Phishing, Smishing, Vishing – What’s the Difference?

In the IT world there are many words and acronyms used that mean something to those of us in the industry but that may not mean much to our customers. Phishing, smishing and vishing are three of those words. All three are related to gathering personal information to carry out a cyber attack using compromised credentials. Most people have heard of phishing but as with everything cybersecurity related, threat actors are always looking for better, easier, or complementary ways to attack.   

Today’s article will focus on defining these concepts and on how to prevent these types of attacks by understanding what methods are used by the cybercriminals and how to spot these types of attacks. 

Phishing 

Phishing is a method of cyberattack that attempts to deceive victims into clicking on fraudulent links that are included in emails. The emails look like they come from legitimate sources or known entities and usually have a sense of urgency to them. The link usually takes the victim to what looks like a legitimate form or website that asks for personal identifiable information such as usernames, passwords, account numbers or other private information. The information is then sent directly to the cyber criminal without the victim realizing that they were tricked. The link can also deploy malware, ransomware, spyware and other malicious software on devices. 

For example, an email that looks like the IT department or Microsoft that the victim’s account has been locked and requests that the victim clicks a link to regain access. The link actually leads to a fraudulent form that collects the victim’s information. The threat actor then has information that can help them access the environment the victim works in and may gain access to very sensitive data. 

Smishing 

Smishing is like phishing, except it comes in the form of a text message. A smishing text will often contain a fraudulent link that takes victims to a form or website that’s used to steal their information. Similar to phishing, the link can also download malware, ransomware, and so forth onto the victim’s device. 

Smishing text messages appear to be urgent requests sent from a bank or delivery service, for instance. They may claim that there’s been a large withdrawal from your bank account (a bank would never do this), or that you need to track a missing package (best to go directly to the delivery service website, not click on the link provided). Again, the threat actor is attempting to obtain information that can help them access the environment the victim works in and may gain access to very sensitive data. 

Vishing 

Fraudulent phone calls or voicemails fall under the vishing method of attack. Scammers call potential victims, often using pre-recorded robocalls, pretending to be a legitimate company to obtain personal information from a victim. 

An example would be a victim getting a call from someone pretending to be their IT Helpdesk. If the call is answered and the victim connects with the alleged agent, they may ask to confirm the victim’s identity to provide the help the victim needs i.e. the victim’s M365 password is expiring and needs to be changed as soon as possible:  

• First and last name 
• Email address 
• M365 Username 
• Current Password 

If multi-factor authentication (MFA) is enabled, they may ask to stay on the call until the code is received so they can gain access.  

Preventing Phishing, Smishing and Vishing Attacks 

Here are some recommendations to help avoid becoming a victim of phishing, smishing or vishing.  

• Never click on links from someone that is unknown or not what is usually received from a known person. Instead, the real website for the organization the communication is supposed to be from should be visited to check to see if the notification indicated in the email or text message is real. Calling the person who sent the message is also a good alternative. 
• If a call is received from a financial institution, government organization or company that the organization does business with asking for confidential information, do not provide it. We recommend calling them at their official phone number to ensure the request is legitimate. 
• We recommend investing in Cybersecurity awareness and training for all of the organization’s leaders and employees. This will help with identifying phishing, smishing or vishing attacks and lower the risks of the organization falling victim to an attack. 

Cybersecurity awareness and training is one of the ways for organization to reduce the risks of being victimized by cyber criminals. MicroAge can help you determine what the best solution is for you. Let’s start a conversation today.