
Smishing and Vishing: Exploring These Two Phishing Variants

Many cyberattacks begin with phishing emails that dupe unsuspecting victims into clicking malicious links, downloading malware or revealing confidential information. Ever keen to evolve their tactics, threat actors no longer confine themselves to sending these deceitful messages by email. This article gives an overview of two increasingly widespread phishing variants, smishing and vishing, along with actionable insights to help protect against these forms of social engineering.

What is Smishing?

Smishing is a type of phishing attack that targets people with fraudulent SMS text messages instead of emails. Like phishing, smishing works through psychological manipulation. What makes smishing especially effective is that people tend to lower their guard when using their cell phones, and cybersecurity training often focuses on classic phishing attacks while neglecting newer variants.

Most smishing messages attempt to influence victims to take action by conveying urgency. Threat actors create this urgency in a number of different ways that include:

  • Instructions to click a URL and provide online banking account login details to confirm a transaction
  • Messages purporting to be from couriers asking victims to click a link and confirm the delivery time for products
  • Notifications about account suspensions in services like PayPal with a link to reactivate the account
  • A notice about tax refunds

Data from the FTC shows that U.S. customers were scammed out of a combined $86 million from text scams in 2020 alone. Smishing attacks don’t just focus on customers, though. This type of social engineering carries business risks too because employees frequently access corporate apps and services from their smartphones. Hackers can send smishing messages to employees or business owners and gain login credentials to critical business apps or even the ability to remotely take over employee devices.
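The lure patterns listed above (a link, an impersonated brand, an urgency cue, a request for login or payment details) can be turned into a simple triage score for SMS messages that employees report to the security team. The following is an added example, not code from the original post; the brand-to-domain table, cue lists and sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed lookup for this example: brands the lures above impersonate,
# mapped to the hostnames they legitimately send links from.
BRAND_DOMAINS = {
    "paypal": ("paypal.com",),
    "fedex": ("fedex.com",),
    "irs": ("irs.gov",),
}
URGENCY_CUES = ("urgent", "immediately", "suspended", "verify", "confirm",
                "within 24 hours", "act now", "refund")
SENSITIVE_ASKS = ("login", "password", "account details", "card details",
                  "recovery code", "one-time code")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def host_matches(host, domains):
    """True if host is one of the brand's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_sms(text):
    """Score a reported SMS; returns (score, verdict, reasons)."""
    lowered = text.lower()
    score, reasons = 0, []
    urls = URL_RE.findall(text)
    if urls:
        score += 2
        reasons.append("contains a link")
    for brand, domains in BRAND_DOMAINS.items():
        if not re.search(rf"\b{brand}\b", lowered):
            continue
        # Brand named in the text but the link goes elsewhere: strongest signal.
        for url in urls:
            host = (urlparse(url).hostname or "").lower()
            if not host_matches(host, domains):
                score += 3
                reasons.append(f"mentions {brand} but links to {host}")
    if any(cue in lowered for cue in URGENCY_CUES):
        score += 1
        reasons.append("urgency cue")
    if any(ask in lowered for ask in SENSITIVE_ASKS):
        score += 2
        reasons.append("asks for credentials or payment details")
    verdict = "likely smishing" if score >= 5 else "suspicious" if score >= 2 else "benign"
    return score, verdict, reasons


# Constructed sample reports, not real messages.
SAMPLES = [
    "PayPal: your account has been suspended. Verify your login details "
    "within 24 hours at http://paypal-secure-verify.example/login",
    "FedEx: confirm your delivery window at https://fedex.com/track",
    "Dinner at 7? Bring the kids.",
]
```

Running `triage_sms` over the samples marks the first as likely smishing, the courier notice as merely suspicious (the link really does go to the courier's domain), and the personal message as benign.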

What is Vishing?

Vishing is a type of attack that uses fraudulent phone calls and voicemails to trick people into taking certain actions or revealing private information. Like smishing, vishing preys on the fact that people often aren’t aware of the threat of being scammed while using their phones.

Voice over Internet Protocol (VoIP) platforms facilitate vishing calls by allowing hackers to hide their real phone numbers and scale their attacks. Often, threat actors use AI text-to-speech tools to deliver scripted messages during these calls.

Vishing might sound harder to fall for than smishing because people tend to be more cautious when receiving unexpected phone calls. General skepticism and fatigue from telemarketing mean many people don’t answer these calls or hang up right away. However, hackers often spoof their phone numbers so that the calls appear to come from genuine organizations the victim trusts.

Similar to smishing, hackers try to create a sense of urgency, usually by using fear as a motivator. Here are some common scenarios for vishing calls:

  • Pretending to be an IT helpdesk and asking employees to verify their login credentials by visiting a specific URL or telling employees their business laptops are infected with a virus
  • Imitating a law firm and telling people they’ve been victims of identity fraud
  • Claiming to be a government department and telling business owners they need to pay a fine, which they can do by providing credit card details

Vishing has become such a threat that the FBI and CISA released a joint advisory in 2020 highlighting a persistent vishing campaign that targeted remote workers. More advanced spear vishing attacks leverage personal information gleaned about targets to make the call seem more genuine. Often, threat actors scrape this data from social media or they purchase stolen personal information from previous data breaches on the dark web.

Defending Against Smishing and Vishing

Combating smishing and vishing is tricky from a business perspective. With classic phishing campaigns, email security tools often do a good job at filtering out suspicious emails before they reach employee inboxes. When threat actors have access to an employee’s phone number, it’s more of a challenge. Here are some ways to mitigate or defend against these social engineering attacks.

Use Multi-factor Authentication for Business Apps and Services

Often, smishing and vishing attacks on businesses attempt to trick people into disclosing login details for business services or apps. These login details can lead to hackers accessing your corporate network. In the 2020 remote work vishing campaign, fake IT helpdesk calls instructed employees to visit a fake login page for their company’s VPN. By entering login details on this counterfeit page, victims unknowingly provided login details to hackers.

Multi-factor authentication (MFA) provides a way to strengthen the security of business apps and services. Even if an employee is tricked into revealing their password, MFA doesn’t grant access without a second factor that verifies that employee’s identity. Often this second factor is a push notification on a smartphone, but MFA can be strengthened further by using biometrics as an authentication factor.

Update Security Awareness and Training Programs

Security awareness and training programs that only focus on classic email phishing are now outdated. It’s vital to inform employees about smishing and vishing threats. Training programs should include some tips on identifying suspicious signs to look out for and what to do, including:

  • Don’t automatically trust caller ID due to the potential to spoof it
  • Don’t click on links in text messages or reply to them
  • Never disclose passwords or account recovery codes either by text message or phone call
  • When in doubt about the authenticity of a caller, hang up and dial the company or department’s real number yourself
  • Remember that banks or payment merchants never ask for account information or for confirmation of transactions by text message
  • Report suspicious calls or emails to your company’s IT or security department right away

Real-world examples featuring screenshots of smishing texts or audio recordings of vishing calls can reinforce learning.

Leverage Cyber Threat Monitoring and Incident Response

In a business context, smishing and vishing are usually just the initial steps taken to get inside your network and exfiltrate data or install ransomware. Even if these social engineering attacks manage to trick an employee into letting an attacker inside, continuously monitoring your environment helps you detect and respond to incidents in real time before adversaries reach their goals.

Not every business has the resources for 24/7 threat monitoring and incident response. Cybersecurity talent shortages mean that even those companies with the budget may struggle to pull together a sufficient team of experts. That’s where managed detection and response (MDR) comes in to provide these monitoring and detection capabilities in a cost-efficient way.

Want to learn more? Contact Nuspire today to find out how we help your business address these and other threats inside your network environments.
