
What is Smishing?
Smishing is a form of phishing in which an attacker uses a compelling text message to trick targeted recipients into clicking a link and sending the attacker private information or downloading malicious programs to a smartphone.
How Smishing Works
Most smishing attacks work like email phishing. The attacker sends a message enticing the user to click a link or asks for a reply that contains the targeted user’s private data.
The information an attacker wants can be anything, including:
- Online account credentials.
- Private information that could be used in identity theft.
- Financial data that can be used to sell on darknet markets or for online fraud.
Smishers use a variety of ways to trick users into sending private information. They may use basic information about the target (such as name and address) gathered from public online tools to make the message appear to come from a trusted source.
The smisher may use your name and location to address you directly. These details make the message more compelling. The message then displays a link pointing to an attacker-controlled server. The link may lead to a credential phishing site or malware designed to compromise the phone itself. The malware can then be used to snoop the user’s smartphone data or send sensitive data silently to an attacker-controlled server.
How to Protect from Smishing Attacks
Like email phishing, protection from smishing depends on the targeted user’s ability to identify a smishing attack and ignore or report the message. If a phone number is often used in scams, the telecom might warn users who receive messages from a known scam number or drop the message altogether.
Smishing messages are dangerous only if the targeted user acts on them by clicking the link or sending the attacker private data.
Here are a few ways to detect smishing and to avoid becoming a victim:
- The message offers quick money, either from winning prizes or collecting cash after entering information. Coupon code offers are also popular.
- Financial institutions will never send a text asking for credentials or a transfer of money. Never send credit card numbers, ATM PINs, or banking information to someone in a text message.
- Avoid responding to a phone number that you don’t recognize.
- Messages received from a sender with only a few digits probably came from an email address, which is a sign of spam.
- Banking information stored on the smartphone is a target for attackers. Avoid storing this information on a mobile device. Should an attacker install malware on the smartphone, this banking information could be compromised.
- Telecoms offer numbers for reporting attacks. To protect other users, forward the message to your telecom's reporting number so that it can be investigated. The FCC also takes complaints and investigates text-message scams.
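The indicators listed above can be checked mechanically. The following is an added example (not code from the original page) that scores constructed sample messages against them: a sender ID with only a few digits, a link, a request for credentials or banking details, a quick-money lure, urgency, and a prompt to click, reply or call. The digit threshold and the "suspicious" cut-off are assumptions to tune for your environment.

```python
import re

# Constructed sample messages for this example; none are real captures.
SAMPLES = [
    {"sender": "+15551234567",
     "text": "Hi John, your package for 42 Oak St is waiting. Confirm at http://example-delivery.test/track"},
    {"sender": "4121",
     "text": "Congratulations! You won a $500 gift card. Claim now: http://prize.test/claim"},
    {"sender": "BANK",
     "text": "Your account is locked. Reply with your ATM PIN and card number to unlock."},
    {"sender": "+15559876543", "text": "Dinner at 7? Let me know."},
]

# Each pattern corresponds to one indicator from the guidance above.
URL_RE = re.compile(r"https?://\S+", re.I)                                            # link to a sender-controlled server
CREDENTIAL_RE = re.compile(r"\b(pin|password|card number|login|credentials)\b", re.I)  # asks for credentials/banking data
MONEY_RE = re.compile(r"\b(won|winner|prize|gift card|coupon|cash|reward)\b", re.I)    # quick-money or coupon lure
URGENCY_RE = re.compile(r"\b(now|immediately|locked|suspended|urgent)\b", re.I)        # pressure to act at once
ACTION_RE = re.compile(r"\b(click|confirm|verify|claim|reply|call)\b", re.I)            # asks the recipient to act
MIN_PHONE_DIGITS = 7   # assumed: fewer digits suggests an email gateway or short code, not a phone
SUSPICIOUS_SCORE = 2   # assumed threshold: two or more indicators flag the message


def score_message(sender, text):
    """Return (score, reasons): one point per smishing indicator present."""
    reasons = []
    if len(re.sub(r"\D", "", sender)) < MIN_PHONE_DIGITS:
        reasons.append("sender has only a few digits (likely email-originated)")
    if URL_RE.search(text):
        reasons.append("contains a link")
    if CREDENTIAL_RE.search(text):
        reasons.append("requests credentials or banking details")
    if MONEY_RE.search(text):
        reasons.append("quick-money or prize lure")
    if URGENCY_RE.search(text):
        reasons.append("urgency pressure")
    if ACTION_RE.search(text):
        reasons.append("asks recipient to click, reply or call")
    return len(reasons), reasons


def triage(messages):
    """Label each message 'suspicious' or 'ok' together with the indicators that fired."""
    results = []
    for m in messages:
        score, reasons = score_message(m["sender"], m["text"])
        verdict = "suspicious" if score >= SUSPICIOUS_SCORE else "ok"
        results.append({"sender": m["sender"], "score": score, "verdict": verdict, "reasons": reasons})
    return results
```

Running `triage(SAMPLES)` flags the first three constructed messages and leaves the ordinary one alone; the personalized delivery lure scores only on its link and call to action, which is why the threshold matters.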
The following image displays a sample smishing attack.

What is Vishing?
A vishing attack is a type of scam in which criminals contact a potential victim over the phone pretending to be a company and try to convince them to share personal information. A call is not always made right away; instead, fraudsters often combine different “baiting” techniques to instigate curiosity, fear, or to gain the trust of those on the other end of the line.
Examples of vishing attacks include:
- Alert from a financial institution: the fraudster calls the victim claiming to be from their bank or another institution and informs them that there is a problem with their account or credit card. The false alert may also arrive by SMS first, asking the person to call a number to resolve the issue.
- Offers of investments and other financial solutions: another tactic used in vishing scams is links offering the opportunity to pay off debts for less than the original amount or to make investments that promise high returns. These “offers” are usually for a limited time, so the person must act immediately.
- Social Security Number or health plan request: in some cases, fraudsters try to convince their targets to share personal information such as their health plan number so that they can benefit from services. Scams in which criminals impersonate government agents, claim that the victim's Social Security number has been suspended, and ask them to confirm the number so it can be reactivated are also common.
- Billing by a technical support service: this attack can start with a link that opens a page claiming a problem has been detected with your computer and that you need to call a number to receive technical support. Another common technique is for the criminal to call the victim directly, claim there is a device failure, and offer to help. At the end of the “service”, a fee is charged for repairing a problem that never existed.
Common warning signs of a vishing call include:
- There is a frantic sense of urgency: a vishing attack often hinges on creating a sense of panic or otherwise applying pressure on the victim. This could include offers of a time-sensitive nature or those that provide a solution to a dire problem.
- The caller asks for your information: any time a caller asks for personal information, you should be skeptical. There is often no way to know for sure whether the request is legitimate or part of a vishing scam. It is best to say no.
- The caller claims to represent the IRS, Medicare, or the Social Security Administration: these are all organizations that people tend to trust and feel comfortable providing with personal information. A real IRS, Medicare, or Social Security agent or representative will already have enough personal information to do business with you.
How to Protect from Vishing Attacks
- Do not pick up the phone: if you see a suspicious number, let it go to voicemail. You can verify its importance by checking your messages.
- Join the National Do Not Call Registry: the registry can reduce the number of telemarketing (and vishing) calls you get. Companies that call numbers on the list can face penalties.
- Hang up: when in doubt, just hang up the phone.
- Do not press buttons or respond to prompts: automated vishing calls depend on feedback from the victim. If you refuse to press buttons or answer questions, the attack can be stopped.
- Verify the caller's identity: if the person provides a call-back number, it may be part of the scam, so don't use it. You can do an online search for the caller, their company, its physical location, and other information you can use to verify their legitimacy.
Stay Vigilant! Nobody Is Immune to Phishing, Smishing or Vishing.
OIT InfoSec