Sign in Subscribe

Sealed with a Quish - the Problem with Cybersecurity Terminology

Last updated on 
Sealed with a Quish - the Problem with Cybersecurity Terminology

Part of the challenge of working with technology and security is helping "normal" people to identify risk and take appropriate action. We naturally have to categorise and label some of the threats that users face - but in doing so we often inadvertently make those threats seem more opaque by creating words that quite frankly sound ridiculous.

20 or so years ago, we saw the advent of phishing, which Wikipedia defines as:


"fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication"

The word was likely born from hacker culture and "phreaking": Phreaks first appeared on the US scene in the early 1960s (phreaking was the study and exploration of telecommunication systems, particularly telephone networks, often with the goal of manipulating or exploiting them). The name is a portmanteau of Phone, Free and Freak, and probably made sense in its limited scope for finding it's way into the daily vernacular or the population.

Fast forward quarter of a century, and we live in an age when computer use is part of daily life, and fraud is rife. Crime can be committed from the other side of the world, and individuals and businesses see attempts to compromise their data on a daily basis. This has led to a whole industry dedicated to preventing and responding to this new and emerging set of threats. However this has also led to an increase in terminology that may confuse and distract end users and detract from the overall messaging.

One of my personal bugbears is the creation of terms for attacks that are fundamentally the same apart from their delivery mechanism; the only difference between a "phish", a "smish" (sms phishing), a "quish" (QR code phishing) and a "vish" (voice phishing) is the method of delivery of the scam. As time progresses there will be more and more tools and communications channels that can be used by attackers, and frankly it would be ridiculous to continue to make up new terms for them all (are we going to start calling Teams Phishing "tishing"?)

As experts and educators we need to start simplifying the messaging to our users of the techniques that are likely to be employed against them rather than the tools - the underlying strategies of fraudsters have been around since the dawn of time and when people understand the methods that they are likely to be conned using, the training is everlasting and universal.

Instead of getting caught up in whether it's a "phish" or a "smish," we should focus on teaching people to recognize the psychological tricks that haven't changed since the first con artist walked the earth. These techniques work regardless of whether they arrive via email, text, phone call, or carrier pigeon:

Creating false urgency: "Your account will be closed in 24 hours!" or "Limited time offer expires today!" Fraudsters know that rushed decisions are bad decisions. They want you to act before you think.

Exploiting fear and anxiety: Threats about suspended accounts, compromised security, or legal consequences trigger our fight-or-flight response. When we're scared, we're more likely to click first and ask questions later.

Playing on greed and opportunity: "You've won!" or "Exclusive investment opportunity" appeals to our desire for something good to happen. If it sounds too good to be true, it probably involves a Nigerian prince.

Authority impersonation: Whether it's your "bank," the "tax office," or "IT support," criminals love to pose as figures we're conditioned to trust and obey. They're counting on us not to question authority.

Social proof and FOMO: "Everyone in your area is switching to this service" or "Your colleagues have already updated their details" leverages our herd mentality and fear of missing out.

Reciprocity manipulation: Small favours or "free" services that create a sense of obligation, making victims more likely to comply with subsequent requests.

The beauty of understanding these tactics is that once you know what to look for, it doesn't matter if the scam arrives via instagram or hologram - you'll still spot the manipulation.