The more sophisticated and complex the average workplace technology becomes, the more gaps there are for malicious entities to squeeze their way into your systems. Your existing system may be locked down with the best cybersecurity solutions. But lack of security awareness training can leave a significant flaw in your system that even the latest innovations can’t prevent. As a social engineering scam, phishing bypasses your systems to strike at your weakest link. Vishing and smishing are two types of this scam that do the same things differently. In this article, we define what phishing and its sub-types are. We also look at common attempts to look out for and the ideal way to reduce your risk and protect your business from these malicious attacks. Read on to find out more:
What is phishing?
As a threat that has existed for over 25 years, you likely already have a basic idea of what phishing is. As the origin of an increasingly more complex web of scams, phishing involves an attacker attempting to gain access to information or systems via email. These scam emails trick employees into releasing information through targeted messages. For example, providing financial details or giving login credentials for access to an account.
As the world has become more familiar with standard phishing, there’s a greater general understanding of how these emails can be a risk. The average employee is less likely to fall victim to a phishing email than ten years ago. But while that risk may be lower, phishing has continued to evolve alongside other technology to become an entirely new threat to business operations.
Smishing and vishing are two sophisticated examples that take the phishing template in new directions. Instead of focusing on emails, these methods use other communication tools to attempt to access information. We cover each of these phishing scams in detail for you below.
What is smishing?
Smishing is a form of phishing that goes outside of the inbox by sending texts directly to your employee’s smartphones. The term was initially coined as ‘SMiShing’ to include ‘SMS.’ However, today’s smishing attempts cover a whole host of messaging platforms. Malicious attempts via iMessage, WeChat, or even social media chat functions are standard options that often catch people out.
Businesses that utilize texting within their organization are more likely to fall prey to these malicious attacks. Unlike emails, it’s often taken at face value that texts won’t be as formal between coworkers. Smishers often impersonate a bank or financial organization. All it can take is a strong mimicry of official text communication to gain access to private information.
What does a smishing attempt look like?
Smishing attacks use social engineering to encourage you to provide a range of information. For example, you could receive a text that appears to be from a bank. This text could ask you to provide details of a card number or bank account to verify your identity. Sometimes, texts include a link that downloads malware when you open it on your smartphone. This malware can access data and private information for use or sale.
What is vishing?
Vishing is a form of phishing that can be hit or miss for hackers, depending on how legitimate they sound. As the name suggests, this form of ‘voice phishing’ involves phoning an individual and asking for details over the phone. Vishing takes several forms. From posing as a tech support specialist to sending automated voice messages. In some cases, there’s no requirement for a human voice to be involved.
While you may associate spam calls with poor-quality phone lines or particular accents, many modern scammers have vishing down to a fine art. The right voice and urgency can encourage many employees to disclose information they wouldn’t over email. Vishers often have success targeting larger or international companies. This practice is particularly effective in companies where employees may not know upper management personally, making them easier to impersonate.
What does a vishing attempt look like?
Vishers use urgency and realistic situations to try to appear genuine. For instance, the caller may pretend to be tech support within the organization. They may request your login information, including your password, to resolve an urgent issue that requires immediate attention. Highly sophisticated vishers may even spoof phone numbers, appearing as though they are a legitimate contact from within a business.
Common smishing and vishing schemes
Understanding the most common phishing schemes is key to combatting these malicious attacks. Being forewarned means you’re forearmed against potential risks to your company. As with many attacks, knowing more about what happens is vital for preventing an issue from occurring in the first place. For businesses, it’s even more integral to protect private data and financial information. At the very least, many more people have access to that information. In comparison to a personal account, the risk can be tenfold.
Here are some of the most common schemes to keep an eye out for:
Requesting financial information or transfers as a HR professional
Pretending to be an HR professional is increasingly common in all areas of phishing scams. Employees are more likely to believe the credibility of a call, email, or text if it appears to be from HR. In these scams, it’s common for sophisticated phishers to use the public name of an HR manager or director to gain information. For instance, your employees may be asked to provide login information. Requesting personal financial details for payroll is another standard scheme when posing as an HR professional.
Posing as an IT professional to reset or access passwords
Scammers often use employees’ lack of IT knowledge against them by pretending to be IT professionals. For example, an employee may receive a text message saying their password needs to be changed urgently. The attacker then provides a URL to a fake page where the employee would enter their credentials, granting the attacker access to all of the resources the employee uses. Urgency is often used in IT-related scams, such as telling employees their computer is infected or that they need to provide immediate access to take temporary control of their system.
Impersonating a colleague to gain information
Some smishing scams can be spotted a mile off due to their grammar or tone. Despite this, some hackers are convincing enough to make employees think they are talking to their coworkers via chat or text. If a malicious hacker can gain access to a single messaging account, there’s a possibility they can contact dozens of people across an organization. All it takes is a single person providing a login over the phone or by text.
Claiming to be a supplier that hasn’t been paid
Supplier-related vishing scams are widespread. Malicious attacks often focus on getting banking information or financial transfers as swiftly as possible following contact. For example, a scammer could call claiming to be a supplier that is overdue for invoice payment. Taking an aggressive and angry tone can pressure employees. As a result, they may provide payment over the phone to appease the angry supplier, not realizing they aren’t who they say they are.
Asking for financial information as a fraudulent government operative
Using authority positions is another standard option for phishing attempts. Such as posing as the government, a regulating body, or other public services. For example, in a vishing attempt, a caller could say they are calling about unpaid taxes as a government official. These scammers pressure individuals within a company to pay over the phone to avoid fines. Scammers often use the fear of ‘messing up’ on finances to manipulate the situation.
How to defend against social engineering attacks
Social engineering attacks are a significant risk for businesses and individuals. Employees that are victims of phishing attempts are often distressed at causing harm to the business. The cost of a successful malicious attack can be significant for company owners. For the peace of mind of everyone involved, actively defending against attacks is your ideal option. Some of the methods you can use to protect yourself and your business include:
Encourage cautiousness with unknown contacts
Encouraging employees to use caution when taking phone calls and receiving other forms of contact is an excellent foundation for better awareness. For instance, having the confidence to double-check information with a coworker can help to avoid many phishing attempts. Knowing the specific words, phrases, and actions to be wary of can help employees identify scam calls. Teaching not to trust caller ID and to feel empowered to ask for more information can help significantly reduce risk.
Improve general awareness of phishing attempts
The more knowledgeable employees are, the less likely they will fall into a phishing trap. Providing examples of what phishing looks like helps raise awareness. As scams change and evolve, ensuring these examples are up to date is essential. A scam email from just a couple of years ago may be far less sophisticated than one your employees receive today. Posters, reminders, and even bulletin emails can keep employees in the loop of the latest risks.
Provide a flow chart for confirming legitimacy
Knowing what to do in a stressful situation can be challenging for employees. Particularly with vishing attempts, where there is significant pressure and urgency, having a simple flow chart of what to do can make all the difference. A step-by-step guide to confirm if a call is genuine can help employees avoid malicious attacks in a safe, practical way. The clearer these steps are, the easier they are to tick off when a vishing or smishing attempt occurs.
Consider implementing robust cybersecurity measures
While vishing and smishing methods don’t use email, that doesn’t mean there’s nothing you can do about them. With many offices using VoIP, a range of systems help reduce scam or spam calls into the business. Workplaces with smartphones can also implement security measures within work-owned devices. By extending cybersecurity beyond computers, you can help to make the workplace safer.
Change your internal approach to security
The way that communication happens in your business can significantly change your risk of vishing and smishing attempts. For example, managers may often require immediate, sensitive data over the phone. Likewise, international teams may discuss private company information over text. In these examples, you’re training employees to provide information in high-risk ways. Changing your internal processes to be more security-conscious can help to reduce that overall risk.
Introduce dedicated security awareness training
Security awareness training is an ideal way to improve employee understanding of phishing attempts in greater detail. While general awareness stops less sophisticated attempts, a dedicated training program is the best way to gain current knowledge about scams to look out for. Research suggests[1]Impact of Security Awareness Training Components on Security Effectiveness: Research Findings, Karen Quagliata, Ph.D., PMP, 2010[2]Changing Users Behaviors, Aberdeen Group, 2014 that ongoing training allows all employees to develop their understanding of phishing, reducing the risk of malicious attacks in their personal and professional lives.
Defend against phishing, smishing, and vishing with high-quality security awareness training
Are you looking to improve your defenses for emerging social engineering threats like vishing and smishing? Ramsey Consulting Services provides the ideal solution. We help you to manage your risk with a high-quality training program. Get in touch with our expert team today to discuss what we can offer your business.
References
