priorities.
If you ever receive a suspicious message claiming to be from GreenStone – whether by phone, email, or QR code – do not respond. Instead, contact your local branch directly or call us using the verified number listed on our official website. Never use contact information provided in an unsolicited message.
To view the summer 2025 issue of Partners magazine in its entirety, click here.