Defending against digital deception: Understanding and preventing smishing and vishing attacks

April 15, 2025
Author: Ryan Hamrick

Organizations must remain vigilant against fraudulent digital activities in the ever-evolving cybersecurity landscape. In my last blog, we talked about what a phishing attack is, how it has evolved in this new AI-enabled landscape, and how organizations can help protect against a continued high-value attack technique that only gets cheaper and more efficient for attackers to employ.

Today, I will discuss two more types of nefarious social engineering: Smishing and vishing.

Smishing? What is that?

Smishing—or SMS phishing—is similar to e-mail phishing but occurs through text messages. Attackers send fraudulent texts that appear to be from a legitimate source, urging recipients to click on a link or provide personal information. These links often lead to fake websites designed to steal sensitive data.

Common smishing techniques

I’m sure some of you have gotten fraudulent texts on your phone. Maybe a message with a helpful link pretending to be from “your bank,” telling you that you need to validate a potentially fraudulent transaction or verify login credentials? Or a message that tells you just how much you can sell your home for these days and how happy they are to help you with that valuation?

These—and other tactics too numerous to list here—are common attacks, and they typically boil down to two main scenarios:

  • Text message scams: Attackers send texts claiming to be from banks, delivery services, or other reputable entities, asking recipients to click on a link or call a number.
  • Urgent alerts: Messages that create a sense of urgency, such as warnings about account suspensions or fraudulent activity, prompting recipients to act quickly.

More insidious are messages from an unknown number saying “Hi” or asking a random and probably intriguing question. Designed to engage the recipient in a personal conversation, these attacks try to gather enough personal information to attempt hacking accounts with a phone number they already have on hand. Your best defense here is to ignore these messages and block the number sending them.

Tip: Do NOT call the number that texted you to verify their identity. Doing so leads you straight to the next attack type we’re discussing today: vishing.

Understanding vishing attacks

“Spam calling, ugh, so gross!” We’ve all gotten those calls. They come from a number in our area code, sometimes even our specific exchange, and either our phones tell us up front that it might be a “spam” caller, or we just let it go to voicemail. Much like smishing (and phishing) tactics we’ve discussed, these usually come with a sense of urgency. Either there’s some unbelievable deal or some urgent matter to attend to (OR ELSE!), or they just want to chat with you about your car’s extended warranty.

All of these are types of vishing attacks.

Vishing—or voice phishing—involves attackers using phone calls to deceive recipients into providing personal information. The more dangerous versions of these attacks can be targeted, but most of the time, they are mass communicated through automated calling software. These calls often seem to come from legitimate sources, such as banks or government agencies, and can be highly convincing.

Common vishing techniques

Vishing attacks can include:

  • Impersonation calls: Attackers pretend to be representatives from reputable organizations, asking for sensitive information. These are increasingly hard to detect if it’s a targeted attack using deep-fake technology, but that’s a topic for another blog.
  • Automated messages: Robo-calls instructing recipients to dial a number or visit a website to address a fabricated issue.

Preventing smishing and vishing attacks

Organizations can combat smishing and vishing with the following strategies:

  • Awareness campaigns: Educate employees about the dangers of smishing and vishing and how to identify suspicious calls and text messages. This is best worked into mandatory annual (at least) cyber training.
  • Verification processes: As we often say in security, “trust but verify.” Employees should always verify the legitimacy of callers and text messages by contacting the purported sender through official channels (internal messaging services or e-mail). Another option is to have a “code word” or phrase that you share ahead of time to validate the contact’s identity.
  • Security tools and policies: Implement security tools to detect and block smishing and vishing attempts on mobile devices. Establish clear policies on handling all requests for sensitive information, ensuring employees know when to escalate suspicious requests.
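
As an added illustration (not from the original post or from any product), the smishing indicators described in this article can be expressed as a simple triage scorer for text messages that employees report. The patterns, weights, thresholds and function names are assumptions chosen for the example, and the sample messages are constructed.

```python
import re

# Indicator patterns based on the techniques this article describes.
# Word lists, weights and thresholds are illustrative assumptions.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
CALLBACK_RE = re.compile(r"\b(?:call|dial)\b[^.\n]{0,40}?\+?\d[\d\s().-]{7,}\d", re.I)
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|suspended|locked|verify|validate|final notice|act now)\b", re.I)
ENTITY_RE = re.compile(r"\b(bank|delivery|package|parcel|account)\b", re.I)
OPENER_RE = re.compile(r"^\s*(hi|hello|hey)\b[\s!.?]*$", re.I)

def triage_sms(sender, body, known_senders=frozenset()):
    """Return (score, reasons) for one reported text message."""
    reasons = []
    if URL_RE.search(body):
        reasons.append("link")
    if CALLBACK_RE.search(body):
        reasons.append("callback-number")
    if URGENCY_RE.search(body):
        reasons.append("urgency")
    if ENTITY_RE.search(body):
        reasons.append("claims-trusted-entity")
    if sender not in known_senders and OPENER_RE.search(body):
        reasons.append("unsolicited-opener")
    score = len(reasons)
    # Urgency paired with a link or callback request is weighted higher.
    if "urgency" in reasons and ("link" in reasons or "callback-number" in reasons):
        score += 2
    return score, reasons

def verdict(score):
    if score >= 4:
        return "block-and-report"
    return "review" if score >= 1 else "allow"

# Constructed sample messages (not real traffic).
SAMPLES = [
    ("+15550100", "Your bank account has been suspended. Verify immediately at http://example.test/login"),
    ("+15550101", "Hi"),
    ("+15550102", "Running 10 minutes late, see you at the office"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        score, reasons = triage_sms(sender, body, known_senders={"+15550102"})
        print(sender, verdict(score), reasons)
```

Keyword heuristics like these only prioritize reports for review; they do not replace the verification processes listed above.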

In conclusion

As with phishing, smishing and vishing are significant threats to organizations, but awareness and preventative measures will go a long way toward mitigating them. Organizations can protect themselves from fraudulent digital activities by understanding these attacks a
