Phishing, vishing and smishing -- oh, my!

By Mark Lanterman
BridgeTower Media Newswires

Social engineering attacks are some of the most common that occur in an organizational setting, with phishing being at the top of the list. Hackers have discovered that oftentimes, it is much easier to take advantage of a human vulnerability than a technological one. When discussing social engineering attacks that occur in the workplace, phishing attacks are often pointed to as being the most common.

-----

Phishing

As most are aware, phishing attacks are email-based scams that attempt to trick users into clicking malicious links or providing confidential information. These emails typically come with a sense of urgency ("Credentials required or you will be locked out of your account permanently"), have grammatical and spelling issues, contain links that don't connect to the website they appear to represent, and make use of small pieces of personal information making them appear to be legitimate. These emails are becoming increasingly sophisticated and can be difficult to spot for the average user. Phishing attacks are easy to execute, can be sent to a wide victim base, and they allow for a lot of anonymity. With a single click, organizational information can be compromised.

While phishing attacks seem to get the most attention, there are two other varieties of social engineering attacks that I would like to discuss in this article. Though less frequently executed, it is beneficial for any cybersecurity program to take into account all potential attack mediums. Apart from email, phone and texting-related attacks can be equally damaging to an organization. Since these attacks are not as publicized within the organizational setting, they may be even more damaging since there is less awareness surrounding their use. These attacks are known as vishing and smishing, respectively.

-----

Vishing

Vishing refers to social engineering attacks that utilize the phone. These types of scams aim to trick users into providing confidential information or information that may allow for subsequent attacks. Someone on the phone may pose as a colleague, client, or other legitimate party seeking information. In some instances, these individuals will direct the victim to provide his or her email address. The perpetrator may then instruct the individual to open an email, click on a link, or visit a fraudulent web page. These callers can also purport to be representatives of the organization's upper management. As with phishing attacks, an employee may not be comfortable asking for clarifying information when a situation involves upper management, especially when the situation seems urgent.

Unlike phishing or smishing attacks, the phone may add an extra layer of personalization to an attack. A person may be less willing to hang up on a person "in real life" than simply ignoring an email or text. Proper call authentication and training is crucial when it comes to instruction on what information is appropriate to give over the phone. Outside of the organizational environment, elderly people are frequently made victim to vishing attacks. Believing that a child or grandchild is in need or danger, elderly victims are often tricked into sending money to fraudulent callers.

-----

Smishing

Smishing is very similar to phishing, except instead of email, attackers will use texting to target and trick victims. Smishing attacks usually involve attempting to get users to enter in account credentials or click on a malicious link. Like phishing, sometimes an urgent message will appear in a text on your phone, "Your bank account has been identified as being part of a breach. Please respond to this message with your PIN, username, and password to secure your accounts." When the attempt has the goal of gathering personal information, smishing messages often convey the same sense of urgency that phishing attacks do. Fearing for an account's safety, a person may hastily reply to this message without realizing that this text didn't actually come from their bank. Or, a link will appear with a message like, "Somebody liked your profile picture. Click here to see who." In instances like these, scammers will prey upon a victim's curiosity (and vanity!). Fake social media-related texts are frequently successful for this very reason.

Smishing attacks take advantage of the fact that most people today carry around a smart phone. With the attention given to phishing and suspicious emails, it may be more likely for someone now to respond to a smishing attack. While someone may know that their bank wouldn't send an email with this kind of request, it's possible he or she would be less familiar with their bank's other communication policies. Ultimately, cybercriminals will pursue the types of devices that amass the largest number of victims; today, most people have smart phones.

-----

Fueled by doxxing

Phishing, vishing, and smishing attacks all depend on one primary thing for their success: personalization. The more personal information backing a cyberattack, the more authentic that attack will look. The more authentic a message looks to a user, the greater the likelihood that he or she will take the bait. Doxxing is often utilized by cybercriminals to personalize their attacks.

Doxxing refers to the buying and selling of personal information online, often with malicious intent. The most successful social engineering schemes are those that make the user believe that the communication in question is genuine, and/or is coming from a trusted source. With that being said, just because a communication seems real, check for the red flags that may indicate otherwise. Verify the actual sender of the communication, establish if any urgent requests are being made, hover over links to see their true destinations, and recognize that no reputable organization will ever ask for confidential information (such as PINS or passwords) over the phone, through email, or over text. If a message or phone call seems urgent, and you feel pressured to make an immediate decision, take that as a sign that maybe something is amiss. Double-checking is also an effective safeguard, especially when it comes to communications appearing to come from within your organization.

-----

Conclusion

Phishing, vishing, and smishing are all attacks that target people. In many instances, cybercriminals need our help to execute an attack. Social engineering attacks are those that attempt to trick people instead of technology, with the attacks discussed in this article being some of the most common methods. Education and awareness of these types of attacks is important in keeping an informed cybersecurity protocol that balances technological threats with human vulnerabilities.

Published: Thu, Jan 25, 2018