The Common Thread
Phishing, smishing, vishing, and quishing are four variants of the same fundamental attack. They differ in the channel used to reach the victim — email, SMS, phone, or QR code — but the underlying mechanism is identical: impersonation and manipulation.
Attackers study the brands, institutions, and communication styles that people trust most. They then craft convincing replicas — emails that look like they came from your bank, text messages that match your parcel carrier's format, phone calls that spoof your government's caller ID — and use them to manipulate victims into doing one or more of the following:
- Clicking a link that leads to a credential-harvesting site designed to look legitimate
- Downloading a malicious attachment that installs malware or ransomware
- Providing sensitive information (OTP codes, passwords, card numbers) verbally
- Authorising a fraudulent payment or funds transfer
Understanding each variant makes you dramatically harder to fool — because recognition is the first line of defence.
Phishing (Email)
Email phishing is the oldest and most prevalent form. Attackers send fraudulent messages that appear to come from well-known organisations: banks like Standard Bank or Nedbank, tech giants like Microsoft and Google, retailers like Amazon, or payment services like PayPal. The emails are often visually polished, using stolen logos and copied formatting from legitimate communications.
The core tactic is urgency. "Your account has been compromised — verify immediately." "Your payment failed — update your details within 24 hours." The time pressure bypasses rational scepticism and pushes victims to act before they think.
Common red flags to watch for:
- Mismatched sender domains — the display name says "PayPal" but the actual address is paypal-support@secureupdate-account.net
- Generic greetings — "Dear Valued Customer" instead of your actual name
- Unexpected urgency — legitimate services rarely threaten immediate account termination via email
- Lookalike domains — paypa1.com, microsoft-login.support, or amazon-secure.co
- Unexpected attachments — unsolicited invoices, shipping labels, or legal documents
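The two domain-based red flags above (display name trading on a brand while the sender domain is unrelated, and digit-for-letter lookalike domains) can be checked mechanically. The following is an added example, not code from the original article; the brand-to-domain table and the confusable-character map are constructed, illustrative assumptions, and the registrable-domain extraction is a crude last-two-labels heuristic rather than a public-suffix lookup. The same check is reused for links in SMS messages or decoded from QR codes.

```python
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand name -> domains that brand genuinely sends from (constructed, illustrative)
TRUSTED = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com", "live.com"},
    "amazon": {"amazon.com", "amazon.co.za"},
}

# Digit/letter swaps commonly used in lookalike registrations (paypa1 -> paypal)
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})

def registrable(domain: str) -> str:
    """Crude registrable domain: last two labels (assumption: no public-suffix list)."""
    parts = domain.lower().strip().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain.lower()

def brand_in(text: str):
    """Return the first trusted brand whose name appears in text after normalising confusables."""
    normalised = text.lower().translate(CONFUSABLES)
    for brand in TRUSTED:
        if brand in normalised:
            return brand
    return None

def check_sender(from_header: str) -> list:
    """Flag an email From: header that uses a brand name but is not sent from that brand's domain."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    flags = []
    # Red flag 1: display name names a brand, but the sender domain is not one of its real domains
    brand = brand_in(display)
    if brand and registrable(domain) not in TRUSTED[brand]:
        flags.append(f"display name '{display}' but sender domain '{domain}'")
    # Red flag 2: the domain itself imitates a brand (paypa1.com, microsoft-login.support)
    brand = brand_in(domain)
    if brand and registrable(domain) not in TRUSTED[brand]:
        flags.append(f"lookalike domain '{domain}' imitates {brand}")
    return flags

def check_url(url: str) -> list:
    """Apply the lookalike-domain check to a link from an SMS or a decoded QR code."""
    host = urlparse(url if "://" in url else "https://" + url).hostname or ""
    brand = brand_in(host)
    if brand and registrable(host) not in TRUSTED[brand]:
        return [f"lookalike domain '{host}' imitates {brand}"]
    return []

if __name__ == "__main__":
    for hdr in ('"PayPal" <paypal-support@secureupdate-account.net>', '"PayPal" <service@paypal.com>'):
        print(hdr, "->", check_sender(hdr) or "ok")
    for link in ("https://paypa1.com/login", "microsoft-login.support/verify", "https://www.microsoft.com/"):
        print(link, "->", check_url(link) or "ok")
```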
Smishing (SMS)
Smishing applies the same phishing principles to SMS text messages. The format is almost always the same: a short message with a brief claim and a link. "Your FNB account has been suspended — verify here." "Your SAPO parcel could not be delivered — click to reschedule." "SARS: you are entitled to a tax refund."
SMS feels more intimate and immediate than email. Notifications arrive on the same device you use for banking apps, creating a false sense of contextual legitimacy. Additionally, short URLs in SMS messages make it nearly impossible to preview the destination before tapping.
The rule is simple: never click links in unexpected SMS messages. If you receive a message claiming to be from your bank, navigate to the bank's official website yourself by typing the URL directly into your browser. The same applies to parcel tracking — go to the courier's website and enter your tracking number manually.
Vishing (Voice)
Vishing — voice phishing — moves the attack to a phone call. Attackers impersonate bank fraud departments, tax authorities (SARS, HMRC, IRS), police, Microsoft support, or telecommunications companies. Modern voice-over-IP technology makes it trivial to spoof any caller ID, so the number displayed on your screen may appear to be your bank's genuine number.
A skilled visher builds rapport quickly, references details obtained from prior data breaches (your name, part of your account number, your address), and creates artificial urgency: "Fraudulent transactions are being processed on your account right now — we need to verify your identity immediately."
They may then ask you to:
- Read back the OTP your bank just sent — which they triggered to perform a real transaction
- Install remote desktop software (TeamViewer, AnyDesk) so they can "help" you
- Transfer funds to a "safe account" they control
- Provide your full card number, CVV, and PIN for "verification"
Legitimate organisations will never ask for your password, PIN, or full OTP over the phone. If you receive a suspicious call, hang up and call the organisation back using the number printed on their official website or the back of your card.
Quishing (QR Code)
Quishing is the newest and fastest-growing variant. Attackers embed malicious URLs inside QR codes — which, unlike text links, cannot be visually inspected before scanning. The QR code is distributed via email (to bypass URL-scanning security tools), physical posters in public spaces, fake parking fine notices placed on car windshields, or even replacement stickers placed over legitimate QR codes in restaurants and shops.
When scanned, the code redirects the victim to a convincing lookalike login page that harvests their credentials, or to a site that exploits browser vulnerabilities to deliver malware. The attack is particularly effective on mobile devices, where the full URL is rarely displayed prominently.
Before scanning any QR code from an unexpected source, preview the URL it resolves to. Most phone cameras show the destination URL before opening it — check it carefully. If the domain looks suspicious, do not proceed.
How to Protect Yourself
Across all four attack types, the same principles apply:
- Verify independently — if a message claims to be from your bank, call the number on your card, not a number in the message
- Don't click — navigate directly — go to the official website by typing the URL yourself; do not follow links from emails or SMS
- Never read OTPs to callers — your bank will never ask for this; anyone who does is an attacker
- Preview QR code URLs before visiting them; check the domain carefully for lookalike characters
- Enable MFA — even if an attacker steals your password through a phishing page, MFA (especially hardware keys or passkeys) prevents account compromise
- Slow down — urgency is the attacker's tool; taking ten extra seconds to verify independently costs nothing and saves everything
BreachWatcher alerts you if your credentials appear in a phishing campaign database. If you receive a suspicious communication — an email demanding you verify your account, an SMS with an unexpected link, a caller asking for your OTP — do not engage. Verify through official channels first. Your BreachWatcher alert is a safety net, not a replacement for caution.