How to Identify and Avoid Vishing and Smishing Attacks
WHAT HAPPENED?
You likely have heard of phishing attacks, a type of social engineering scheme that tricks victims into clicking email links infected with malware, or into giving sensitive information to cybercriminals posing as a credible contact.
Sophisticated attackers use a variety of tactics to gain and exploit users’ sensitive information beyond phishing emails. Other social engineering schemes include vishing and smishing; these schemes are becoming more common among employees who use personal devices for work. Fortunately, there are steps your organization can take to remain aware and be vigilant about evolving social engineering attack risks.
WHAT ARE VISHING AND SMISHING ATTACKS?
Vishing is a type of social engineering attack that relies on users providing sensitive information over the phone. Bad actors can orchestrate these schemes by spoofing phone numbers to make incoming calls appear to be from credible vendors or agencies.
Smishing attacks occur via SMS, or text, messages. The messages may contain links to malicious sites or instruct victims to call a phone number in order to provide sensitive information.
TIPS FOR SPOTTING VISHING AND SMISHING ATTACKS
As cybercriminals become more advanced and their methods of attack become more complex, it is increasingly difficult for many to spot malicious requests. Below are typical red flags:
- Unexpected requests for information- This may consist of an abnormal or unsolicited request from your bank to provide your social security number over the phone, for example.
- Text messages including links with URLs of different or unusual spelling- Attackers may use alternate spellings of common websites, like “amazonshop.net” or “googlemailbox.org” to request a response including your username and password.
- Generic greetings- Malicious texts or calls may open with non-specific greetings, like “Hello business owner” or “Dear bank customer”, possibly using the name of the bank or credit card that may be familiar.
- Phone messages that sound recorded or automated- Vishing attacks may use computerized voice messages or recorded human voice messages with requests for you to press buttons on your phone’s keypad or to call a separate phone number.
- Beware of Covid-19 schemes- It is common for bad actors to use current events to exploit the public through misinformation or alarmist tactics. Attackers may leverage Covid-19 information, updates, or falsified test results to trick recipients into providing personal information.
HOW TO PREVENT AND RESPOND TO ATTACKS
- Do not click suspicious links or respond to questionable requests for information unless you are certain of the sender’s identity.
- Contact a trusted customer service line to confirm the legitimacy of a communication if you are unsure of its safety.
- If you think you may have provided sensitive information to cybercriminals, report the incident to the appropriate people in your organization and update your passwords, for example.
- Cancel any financial accounts that may have been compromised and inform the related financial institution.
- Have policies and procedures in place for what to do if client information is stolen from your firm.
- Report the incident to the police and the Federal Trade Commission (FTC), as appropriate.
One of the biggest risks to your firm’s network security is human error. Training your firm’s network users to recognize, avoid, and report potential attacks can save your firm the financial, reputational, and security expenses of a data breach.
If your firm has questions about social engineering attacks, Fairview can help. We offer comprehensive on-going anti-phishing training and will help your firm draft and implement policies and procedures to keep your network safe and respond to potential threats. Contact us today for more information about what we can do for your firm.