Phishing, Smishing and Vishing — Oh My! Don’t Leave Your Employees in the Dark When It Comes to These Cyber Threats

There are several threat techniques hackers are using to infiltrate a company's system. Understanding the difference between them is paramount.

By: Autumn Demberger | April 24, 2022

Phishing. Smishing. And vishing.

Three ways hackers are targeting employees in an effort to infiltrate companies and gain access to sensitive information.

“Some of these fraud schemes have been going on since the early 1970s,” explained John (Jack) Bennett, managing director of cyber risk at risk consultancy Kroll.

“The term ‘phishing’ finds its roots from a guy by the name of Captain Crunch, who was a hacker back in the ’70s.”

And no, Bennett is not referring to the loveable breakfast cereal Cap’n; Captain Crunch was an American computer programmer and phone phreak. When modems used to connect to the internet, they used a systems of tones (what we’d refer to as a dial-up connection) to communicate. Phone phreaks would use the modem to “listen in” on machine-to-machine communication, using it to infiltrate systems. This “phreaking” became the genesis of the word “phishing.”

Since then, “criminals saw the value of what they could get,” Bennett said. “A company’s intellectual property, the ability to compromise a system, anything for a monetary payout.”

So what exactly does phishing mean? And how can employers help train their workforce to spot, report and prevent all types of -ishing attacks?

Let’s break each down by type first, define what we mean and discuss what companies should do.

Phishing

Let’s Define It

Phishing is “the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.”

To put phishing into the “real world,” hackers will send hundreds of emails daily with false links and/or attachments designed to trick the end user into opening them.

If clicked, the links or attachments will give the hacker access to company files, where they can release malware onto the system. From there, the hacker can encrypt files, hold the data for ransom and demand payment for its safe release.

Why Hackers Use Phishing Schemes

Though companies are getting smarter in educating employees on phishing attacks, this form of hack attack continues to be the most popular, according to Bennett.

That is because, in his words, “criminals tend to be people who don’t want to work really hard.” Hackers are looking for the easiest targets with the least amount of effort.

“It’s easier to throw 1,000 lures and get 10 little fish than it is to cast one customized lure designed specifically for the biggest, best fish,” said Bennett.

Breaking down the literal fishing metaphor, a hacker can use phishing with a “ph” to send thousands of emails a day.

These emails aren’t complicated — just think how easy it is for you to copy and paste — and while not all 1,000 emails will land, a fraction will. And those, say 10, clicks can result in hundreds of thousands of dollars for the hacker.

Maybe even millions if the right hook lands.

How to Spot a Phishing Attempt

Phishing emails will include similar signs that a bad actor and not a legitimate company is on the other end. For instance, hackers will keep the language generic.

“It might start off with ‘Dear Sir’ or ‘Dear Miss,’ ” said Bennett.

Related Reading: We Talk About Ransomware All the Time. So What Do We Actually Do When a Hacker Has Our Data?

“It’ll have grammatical mistakes in there,” he added. “English does not tend to be the hacker’s native language, and so you’ll see spelling errors.”

One “trick” to spot a hacker is to keep an eye out for British-English versus American-English spellings. For example, British-English would use the term “defence” while American-English would use “defense.”

“It’s a minor detail,” but one that can alert the email’s reader to phishy activity, said Bennett.

Top Phishing Statistics to Note

Cisco, an American multinational technology conglomerate, found the following stats on phishing schemes as reported in its 2021 Cyber Security Threat Trends report:

86% of organizations had at least one user try to connect to a phishing site in 2021.
Phishing accounts for 90% of all data breaches, according to the report.
The onset of the COVID-19 pandemic drove up phishing activity.
There was a 52% increase of phishing activity in December 2020, likely having to do with the holidays.
The health care industry faces the most phishing attempts compared to all other industries, the report noted.

Smishing

Let’s Define It

Smishing is “the fraudulent practice of sending text messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords or credit card numbers.”

The smishing attempts used by hackers are clever in that they can come from any number direct to your phone.

While a personal cell phone may not seem like a gateway to a company’s data, successful smishing attempts can give hackers the information they need to gain access to sensitive information, especially if an employee ever uses their phone to conduct business.

Why Hackers Use Smishing Schemes

Though not as all-encompassing as a phishing attempt can become, smishing is growing in popularity. That is in part because everyone has a cell phone and therefore access to SMS messaging.

“Hackers figured out that smishing is also a great way to hit a broad spectrum of potential victims. Sometimes they’ll get a little more creative, they’ll do a little more work and they’ll create spear phishing campaigns, which is really more targeted,” Bennett explained.

Spear phishing is a term used to describe attacks that are custom-made to the individual being targeted. For example, a hacker might send a fraudulent text about a discount on new hardcover book releases if the end user is an avid reader.

The goal of the spear phishing attempt is to trick that user into believing it’s a legitimate business reaching out to them.

How to Spot a Smishing Attempt

Smishing can be spotted in much the same way as a phishing attempt. Spelling mistakes and generic greetings will be a common red flag to watch.

Another thing a smishing attempt might include is shortened URLs.

“It’s not going to be the right URL. You may click on that and be redirected to a landing page that looks a little funky,” said Bennett.

“The easiest thing you can do on some of these is right click on a link to get a preview of where the link will take you. If it looks like it’s coming from legit source,” it could be real. But if you “right click on the link and it’s got a strange address attached to it, probably not a good idea.”

He added, “You have to be a detective on some of these.”

Top Smishing Statistics to Note

These smishing stats are compiled from IT Pro, a technology news and review hub designed for IT professionals.

Smishing attacks increased by almost 700% in the first six months of 2021.
The UK saw 15 times the amount of smishing schemes as compared to the U.S.
Proofpoint, an enterprise security company, found that delivery scams accounted for 67.4% of smishing scams. The hackers would send texts posing as the delivery person.
There seems to be a decrease in hackers impersonating financial services and banks, though this type of smishing scam still accounted for 22.6% of schemes.

Vishing

Let’s Define It

Vishing is “the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers.”

Vishing attempts are almost a dime a dozen these days, with five billion robocalls per month recorded last fall. Though some of the easiest hacking attempts out there, sometimes vishers will cold call instead of using recorded messaging to gain access to sensitive info.

How to Spot a Vishing Attempt

A robocall is easy to spot and even easier to ignore.

“It’s when a person is brazen enough to have an actual conversation” that will require that extra level of sleuthing.

“They’re really, generally, outgoing people. They can be pushy, they will use technical jargon,” Bennett explained.

“They will be aggressive but also charming. It’s all in an effort to either put people at ease and gain trust or make people uncomfortable enough to make a rash decision quickly.”

Top Vishing Statistics to Note

PhishLabs reported the following vishing statistics from 2021 in its Quarterly Threat Trends & Intelligence Report released in February 2022.

Vishing attacks more than quintupled in percentage in share over the course of 2021, increasing 554% in volume.
A hybrid phishing-to-vishing scheme is popularizing among hackers, accounting for 27% of vishing attacks last year. In this regard, hackers make contact via email and follow up with a phone call to “prove” legitimacy.
Job scams and tech support scams contributed to 9.4% and 1.4% of reports.

Key Cybersecurity Steps that Prevent Phishing, Smishing and Vishing Attacks

It goes without saying, but training is a huge part of preventing attacks. If employees are well-versed in spotting phishing, smishing and vishing attempts, then the company will be the better for it.

Remember: Hackers are looking for the easiest way in with the least amount of effort.

“If something’s hard to get into, the hacker is just going to pivot to something that’s a lot easier,” Bennett said.

“They care about access. It’s all about getting a foothold in the network. And once they can get a foothold in the network, even at a very low level, it’s a rinse and repeat process. They will move laterally. They will escalate privileges. And they can keep doing that till they get to something that’s juicy.”

Having an employee be able to spot the hack attempt from the start stops the process in its tracks.

But the best practice employers can share with their employees is why training and spotting phishing, smishing and vishing starts with them.

“You may feel like you are one small piece of a corporate network, but you are also a critical piece to security,” Bennett said.

Data compromises can have real world consequences. Long gone are the days when hackers infiltrated a system just to see if they could; now, hackers can wreak financial and physical havoc.

For example, if a hospital is compromised and has to shut down an operating room because they can’t get patient records up, patients could become gravely ill, or even die.

“We all have gone through cybersecurity training. But it has always been my experience that providing the ‘why’ we are doing this training is most important,” said Bennett. “You are a defender of this company and we are only as strong as our weakest link. If somebody doesn’t pay attention to this and it compromises our system, there are consequences.

“These threat actors are out there and they’re hunting. You want to make it as difficult as possible to compromise your company.” &

Autumn Demberger is a freelance writer and can be reached at [email protected].

How a Carrier Partner Can Help Navigate a Challenging Management and Professional Liability Market

A combination of a choppy economy with increased claims frequency and severity could lead to rate increases in the Management & Professional Liability market.

By: Risk & Insurance | April 3, 2024

Rates in the management & professional liability (M&PL) markets were on the rise from 2020 to early 2023 and are now falling rapidly.

M&PL divisions manage a number of different insurance products including management liability (D&O), professional liability (E&O), employment practices liability (EPL), fiduciary liability policies, cyber, etc. In 2023 and into 2024, a big influence on the marketplace has been the extremely aggressive and softening public company D&O market.

Though these rates have been softening for management liability, that may change over the next few years as companies continue to adjust their business models motivated by economic uncertainty. Layoffs were up nearly 200% last year, Forbes reported, even as other recession indicators, like the inflation rate, improved. A recession could lead to an increased claim activity and force carriers to raise rates.

“Whenever there is a meaningful downturn in the economy, we tend to see claim frequency pop up,” said George Schalick, Jr., senior vice president of the Management and Professional Liability Division at Philadelphia Insurance Companies (PHLY).

With continued fiscal uncertainty, businesses potentially already burdened with pandemic-related claims should seek a carrier with a long history in M&PL products. They will provide much-needed risk management guidance and be better positioned to support their insureds during market fluctuations.

Why Insureds Might See an Uptick in M&PL Claims

George Schalick, Jr., Senior Vice President of the Management and Professional Liability Division, Philadelphia Insurance Companies

The current soft market might come as a bit of a surprise as it does not track with previous underwriting cycles and economic conditions. Afterall, many privately held and non-profit organizations struggled during the early days of the pandemic with shutdowns and rapidly declining revenues. But the Government assistance programs, like the Paycheck Protection Program loans, helped keep many afloat during the tough times.

“During COVID many organizations stopped doing business until they were able to sort out all of the health and safety challenges,” Schalick said. “They were forced to lock down, but then all the government assistance programs allowed them to keep people employed. The increased volume of claims we anticipated we would see coming from the lockdowns and restrictions that were imposed upon businesses in the U.S. didn’t manifest at first.”

“Just because there wasn’t an onslaught of reported claims at the beginning of the pandemic, doesn’t mean the circumstances that would give rise to a claim being reported didn’t occur. Courts and the judicial system were closed or slowed and now that they are back open, we’re starting to see the circumstances that occurred during the COVID lockdowns becoming claims today,” Schalick said. “Litigation is progressing.”

Added to the delayed pandemic litigation is a concern over newer claims that might be filed as the country inches toward an economic downturn. Though a recession was avoided in 2023, experts think a soft dip could occur in 2024, with 76% of economists saying there’s a 50% or less chance of an economic downturn this year — that almost always results in more management liability claims.

“During the Great Recession in 2008, we saw an almost immediate spike in claims because of the economic conditions and the pressure it placed on organizations. They were making personnel changes with significant belt tightening almost immediately.” Schalick said.

What’s in Store for M&PL Policy Rates in 2024?

Despite an uptick in claims and increased economic uncertainty, management liability rates haven’t increased, resulting in market-wide pricing levels that may not meet the increased pressure of rising settlements and jury verdicts.

“Rates are going the other direction and settlement values are not falling,” Schalick said.

The mismatch between rates, claim frequency and severity is, in part, because carriers experiencing the dramatic soft market in the public D&O market are seeking premium gain in the private and non-profit market.

“In the public company market, the rates have been decreasing significantly. The rates were increasing in the private, not-for-profit market, and rightfully so, but there’s a desire to supplement overall mid-size D&O for carriers who also write private not-for-profit, and they see that as an opportunity to aggregate premium,” Schalick said. “So the always competitive landscape in the private, not-for-profit market has dramatically increased in the last 18 to 24 months.”

Still, companies of all sizes and types should be concerned about management liability rates in the future. Legal system abuse is resulting in increases in both the amount of litigation and the size of verdicts plaintiffs are receiving.

Certain areas of the country are particularly vulnerable to this type of legal system abuse. As a result, insureds in these localities are likely to be vulnerable to rate increases.

“The environment is so positive for the plaintiff that forces premium increases so carriers are able to stay in that market long term,” Schalick said.

Why a Tenured Carrier Partner Can Help Insureds Navigate An Uncertain Market

It’s clear that insureds are facing an uncertain M&PL market over the next few years. Fortunately, carriers with a long history in the M&PL space will be there to offer stability.

Philadelphia Insurance Companies has been supporting this market for 35 years. PHLY is committed to offering long-term rate stability, even as economic and claims trends start to push premiums upwards. They have an appetite for all sorts of companies, large and small, for-profit and nonprofit alike.

“We’ve been at this game for a long time and are one of the most tenured underwriters in this space,” Schalick said. “We like to stay very consistent.”

PHLY has worked with both for-profit and non-profit on management liability policies. With dedicated M&PL teams throughout the company’s 13 regions, PHLY provides the support agents and brokers are looking for on behalf of their clients. The teams know their regions well and can respond to local trends. They’re also dedicated to making the renewal process as easy as possible for their partners and policyholders.

“We have real confidence in our results, so we focus a lot on making the renewal experience as painless as possible for all agents and insureds,” Schalick said.

The company is also investing in tools to help insureds avoid losses. Earlier this year, they launched a new online risk management platform, PHLYGateway, which offers resources for insureds on how to create an employee handbook and trainings on issues such as recognizing workplace sexual harassment and discrimination.

If insureds have questions, they can consult a Best Practices Help Line, provided via the platform. That way, they can get on the spot risk management guidance to help them prevent claims.

To learn more, visit: https://www.phly.com/mplDivision/managementLiability/default.aspx.

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Philadelphia Insurance Companies. The editorial staff of Risk & Insurance had no role in its preparation.