Phishing, Smishing and Vishing — Oh My! Don’t Leave Your Employees in the Dark When It Comes to These Cyber Threats
Phishing. Smishing. And vishing.
Three ways hackers are targeting employees in an effort to infiltrate companies and gain access to sensitive information.
“Some of these fraud schemes have been going on since the early 1970s,” explained John (Jack) Bennett, managing director of cyber risk at risk consultancy Kroll.
“The term ‘phishing’ finds its roots from a guy by the name of Captain Crunch, who was a hacker back in the ’70s.”
And no, Bennett is not referring to the loveable breakfast cereal Cap’n; Captain Crunch was an American computer programmer and phone phreak. When modems used to connect to the internet, they used a systems of tones (what we’d refer to as a dial-up connection) to communicate. Phone phreaks would use the modem to “listen in” on machine-to-machine communication, using it to infiltrate systems. This “phreaking” became the genesis of the word “phishing.”
Since then, “criminals saw the value of what they could get,” Bennett said. “A company’s intellectual property, the ability to compromise a system, anything for a monetary payout.”
So what exactly does phishing mean? And how can employers help train their workforce to spot, report and prevent all types of -ishing attacks?
Let’s break each down by type first, define what we mean and discuss what companies should do.
Let’s Define It
Phishing is “the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.”
To put phishing into the “real world,” hackers will send hundreds of emails daily with false links and/or attachments designed to trick the end user into opening them.
If clicked, the links or attachments will give the hacker access to company files, where they can release malware onto the system. From there, the hacker can encrypt files, hold the data for ransom and demand payment for its safe release.
Why Hackers Use Phishing Schemes
Though companies are getting smarter in educating employees on phishing attacks, this form of hack attack continues to be the most popular, according to Bennett.
That is because, in his words, “criminals tend to be people who don’t want to work really hard.” Hackers are looking for the easiest targets with the least amount of effort.
“It’s easier to throw 1,000 lures and get 10 little fish than it is to cast one customized lure designed specifically for the biggest, best fish,” said Bennett.
Breaking down the literal fishing metaphor, a hacker can use phishing with a “ph” to send thousands of emails a day.
These emails aren’t complicated — just think how easy it is for you to copy and paste — and while not all 1,000 emails will land, a fraction will. And those, say 10, clicks can result in hundreds of thousands of dollars for the hacker.
Maybe even millions if the right hook lands.
How to Spot a Phishing Attempt
Phishing emails will include similar signs that a bad actor and not a legitimate company is on the other end. For instance, hackers will keep the language generic.
“It might start off with ‘Dear Sir’ or ‘Dear Miss,’ ” said Bennett.
Related Reading: We Talk About Ransomware All the Time. So What Do We Actually Do When a Hacker Has Our Data?
“It’ll have grammatical mistakes in there,” he added. “English does not tend to be the hacker’s native language, and so you’ll see spelling errors.”
One “trick” to spot a hacker is to keep an eye out for British-English versus American-English spellings. For example, British-English would use the term “defence” while American-English would use “defense.”
“It’s a minor detail,” but one that can alert the email’s reader to phishy activity, said Bennett.
Top Phishing Statistics to Note
Cisco, an American multinational technology conglomerate, found the following stats on phishing schemes as reported in its 2021 Cyber Security Threat Trends report:
- 86% of organizations had at least one user try to connect to a phishing site in 2021.
- Phishing accounts for 90% of all data breaches, according to the report.
- The onset of the COVID-19 pandemic drove up phishing activity.
- There was a 52% increase of phishing activity in December 2020, likely having to do with the holidays.
- The health care industry faces the most phishing attempts compared to all other industries, the report noted.
Let’s Define It
Smishing is “the fraudulent practice of sending text messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords or credit card numbers.”
The smishing attempts used by hackers are clever in that they can come from any number direct to your phone.
While a personal cell phone may not seem like a gateway to a company’s data, successful smishing attempts can give hackers the information they need to gain access to sensitive information, especially if an employee ever uses their phone to conduct business.
Why Hackers Use Smishing Schemes
Though not as all-encompassing as a phishing attempt can become, smishing is growing in popularity. That is in part because everyone has a cell phone and therefore access to SMS messaging.
“Hackers figured out that smishing is also a great way to hit a broad spectrum of potential victims. Sometimes they’ll get a little more creative, they’ll do a little more work and they’ll create spear phishing campaigns, which is really more targeted,” Bennett explained.
Spear phishing is a term used to describe attacks that are custom-made to the individual being targeted. For example, a hacker might send a fraudulent text about a discount on new hardcover book releases if the end user is an avid reader.
The goal of the spear phishing attempt is to trick that user into believing it’s a legitimate business reaching out to them.
How to Spot a Smishing Attempt
Smishing can be spotted in much the same way as a phishing attempt. Spelling mistakes and generic greetings will be a common red flag to watch.
Another thing a smishing attempt might include is shortened URLs.
“It’s not going to be the right URL. You may click on that and be redirected to a landing page that looks a little funky,” said Bennett.
“The easiest thing you can do on some of these is right click on a link to get a preview of where the link will take you. If it looks like it’s coming from legit source,” it could be real. But if you “right click on the link and it’s got a strange address attached to it, probably not a good idea.”
He added, “You have to be a detective on some of these.”
Top Smishing Statistics to Note
These smishing stats are compiled from IT Pro, a technology news and review hub designed for IT professionals.
- Smishing attacks increased by almost 700% in the first six months of 2021.
- The UK saw 15 times the amount of smishing schemes as compared to the U.S.
- Proofpoint, an enterprise security company, found that delivery scams accounted for 67.4% of smishing scams. The hackers would send texts posing as the delivery person.
- There seems to be a decrease in hackers impersonating financial services and banks, though this type of smishing scam still accounted for 22.6% of schemes.
Let’s Define It
Vishing is “the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers.”
Vishing attempts are almost a dime a dozen these days, with five billion robocalls per month recorded last fall. Though some of the easiest hacking attempts out there, sometimes vishers will cold call instead of using recorded messaging to gain access to sensitive info.
How to Spot a Vishing Attempt
A robocall is easy to spot and even easier to ignore.
“It’s when a person is brazen enough to have an actual conversation” that will require that extra level of sleuthing.
“They’re really, generally, outgoing people. They can be pushy, they will use technical jargon,” Bennett explained.
“They will be aggressive but also charming. It’s all in an effort to either put people at ease and gain trust or make people uncomfortable enough to make a rash decision quickly.”
Top Vishing Statistics to Note
PhishLabs reported the following vishing statistics from 2021 in its Quarterly Threat Trends & Intelligence Report released in February 2022.
- Vishing attacks more than quintupled in percentage in share over the course of 2021, increasing 554% in volume.
- A hybrid phishing-to-vishing scheme is popularizing among hackers, accounting for 27% of vishing attacks last year. In this regard, hackers make contact via email and follow up with a phone call to “prove” legitimacy.
- Job scams and tech support scams contributed to 9.4% and 1.4% of reports.
Key Cybersecurity Steps that Prevent Phishing, Smishing and Vishing Attacks
It goes without saying, but training is a huge part of preventing attacks. If employees are well-versed in spotting phishing, smishing and vishing attempts, then the company will be the better for it.
Remember: Hackers are looking for the easiest way in with the least amount of effort.
“If something’s hard to get into, the hacker is just going to pivot to something that’s a lot easier,” Bennett said.
“They care about access. It’s all about getting a foothold in the network. And once they can get a foothold in the network, even at a very low level, it’s a rinse and repeat process. They will move laterally. They will escalate privileges. And they can keep doing that till they get to something that’s juicy.”
Having an employee be able to spot the hack attempt from the start stops the process in its tracks.
But the best practice employers can share with their employees is why training and spotting phishing, smishing and vishing starts with them.
“You may feel like you are one small piece of a corporate network, but you are also a critical piece to security,” Bennett said.
Data compromises can have real world consequences. Long gone are the days when hackers infiltrated a system just to see if they could; now, hackers can wreak financial and physical havoc.
For example, if a hospital is compromised and has to shut down an operating room because they can’t get patient records up, patients could become gravely ill, or even die.
“We all have gone through cybersecurity training. But it has always been my experience that providing the ‘why’ we are doing this training is most important,” said Bennett. “You are a defender of this company and we are only as strong as our weakest link. If somebody doesn’t pay attention to this and it compromises our system, there are consequences.
“These threat actors are out there and they’re hunting. You want to make it as difficult as possible to compromise your company.” &