Red Hot Cyber
The Poison of Curiosity and the Antidote of Cyber Hygiene: A Social Engineering Recipe

Stefano Gazzella : 16 October 2025 11:34

Curiosity, that old rascal. It has been making people click links and open attachments in a decidedly reckless manner for a very long time. It is one of the tricks cybercriminals know well and have no qualms about building into phishing campaigns. And it works damn well, especially when the nets are cast over a large number of recipients. After all, as long as a method works, why change it?

Of course, over time it all comes down to designing the right bait through social engineering techniques. What matters is crafting a lure that attracts attention, piques interest, and prompts the victim to open a link or attachment. Once the victim has taken that step, only a good anti-malware product and a healthy dose of luck stand between them and the consequences. But that last ingredient is far too rare to count on, while curiosity is far too widely distributed.

This is why it is important to always be aware of what an extraordinary trigger our curiosity is. That awareness is also the fundamental prerequisite for independently adopting a set of safe behaviors, together with an understanding of the consequences of our actions, even the most seemingly trivial ones, like a single click.

Not just email, but also SMS and QR codes.

Let's not assume that all the risks of that tempting click are confined to email: there are also SMS messages and QR codes. The latter are strangely underestimated for their offensive potential, even though they are nothing more than links presented as a barcode mosaic. This reduced perception of danger, the lethal combination of not understanding the medium and a false sense of security induced by seeing QR codes used everywhere in everyday life, is exactly what makes this type of attack so effective.

QR-ishing, or phishing using QR codes, has recently been reported as a growing phenomenon, most likely because of the widespread use of this tool, not only in restaurants for menus but also in advertising campaigns and on informational signs. In short, there is a direct correlation between the growing use of a tool and its adoption by cybercriminals as an attack vector. And in this case, nothing is more inviting, or more likely to spark curiosity, than a well-placed QR code: a bait that currently raises few concerns and few questions. It is scanned, and voilà: the link, or the attachment, is ready.

As for SMS, despite their old-school appeal, smishing campaigns owe their success to a casual approach to smartphone use that is unsustainable from a security perspective. A text message may well contain a link to a malicious file or website, but here too everything hinges on the user's lack of awareness of the risk.

In short, the common denominator? For the victims, that lethal mix of recklessness and unawareness; for the attackers, the ability to arouse just enough curiosity to make the most basic precautions be ignored.

The importance of digital hygiene.

Digital hygiene, that is, the set of behaviors and habits to adopt daily to protect one's digital security, is an effective antidote to that otherwise unstoppable surge of curiosity. It strengthens, or rather establishes, the defenses of individuals, both as digital citizens and as operators within an organization.

Note one detail: being aware of the risks and adopting safe behaviors does not make you immune to online fraud; it raises the cost of the fraud to the attackers. They will therefore have to step up their efforts to engineer better attacks, and will give up only when the expected reward is no longer attractive and profitable enough.

This is a significant detail, one that should be printed in capital letters on the antidote's information leaflet, as it points to a side effect: overestimating one's own safety. That side effect has consequences comparable to those of neglecting digital hygiene altogether.

Stefano Gazzella
Privacy Officer and Data Protection Officer, serves as Of Counsel for Area Legale. Specializes in personal data protection and, in managing information security within organizations, pays particular attention to issues related to social engineering. Head of the scientific committee of Assoinfluencer, coordinates research, publication, and outreach activities. As a freelance journalist, writes about topics related to fourth-generation rights, new technologies, and information security.
