Phishing, smishing and vishing


With cybercrime massively on the rise, you may have heard about phishing, vishing and smishing, but what exactly are they? They are all types of financial fraud that trick unsuspecting victims into giving out sensitive personal information, for example by clicking on fraudulent links, which can also install malware on their devices.

The main difference between the terms is the channel through which you are targeted: phishing refers to scam emails, smishing to scam SMS or WhatsApp messages, and vishing to scams that take place on a telephone call.

Phishing, smishing and vishing are all types of social engineering attacks, and it is important to guard against attacks of this nature. A message or call delivered via one of these methods will appear to be from someone the recipient trusts and will ask them to follow a link, carry out an action or reply with some confidential or sensitive information.

Let’s dive deeper into the actual meaning of smishing, phishing, vishing, and some examples.

What is Phishing? 

Phishing is a type of cyber-attack that aims to trick victims into clicking on fraudulent links sent in emails. The link takes the victim to a seemingly legitimate website that asks for usernames, passwords, bank details or other sensitive information. This information is then sent directly to the cybercriminals without the victim being aware of it.

An email may, for example, seem to be from a genuine organisation, especially one that is familiar to the victim. Some phishing emails state that your bank account is locked and ask you to click on a link to regain access. But that link will inevitably lead to a fraudulent website designed to trick you into giving away information such as your online banking login credentials.

The cybercriminals can then log into your bank account and steal your money. Another way of defrauding via phishing is pretending to be a governmental entity. The example below shows what a phishing email looks like:

[Image: example of a phishing email]

What is Smishing?

Smishing is defined as phishing via SMS text messages. These messages often contain a malicious link in the form of a shortened URL, designed to encourage recipients to take some urgent action, such as getting a tax refund, claiming a prize, rescheduling or confirming a delivery, or giving away personal details of a bank account.

The number of smishing scams, including scam text messages pretending to be from legitimate organisations such as delivery companies, phone companies and banks, rose exponentially in 2021. Data from Proofpoint showed that reports of smishing in the UK grew by nearly 700% in the first six months of the year compared to the second half of 2020 (July to December).

This was driven by an increase in scams since the pandemic hit in 2020, with fraudsters looking to take advantage of trends such as people getting more deliveries as well as the growth in organisations sending more text messages to their customers. 

Check out how fraudsters target their victims using smishing with the examples below:

[Image: examples of smishing messages]

Smishing reports in the UK are up to 15 times higher than reports of smishing in the USA, according to data from Proofpoint. Smishing attacks attempting to impersonate government entities, banks and delivery companies are common as these industries often use text messages to communicate with customers. 

With cybercriminals using increasingly sophisticated ways to ensure their messages are as authentic as possible, many people fall for smishing scams every year. Smishing text messages are like phishing emails as they often convey a sense of urgency, contain some sort of link and include a request for some personal information. 
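The three traits described above (urgency, a link, a request for personal information) plus the shortened URL mentioned earlier can be turned into a simple triage check for reported messages. This is an added example, not part of the original article; the keyword lists, shortener list and sample messages are constructed assumptions to be tuned for real use.

```python
import re
from urllib.parse import urlparse

# Illustrative lists (assumptions, not taken from the article).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}
URGENCY = ["urgent", "immediately", "suspended", "locked",
           "final notice", "within 24 hours", "expires"]
INFO_REQUEST = ["password", "pin", "card number", "bank details",
                "verify your", "confirm your", "login"]

def _phrase_re(phrases):
    # Whole-word matching so "pin" does not fire on "shipping".
    body = "|".join(re.escape(p) for p in phrases)
    return re.compile(r"\b(?:" + body + r")\b", re.IGNORECASE)

URGENCY_RE = _phrase_re(URGENCY)
INFO_RE = _phrase_re(INFO_REQUEST)
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)

def extract_hosts(text):
    """Return the lower-cased hostnames of every URL found in the text."""
    hosts = []
    for raw in URL_RE.findall(text):
        raw = raw.rstrip(".,;:!?)")
        if not raw.lower().startswith("http"):
            raw = "http://" + raw
        host = (urlparse(raw).hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        if host:
            hosts.append(host)
    return hosts

def triage(text):
    """Return the list of indicators present in one SMS or email body."""
    hosts = extract_hosts(text)
    flags = []
    if URGENCY_RE.search(text):
        flags.append("urgency")
    if hosts:
        flags.append("link")
    if any(h in SHORTENERS for h in hosts):
        flags.append("shortened_url")
    if INFO_RE.search(text):
        flags.append("info_request")
    return flags

# Constructed sample messages.
SMS_PARCEL = ("Your parcel is held. Pay the fee immediately at "
              "https://bit.ly/xxxxxxx to confirm your delivery.")
SMS_BENIGN = "Hi, running 10 mins late, see you at the cafe."
```

A message that raises several flags at once is a candidate for review or user warning; any single flag on its own is common in legitimate messages.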

What is Vishing?

Vishing is often referred to as voice phishing, which is phishing via a phone call or messaging services such as Facebook Messenger or WhatsApp. Attackers often use Voice over IP (VoIP) technology. Typically, the recipient of a vishing attack will receive a phone call or voicemail from a fraudster who is pretending to be someone from a legitimate organisation and is attempting to get personal information from the recipient, such as credit card details or login information, in order to gain illegal access to their accounts and assets.

Cybercriminals use a range of different techniques, including fake caller ID so that the call looks like it has come from a trusted source, “war diallers” to contact large numbers of people, synthesised speech and automated dialling processes.

Here are some tips to prevent you from becoming a victim of vishing:

[Image: tips for avoiding vishing]

Vishing scams may start with automated messages which tell the recipient they are the victim of identity fraud and request that they contact a given number. As they are doing this, they are asked to disclose sensitive information. Cybercriminals then use the information to gain access to other accounts or sell the credentials on the Dark Web. 

The COVID-19 pandemic has given rise to vishing and presented more opportunities for cybercriminals to use it. Cybercriminals don’t just target individuals with vishing; they target organisations too. Vishing attacks share many similarities with smishing attacks and are often used by cybercriminals to impersonate businesses, charities, banks, and tech support from organisations or government departments.

How can you prevent Smishing, Vishing and Phishing attacks? 

There are a few ways you can prevent falling victim to these types of attacks and reduce the likelihood of being targeted in the first place: 

  • Do not click on links from anyone you don’t know. Go directly to the authentic website for the business the communication purports to be from and check to see if the notification indicated in the email or text message is real.
  • Do not give out any personal information to someone who contacts you out of the blue. If they claim to represent a bank, government department or company, hang up and tell them you will call them back. Then go to the official website and call their official phone number to find out if it was really them or not and what is going on.
  • Don’t answer calls or texts from phone numbers you don’t know. Even if you answer only intending to ask to be taken off the list, cybercriminals will note that you interacted with the call. This will likely increase the number of calls you get from cybercriminals in general, as your phone number is more likely to be sold or found on the Dark Web.

How can you protect yourself if your personal information is stolen? 

These types of scams are becoming increasingly common. They are a known fraud trend, and many people become targets before they’ve even heard of phishing, smishing or vishing. In addition to the preventative steps given, it’s important to do the following if your personal information is stolen.

  • Immediately contact your bank’s customer service or fraud prevention department and report that your credentials are stolen.
  • Explain in detail how it happened, and provide as much detail as you can. There might be other victims, and your experience may help the bank take preventive actions.
  • If you can, block or suspend any compromised account and its activity.
  • Report your case to the corresponding entity, depending on the country where you are located. For instance, in the UK you should report phishing attempts to Action Fraud and in the USA you should report your fraud case to the Federal Trade Commission (FTC).

While phishing, smishing and vishing scams are not likely to go away anytime soon, these are simple steps you can take to help protect yourself and others.
