Many cyberattacks begin with phishing emails that dupe unsuspecting victims into clicking malicious links, downloading malware or revealing confidential information. Ever keen to evolve their tactics, threat actors no longer confine themselves to delivering these deceitful messages by email. This article gives an overview of two increasingly widespread variants of phishing: smishing and vishing. You’ll also get actionable insights to help protect against these forms of social engineering.
Smishing is a type of phishing attack that targets people with fraudulent SMS text messages instead of emails. Like email phishing, it works through psychological manipulation. What makes smishing especially effective is that people tend to lower their guard on their cell phones, and the medium helps the attacker: SMS carries no sender authentication comparable to email’s SPF or DKIM, so the displayed sender is easily spoofed, and small screens truncate links so a lookalike domain is hard to spot. Cybersecurity training often focuses on classic email phishing and neglects these newer variants.
Most smishing messages attempt to influence victims to take action by conveying urgency. Threat actors create this urgency in a number of different ways that include:
Data from the FTC shows that U.S. consumers were scammed out of a combined $86 million through text scams in 2020 alone. Smishing doesn’t just target consumers, though. It carries business risk too, because employees frequently access corporate apps and services from their smartphones. Attackers can send smishing messages to employees or business owners to harvest login credentials for critical business apps, or to install software that gives them remote control of the employee’s device.
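The indicators described above (urgency language, a request for a credential or code, and a link to a shortener or a lookalike of a trusted domain) can be turned into a simple triage heuristic. The following script is an added example and is not code from the original article; the phrase lists, the shortener list, the `example-bank.com` allowlist and the sample messages are all constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Heuristic lists assumed for this example; tune them for your own environment.
URGENCY_PHRASES = ("immediately", "within 24 hours", "suspended", "locked",
                   "final notice", "act now", "urgent")
SECRET_REQUESTS = ("password", "pin", "one-time code", "verification code", "ssn")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly", "rb.gy"}
# Assumed allowlist of domains the organization genuinely sends SMS links from.
TRUSTED_DOMAINS = {"example-bank.com"}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages for the demonstration (not real traffic).
SAMPLES = {
    "smish": ("Example Bank: your account is LOCKED. Verify immediately at "
              "http://example-bank.com-secure.net/login and enter your one-time code"),
    "shortener": "Your package is waiting. Confirm delivery within 24 hours: https://bit.ly/3abcXYZ",
    "benign": ("Example Bank: your statement is ready. View it in the app or at "
               "https://www.example-bank.com/statements"),
}


def extract_hosts(text):
    """Pull the hostnames out of every URL-looking token in the message."""
    hosts = []
    for raw in URL_RE.findall(text):
        if not raw.lower().startswith("http"):
            raw = "http://" + raw  # bare www. links still need a scheme for urlparse
        host = (urlparse(raw).hostname or "").lower().rstrip(".")
        if host:
            hosts.append(host)
    return hosts


def brand_token(domain):
    """'example-bank.com' -> 'examplebank', used to spot lookalike hosts."""
    return domain.rsplit(".", 1)[0].replace("-", "").replace(".", "")


def triage_sms(text, trusted=TRUSTED_DOMAINS):
    """Return (score, reasons); a higher score means more smishing indicators."""
    lowered = text.lower()
    reasons = []
    for host in extract_hosts(text):
        if host in trusted or any(host.endswith("." + t) for t in trusted):
            continue  # a link to a genuinely trusted domain is not a signal
        if host in SHORTENERS:
            reasons.append(f"link through URL shortener {host}")
        elif any(label.startswith("xn--") for label in host.split(".")):
            reasons.append(f"punycode (IDN) host {host}")
        else:
            squashed = host.replace("-", "").replace(".", "")
            lookalikes = [t for t in trusted if brand_token(t) in squashed]
            if lookalikes:
                reasons.append(f"lookalike of {lookalikes[0]}: {host}")
            else:
                reasons.append(f"link to untrusted host {host}")
    if any(p in lowered for p in URGENCY_PHRASES):
        reasons.append("urgency language")
    if any(p in lowered for p in SECRET_REQUESTS):
        reasons.append("asks for a credential or code")
    return len(reasons), reasons


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        score, reasons = triage_sms(msg)
        print(f"{name}: score={score} {reasons}")
```

The lookalike check matters more than the keyword lists: `example-bank.com-secure.net` contains the trusted brand but is registered under `com-secure.net`, which is exactly the pattern a truncated mobile preview hides.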
Vishing is a type of attack that uses fraudulent phone calls and voicemails to trick people into taking certain actions or revealing private information. Like smishing, vishing preys on the fact that people often aren’t aware of the threat of being scammed while using their phones.
Voice over Internet Protocol (VoIP) platforms facilitate vishing by letting attackers place calls at scale without exposing a real phone number, and by making it trivial to set an arbitrary caller ID. Threat actors often drive these calls with scripted, AI-generated text-to-speech audio.
Vishing might sound harder to fall for than smishing because people tend to be more cautious about unexpected phone calls. General skepticism and fatigue from telemarketing mean many people don’t answer these calls or hang up right away. However, caller ID is not authenticated end to end, so attackers spoof their numbers to make calls appear to come from organizations the victim trusts. A displayed number matching your bank or your IT department is not evidence of who is calling.
Similar to smishing, hackers try to create a sense of urgency, usually by using fear as a motivator. Here are some common scenarios for vishing calls:
Vishing has become such a threat that the FBI and CISA released a joint advisory in 2020 highlighting a persistent vishing campaign that targeted remote workers. More advanced spear vishing attacks leverage personal information gleaned about targets to make the call seem more genuine. Often, threat actors scrape this data from social media or they purchase stolen personal information from previous data breaches on the dark web.
Combating smishing and vishing is tricky from a business perspective. With classic phishing campaigns, email security tools often do a good job of filtering out suspicious messages before they reach employee inboxes. SMS and voice traffic mostly bypass corporate controls, so once threat actors have an employee’s phone number there is little in the path to filter the attack. Here are some ways to mitigate or defend against these social engineering attacks.
Use Multi-factor Authentication for Business Apps and Services
Often, smishing and vishing attacks on businesses attempt to trick people into disclosing login details for business services or apps, and those credentials can give attackers a foothold on your corporate network. In the 2020 remote work vishing campaign, callers posing as the IT helpdesk directed employees to a counterfeit login page for their company’s VPN. By entering their credentials on that page, victims unknowingly handed them to the attackers.
Multi-factor authentication (MFA) strengthens the security of business apps and services: even if an employee is tricked into revealing a password, MFA doesn’t grant access without a second factor that verifies the employee’s identity. Not all second factors resist this kind of attack equally, though. A one-time code or push notification can be defeated by the same social engineering, because a caller posing as the helpdesk can ask the victim to read out the code or approve the prompt while the counterfeit page relays it to the real service in real time. Phishing-resistant MFA based on FIDO2/WebAuthn (security keys or platform authenticators, typically unlocked with a biometric) binds each login to the genuine site’s origin, so an assertion produced on a lookalike page is rejected by the real one.
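To make the difference between a relayable factor and an origin-bound one concrete, the following script is an added example, not code from the original article or from any product it mentions. It implements RFC 6238 TOTP and then models the helpdesk-call relay: the victim types password and code into the fake page, the attacker forwards both to the real VPN inside the 30-second window, and the login succeeds. The second half models origin binding the way WebAuthn does it, with the authenticator signing over the challenge and the origin the browser actually sees; real WebAuthn uses a public-key signature over `authenticatorData || SHA-256(clientDataJSON)`, and an HMAC stands in for that signature here. The secrets, origins and the fixed timestamp are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed secrets and origins for the demonstration only.
TOTP_SECRET = b"constructed-shared-secret-for-demo"
PASSKEY_SECRET = b"constructed-stand-in-for-device-private-key"
VICTIM_PASSWORD = "correct horse battery staple"
REAL_ORIGIN = "https://vpn.example-corp.com"   # assumed genuine VPN portal
FAKE_ORIGIN = "https://vpn-example-corp.com"   # assumed lookalike phishing site


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the 30-second counter, HMAC-SHA1, dynamic truncation."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def vpn_verify_totp(password, code, now):
    """Server side: password plus the TOTP code for the current window."""
    return password == VICTIM_PASSWORD and hmac.compare_digest(code, totp(TOTP_SECRET, now))


def totp_relay_attack(now):
    """The fake helpdesk page captures password + code; the attacker replays them
    to the real VPN a few seconds later, still inside the same 30 s window."""
    captured_password = VICTIM_PASSWORD
    captured_code = totp(TOTP_SECRET, now)          # victim reads it from their app
    return vpn_verify_totp(captured_password, captured_code, now + 5)


def passkey_sign(challenge, origin):
    """Authenticator side, simplified: the signed client data includes the origin
    the browser is on, which the user cannot alter and the attacker cannot rewrite."""
    client_data = f"{challenge}|{origin}".encode()
    return hmac.new(PASSKEY_SECRET, client_data, hashlib.sha256).hexdigest()


def vpn_verify_passkey(challenge, assertion):
    """Relying party: recompute over the challenge it issued and ITS OWN origin."""
    expected = passkey_sign(challenge, REAL_ORIGIN)
    return hmac.compare_digest(expected, assertion)


def passkey_relay_attack(challenge):
    """The attacker forwards the real server's challenge to the victim, but the
    victim's browser binds the assertion to the lookalike origin it is visiting."""
    assertion = passkey_sign(challenge, FAKE_ORIGIN)
    return vpn_verify_passkey(challenge, assertion)


if __name__ == "__main__":
    now = 1_700_000_010  # fixed timestamp so the run is reproducible
    print("TOTP relay succeeds:", totp_relay_attack(now))
    print("Passkey relay succeeds:", passkey_relay_attack("server-challenge-123"))
```

The point is not that TOTP is broken as a cryptographic primitive; it is that nothing in the code ties it to where the user typed it, so a patient caller and a counterfeit page are enough. Origin binding removes the human from that decision.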
Update Security Awareness and Training Programs
Security awareness and training programs that only focus on classic email phishing are now outdated. It’s vital to inform employees about smishing and vishing threats. Training programs should include some tips on identifying suspicious signs to look out for and what to do, including:
Real-world examples featuring screenshots of smishing texts or audio recordings of vishing calls can reinforce learning.
Leverage Cyber Threat Monitoring and Incident Response
In a business context, smishing and vishing are usually just the initial access step on the way to moving through your network, exfiltrating data or deploying ransomware. Even if one of these social engineering attacks tricks an employee into letting an attacker in, continuous monitoring of your environment lets you detect and respond to the follow-on activity before adversaries reach their goals.
Not every business has the resources for 24/7 threat monitoring and incident response. Cybersecurity talent shortages mean that even those companies with the budget may struggle to pull together a sufficient team of experts. That’s where managed detection and response (MDR) comes in to provide these monitoring and detection capabilities in a cost-efficient way.
Want to learn more? Contact Nuspire today to find out how we help your business address these and other threats inside your network environments.