Contrary to what we may believe, phishing is not limited to email. Because sensitive data is valuable, scammers have found various ways to manipulate victims into handing over their information. Phishing attacks are evolving and have expanded into new channels to gain sensitive data. In this article, we look at two specific mediums into which phishing has expanded: Vishing and Smishing.
What is Smishing?
Smishing is a variation of the phishing attack that is carried out by means of an SMS sent to a user’s cell phone.
This kind of attack is identical in nature to a phishing attack. Smishing messages typically include a threat, a phone number, or a link that entices the user to click it. In some cases, these SMSs suggest that the user install software, which is usually malware engineered by a hacker.
What is Vishing?
By definition, Vishing or Voice Phishing is a type of phishing attack that is carried out through a voice call over the phone and often targets Voice over IP (VoIP) users, who use applications like Skype.
Faking caller ID is an easy task for scammers these days, so the call appears to come from a local number or from a locally based organization that the user trusts. If the user doesn’t answer the call, a voicemail is left requesting a callback. Sometimes these scams involve an automated answering service or even a call center that is unaware of the crime being carried out.
Data is siphoned with the help of employees who are kept in the dark about the true nature of their work, or with the help of automated machines. The eventual aim is to get credit card details, birthdates, and account sign-ins, or just to harvest phone numbers from the user’s contacts. To get victims to hand over their personal or financial information, scammers use social engineering tactics that exploit the victim’s own emotions.
Breaking down Vishing and Smishing in common examples
Telemarketing
Every person with access to the internet has at some time in their life experienced a telemarketing call. Below are some examples of the pretexts used to collect data through telemarketing:
- Your health or vehicle insurance is about to expire or has expired already
- Reduction of Interest rate on your loan or new offers against your credit card
- A charity or a noble cause that needs help and would be richer with a user’s donation
- An incredible business opportunity that could make you the next success story
- A winning lottery has been allotted to a user or the user has won an all-expenses-paid trip to an international location
Users are advised to be vigilant and not share their personal or financial information with anyone who is not a trusted source.
Impersonation of Government officials
The government takes various steps to reach out to the masses, either to disseminate information or to help them acclimatize to a change it has introduced. Scammers impersonate government officials on this pretext, for example:
- Officials from the income tax department call and request sharing of information due to security reasons
- Government personnel call with a new Medicare scheme that has been started by the government
- Representatives from the government call with a request for migration of the user’s government-issued identification number.
Tech Support Frauds
In this kind of scam, threat actors pretend to be working for tech companies or e-commerce firms and request that the user share their data in order to smoothly resolve an inconvenience caused to the user. This inconvenience could be anything from being unable to make an e-purchase or connect to the internet to being unable to access a certain product or service on a certain website.
Banks and Financial Institutions Impersonation
Financial Vishing scams usually involve a threat actor impersonating a bank or financial institution in order to get the user’s personal banking information. Below are some examples of the pretexts used in such incidents:
- A new credit card has been allotted on your existing bank account
- Fraudulent charges are levied on your existing account
- Fraudulent transactions have been carried out on the user’s bank account
- Personal information has been changed, and the user needs to verify that the information is correct
- The net banking password needs to be reset, and the old password is required to secure the changes
Vishing techniques
A threat actor conducting a Vishing call relies on a few effective traits. In order to cajole information out of the user, the threat actor needs to be confident, convincing, and calm, and needs to earn the user’s trust within a short span of time.
Hence, it is even more crucial for the user to spot these traits and always be vigilant.
Here are a few things that threat actors aim to achieve while targeting you over a Vishing phone call:
- Catching the user by surprise with an unsolicited call
- Provoking an emotional response from the user via a fake scenario
- Creating a sense of urgency so the user ignores the warning signs
- Gaining the user’s trust
- Making the user feel that they are doing the right thing
How can one protect oneself from a Vishing or Smishing attack?
The millennial mindset is on guard when it comes to emails; however, text messages and phone calls still seem a legitimate means of communication to many, and hence they fall prey to these kinds of scams.
Common sense is always a person’s first line of defense, and in order to stay safe one should always stop and think.
That said, a business or an individual can always observe the following steps to stay vigilant in the fight against Vishing and Smishing.
- Do not respond to unsolicited sales, marketing or outreach program calls.
- Do not call phone numbers mentioned in pop-ups, online ads, banners, emails, etc.
- Be educated and stay aware of potential threats and scams.
- Inform the authorities or the company’s IT department about any potentially fraudulent calls or messages.
- File an official complaint if you feel that you have been a victim of the said crime.
- Use antivirus software to protect your passwords and reduce the risk of phishing attacks.