Doctor Digital, I've heard of phishing, but what is smishing and vishing?
Doctor Digital Says
With consumers getting savvier at picking up on the more common phishing scams, cybercriminals are now turning to alternative scamming methods and mobile devices are in their sights.
As with phishing, scammers rely on the human frailties of trust and busyness to trick people into giving away information that allows hackers to fraudulently transact. This blog looks at two common scams that you are likely to have already been a target of - smishing and vishing.
Smishing is a phishing cybersecurity attack carried out over mobile text messaging. When cybercriminals "phish," they send fraudulent emails that seek to trick the recipient into clicking on a malicious link. Smishing simply uses text messages instead of email.
There are two primary ways your information is obtained. The first is that the smishing link might trick you into downloading malware (malicious software) that installs itself on your phone; it may be masquerading as a legitimate app, tricking you into typing in confidential information and sending that data to the cybercriminals.
The other way is that the link in the smishing message might lead to a fake website that asks you to type in sensitive personal information. Cybercriminals use custom-made malicious sites designed to mimic reputable ones, making it easier to steal your information. These fake sites are very well constructed, so if you aren't looking closely for red flags in the URL or links, you may easily miss the deception.
An attacker’s smishing scheme is successful once they’ve used your private information to commit the theft they aimed for. This goal could include but is not limited to directly stealing from a bank account, committing identity fraud to illegally open credit cards, or leaking private corporate data.
Smishing deception is enhanced due to users having false confidence in text message safety. Email fraud is better known and publicised - but still manages to strip millions of dollars from businesses and consumers every year. When people are on their phones, they are less wary. Many assume that their smartphones are more secure than computers but smishing can attack any mobile device with text messaging capabilities regardless of brand or platform.
The main risk factor really is that you use your smartphone on the go, often when you’re distracted or in a hurry. This means you’re more likely to get caught with your guard down and respond without thinking when you receive a message asking for bank information or to redeem a coupon - or pretending to be a family member who has lost their phone and needs to borrow some money in a hurry.
Vishing is like smishing and phishing but uses voice scams to con a business or consumer. With vishing, criminals typically pretend to be from an official source, such as a bank or government organization. Many vishing scams may originate outside of your own country.
As such, a lot of vishing scammers will use text-to-speech synthesizers and recorded messages to mask their identity. You know the type: the robotic voice telling you the police are on their way to arrest you, or that the tax office is coming after you for fraud. These are the clumsier attempts, but to people who are unused to the ways of scammers they can seem very real and very scary, and prompt them to go along with the fraud out of fear.
Most vishing attempts try to convince the victim to give up PIN numbers, Social Security numbers, credit card security codes, passwords, or other personal details. That information will then be used for some type of identity fraud, or to later steal money directly from an account. In some cases, the vishing scammer will attempt to gain access to personal or financial accounts (such as a bank account) in order to steal information or money.
Most vishing scammers now rely on what’s known as caller ID spoofing. This allows them to send out phone calls that appear to be from a legitimate or localized source. Targets may feel more compelled to pick up the call as a result. However, many vishing scammers also leave a pre-recorded voicemail message should the call be ignored to further legitimise their mission.
Common types of vishing you’re likely to experience include:
- Supposed fraud or suspicious activity on your bank account
- Overdue or unpaid taxes to the ATO
- Prize or contest winnings
- Fake computer tech support calling to remotely access your PC to fix a problem
- Fake government agencies (such as a law enforcement agency)
For businesses, vishing scammers may be more likely to put real people on the line. The scammers may warn about fraudulent or suspicious bank transfers, or pretend to represent some form of computer or IT support service. The goal is to gain access to financial account information or remote access to computers. Some reports describe callers giving a supposed Telstra staff number as validation; stay vigilant, ask for the details of the issue to be emailed with a job number, and call Telstra directly on a number you look up yourself, not via any contact details supplied in that email.
Here are a few strategies to protect yourself and your business from smishing and vishing:
- Do not respond to texts or calls. Even prompts to reply, like texting “STOP” to unsubscribe, are used to identify active phone numbers, so refuse to engage.
- Slow down when it's urgent. Treat urgent account updates, warnings of server malfunctions or platform issues, and limited-time offers as signs of possible smishing and vishing, and make haste slowly. Ask yourself: would this business really demand that you engage this way?
- Call your bank or the business directly. Legitimate institutions don’t request account updates or login info via text or threaten you over the phone. The time it takes to check it out will be far less than trying to recoup your losses.
- Avoid using links in the message. Go directly to official contact channels when you can.
- Check the phone number. Odd-looking phone numbers, such as 4-digit ones, can be evidence of email-to-text services. This is one of many tactics a scammer can use to mask their true phone number.
- Use multi-factor authentication (MFA). Using MFA, for example with an authenticator app such as Google Authenticator, is the safest way to confirm it is safe to proceed.
- Never provide a password or account recovery code via text. Never. Ever. Only ever use official account sites, and check for the lock icon to make sure the connection is secure.
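The red flags described above (urgency language, requests for a PIN or code, links whose domain only imitates the real one, and short sender numbers that suggest an email-to-text gateway) can be turned into a simple triage check that a security team or an awareness trainer can run over incoming text messages. The following Python script is an added example written for this page, not code from the original post or from any vendor; the allow-list of legitimate domains, the keyword lists, the two-flag threshold and the sample messages are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed allow-list of domains the organisation treats as legitimate (assumption).
KNOWN_GOOD_DOMAINS = {"examplebank.com.au", "telstra.com.au"}

# Pressure words and credential requests the post describes as hallmarks of smishing
# (constructed lists; a real deployment would tune these to its own traffic).
URGENCY_WORDS = ("urgent", "immediately", "suspended", "locked", "within 24 hours", "act now", "overdue")
CREDENTIAL_WORDS = ("password", "pin", "verification code", "recovery code", "security code")
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Triage:
    sender: str
    text: str
    flags: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Two or more independent red flags is the (constructed) threshold for "suspicious".
        return len(self.flags) >= 2


def contains_word(text: str, phrase: str) -> bool:
    # Whole-word match so that "pin" does not fire on "shipping".
    return re.search(r"\b" + re.escape(phrase) + r"\b", text) is not None


def hostname_of(url: str) -> str:
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_trusted(host: str) -> bool:
    # Exact match or a genuine subdomain of an allow-listed domain.
    return any(host == d or host.endswith("." + d) for d in KNOWN_GOOD_DOMAINS)


def looks_like_brand(host: str) -> bool:
    # The brand label of a trusted domain appears inside an untrusted host,
    # e.g. "examplebank-secure.com" or "examplebank.com.au.login-check.net".
    brands = {d.split(".")[0] for d in KNOWN_GOOD_DOMAINS}
    return any(b in host for b in brands)


def triage_sms(sender: str, text: str) -> Triage:
    t = Triage(sender, text)
    lower = text.lower()

    # Short all-digit sender IDs (the post's "4-digit number" example) often come
    # from email-to-text gateways rather than a real handset.
    if sender.isdigit() and len(sender) <= 6:
        t.flags.append("short sender id")

    if any(contains_word(lower, w) for w in URGENCY_WORDS):
        t.flags.append("urgency language")
    if any(contains_word(lower, w) for w in CREDENTIAL_WORDS):
        t.flags.append("asks for credential or code")

    for url in URL_RE.findall(text):
        host = hostname_of(url)
        if is_trusted(host):
            continue
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            t.flags.append(f"raw ip link {host}")
        elif looks_like_brand(host):
            t.flags.append(f"lookalike domain {host}")
        else:
            t.flags.append(f"untrusted link {host}")
    return t


# Constructed sample messages for demonstration; not real traffic.
SAMPLES = [
    ("4563", "URGENT: your ExampleBank account is locked. Verify your PIN at https://examplebank-secure.com/login"),
    ("+61400000000", "Hi, it's me, lost my phone. Can you send $300 immediately? https://pay.example-wallet.net/x"),
    ("ExampleBank", "Your statement is ready at https://secure.examplebank.com.au/statements"),
]

if __name__ == "__main__":
    for sender, text in SAMPLES:
        result = triage_sms(sender, text)
        print("SUSPICIOUS" if result.suspicious else "ok        ", sender, result.flags)
```

The domain check is deliberately stricter than "does the page show a lock icon": the lock only tells you the connection is encrypted, and a lookalike site can have one too, so the script asks whether the host is genuinely under a domain you already trust. Run stand-alone it prints one line per sample; the first two are flagged, the genuine statement notification is not.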
With all of these scams, the best defense is to ignore them, remembering that legitimate agencies and banks will never call and ask you to give personal data over the phone. Don't answer calls from unknown numbers, and be wary of emails, texts, and voice messages that don't look or sound legitimate. Follow the advice above, and remember that your phone is vulnerable to attack, but you have the power to be discerning and stay safe. Make sure your staff and teams are trained and understand that a cyber attack can come on any mobile device, whether a work or a personal one. The good news is that these attacks are easy to protect against. Do nothing: if you don't take the bait, you can't be hooked by the scam.