Smishing and vishing: How these cyber attacks work and how to prevent them

Smishing and vishing are types of phishing attacks that try to lure victims via SMS message and voice calls. Both rely on the same emotional appeals employed in traditional phishing scams and are designed to drive you into urgent action. The difference is the delivery method.

“Cyberthieves can apply manipulation techniques to many forms of communication because the underlying principles remain constant,” explains security awareness leader Stu Sjouwerman, CEO of KnowBe4. “Lure victims with bait and then catch them with hooks.”

What is smishing?

Smishing definition: Smishing (SMS phishing) is a type of phishing attack conducted using SMS (Short Message Services) on cell phones.

Just like email phishing scams, smishing messages typically include a threat or enticement to click a link or call a number and hand over sensitive information. Sometimes they might suggest you install some security software, which turns out to be malware.

Smishing example: A typical smishing text message might say something along the lines of, “Your ABC Bank account has been suspended. To unlock your account, tap here: https://bit.ly/2LPLdaU” and the link provided will download malware onto your phone. Scammers are also adept at adjusting to the medium they’re using, so you might get a text message that says, “Is this really a pic of you? https://bit.ly/2LPLdaU” and if you tap that link to find out, once again you’re downloading malware.

What is vishing?

Vishing definition: Vishing (voice phishing) is a type of phishing attack that is conducted by phone and often targets users of Voice over IP (VoIP) services like Skype.

It’s easy to for scammers to fake caller ID, so they can appear to be calling from a local area code or even from an organization you know. If you don’t pick up, then they’ll leave a voicemail message asking you to call back. Sometimes these kinds of scams will employ an answering service or even a call center that’s unaware of the crime being perpetrated.

Once again, the aim is to get credit card details, birthdates, account sign-ins, or sometimes just to harvest phone numbers from your contacts. If you respond and call back, there may be an automated message prompting you to hand over data and many people won’t question this, because they accept automated phone systems as part of daily life now.

How to prevent smishing and vishing

We’re on our guard a bit more with email nowadays because we’re used to receiving spam and scams are common, but text messages and calls can still feel more legitimate to many people. As we do more of our shopping, banking, and other activities online through our phones, the opportunities for scammers proliferate. To avoid becoming a victim you have to stop and think.

“Common sense is a general best practice and should be an individual’s first line of defense against online or phone fraud,” says Sjouwerman.

Although the advice on how to avoid getting hooked by phishing scams was written with email scams in mind, it applies to these new forms of phishing just as well. At root, trusting no one is a good place to start. Never tap or click links in messages, look up numbers and website addresses and input them yourself. Don’t give any information to a caller unless you’re certain they are legitimate – you can always call them back.

It’s better to be safe than sorry, so always err on the side of caution. No organization is going to rebuke you for hanging up and then calling them directly (having looked up the number yourself) to ensure they really are who they say they are.

Update your awareness training

While remaining on your guard is solid advice for individuals in everyday life, the reality is that people in the workplace are often careless. They may be distracted, under pressure, and eager to get on with their work and scams can be devilishly clever. What if the SMS seems to come from the CEO, or the call appears to be from someone in HR? You can toughen up your employees and boost your defenses with the right training and clear policies.

Every company should have some kind of mandatory, regular security awareness training program. It can include best practices for general safety, but also define policies, such as who to contact in the event of something suspicious, or rules on how certain sensitive communications will be handled, that make attempted deceptions much easier to spot.

If you do suffer any form of phishing attack, make changes to ensure it never happens again – it should also inform your security training.

The majority of smishing and vishing attacks go unreported and this plays into the hands of cybercriminals. While you may be smart enough to ignore the latest suspicious SMS or call, maybe Marge in Accounting or Dave in HR will fall victim. If you have a system in place for people to report these attempted attacks, and possibly even a small reward for doing so, then it presents you with an opportunity to warn others.

As phishing continues to evolve and find new attack vectors, we must be vigilant and continually update our strategies to combat it.