Phishing, smishing, vishing

Phishing, Smishing, Vishing – What’s the Difference?

In the IT world there are many words and acronyms used that mean something to those of us in the industry but that may not mean much to our customers. Phishing, smishing and vishing are three of those words. All three are related to gathering personal information to carry out a cyber attack using compromised credentials. Most people have heard of phishing but as with everything cybersecurity related, threat actors are always looking for better, easier, or complementary ways to attack.   

Today’s article will focus on defining these concepts and on how to prevent these types of attacks by understanding what methods are used by the cybercriminals and how to spot these types of attacks. 

Phishing 

Phishing is a method of cyberattack that attempts to deceive victims into clicking on fraudulent links that are included in emails. The emails look like they come from legitimate sources or known entities and usually have a sense of urgency to them. The link usually takes the victim to what looks like a legitimate form or website that asks for personal identifiable information such as usernames, passwords, account numbers or other private information. The information is then sent directly to the cyber criminal without the victim realizing that they were tricked. The link can also deploy malware, ransomware, spyware and other malicious software on devices. 

For example, an email that looks like the IT department or Microsoft that the victim’s account has been locked and requests that the victim clicks a link to regain access. The link actually leads to a fraudulent form that collects the victim’s information. The threat actor then has information that can help them access the environment the victim works in and may gain access to very sensitive data. 

Smishing 

Smishing is like phishing, except it comes in the form of a text message. A smishing text will often contain a fraudulent link that takes victims to a form or website that’s used to steal their information. Similar to phishing, the link can also download malware, ransomware, and so forth onto the victim’s device. 

Smishing text messages appear to be urgent requests sent from a bank or delivery service, for instance. They may claim that there’s been a large withdrawal from your bank account (a bank would never do this), or that you need to track a missing package (best to go directly to the delivery service website, not click on the link provided). Again, the threat actor is attempting to obtain information that can help them access the environment the victim works in and may gain access to very sensitive data. 

Vishing 

Fraudulent phone calls or voicemails fall under the vishing method of attack. Scammers call potential victims, often using pre-recorded robocalls, pretending to be a legitimate company to obtain personal information from a victim. 

An example would be a victim getting a call from someone pretending to be their IT Helpdesk. If the call is answered and the victim connects with the alleged agent, they may ask to confirm the victim’s identity to provide the help the victim needs i.e. the victim’s M365 password is expiring and needs to be changed as soon as possible:  

  • First and last name 
  • Email address 
  • M365 Username 
  • Current Password 

If multi-factor authentication (MFA) is enabled, they may ask to stay on the call until the code is received so they can gain access.  

Preventing Phishing, Smishing and Vishing Attacks 

Here are some recommendations to help avoid becoming a victim of phishing, smishing or vishing.  

  • Never click on links from someone that is unknown or not what is usually received from a known person. Instead, the real website for the organization the communication is supposed to be from should be visited to check to see if the notification indicated in the email or text message is real. Calling the person who sent the message is also a good alternative. 
  • If a call is received from a financial institution, government organization or company that the organization does business with asking for confidential information, do not provide it. We recommend calling them at their official phone number to ensure the request is legitimate. 
  • We recommend investing in Cybersecurity awareness and training for all of the organization’s leaders and employees. This will help with identifying phishing, smishing or vishing attacks and lower the risks of the organization falling victim to an attack. 

Cybersecurity awareness and training is one of the ways for organization to reduce the risks of being victimized by cyber criminals. MicroAge can help you determine what the best solution is for you. Let’s start a conversation today. 

Get the most from your IT

As service providers to more than 300 companies, the dedicated professionals at MicroAge are second to none when it comes to managed services. By improving efficiency, cutting costs and reducing downtime, we can help you achieve your business goals!

Most commented posts

In 2018, studies found that close to 60% of all cyberattacks are aimed at small and medium sized businesses. As criminals get smarter and more sophisticated, it’s never been so essential to protect businesses from cyber threats. If you own a business or are a CIO, here are five cybersecurity best practices for your company

5 Cybersecurity Best Practices for Your Company

In 2018, studies found that close to 60% of all cyberattacks are aimed at small and medium sized businesses. As criminals get smarter and more…

Read More
GDPR PIPEDA

How to Keep Your Business Compliant with GDPR and PIPEDA Regulations

Identity protection and data security are the buzzwords of the tech industry, with laws like GDPR and PIPEDA being put in place to protect an…

Read More
Industry of hacking

The Industry Of Hacking: Understanding The Business Behind Cybercrime

Cybercrime is big business with some hackers making massive annual profits. With the world being so dependent on technology, cybercriminals have loads of opportunities. There…

Read More
Create a team in Microsoft Teams

How to Build a Team in Microsoft Teams in 10 steps

Many organizations have started using Microsoft Teams for online meetings and chat. The fact is, in the past year, the usage of Microsoft Teams has…

Read More

Best Practices for Cybersecurity Awareness Training Programs

Government agencies such as the Canadian Center for Cybersecurity (CCCS) and the National Institute of Standards and Technology (NIST) in the U.S., not to mention…

Read More