In the IT world there are many words and acronyms used that mean something to those of us in the industry but that may not mean much to our customers. Phishing, smishing and vishing are three of those words. All three are related to gathering personal information to carry out a cyber attack using compromised credentials. Most people have heard of phishing but as with everything cybersecurity related, threat actors are always looking for better, easier, or complementary ways to attack.
Today’s article will focus on defining these concepts and on how to prevent these types of attacks by understanding what methods are used by the cybercriminals and how to spot these types of attacks.
Phishing is a method of cyberattack that attempts to deceive victims into clicking on fraudulent links that are included in emails. The emails look like they come from legitimate sources or known entities and usually have a sense of urgency to them. The link usually takes the victim to what looks like a legitimate form or website that asks for personal identifiable information such as usernames, passwords, account numbers or other private information. The information is then sent directly to the cyber criminal without the victim realizing that they were tricked. The link can also deploy malware, ransomware, spyware and other malicious software on devices.
For example, an email that looks like the IT department or Microsoft that the victim’s account has been locked and requests that the victim clicks a link to regain access. The link actually leads to a fraudulent form that collects the victim’s information. The threat actor then has information that can help them access the environment the victim works in and may gain access to very sensitive data.
Smishing is like phishing, except it comes in the form of a text message. A smishing text will often contain a fraudulent link that takes victims to a form or website that’s used to steal their information. Similar to phishing, the link can also download malware, ransomware, and so forth onto the victim’s device.
Smishing text messages appear to be urgent requests sent from a bank or delivery service, for instance. They may claim that there’s been a large withdrawal from your bank account (a bank would never do this), or that you need to track a missing package (best to go directly to the delivery service website, not click on the link provided). Again, the threat actor is attempting to obtain information that can help them access the environment the victim works in and may gain access to very sensitive data.
Fraudulent phone calls or voicemails fall under the vishing method of attack. Scammers call potential victims, often using pre-recorded robocalls, pretending to be a legitimate company to obtain personal information from a victim.
An example would be a victim getting a call from someone pretending to be their IT Helpdesk. If the call is answered and the victim connects with the alleged agent, they may ask to confirm the victim’s identity to provide the help the victim needs i.e. the victim’s M365 password is expiring and needs to be changed as soon as possible:
- First and last name
- Email address
- M365 Username
- Current Password
If multi-factor authentication (MFA) is enabled, they may ask to stay on the call until the code is received so they can gain access.
Preventing Phishing, Smishing and Vishing Attacks
Here are some recommendations to help avoid becoming a victim of phishing, smishing or vishing.
- Never click on links from someone that is unknown or not what is usually received from a known person. Instead, the real website for the organization the communication is supposed to be from should be visited to check to see if the notification indicated in the email or text message is real. Calling the person who sent the message is also a good alternative.
- If a call is received from a financial institution, government organization or company that the organization does business with asking for confidential information, do not provide it. We recommend calling them at their official phone number to ensure the request is legitimate.
- We recommend investing in Cybersecurity awareness and training for all of the organization’s leaders and employees. This will help with identifying phishing, smishing or vishing attacks and lower the risks of the organization falling victim to an attack.
Cybersecurity awareness and training is one of the ways for organization to reduce the risks of being victimized by cyber criminals. MicroAge can help you determine what the best solution is for you. Let’s start a conversation today.
3 Critical Cyber Threats For Businesses in 2019
Malware, vulnerabilities, and social engineering are some of the main concerns for IT security professionals. Although the tactics used to target businesses and individuals are…
5 Benefits of an Optimized IT Infrastructure
Is your current IT infrastructure helping your business thrive in its industry or creating obstacles for growth? If you’re still not using cloud technologies to…
3 Advantages of Using Cloud Infrastructure
Everyone knows that cloud computing is a hot trend, and its adoption should only increase over the next few years. According to one study published…
Top 5 Cybersecurity Myths
The digital world has offered small businesses around the world with numerous options for growth and protection. However, it has also allowed myths and lies…
5 Tips To Avoid Clicking On Suspicious Email Links
When it comes to emails, it can be easy to click on dubious links that install malware or unwittingly share your personal information. For this…